DPA Statement
Data Processing Addendum
This Data Processing Addendum (“Addendum”) is an addendum to the General Terms and Conditions (the “Agreement”) and only applies as described in the Agreement. Capitalized terms used but not defined herein shall have the same meaning as set forth in the Agreement. Like the Agreement, this Addendum is by and between us (the “Processor”) and you (the “Client”) with regard to the Processing of Client Data (as hereinafter defined) in connection with your use of our products and services (the “Service”), in accordance with the requirements of Data Protection Laws (as hereinafter defined).
Client hereby agrees that it is entering into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Processor processes Personal Data for which such Authorized Affiliates qualify as a Data Controller (as hereinafter defined). For the purposes of this Addendum only, and except where indicated otherwise, the term “Client” shall include Client and its Authorized Affiliates.
For clarity, this Addendum does not apply to (i) Purchaser Data, (ii) such other Personal Data that Processor independently collects, or (iii) that Processor collects pursuant to its own privacy policy or notice. Client and Processor hereby agree to comply with the following provisions, each acting reasonably and in good faith.
1. DEFINITIONS
“Affiliate” of a Person means any entity that directly or indirectly controls, is controlled by, or is under common control with such Person. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of such Person.
“Authorized Affiliate” means any of Client's Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Service pursuant to a written agreement between Client and Processor (the “Agreement”), but has not signed its own agreement with Processor and is not a named customer under the Agreement.
“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as enacted by the state of California, as may be amended from time to time, including, without limitation, as amended by the California Privacy Rights Act.
“Client Data” means any Personal Data governed by or regulated by Data Protection Laws that Processor processes as a Data Processor on behalf of Client under the Agreement; provided it excludes (i) Purchaser Data, (ii) such other Personal Data that Processor independently collects, or (iii) that Processor collects pursuant to its own privacy policy or notice.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. Client is the Data Controller with respect to Client Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. Processor, including its Affiliates, is the Data Processor with respect to Client Data.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data in connection with the Services, including where applicable EU Data Protection Laws, the CCPA, and the data protection or privacy laws of any other country or jurisdiction solely to the extent applicable.
“EEA” means, for purposes of this Addendum, the European Economic Area, United Kingdom and Switzerland.
“EU Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation), as may be amended from time to time (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced); (iii) the United Kingdom Data Protection Act 2018 (“UK GDPR”); and (iv) Switzerland’s Federal Act on Data Protection of 25 September 2020 (“FADP”).
“Personal Data” means any information relating to an identified or identifiable natural person, provided, that with respect to this Addendum, the reference is to Client Data processed in relation to Client’s access to and use of the Service.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework as well as the UK Extension to the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce and approved by the European Commission pursuant to their Decision C(2023) 4745 on July 7, 2023.
“Prohibited Data” means (a) government issued ID numbers such as passport numbers, taxpayer numbers, driver’s license numbers, (b) individual medical or health information (including without limitation, protected health information under the Health Information Portability and Accountability Act), (c) individual financial information or account numbers (including without limitation, credit or debit card numbers or bank account numbers), (d) passwords (other than passwords for Client’s account on the Service), or (e) “special” or “sensitive” categories of personal data and personal information as defined under applicable Data Protection Laws.
“Purchaser Data” shall have the same definition as set forth in the Agreement.
“Request” means a verified request from a Data Subject to exercise his/her specific data subject rights under the Data Protection Laws applicable to and with respect to their Personal Data.
“Security Measures” means the security measures applicable to the specific Service purchased by Client detailed on Schedule A attached hereto and incorporated herein.
“Standard Contractual Clauses” means the agreement executed by and between Client and Processor and attached hereto as Attachment 1 pursuant to the European Commission’s decision on Standard Contractual Clauses as implemented in Commission Decision 2021/914 dated 4 June 2021 for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as made available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as amended from time to time).
“Sub-processor” means any Data Processor engaged by Processor to assist in fulfilling its obligations with respect to providing the Service.
The terms, “Data Subject”, “Member State”, “Processing”, “Process” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws, as applicable, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Client Data, Client is the Data Controller of Client Data and Processor will process Client Data only as a Data Processor acting on behalf of Client.
2.2 Client’s Processing of Client Data. Client shall (i) comply with the Data Protection Laws and its obligations as a Data Controller under the Data Protection Laws in connection with its use of the Service and with respect to any processing instructions issued to Processor, and (ii) provide notice and either have obtained or obtain all consents and rights necessary under Data Protection Laws for Processor to process Client Data and provide the Service. Client shall have sole responsibility for the accuracy, quality, and legality of Client Data and the means by which Client acquires and uses Client Data. Client represents and warrants that its instructions to Processor with respect to Processing Client Data are compliant with Data Protection Laws.
2.3 Processor’s Processing of Client Data. Processor shall only process Client Data on behalf of and in accordance with Client’s instructions for the period set forth in the Agreement and shall treat Client Data as confidential. The following are deemed instructions by Client to Processor to process Client Data: (i) Processing in accordance with the Agreement and any applicable order form(s) and/or statement(s) of work pursuant thereto; (ii) Processing initiated by Account Users (as hereinafter defined) in their use of the Service; (iii) Processing to comply with other reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with Data Protection Laws and the terms of the Agreement; and (iv) Processing in accordance with all configurations of the Service by or for Client. If Processor believes any instruction from Client violates, or could cause a violation of, Data Protection Law, Processor will promptly inform Client and Processor will be permitted to suspend such Processing connected to the instruction in question.
2.4 Processor will comply with Data Protection Laws as applicable to its performance under the Agreement and this Addendum as Data Processor. Processor will not Process Client Data outside of the direct relationship between Client and Processor, nor will Processor “sell” Client Data or “share” Client Data for purposes of “targeted advertising” (as such terms are defined under Data Protection Laws).
2.5 Details of Data Processing.
(a) Subject matter: The subject matter of the data processing under this Addendum is the Client Data.
(b) Duration: As between Processor and Client, the duration of the data processing under this Addendum is until the termination of the Agreement in accordance with its terms; provided, however, that Processor may continue to store Client Data after the termination of such agreement, as set forth in this Addendum.
(c) Purpose: The purpose of the data processing under this Addendum is the provision of the Service to the Client and the performance of Processor’s obligations pursuant to the Agreement (including this Addendum) or as otherwise agreed by the parties.
(d) Nature of the processing: Processor provides a subscription and/or license to its Service, as described in the Agreement.
(e) Categories of data subjects: Any individual accessing and/or using the Service through the Client’s Account as authorized by Client (“Account Users”).
(f) Types of Client Data:
- Client and Account Users: Account User’s login information to the Service;
- Prohibited Data. Client is contractually prohibited from processing via the Service any Prohibited Data. Client represents and warrants that it will not provide any Prohibited Data to Processor or through the Services.
2.6 Legitimate Interests. Notwithstanding anything to the contrary in the Agreement or this Addendum, Client acknowledges that Processor will have a right to use and disclose data relating to the operation, support and/or use of the Service for its legitimate business purposes, such as billing, account management, technical support, and product development.
3. RIGHTS OF DATA SUBJECTS AND COOPERATION
3.1 Data Subject Requests. Processor will provide reasonable cooperation to assist Client, at Client’s cost to the extent legally permissible, to respond to any Requests from Data Subjects or applicable data protection authorities relating to the processing of Personal Data in connection with the use of the Service. In the event any such Request is made directly to Processor, Processor will respond to such communication directly to redirect such Request to Client.
3.2 Records of Processing. To the extent Client is unable to independently access the relevant records of processing of Client Data within the Service, Processor will provide reasonable cooperation to assist Client in a timely manner as is required by Client to demonstrate Processor’s compliance with its obligations under the Data Protection Laws and under this Addendum.
3.3 Government Requests. If a law enforcement agency sends Processor a demand for Client Data (for example, through a subpoena or court order), Processor will attempt to redirect the law enforcement agency to request that data directly from Client. As part of this effort, Processor may provide Client’s basic contact information to the law enforcement agency. If compelled to disclose Client Data to a law enforcement agency, Processor will give Client reasonable notice of such demand to allow Client to seek a protective order or other appropriate remedy unless Processor is legally prohibited from doing so.
3.4 Data Protection Impact Assessments. To the extent Processor is required under Data Protection Laws, Processor will (at Client’s expense to the extent legally permitted) provide reasonably requested information regarding the Service to enable the Client to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
4. PROCESSOR PERSONNEL
Processor shall treat Client Data as confidential. Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Processor shall ensure that access to Personal Data is limited to those of its personnel who require such access to perform Processor’s obligations under the Agreement and/or to provide the Service.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Client acknowledges and agrees that (a) Processor’s Affiliates may be retained as Sub-processors; and (b) Processor may engage third-party Sub-processors in connection with the provision of the Service. Processor has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Personal Data to the extent applicable to the nature of the Service provided by such Sub-processor. Processor shall make available, upon reasonable request, to Client the current list of Sub-processors for the Service and shall give Client the opportunity to reasonably object to any addition to or replacement of such Sub-processors.
5.2 Objection Right for new Sub-processors. If Client has a reasonable basis to object to Processor’s use of a new Sub-processor, Client shall notify Processor promptly in writing within 10 business days after receipt of Processor’s notice regarding such new Sub-processor. In the event Client objects to a new Sub-processor(s) on a reasonable basis, the parties will use reasonable efforts to work in good faith to find an acceptable, reasonable, alternate solution. If the parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days), Client may terminate the applicable order form(s) and/or statement(s) of work in respect only to the specific Service which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor. Client hereby waives any claim it may have against Processor as a result of Processor’s failure to perform the Services that arise from Client’s objection to a new Sub-processor.
6. SECURITY
6.1 Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including the measures described in the Security Measures. Client is responsible for reviewing the information made available by Processor relating to data security and making an independent determination as to whether the Service meets Client’s requirements and legal obligations under Data Protection Laws. Client acknowledges that the Security Measures are subject to technical progress and development and that Processor may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Client.
6.2 Third-Party Certifications. Processor and its Sub-processors have obtained the third-party certifications and audits, if any, set forth in the Security Measures. Upon Client’s written request no more than once per calendar twelve (12) months, Processor shall provide a copy of Processor’s and/or a Sub-processor’s then most recent third-party audits or certifications, as applicable, or any summaries thereof, that Processor or such Sub-processor, as applicable, generally makes available to its customers at the time of such request. All documents and summaries provided under this Section 6.2 shall be considered confidential information.
6.3 Client Responsibilities. Notwithstanding the above, Client agrees that except to the extent expressly provided in this Addendum, Client is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Client Data when in transit to and from the Service and taking any appropriate steps to securely encrypt or backup any Client Data uploaded to the Service.
6.4 Audits. To the extent Processor is unable to reasonably demonstrate its compliance with this Addendum through Section 6.2, upon Client’s written request but no more than once per calendar twelve (12) month period, and subject to any confidentiality obligations set forth in the Agreement, Processor shall make available to Client information regarding Processor’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits described in the Security Measures. Client may contact Processor in accordance with the “Notices” provision of the Agreement to schedule an on-site audit of the procedures relevant to the protection of Personal Data. Any such audit conducted under this Section 6.4 shall be conducted in compliance with Processor’s safety, security and other relevant policies and shall in no manner impact the security, confidentiality, integrity, or availability of Processor’s data or systems. Further, under no event will the Client be given logical access to the Processor’s systems. Client shall reimburse Processor for any time expended for any such on-site audit at Processor’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such on-site audit, Client and Processor shall mutually agree upon the scope, timing, and duration of the audit. Client shall promptly notify Processor with information regarding any non-compliance discovered during the course of an audit.
7. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION
Processor maintains the security incident management policies and procedures specified in the Security Measures and shall, to the extent permitted by law, notify Client without undue delay of any actual unauthorized disclosure of Client Data by Processor or its Sub-processors of which Processor becomes aware (a “Security Incident”) and provide details of the Security Incident to the Client solely as such details reasonably become available to Processor. To the extent such Security Incident is caused by a violation of the requirements of this Addendum by Processor, Processor shall investigate and take the steps it deems necessary to respond to the cause of such Security Incident in accordance with its data incident response policy and procedures.
8. DELETION OF CUSTOMER DATA
Processor shall delete Client Data in accordance with the procedures and timeframes specified in the Agreement. The parties agree that the certification of deletion of Personal Data shall be provided by Processor to Client only upon Client’s written request. Notwithstanding the foregoing, Processor shall not be required to delete Client Data to the extent Processor is required by applicable law to retain some or all of the Client Data, or to the extent it has archived Client Data on back-up systems, which Client Data Processor will take reasonable measures designed to securely isolate and protect from any further processing. In addition, Processor may retain and use, or continue to use, any anonymized or pseudonymized Client Data for its own, independent and unrestricted purposes.
9. INTERNATIONAL TRANSFERS
9.1 Processing Locations. Unless otherwise specified by Processor to Client, Processor stores Client Data in the United States and/or Canada. For purposes of providing the Service, Client Data may transfer from the originating location of Client Data to the Service located in the United States and/or Canada. Additionally, for purposes of providing the Service including technical support, Client Data may be accessed from locations where Processor’s Affiliates are located.
9.2 Data Privacy Framework. Processor transfers Personal Data from locations in the EEA to the U.S. pursuant to, and in compliance with, the EU-U.S. Data Privacy Framework as the legal basis for such transfers, for as long as the Processor is self-certified to the Privacy Shield. Processor agrees to protect such Personal Data in accordance with the requirements of the EU-U.S. Data Privacy Framework. If the Processor is unable to comply with this requirement, the Processor will inform the Client.
9.3 Standard Contractual Clauses. As an alternative transfer mechanism to the EU-U.S. Data Privacy Framework certification referenced in Section 9.2, to the extent that Processor processes any Personal Data protected by EU Data Protection Laws and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, Processor and Client may enter into the Standard Contractual Clauses approved by the European Commission from time to time for the transfer of Personal Data to Data Processors established in third countries. The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Processor will be deemed the "data importer" and Client will be deemed the "data exporter" (notwithstanding that you may yourself be located outside Europe and/or be acting as a processor on behalf of third party controllers) and (ii) if and to the extent the Standard Contractual Clauses (where applicable) conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.
9.3.1 To the extent Processor’s Processing of Client Data includes transfers of Personal Data out of the European Economic Area (“EEA”), the parties, with effect from the commencement of the relevant transfer, hereby enter into the Standard Contractual Clauses (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer), unless an alternative transfer mechanism permitted by applicable Data Protection Law exists, in which case, the parties can mutually agree to such alternative mechanism in writing. If applicable, the Standard Contractual Clauses are entered into as set forth in Schedule B.
9.3.2 To the extent Processor’s Processing of Client Data includes transfers of Personal Data out of the United Kingdom (“UK”), the parties, with effect from the commencement of the relevant transfer, hereby enter into the Standard Contractual Clauses (mutatis mutandis, as the case may be) and the International Data Transfer Addendum issued by the United Kingdom Information Commissioner’s Office and laid before Parliament in accordance with s119A(1) of the Data Protection Act 2018 on 2 February 2022 (“UK Addendum”) in respect of any transfer (or onward transfer), unless an alternative transfer mechanism permitted by applicable Data Protection Law exists, in which case, the parties can mutually agree to such alternative mechanism in writing. If applicable, the Standard Contractual Clauses are entered into as set forth in Schedule B and the UK Addendum is entered into as set forth in Schedule C.
10. RELATIONSHIP WITH THE AGREEMENT
10.1 Status of Agreement. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. The parties agree that this Addendum shall terminate automatically upon the termination of the Agreement. If there is any conflict between this Addendum and such agreement, this Addendum will prevail to the extent of that conflict.
10.2 Claims. Any claims brought under or in connection with this Addendum will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. Other than liability that may not be limited under applicable law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under such Agreement and all Addenda (including this Addendum) together.
10.3 No Third Party Beneficiary. No one other than a party to this Addendum, its successors and permitted assignees will have any right to enforce any of its terms. Any claims against Processor or its Affiliates under this Addendum will be brought solely against the entity that is a party to the Agreement. Client further agrees that any regulatory penalties or other liabilities incurred by Processor in relation to the Client Data that arise as a result of, or in connection with, Client’s failure to comply with its obligations under this Addendum or any applicable Data Protection Laws will count toward and reduce Processor’s liability under the Agreement as if it were liability to the Processor under the Agreement.
10.4 Governing Law. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
10.5 Aggregated Data. For clarity, and notwithstanding anything to the contrary in the Agreement or this Addendum, this Addendum shall not apply to any Personal Data that has been anonymized, de-identified or aggregated, in compliance with applicable requirements under applicable Data Protection Laws where such requirements exist, such that it is no longer considered Personal Data as defined under applicable Data Protection Laws.
11. LEGAL EFFECT
This Addendum shall be legally binding between Client and Processor, regardless of whether this Addendum is physically appended to the Agreement, provided that this Addendum is incorporated by reference into such Agreement and Client is provided with the URL to this Addendum.
Effective Date of this Data Processing Addendum: 08/07/2024
Schedule A
Security Measures
The security measures Processor implements to protect Personal Data are set forth below, and any others mutually agreed to in writing by the parties pursuant to the Addendum:
Software Development
- All software engineers receive software security training that covers security best practices including OWASP Top Ten and Mobile Security best practices.
- Use of static code analysis tools designed to analyze code for security vulnerabilities.
- All source code is developed in accordance with a standard Software Development Life Cycle (SDLC) process that includes:
(a) Software and Security code review before being promoted to production use;
(b) Running through a continuous integration test suite; and
(c) Manual quality assurance testing
Hosting Environment
- All hosting environments use carrier-class data centers with high availability standards and redundancy. Typical certifications for these data centers include, for example:
(a) PCI DSS Level 1 Service Provider;
(b) SOC 1 Type II & SOC 2 Type II; and
(c) ISO 27001
Confidentiality
- Client Data is protected through reasonable measures designed to prevent unauthorized disclosure other than as provided in this Addendum.
- Client Data is processed only in accordance with this Addendum and only as required for the performance of the Services.
- Processor takes precautions designed to prevent viewing of computer screens that may contain Client Data. When outside of a Processor facility, Processor employees and sub-processors may only access Client Data in a private space or utilize a privacy screen to obscure the Client Data from unauthorized viewing.
Processor ensures that all employees, agents, sub-processors, and representatives likely to handle Client Data are under a duty of confidentiality and receive appropriate security awareness training.
Paper Data
While most documentation and data is managed electronically, there are some circumstances that require printing of paper documents, such as validation documents that require handwritten signatures. When handling printing documents, Processor will take reasonable precautions designed to prevent its exposure to anyone outside of those individuals authorized to access the Personal Data contained within those printed documents.
Client Data contained in printed form is shredded promptly after its use. For validation documents, documents are shredded after all approvals are hand-signed and the document has been scanned.
Passwords and Encryption
All Client Data is encrypted to prevent unauthorized access and access to such Client Data is password protected. The encryption key and passwords are kept secure at all times.
All web traffic is encrypted by TLS 1.2 or greater. Processor follows NIST recommendations for hashing, symmetric encryption and asymmetric encryption.
Security Incidents
If Processor becomes aware of unauthorized access to or disclosure of Client Data under its control, Processor will adhere to the procedures and processes set forth in its own incident response plan.
Audit
Processor executes internal security audits in accordance with its internal audit policies and procedures. Any remedial measures identified in an audit will be promptly implemented by the Processor in its sole discretion.
Access Control
Access to Client Data is restricted pursuant to Processor’s internal access control policies and procedures. Authorized personnel will be permitted to access Client Data only to the extent necessary for the performance of their duties.
Schedule B
Standard Contractual Clauses
- Standard Contractual Clause Appendix: The Appendix to the Standard Contractual Clauses shall be deemed completed pursuant to the below table.
Applicable Module(s): | MODULE TWO: Transfer controller to processor |
Clause 7 – Docking Clause: | MODULE TWO: No |
For Modules Two and Three Clause 9 – Use of sub-processors | MODULE TWO: Option 2: General written authorisation |
Clause 11 – Redress, independent dispute resolution body Option: | MODULE TWO: No |
For Modules One, Two and Three Clause 13 – Supervision | MODULE TWO: Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Section 2(B) of this Schedule B shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Section 2(B) of this Schedule B shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Section 2(B) of this Schedule B shall act as competent supervisory authority. |
Clauses 14 and 15 | Not applicable |
Clause 17 – Governing Law | MODULE TWO: Option 1: Ireland |
Clause 18 – Choice of forum and jurisdiction | MODULE TWO: Courts of Ireland |
- Annex I to the Standard Contractual Clauses: By signing the parties agree to also be bound by the UK Addendum to the EU Commission Standard Contractual Clauses attached hereto. Annex I to the Standard Contractual Clauses shall be deemed completed pursuant to the below table.
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: | The Client to the Addendum |
Address: | As set forth in the Agreement |
Contact person’s name, position and contact details: | As set forth in the Agreement |
Activities relevant to the data transferred under these Clauses: | As set forth in Section 2.4 of the Addendum. |
Signature and date: | By transferring Personal Data from the EEA or the UK (as applicable) to the Data Importer, the Data Exporter will be deemed to have signed the Standard Contractual Clauses as set forth in this Schedule B. |
Role (controller/processor): | Controller |
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: | Nortap Technology Inc. d/b/a Leap Event Technology |
Address: | 10675 Perry Hwy, #1316, Wexford, PA 15090 |
Contact person’s name, position and contact details: | [email protected] |
Activities relevant to the data transferred under these Clauses: | As set forth in Section 2.4 of the Addendum. |
Signature and date: | By receiving Personal Data from the EEA or the UK (as applicable) from the Data Exporter, the Data Importer will be deemed to have signed the Standard Contractual Clauses as set forth in this Schedule B. |
Role (controller/processor): | Processor |
A. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
Categories of personal data transferred | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
Sensitive data transferred (if applicable) | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
(For sensitive data only: applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.) | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
Nature of the processing | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
Purpose(s) of the data transfer and further processing | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | As set forth in Section 2.5 of the Addendum to which these clauses are attached. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | As necessary to provide the Services to the controller. |
B. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 | Irish Data Protection Commission |
- Annex II to the Standard Contractual Clauses: Annex II to the Standard Contractual Clauses shall be deemed completed pursuant to the below.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
As set forth in Schedule A.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
As set forth in Schedule A.
Schedule C
This Schedule C shall apply to any transfer of Personal Data from a Data Exporter located in the United Kingdom, to a Data Importer located in a third country that is not deemed to offer adequately similar protection as provided under United Kingdom law.
TABLE 1: Parties
Start Date | When Personal Data from the UK is first Processed pursuant to the Addendum | |
The Parties | Data Exporter | Data Importer |
Parties’ Details | See Section 2 of Schedule B above | See Section 2 of Schedule B above |
Key Contact | See Section 2 of Schedule B above | See Section 2 of Schedule B above |
Signature | By transferring Personal Data from the UK (as applicable) to the Data Importer, the Data Exporter will be deemed to have signed this Schedule C. | By Processing Personal Data from the UK received from the Data Exporter, the Data Importer will be deemed to have signed this Schedule C. |
TABLE 2: Selected SCCs, Modules, and Selected Clauses
UK Addendum to EU SCCs | The version of the approved EU SCCs which this UK Addendum is appended to, detailed below, including the Appendix Information: Date: Reference (if any): Other identifier (if any): |
Module | Module in Operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time Period) |
1 | N/A | N/A | N/A | N/A | N/A |
2 | N/A | N/A | N/A | N/A | N/A |
TABLE 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:
See Schedule B to the Addendum.
TABLE 4: Ending this UK Addendum when the Approved Addendum Changes
Neither party shall have the right to terminate this Schedule C in the event this Approved UK Addendum changes.
MANDATORY CLAUSES
Entering into this UK Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other Party also agreeing to be bound by this UK Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this UK Addendum
3. Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
UK Addendum | This International Data Transfer Addendum which is made up of this UK Addendum incorporating the UK Addendum EU SCCs. |
UK Addendum EU SCCs | The version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template UK Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the UK Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws apply.
7. If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this UK Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the UK Addendum EU SCCs (as applicable), the Approved Addendum overrides the UK Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the UK Addendum EU SCCs provide greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this UK Addendum incorporates UK Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679, the Parties acknowledge that nothing in this UK Addendum impacts those UK Addendum EU SCCs.
Incorporation of and Changes to the EU SCCs
12. This UK Addendum incorporates the UK Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the UK Addendum EU SCCs; and
c. this UK Addendum (including the UK Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the UK Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this UK Addendum, incorporating the UK Addendum EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module One is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this UK Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the UK Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws.
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this UK Addendum, including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, and any Party selected in Table 4 (Ending this UK Addendum when the Approved Addendum changes) will, as a direct result of the changes in the Approved Addendum, have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the UK Addendum; and/or
b. its risk under the UK Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that they are not substantial and disproportionate, then that Party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.