Data processing addendum
This Data Processing Addendum ("DPA") is an additional agreement to the Terms of Service ("Terms") made between the customer ("Customer") and Inorbit Technologies PTY LTD, located in Sydney NSW, Australia ("Company").
By accepting the Terms (which incorporate this DPA), both parties agree to this DPA on behalf of themselves and, where applicable under relevant Data Protection Laws (defined below), on behalf of their Affiliates (defined below), if any. The Effective Date of this DPA is upon agreement by the parties and replaces any previous agreements concerning data processing and/or data protection. This DPA is an integral component of the Terms.
1. Definitions
1.1 “Authorized Sub-Processor” means a third-party who has a need to know or otherwise access Customer’s Personal Data to enable Company to perform its obligations under this DPA or the Terms, and who is either (1) listed on the List (as defined below) or (2) subsequently authorized under Section 4.2 of this DPA.
1.2 "Company Account Data" refers to personal data associated with Company's interactions with Customer. This includes the personal details or contact information of individuals authorized by Customer to access Customer's account, as well as billing information of individuals linked to Customer's account. Additionally, Company Account Data encompasses any necessary data collected by the Company to facilitate the management of its relationship with Customer, perform identity verification, or comply with relevant laws and regulations.
1.3 "Company Usage Data" refers to the data on the usage of the Services collected and processed by the Company. This includes, but is not limited to, information used to determine the origin and destination of a communication, activity logs, and data utilised for the enhancement and upkeep of Service performance. Additionally, it encompasses data employed for the investigation and prevention of system abuse.
1.4 “Data Exporter” means Customer.
1.5 “Data Importer” means Company.
1.6 "Data Protection Laws" refers to the applicable laws and regulations in any relevant jurisdiction concerning the utilisation or handling of Personal Data. These laws include, but are not limited to:
California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act ("CPRA");
General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), and the EU GDPR incorporated into the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), collectively referred to as the "GDPR";
UK Data Protection Act 2018;
Privacy and Electronic Communications (EC Directive) Regulations 2003; and
Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq.) ("VCDPA").
These laws are subject to updates, amendments, or replacements from time to time. Terms such as "Data Subject," "Personal Data," "Personal Data Breach," "processing," "processor," "controller," and "supervisory authority" are defined in accordance with the GDPR.
1.7 "EU SCCs" refers to the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021. These clauses are designed for transfers of personal data to countries not otherwise recognised as offering an adequate level of protection for personal data by the European Commission. The EU SCCs may be amended and updated from time to time. Additionally, they are modified by Section 6.2 of this DPA.
1.8 "ex-EEA Transfer" refers to the transfer of Personal Data, which is processed in compliance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"). This transfer occurs when it is not regulated by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.9 "ex-UK Transfer" refers to the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in compliance with the UK GDPR and the Data Protection Act 2018. This transfer occurs from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"). It is important to note that such transfer is not regulated by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.10 "Security Incident" refers to a confirmed or reasonably suspected accidental or unlawful occurrence involving the destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.11 “Services” shall have the meaning set forth in the Terms.
1.12 “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
1.13 “Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.
1.14 “UK SCCs” means the EU SCCs, as amended by the UK Addendum.
2. Relationships between the parties; Data Processing
2.1 The parties acknowledge and agree that concerning the processing of Personal Data, Customer may function as either a controller or processor, and unless otherwise expressly stated in this DPA or the Terms, Company operates as a processor. Customer must ensure that, in its utilization of the Services, it consistently processes Personal Data in adherence to Data Protection Laws. Customer holds sole responsibility for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the methods by which Customer obtained such Personal Data, and (iii) the instructions it issues to Company regarding the processing of said Personal Data (as detailed below). Customer must refrain from providing or making accessible to Company any Personal Data that violates the Terms or is otherwise unsuitable for the nature of the Services, and is liable to indemnify Company against all claims and losses arising in connection therewith.
Customer appoints Company as a processor to handle Personal Data on behalf of and in accordance with Customer's instructions:
(a) as outlined in the Terms and this DPA, and as necessary to deliver the Services to Customer. This includes investigating security incidents, preventing spam and fraudulent activity, and identifying and thwarting network exploits or abuse;
(b) as required to adhere to applicable laws or regulations, including Data Protection Laws; and
(c) as otherwise mutually agreed upon in writing between Customer and Company.
Customer acknowledges that Company is not responsible for determining the applicable laws or regulations pertaining to Customer's business, nor whether the provision of Services by Company aligns with or will comply with such laws or regulations. Company will notify Customer if it becomes aware or reasonably believes that Customer's instructions contravene any applicable law or regulation, including Data Protection Laws.
2.2 Company is prohibited from processing Personal Data:
for purposes other than those specified in the Terms and/or Exhibit A;
in a manner inconsistent with the terms and conditions outlined in this DPA or any other documented instructions provided by Customer, including transfers of Personal Data to a third country or international organisation, unless compelled by applicable Data Protection Laws. In such instances, Company shall notify Customer of such legal requirement prior to processing, unless prohibited by law on important grounds of public interest; or
in contravention of Data Protection Laws.
Customer hereby instructs Company to process Personal Data in accordance with the aforementioned guidelines and as part of any processing initiated by Customer in its utilization of the Services.
2.3 The scope, nature, purpose, and duration of the processing by Company, along with the types of Personal Data collected and categories of Data Subjects, are detailed in Exhibit A to this DPA.
2.4 Upon completion of the Services, at the discretion of Customer, Company will either return or delete Customer's Personal Data, unless further retention of such Personal Data is necessitated or authorised by applicable Data Protection Laws. If returning or destroying the data is impractical or prohibited by law, rule, or regulation, Company will implement measures to restrict further processing of such Personal Data (except as required for ongoing hosting or processing mandated by law, rule, or regulation) and will continue to adequately safeguard the Personal Data in its possession, custody, or control. If Customer and Company have executed Standard Contractual Clauses as delineated in Section 6 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data, as described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable), will be provided by Company to Customer solely upon Customer's request.
3. Confidentiality
3.1 Customer agrees that Company may disclose Personal Data to its advisers, auditors, or other third parties as reasonably required in connection with the fulfilment of its obligations under this DPA, the Terms, or the provision of Services to Customer.
3.2 If any Third Party Request is directed to Company regarding its processing of Personal Data, Company will promptly notify Customer and provide relevant details, to the extent permitted by law. Company will not respond to any Third Party Request without prior consent from Customer, except where legally obligated or to verify that the request pertains to Customer.
3.3 Company will ensure that any individual authorized to process Personal Data has consented to uphold confidentiality obligations in accordance with Company's terms of confidentiality as outlined in the Terms.
4. Authorised Sub-Processors
4.1 Customer acknowledges and agrees that Company may involve its Affiliates and engage Authorized Sub-Processors as per Section 4.2, to access and process Personal Data concerning the Services. Customer grants Company general written authorisation to engage sub-processors as required to carry out the Services.
4.2 Company maintains a List of its current Authorized Sub-Processors, which is accessible here. This List may be updated periodically by Company. It includes a mechanism for Customers to subscribe to notifications regarding new Authorized Sub-Processors. If Customer opts for such notifications, Company will promptly provide details of any changes in Authorized Sub-Processors.
Before granting access or involvement in the processing of Personal Data to any third party not listed as an existing Authorized Sub-Processor, Company will add such third party to the List at least ten (10) days in advance and notify Customer accordingly in writing. This notification may be posted via our Authorized Sub-Processor change log located here. Customer reserves the right to object to such engagement by informing Company within ten (10) days of receiving the aforementioned notice. Any objection must be submitted in writing and must be based on reasonable grounds related to data protection.
Customer acknowledges that certain sub-processors are essential for providing the Services and that objecting to the use of a sub-processor may impede Company's ability to offer the Services to Customer.
4.3 If Customer reasonably objects to an engagement in accordance with Section 4.2, and Company cannot provide a commercially reasonable alternative within 90 days of such objection, Customer may cease using the affected Service by giving written notice to Company. However, discontinuation shall not exempt Customer from any fees owed to Company under the Terms.
4.4 If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Company, that third party will be considered an Authorized Sub-Processor for the purposes of this DPA.
4.5 Company agrees to impose contractual data protection obligations, including appropriate technical and organisational measures, on any sub-processor it appoints that necessitates such measures to protect Personal Data to the standard mandated by Applicable Data Protection Law and this DPA. If an Authorized Sub-Processor fails to fulfil its data protection obligations under such agreement with Company, Company will remain liable to Customer for the fulfilment of the Authorized Sub-Processor’s obligations under such agreement.
4.6 If Customer and Company have executed Standard Contractual Clauses as delineated in Section 6 (Transfers of Personal Data), (i) the aforementioned authorisations will constitute Customer's prior written consent to Company subcontracting the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that copies of the agreements with Authorized Sub-Processors, as required by Clause 9(c) of the EU SCCs, may be edited by Company to remove commercial information or information unrelated to the Standard Contractual Clauses or their equivalent, before being provided to Customer upon request.
5. Security of Personal Data
5.1 Considering the nature, scope, context, and purposes of processing, among other factors, Company is obligated to maintain suitable technical and organisational measures to ensure a level of security commensurate with the risk of processing Personal Data. Additional information about Company's technical and organisational security measures is provided in Exhibit B.
5.2 Company will provide notification of a Security Incident as follows:
(a) Customer will be notified without undue delay, and in no event later than seventy-two (72) hours after Customer's discovery of a Security Incident impacting Personal Data, provided such notification is permitted by applicable law or regulation, and Company is acting as a processor;
(b) Company will, as permitted and required by applicable law or regulation, promptly inform Customer of any Security Incident involving Company Account Data and/or Company Usage Data, where Company acts as a controller; and
(c) Customer will receive notification of any Security Incident via email, sent to the email address(es) designated by Customer in Customer's account.
Company will exert reasonable efforts to detect a Security Incident. In the event a Security Incident is attributed to Company's breach of this DPA, Company will promptly take corrective action to address the cause of such Security Incident, based on its sole discretion to the extent it deems necessary and reasonable to rectify the violation. Moreover, Company will extend reasonable assistance to Customer should Customer be obligated under applicable Data Protection Laws to notify a regulatory authority or affected data subjects about a Security Incident.
It's important to note that Company's duty to report or address a Security Incident does not imply an admission of fault or liability on the part of Company regarding the incident.
6. Transfers of Personal Data
6.1 The parties consent to Company transferring Personal Data processed under this DPA outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland as necessary to deliver the Services. Customer acknowledges that Company's primary processing activities occur in the United States and that the transfer of Customer's Personal Data to the United States is essential for providing the Services. If Company transfers Personal Data protected under this DPA to a jurisdiction lacking an adequacy decision from the European Commission, Company will ensure that suitable safeguards are in place for the transfer of Personal Data, as required by Data Protection Laws.
6.2 Ex-EEA Transfers: The parties agree that transfers of Personal Data from the EEA are conducted in accordance with the EU Standard Contractual Clauses (EU SCCs). These clauses are considered to be agreed upon (and incorporated into this DPA by reference) and finalized as follows:
6.2.1 Module One (Controller to Controller) of the EU SCCs is applicable when Company processes Personal Data as a controller as per Section 9 of this DPA.
6.2.2 Module Two (Controller to Processor) of the EU SCCs applies when Customer acts as a controller and Company processes Personal Data on behalf of Customer as a processor, as outlined in Section 2 of this DPA.
6.3 For each module, the following provisions apply:
6.3.1 The optional docking clause in Clause 7 is not applicable.
6.3.2 In Clause 9, Option 2 (general written authorisation) applies, and the minimum time period for prior notice of sub-processor changes shall be as outlined in Section 4.2 of this DPA.
6.3.3 The optional language in Clause 11 does not apply.
6.3.4 All square brackets in Clause 13 are hereby removed.
6.3.5 In Clause 17 (Option 1), the EU SCCs will be governed by the laws of Ireland.
6.3.6 Disputes will be resolved before the courts of Dublin, Ireland, as stipulated in Clause 18(b).
6.3.7 Exhibit B to this DPA contains the information required in Annex I and Annex III of the EU SCCs.
6.3.8 Exhibit B to this DPA contains the information required in Annex II of the EU SCCs.
6.3.9 By entering into this DPA, the parties are considered to have executed the EU SCCs incorporated herein, along with their Annexes.
6.4 Ex-UK Transfers: The parties agree that transfers outside the UK are conducted under the UK SCCs. These SCCs are considered to be agreed upon and incorporated into this DPA by reference, and they are amended and completed under the UK Addendum, which is included as Exhibit C of this DPA.
6.5 Transfers from Switzerland: The parties agree that transfers from Switzerland are conducted under the EU SCCs with the following modifications:
6.5.1 The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as referenced in the EU SCCs shall be construed to include the Federal Act on Data Protection of 19 June 1992 (referred to as the "FADP," and as revised as of 25 September 2020, the "Revised FADP") concerning data transfers governed by the FADP.
6.5.2 The provisions of the EU SCCs shall be construed to safeguard the data of legal entities until the effective date of the Revised FADP.
6.5.3 Clause 13 of the EU SCCs is amended to stipulate that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland shall have jurisdiction over data transfers governed by the FADP, while the appropriate EU supervisory authority shall have jurisdiction over data transfers governed by the GDPR. Subject to this adjustment, all other requirements of Section 13 shall be adhered to.
6.5.4 The term "EU Member State" as referenced in the EU SCCs shall not be interpreted in a manner that excludes Data Subjects in Switzerland from exercising their rights in their habitual place of residence in accordance with Clause 18(c) of the EU SCCs.
6.6 Supplementary Measures: Concerning any transfer from outside the EEA or the UK, the following additional measures shall be implemented:
6.6.1 As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, requesting access to (or copies of) Customer’s Personal Data ("Government Agency Requests");
6.6.2 If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Company will endeavor to redirect the law enforcement or government agency to request the data directly from Customer. As part of this process, Company may furnish the government agency with Customer's basic contact information. In the event Company is compelled to disclose Customer's Personal Data to a law enforcement or government agency, Company will provide Customer with reasonable notice of the demand and collaborate to enable Customer to seek a protective order or other appropriate remedy, unless legally prohibited. Company will not voluntarily disclose Personal Data to any law enforcement or government agency. The Data Exporter and Data Importer shall promptly discuss and determine whether all or any transfers of Personal Data under this DPA should be suspended in light of such Government Agency Requests.
6.6.3 The Data Exporter and Data Importer will convene regular meetings to assess whether:
(i) the protection provided by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to offer a level of protection broadly equivalent to that provided in the EEA or the UK, as applicable;
(ii) additional measures are reasonably necessary to ensure that the transfer complies with Data Protection Laws; and
(iii) it remains appropriate for Personal Data to be transferred to the relevant Data Importer, considering all pertinent information available to them and any guidance provided by supervisory authorities.
6.6.4 If Data Protection Laws mandate the Data Exporter to execute the Standard Contractual Clauses for a specific transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer will promptly comply with the Data Exporter's request to execute such Standard Contractual Clauses. This execution will incorporate any necessary amendments to reflect applicable appendices and annexes, transfer details, and the requirements of relevant Data Protection Laws.
6.6.5 If (i) any of the methods for legitimizing transfers of Personal Data outside the EEA or UK outlined in this DPA become invalid, or (ii) any supervisory authority mandates the suspension of transfers of Personal Data via those methods, the Data Importer may, by notifying the Data Exporter, amend or implement alternative arrangements for such transfers as mandated by Data Protection Laws, with effect from the specified date in such notice.
7. Rights of Data Subjects
7.1 Company will, to the extent permissible under applicable Data Protection Law, notify Customer upon receipt of a Data Subject's request to exercise their rights regarding their Personal Data. These rights include access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to automated decision-making (collectively referred to as "Data Subject Request(s)").
If Company receives a Data Subject Request pertaining to Customer's data, Company will advise the Data Subject to direct their request to Customer. Customer will then be responsible for addressing such requests, including, if necessary, utilizing the functionalities provided by the Services. Customer bears the sole responsibility for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Company. Furthermore, Customer is responsible for maintaining a record of consent to processing for each Data Subject, where applicable.
7.2 Upon the Customer's request and considering the nature of the processing relevant to any Data Subject Request, Company will assist the Customer in fulfilling its obligation to respond to such requests and/or demonstrate compliance within the timeframe stipulated by applicable Data Protection Laws, to the extent feasible. This assistance is provided under the condition that (i) the Customer is unable to respond independently, including through any self-service features provided, and (ii) Company can provide such assistance in accordance with all relevant Data Protection Laws. The Customer shall bear any costs and expenses arising from such assistance by Company to the extent permitted by law.
8. Actions and Access Requests: Audits
8.1 Considering the nature of the processing and the information accessible to Company, Company will offer Customer reasonable cooperation and assistance as necessary for Customer to fulfill its obligations under the GDPR regarding conducting a data protection impact assessment and/or demonstrating compliance, provided that Customer lacks access to the pertinent information otherwise. Customer shall bear any costs and expenses arising from such assistance by Company to the extent permitted by law.
8.2 Taking into account the nature of the processing and the information at its disposal, Company will extend reasonable cooperation and assistance to Customer concerning Customer's collaboration and/or prior consultation with any governmental authority, as required by the GDPR. Customer shall be responsible for any costs and expenses arising from such assistance by Company, to the extent legally permitted.
8.3 Customer and Company recognize that Customer must be able to evaluate Company's adherence to its obligations under applicable Data Protection Laws and this DPA. Company will maintain records adequate to demonstrate its compliance with its obligations under this DPA and retain such records for a duration of three (3) years following the termination of the Terms.
8.4 Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (i) provide copies of certifications or reports demonstrating Company's compliance with prevailing data security standards applicable to the processing of Customer's Personal Data for Customer's review, or (ii) if reports or certifications are deemed insufficient under Data Protection Laws, allow Customer's independent third-party representative to conduct an audit or inspection of Company's data security infrastructure and procedures. Such audit or inspection must be adequate to demonstrate Company's compliance with its obligations under Data Protection Laws. Customer shall adhere to the following conditions:
(a) provide reasonable prior written notice of any audit request, ensuring the inspection does not unduly disrupt Company's business operations;
(b) conduct the audit during business hours and limit it to once per calendar year; and
(c) restrict the audit to data relevant to Customer.
Customer shall bear the costs associated with any audits or inspections, including reimbursing Company for time spent on on-site audits. If Customer and Company have executed Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that audits outlined in Clause 8.9 of the EU SCCs shall align with this Section 8.4.
8.5 Company shall promptly notify Customer if an instruction, in Company's judgment, violates Data Protection Laws or supervisory authority directives.
9. Company's Role as a Controller
The parties acknowledge and affirm that regarding Company Account Data and Company Usage Data, Company operates as an independent controller, distinct from Customer, and not as a joint controller. Company will handle Company Account Data and Company Usage Data as a controller for the following purposes: (i) managing the relationship with Customer; (ii) conducting core business operations such as accounting, audits, tax preparation and filing, and compliance activities; (iii) monitoring, investigating, preventing, and detecting fraud, security incidents, and other misuse of the Services, aiming to safeguard Customer's interests; (iv) performing identity verification procedures; (v) adhering to legal or regulatory obligations concerning the processing and retention of Personal Data applicable to Company; and (vi) abiding by Data Protection Laws, as well as complying with this DPA and the Terms. Company may also process Company Usage Data as a controller to deliver, enhance, and maintain the Services, within the bounds permitted by Data Protection Laws. Any processing by the Company as a controller shall be in accordance with the Company’s
10. Conflict
In case of any conflict or inconsistency among the following documents, the order of precedence shall be as follows:
(1) the applicable terms outlined in the Standard Contractual Clauses;
(2) the provisions of this Data Processing Addendum (DPA);
(3) the Terms agreed upon by the parties; and
(4) the Company's privacy policy.
Any claims arising in connection with this DPA will be subject to the terms and conditions delineated in the Terms, which include, but are not limited to, the exclusions and limitations specified therein.
Exhibit A - Details of processing
Nature and Purpose of Processing: Company will handle Customer's Personal Data as necessary to fulfill the Services outlined in the Terms, for the purposes specified in both the Terms and this DPA, and in accordance with Customer's instructions as delineated in this DPA. The processing activities may include, but are not limited to: receiving, storing, utilizing, updating, safeguarding, deleting, and disposing of data.
Duration of Processing: Company will process Customer's Personal Data for the duration required to (i) deliver the Services to Customer as per the Terms; (ii) address Company's legitimate business requirements; or (iii) comply with relevant laws or regulations. Processing of Company Account Data and Company Usage Data will adhere to the stipulations laid out in Company's privacy policy.
Categories of Data Subjects: This encompasses the Personal Data of any individuals provided by Customer in association with the Services, including but not limited to Customer's employees and end users.
Categories of Personal Data: Company processes various types of Personal Data encompassed within Company Account Data, Company Usage Data, and any Personal Data provided by Customer (including any Personal Data collected from its end users and processed through the Services) or collected by Company to facilitate the Services or as otherwise stipulated in the Terms or this DPA.
Categories of Personal Data may include but are not limited to: real names (as supplied by Customer), internet protocol addresses, email addresses, job roles, work or personal addresses, account names, or any other Personal Data entered by Customer on behalf of its employees or end-users.
Sensitive Data or Special Categories of Data: Customer is prohibited under the Terms from processing any data containing sensitive information such as passwords, credit card details, Patient Health Information, personal identification numbers, or similar types of sensitive personal data.
Exhibit B - Technical and organisational Security Measures
Purpose: This exhibit outlines the security program of the Processor, including security certifications, and delineates the physical, technical, organisational, and administrative controls and measures put in place to safeguard Personal Data from unauthorised access, destruction, use, modification, or disclosure (hereafter referred to as the "Security Measures"). These Security Measures are designed to align with the commonly accepted standards of similarly situated software-as-a-service providers, often referred to as "industry standard."
Updates and Modifications: The Security Measures remain subject to technical progress and development. The Processor reserves the right to update or modify these measures periodically. However, such updates and modifications will be implemented with the utmost care to ensure that they do not materially degrade or diminish the overall security of the application, as described in this document.
Definitions: Any capitalised terms used herein but not explicitly defined have the meanings set forth in the Terms of Service, as applicable.
Security Measures:
The Security Measures are detailed in the following table:
Exhibit C - UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
This UK Addendum shall take effect concurrently with the Data Protection Agreement (DPA).
Table 1: Parties
Table 2: Selected SCCs, Modules, and Selected Clauses
The EU Standard Contractual Clauses (SCCs) referred to in this UK Addendum are the version specified in the Data Protection Agreement (DPA) and completed by Sections 6.2 and 6.3 of the DPA.
Table 3: Appendix Information
"Appendix Information" refers to the details required for the chosen modules as outlined in the Appendix of the Approved EU Standard Contractual Clauses (SCCs), excluding the particulars of the Parties involved. For this UK Addendum, such information is delineated in:
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
Entering into this UK Addendum
Each party hereby consents to be legally bound by the provisions delineated in this UK Addendum, on the condition that the other party also commits to adhere to the terms and conditions outlined herein.
While Annex 1A and Clause 7 of the Approved EU Standard Contractual Clauses (SCCs) necessitate signature by the Parties, for facilitating ex-UK Transfers, the Parties may execute this UK Addendum through any means that renders them legally binding on both Parties and enables data subjects to assert their rights as articulated herein. Entering into this UK Addendum shall carry equivalent weight as signing the Approved EU SCCs and any segment thereof.
Interpretation of this UK Addendum
In instances where this UK Addendum employs terminology defined in the Approved EU Standard Contractual Clauses (SCCs), those terms shall bear the same significance as outlined in the Approved EU SCCs. Furthermore, the following terms hold the subsequent meanings:
The UK Addendum shall consistently be construed under UK Data Protection Laws, ensuring compliance with the Parties' obligation to provide the Appropriate Safeguards.
If any provisions within the UK Addendum modify the Approved EU SCCs in a manner not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendments shall not be integrated into the UK Addendum. Instead, the corresponding provision of the Approved EU SCCs will be applied.
In cases of inconsistency or conflict between UK Data Protection Laws and the UK Addendum, UK Data Protection Laws shall take precedence.
If the interpretation of the UK Addendum is ambiguous or there are multiple interpretations, the interpretation most closely aligned with UK Data Protection Laws shall prevail.
Any references to legislation (or specific provisions thereof) shall encompass that legislation (or specific provision) as it may evolve. This includes instances where the legislation (or specific provision) has been consolidated, re-enacted, or replaced after the execution of the UK Addendum.
Hierarchy
Despite Clause 5 of the Approved EU SCCs stipulating that they take precedence over all related agreements between the parties, the parties agree that, for transfers from the UK (ex-UK Transfers), the hierarchy outlined in Section 10 below will take precedence.
In cases of any inconsistency or conflict between the Approved UK Addendum and the EU SCCs (where applicable), the Approved UK Addendum supersedes the EU SCCs. However, if the terms of the EU SCCs that are inconsistent or conflicting offer greater protection for data subjects, those terms will take precedence over the Approved UK Addendum.
If this UK Addendum incorporates EU SCCs that have been established to safeguard transfers from the EU, which are subject to the GDPR, the parties acknowledge that nothing in the UK Addendum affects those EU SCCs.
Incorporation and Changes to the EU SCCs
This UK Addendum includes the EU SCCs, which are modified as necessary so that:
They collectively apply to data transfers from the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter's processing during such transfers, and they establish Appropriate Safeguards for these transfers.
Sections 9 to 11 outlined above take precedence over Clause 5 (Hierarchy) of the EU SCCs.
If the parties haven't agreed upon alternative modifications meeting the requirements of Section 12 of this UK Addendum, the provisions of Section 15 of this UK Addendum will be enforced.
No alterations to the Approved EU SCCs, aside from those required to comply with the provisions of Section 12 of this UK Addendum, are permissible.
The following modifications to the EU SCCs, as outlined in Section 12 of this UK Addendum, are implemented:
References to the "Clauses" mean this UK Addendum, incorporating the EU SCCs;
In Clause 2, remove the phrase: "and, concerning data transfers from controllers to processors and/or processors to processors, standard contractual clauses under Article 28(7) of Regulation (EU) 2016/679"
Clause 6 (Description of the transfer(s)) is updated to: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.";
Clause 8.7(i) of Module 1 is revised to: "it is to a country benefitting from adequacy regulations under Section 17A of the UK GDPR that covers the onward transfer";
Clause 8.8(i) of Modules 2 and 3 is amended to: "the onward transfer is to a country benefitting from adequacy regulations under Section 17A of the UK GDPR that covers the onward transfer;"
References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all substituted with "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are eliminated;
References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all substituted with "UK";
The mention of "Clause 12(c)(i)" in Clause 10(b)(i) of Module one is replaced with "Clause 11(c)(i)";
Clause 13(a) and Part C of Annex I are not utilized;
The terms "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
In Clause 16(e), subsection (i) is substituted with: "the Secretary of State makes regulations under Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";
Clause 17 is updated to: "These Clauses are governed by the laws of England and Wales.";
Clause 18 is amended to: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.";
The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10, and 11.
Amendments to the UK Addendum
The parties retain the option to modify Clauses 17 and/or 18 of the EU SCCs to reference the laws and/or courts of Scotland or Northern Ireland.
Should the parties desire to alter the format of the information contained in Part 1: Tables of the Approved UK Addendum, they may do so by mutual agreement in writing, provided that such modifications uphold the Appropriate Safeguards.
The ICO reserves the right to issue a revised Approved UK Addendum periodically, which may:
Introduce reasonable and proportionate amendments to the Approved UK Addendum, including rectifying errors therein; and/or
Reflect alterations to UK Data Protection Laws.
The revised Approved UK Addendum will stipulate the effective start date of the changes and whether the parties are required to review this UK Addendum, including the Appendix Information. This UK Addendum will be automatically amended according to the provisions outlined in the revised Approved UK Addendum from the specified start date.
If the ICO issues a revised Approved UK Addendum under Section 18 of this UK Addendum, and a party will experience a significant, disproportionate, and demonstrable increase in:
Its direct costs associated with fulfilling its obligations under the UK Addendum; and/or
Its risk exposure under the UK Addendum,
and provided that it has initially taken reasonable measures to mitigate those costs or risks to a reasonable extent, such that they are not substantial and disproportionate, then that party may terminate this UK Addendum with a reasonable notice period, by giving written notice of such period to the other party before the start date of the revised Approved UK Addendum.
The parties are not required to seek consent from any third party to make alterations to this UK Addendum, but any modifications must be conducted under its provisions.
Exhibit E - United States Privacy Law Exhibit
This United States Privacy Law Exhibit ("Exhibit") complements the Data Protection Agreement (DPA) and provides additional details mandated by the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Any terms not explicitly defined in this Exhibit shall carry the meanings ascribed to them in the DPA and/or the Terms.
A. California
Definitions
For the context of this Section A, the following terms shall bear the meanings ascribed to them in the CPRA: "Business," "Business Purpose," "Commercial Purpose," "Consumer," "Personal Information," "Processing," "Sell," "Service Provider," "Share," and "Verifiable Consumer Request."
All mentions of "Personal Data," "Controller," "Processor," and "Data Subject" in the Data Protection Agreement (DPA) shall be construed as references to "Personal Information," "Business," "Service Provider," and "Consumer," respectively, as defined in the CPRA.
Obligations
Except regarding Company Account Data and Company Usage Data (as defined in the DPA), the parties acknowledge and agree that Customer acts as a Business, and Company acts as a Service Provider under the CPRA (where applicable). Company receives Personal Information from Customer solely to deliver the Services as outlined in the Terms, constituting a Business Purpose.
Customer shall only disclose Personal Information to Company for the specific purposes detailed in Exhibit A of this DPA.
Company is prohibited from Selling or Sharing Personal Information obtained from Customer under the Terms.
Company may not retain, utilize, or divulge Personal Information received from Customer as per the Terms for any reason, including Commercial Purposes, except as necessary to fulfill the Services for Customer under the Terms, or as otherwise specified in the Terms or permitted by the CPRA.
Company may not retain, utilize, or disclose Personal Information received from Customer as per the Terms beyond the direct business association between Company and Customer, except where and to the extent allowed by the CPRA.
Company shall promptly notify Customer if it determines that it can no longer fulfill its obligations under the CPRA.
Unless permitted by the CPRA, Company shall refrain from amalgamating Personal Information obtained from or on behalf of Company with Personal Information received from or on behalf of another party, or collected from its interactions with the Consumer.
Company shall adhere to all obligations imposed on Service Providers by the CPRA, including ensuring that the level of privacy protection afforded to Personal Information provided by Customer under the Terms meets the requirements stipulated by the CPRA.
If the Company engages a new Sub-Processor to aid in delivering the Services to Customer under the Terms, Company shall: (i) notify Customer of such engagement via the notification mechanism outlined in Section 4.2 of the DPA at least ten (10) days before enabling a new Sub-Processor; and (ii) establish a written agreement with the Sub-Processor mandating compliance with all relevant provisions of the CPRA.
Consumer Rights
Company is obligated to aid Customer in addressing Verifiable Consumer Requests to exercise the Consumer's rights under the CPRA, as outlined in Section 7 of the DPA.
Audit Rights
As required by the CPRA, Company must permit Customer to conduct inspections or audits under Section 8.4 of the DPA.
B. Virginia
Definitions
For the purpose of this Section B, the terms "Consumer," "Controller," "Personal data," "Processing," and "Processor" shall carry the meanings ascribed to them in the VCDPA.
All mentions of "Data Subject" in this DPA shall be considered references to "Consumer" as defined in the VCDPA.
Obligations
Except concerning Company Account Data and Company Usage Data (as defined in the DPA), the parties acknowledge and agree that Customer acts as a Controller, and Company acts as a Processor under the VCDPA (to the extent applicable).
The specifics regarding the nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Consumers, are delineated in Exhibit A of this DPA.
Company shall strictly adhere to Customer's directives regarding the Processing of Customer Personal Data and shall assist Customer in fulfilling its obligations under the VCDPA by:
(a) Aiding Customer in addressing Consumer rights requests under the VCDPA, as outlined in Section 7 of the DPA;
(b) Adhering to Section 5 ("Security of Personal Data") of the DPA concerning Personal Data provided by Customer;
(c) In the event of a Security Incident, furnishing information adequate to enable Customer to meet its obligations under Va. Code § 18.2-186.6; and
(d) Providing information sufficient to enable Customer to conduct and document data protection assessments as required by the VCDPA.
Company shall maintain the confidentiality of Personal Data provided by Customer and ensure that every individual processing such Personal Data is bound by a duty of confidentiality concerning such Processing.
Upon Customer's written request, Company shall delete or return all Personal Data provided by Customer under Section 2.4 of the DPA, unless retention of such Personal Data is mandated or authorized by law or the DPA and/or Terms.
If Company engages any other person or a new Sub-Processor to assist in providing the Services to Customer under the Terms, Company shall execute a written contract with the Sub-Processor mandating compliance with all applicable requirements of a Processor outlined in the VCDPA.
Audit Rights
Upon Customer's written request at reasonable intervals, Company shall, as outlined in Sections 8.3-8.4 of the DPA, (i) provide Customer with all necessary information within its possession to demonstrate Company's compliance with its obligations under the VCDPA; and (ii) permit and cooperate with reasonable inspections or audits as mandated by the VCDPA.
Last updated