Data Processing Addendum
This Data Processing Addendum (“Addendum”) supplements the Agreement entered into by and between NMI and Company. Any terms not defined in this Addendum will have the meaning set forth in the Agreement. To the extent NMI receives Personal Data from Company, the terms of this Addendum will apply to the parties.
1. Definitions
1.1 “Addendum” means any person or entity that controls, is controlled by, or is under common control with, such party.
1.2 “Applicable Laws” means any applicable laws, rules, and regulations in any relevant jurisdiction applicable to the Addendum, the Agreement, or the use or Processing of Personal Data, including those concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling of Personal Data. Applicable Laws expressly include, as applicable: (i) the California Consumer Privacy Act (and its successor/amending statute the California Privacy Rights Act) (the “CPRA”); (ii) the Virginia Consumer Data Protection Act (the “VCDPA”); (iii) the Colorado Privacy Act (the “CPA”); (iv) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”); (v) the EU GDPR as it forms part of the law of England and Wales by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (vi) the UK Data Protection Act 2018; and (vii) the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case, as updated, amended or replaced from time to time.
1.3 “Authorized Person” means an employee of either Party or an employee of a Party’s Affiliate who has a need to know or otherwise access Personal Data to enable a Party to perform its obligations under this Addendum or the Agreement and who has been apprised of the confidential nature of Personal Data before they may access such data and who has undergone appropriate background screening and training.
1.4 “Business or Data Controller” means the Company which alone determines the purposes and means of the Processing of Personal Data.
1.5 “Consumer or Data Subject” means a natural person about whom a Data Controller holds Personal Data pursuant to the Agreement and who can be identified, directly or indirectly, by reference to that Personal Data.
1.6 “Consumer Rights or Data Subject Rights” means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws.
1.7 “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission; available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as amended and updated from time to time).
1.8 “ex-EEA Transfer” means the transfer of Personal Data, which is Processed in accordance with the GDPR, outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
1.9 “ex-UK Transfer” means the transfer of Personal Data, which is Processed in accordance with the UK GDPR and the Data Protection Act 2018, outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
1.10 “Personal Data” means any information relating to an identified or identifiable living individual that is transmitted, uploaded, created, processed or stored by NMI as part of the provision of the Services provided by NMI under the Agreement. An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Tokenized data or encrypted data that NMI cannot reidentify is not considered Personal Data.
1.11 “Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data other than (a) through the use of a Company’s or any Users’ generated password that, consistent with the settings and permissions in the respective Service, has rights to access such Personal Data, or (b) access by NMI personnel or Subprocessor personnel whose access to or use of such Personal Data is for the purpose of performance of the Services as permitted under this Agreement and applicable law.
1.12 “Process or Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.13 “Service Provider or Data Processor or Processor” means NMI, which Processes Personal Data on behalf of and pursuant to the instructions of Company.
1.14 “Services” shall have the meaning set forth in the Agreement.
1.15 “Sensitive Personal Data” means data that is also Personal Data but includes a subset of Personal Data that constitutes: “sensitive personal information,” “sensitive data,” or any similar category of information subject to Applicable Laws.
1.16 “Subprocessor” means any third party appointed by or on behalf of NMI to process Personal Data. A Subprocessor may also be referred to as a Third-Party Service Provider.
1.17 “UK Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0, in force 21 March 2022 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, available at International data transfer agreement and guidance page
2. Processing of Data and Compliance with Applicable Laws
2.1 The Parties shall comply with this Addendum at all times during the term of the Agreement and for any period post termination where the Parties process Personal Data in accordance with the Agreement. Any failure by either party to comply with the obligations set forth in this Addendum will be considered a material breach of the Agreement, and the other party will have the right, without limiting any of the rights or remedies under this Addendum or the Agreement, or at law or in equity, to immediately terminate the Agreement for cause.
2.2 The rights and obligations of NMI with respect to Processing are described herein and in the Agreement. The subject matter, nature, purpose and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects involved, are described in Exhibit 1 to this Addendum.
2.3 NMI shall only Process Personal Data for the limited and specified purposes described in Exhibit 1, the terms set forth in this Addendum and in any written instructions provided by Company.
2.4 Company represents and warrants that: (i) it will comply with all Applicable Laws; (ii) any written instructions it provides to NMI will comply with all Applicable Laws; and (iii) it shall make the required disclosures and obtain the necessary consents for NMI to process Personal Data. Company shall notify NMI if an instruction it gave NMI violates Applicable Laws.
2.5 If Company cannot comply with Applicable Laws in the performance of its obligations to NMI, Company agrees to promptly inform NMI in writing of its inability to comply, in which case NMI may (at its discretion) suspend the processing of Personal Data, terminate the Agreement, or otherwise stop processing Personal Data and remediate any issues that arise as a result of Company’s failure to comply with Applicable Laws.
2.6 NMI acknowledges and confirms that it does not receive any Personal Data from Company as consideration for any services or other items provided to Company. Except as expressly set forth in the Agreement, NMI shall not have, derive or exercise any rights or benefits regarding data provided by Company (“Consumer Data”) and NMI shall not sell any Consumer Data, as defined by Applicable Laws. NMI shall not retain, use or disclose any Consumer Data except as necessary for the specific purpose of performing the Services for Company pursuant to the Agreement, for the benefit of the Company (such as, but not limited to, providing insight information or to offer the Company additional products or services), or otherwise for its internal business purposes. Company agrees that NMI may anonymise Consumer Data to use for its internal business purposes and to develop its products and services. NMI understands the rules, restrictions, requirements and definitions of the CPRA and agrees to refrain from taking any action that would cause any transfers of Consumer Data to or from NMI to qualify as a sale of personal information under the CPRA. The terms “personal information,” “sale,” and “sell” for the purposes of this Section 8 are as defined in Section 1798.140 of the California Consumer Protection Act (“CCPA”).
2.7 Company hereby instructs NMI to transfer Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with this Addendum.
3. Security of Personal Data.
3.1 NMI shall in relation to the Personal Data implement the Security Requirements attached hereto as Exhibit 3 and any additional measures required pursuant to Applicable Laws.
3.2 After termination or expiry of the Agreement, upon Company’s written request, NMI shall, and shall ensure that all Authorized Persons, promptly and securely dispose of or return to Company, at Company’s choice, all copies of Personal Data, unless NMI is otherwise required to retain the Personal Data in accordance with Applicable Law.
3.3 Where and to the extent disposal of Personal Data in accordance with Section 3.2 is explicitly prevented by Applicable Law(s) or technically infeasible, NMI or Authorized Persons, as applicable, shall (i) take measures to block such Personal Data from any further Processing (except to the extent necessary for continued Processing explicitly required by Applicable Law(s)), and (ii) continue to exercise appropriate Technical and Organizational Security Measures to protect such Personal Data until it may be disposed of in accordance with Section 3.2.
4. Subprocessing and Authorized Personnel
4.1 NMI shall (i) take reasonable steps to ensure that access to Personal Data is limited to those individuals who need to know/access the Personal Data to provide the Services, and (ii) ensure that all individuals it authorizes to process Personal Data are bound by confidentiality obligations (whether by contract or under Applicable Law) in respect of the processing of Personal Data.
4.2 Company acknowledges that NMI may engage Subprocessors in connection with providing the Services. Company consents to NMI’s use of Subprocessors subject to compliance with the terms in this Section 4. A copy of the list of Subprocessors who are involved in processing of Personal Data can be found here. NMI has entered, and for new Subprocessors will enter, into a written agreement with each Subprocessor that complies with the relevant Applicable Laws applicable to the Subprocessor or the processing.
4.3 NMI will notify Company (for which email shall suffice) if NMI intends to add additional Subprocessors to the above mentioned list, at least fourteen (14) days before the changes come into effect.
4.4 Company may reasonably object to NMI’s use of a new Subprocessor by notifying NMI promptly in writing within fourteen (14) days after receipt of NMI’s notice. If Company reasonably objects to a new Subprocessor and NMI does not resolve Company’s reasonable objection within a reasonable period of time not to exceed fourteen (14) days, either Party may terminate the portion of the Agreement relating to the Services involving the new Subprocessor (which may involve termination of the entire Agreement) by providing written notice to the other Party. Termination under this Section 4.4 will be without fault to either party.
4.5 Each party shall remain responsible and liable for its compliance with Applicable Laws and any obligations ensuing from the Agreement and this Addendum.
5. Personal Data Breach
5.1 NMI shall notify Company of a Personal Data Breach as soon as reasonably practicable, but in any event, not more than forty-eight (48) hours after confirming such Personal Data Breach.
5.2 In the event of a Personal Data Breach, NMI will provide Company with such details as Company reasonably requires (to the extent that such information is known or available to NMI) regarding: (i) the nature of the Personal Data breach, including the categories and approximate numbers of data subjects and Personal Data records concerned; (ii) any investigations into such Personal Data Breach; (iii) the likely consequences of the Personal Data Breach; and (iv) any measures taken, or that NMI recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects and prevent the re-occurrence of the Personal Data Breach.
5.3 NMI may give Company phased updates as additional information regarding the Personal Data Breach becomes available to NMI; and provide reasonable cooperation and assistance to Company in relation to any remedial action to be taken in response to a Personal Data Breach, but will not notify any data subjects of the Personal Data Breach, except pursuant to the Company’s explicit instruction or as required by any law, rule, regulation or binding court order to which NMI is subject.
5.4 Company may share any notification and details provided by NMI under this Section 5 with the appropriate governmental/supervisory authority if required to do so under Applicable Laws.
6. Transfers of Personal Data
6.1 If NMI transfers Personal Data protected under this Addendum to a jurisdiction for which the United Kingdom or European Commission (as applicable) has not issued an adequacy decision (each, a “Restricted Transfer”), NMI shall ensure that (i) a Restricted Transfer by NMI may only be made to Subprocessors as approved by Company in accordance with Section 4 of this Addendum; (ii) any Restricted Transfer conducted by NMI or any Authorized Person shall be undertaken in accordance with the appropriate Standard Contractual Clauses entered into in accordance with Applicable Law (as applicable); and (iii) that each Restricted Transfer will be made after appropriate safeguards have been implemented for the Restricted Transfer of Personal Data in accordance with Applicable Laws.
6.2 Ex-EEA Transfers. If applicable, Ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this Addendum by reference. For the purposes of the EU SCCs, the appropriate module shall be:
(i) Module Two (Controller to Processor), where the Company engages with NMI as a Merchant, with the following options:
a. Clause 7 (Docking Clause) shall apply;
b. In Clause 9 (use of sub-processors) option 2 (general written authorisation) shall apply and the time period shall be that specified in clause 4.2 of this Agreement.
c. In Clause 11, the optional language does not apply;
d. All square brackets in Clause 13 are hereby removed;
e. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the Republic of Ireland;
f. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
g. Exhibit 2 to this Addendum contains the information required in Annex I of the EU SCCs;
h. Exhibit 3 to this Addendum contains the information required in Annex II of the EU SCCs; and
i. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including its Annexes.
(ii) Module Three (Processor to Processor), where the Company engages with NMI as a Reseller acting on behalf of a Merchant(s) as controller of the Personal Data, with the following options:
a. Clause 7 (Docking Clause) shall apply;
b. In Clause 9 (use of sub-processors) option 2 (general written authorisation) shall apply and the time period shall be that specified in clause 4.2 of this Agreement.
c. In Clause 11, the optional language does not apply;
d. All square brackets in Clause 13 are hereby removed;
e. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the Republic of Ireland;
f. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
g. Exhibit 2 to this Addendum contains the information required in Annex I of the EU SCCs;
h. Exhibit 3 to this Addendum contains the information required in Annex II of the EU SCCs; and
i. By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including its Annexes.
6.3 Ex-UK Transfers. If applicable, Ex-UK Transfers are made pursuant to the UK Data Transfer Addendum, which is deemed entered into and incorporated into this Addendum by reference. For the UK Data Transfer Addendum, where applicable the following applies:
(i) Exhibit 4 to this Addendum contains the information required in Part 1 – Tables, of the UK Data Transfer Addendum; and
(ii) By entering into this Addendum, the parties are deemed to have signed the UK Data Transfer Addendum incorporated herein.
7. Rights of Data Subjects.
NMI will provide such assistance as is reasonably required to enable Company to comply with Data Subject Rights requests within the time limits imposed by Applicable Laws.
8. Recordkeeping.
8.1 Recordkeeping. NMI shall maintain records and information in accordance with Applicable Laws to demonstrate its compliance with this Addendum (“Records”).
8.2 Verification Requirements. On reasonable written request, no more than once per calendar year, NMI shall make available to Company all Records necessary to demonstrate compliance with the Applicable Laws. NMI reserves the right to charge reasonable expenses for any additional requests by Company.
9. Miscellaneous
9.1 NMI may modify or amend this Addendum to ensure that it complies with Applicable Laws, providing that it gives the Company reasonable written notice of such changes. Both parties may disclose this Addendum to third parties (including other businesses, Consumers and regulators) for purposes of demonstrating compliance with Applicable Laws.
9.2 If an amendment to this Addendum is required to comply with Applicable Laws, both parties shall work together in good faith to promptly execute a mutually agreeable amendment.
9.3 If any individual provisions of this Addendum are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum shall not be affected.
9.4 This Addendum may be executed in one or more counterparts, each of which shall be deemed to be an original executed copy of the Addendum.
9.5 This Addendum shall automatically terminate upon the termination or expiration of the Agreements under which the Services are provided, but the provisions of this Addendum shall survive beyond termination where NMI is required to process Personal Data after termination or expiry of the Agreement, and in such case the provisions shall continue to apply to the extent that NMI processes the Personal Data.
9.6 In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) Applicable Laws; (2) the terms of this Addendum; and (3) the Agreement.
9.7 Notwithstanding anything contrary to this Addendum or Agreement between the parties, NMI will not be liable to any Data Subject for a claim arising from NMI’s acts or omissions, to the extent that NMI was acting in line with Company’s written instruction and consent.
Exhibit 1
Details of Processing
Nature and Purpose of Processing: Each Party will Process Company’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement, the Data Processing Addendum, and in accordance with Company’s instructions as set forth in this Exhibit 1. The nature of Processing shall include:
- The Parties will process Personal Data as necessary to fulfil the Party’s obligations under the Agreement and as otherwise set forth in this Addendum
Duration of Processing:
- The term of the Agreement.
Categories of Data Subjects: Categories of data subjects whose personal data is transferred include:
- the end-users of the Company or its customers (as applicable) whose payment information is processed through the Services in accordance with the Agreement
Categories of Personal Data:
General Personal Data
- Cardholder data (including but not limited to cardholder name, expiration date, account numbers, service codes)
- Bank account details
- Contact information (including but not limited to name, email, mobile number, address, email address)
- IP address/ location
- Tax ID
Special categories of data / Sensitive Personal Data
- None
Exhibit 2
This Exhibit 2 shall apply in accordance with clause 6.2, where applicable.
A LIST OF PARTIES
For transfers of EU Personal Data:
Data exporter(s):
Name: | Company |
Address: | As specified in the Order Form |
Contact person’s name, position and contact details: | As specified in the Order Form |
Activities relevant to the data transferred under these Clauses: | |
Role: | controller |
Data importer(s):
Name: | NMI |
Address: | As specified in the Order Form |
Contact person’s name, position and contact details: | As specified in the Order Form |
Activities relevant to the data transferred under these Clauses: | |
Role: | processor |
DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred:
- As described in Exhibit 1
Categories of Personal Data transferred
- As described in Exhibit 1.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous, for any period that the data importer provides Services under this Agreement.
Nature of the processing
- As described in Exhibit 1
Purpose(s) of the data transfer and further processing
- As described in Exhibit 1
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
- As described in Exhibit 1
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- As described in Section D below.
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13.
For transfers of EU Personal Data:
Name: | Data Protection Commission, Ireland |
Address: | 21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland |
For transfers of UK Personal Data:
Name: | UK Information Commissioner’s Office |
Address: | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors: As detailed in clause 4.2 of this Data Processing Addendum.
Exhibit 3
Description of the Technical and Organizational Security Measures implemented by NMI
NMI maintains the following administrative, physical and technical safeguards (“Security Requirements”) for the protection of Personal Data, as described in Section 3 of the Addendum and outlined here.
Exhibit 4 UK Addendum (as applicable)
For transfers of Personal Data from Company to NMI which are subject to the UK GDPR (as amended or replaced from time to time), the parties agree to be bound by the terms of the UK Addendum, which shall be completed and entered into as follows:
Part 1:
Table 1: Parties: As set out in the EU SCCs contained in Exhibit 2 of this Addendum.
Table 2: Selected SCCs, Modules and Selected Clauses:
Addendum EU SCCs | The version of the Approved EU SCCs as specified in clause 6.2 of this Agreement and to which this Addendum is appended. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As set forth in Annex 1A of the EU SCCs. |
Annex 1B: Description of Transfer: As set forth in Annex 1B of the EU SCCs. |
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set forth in Annex II of the EU SCCs. |
Annex III: List of Sub processors (Modules 2 and 3 only): As set forth in Annex 3 to the EU SCCs. |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Clause 19 of this Exhibit: [X] Importer [X] Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 . |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications, in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses: