1.0 Purpose of the DPA. This Data Processing Agreement (“DPA”) forms part of the agreement between Cord and Customer for the purchase of services (the “Services”) by Customer from Cord (the “Agreement”) and sets out the additional terms, requirements and conditions relating to Cord’s processing of Personal Data in connection with the Services. This DPA contains the mandatory clauses required by Article 28(3) of GDPR and UK GDPA (both as defined below) for contracts between controllers and processors.
2.0 Definitions. For the purpose of this DPA, these terms shall mean the following:
2.1 “Applicable Data Protection Law” shall mean the following laws and regulations of the United States, the European Union, the European Economic Area and/or their member states, and Switzerland and/or the United Kingdom in force from time to time as applicable to the Processing of the categories of Personal Data set forth in Section 4.7 of this DPA: the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Swiss Federal Data Protection Act (“FDPA”), the UK General Data Protection Regulation which has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018 (“UK GDPR”) and the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100-.199 (“CCPA”).
2.2 “Authorized Personnel” means (a) Cord employees and Cord Affiliates’ employees who have a need to know or otherwise access Personal Data for the purposes of performing applicable Services; and (b) Cord’s contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable Cord to perform the Services. For the avoidance of doubt, Authorized Personnel include the sub-processors set forth in Section 7.
2.3 “EEA” means European Economic Area.
2.4 “EU Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data from the EEA to non-EEA countries that do not provide an adequate level of data protection approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (C/2021/3972) on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.
2.5 “European Data Protection Law” means the EU GDPR, the UK GDPR, and the FDPA.
2.6 “International Transfer” means, in relation to Personal Data which is subject to the GDRP, UK GDPR or FDPA, the transfer of such Personal Data to or access by parties outside the EEA, the UK, or Switzerland, as applicable.
2.7 “Personal Data” has the meaning ascribed to it by Applicable Data Protection Laws, including, where applicable, “personal information”, “personally identifiable information”, and “personal data”.
2.8 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.9 “Personal Data Breach” means a breach of Cord’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
2.10 “Restricted Transfer” means (a) in relation to Personal Data which is subject to the GDPR, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission, (b) in relation to Personal Data which is subject to the UK GDPR, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, and/or (c) in relation to Personal Data which is subject to FDPA, the transfer of such Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
2.11 “Sell” means the exchange of Personal Data for monetary or other valuable consideration, or as otherwise defined in the CCPA or federal law.
2.12 “Service Provider” means a legal entity that Processes Personal Data on behalf of Customer and to which Customer discloses Personal Data for a business purpose.
2.13 “Special Categories of Data” means (i) personal data revealing racial or ethnic origin, political opinions, philosophical beliefs.or trade union membership, (ii) genetic data, (iii) bbiometric data (where used for identification of a person) and/or (iv) data concerning health, a person’s sex life or sexual orientation.
2.14 “Standard Contractual Clauses” means the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses as modified by the UK Addendum, as applicable.
2.15 “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office under s119A(1) of the UK Data Protection Act 2018, Version B1.0, in force 21 March 2022, or such alternative as may be approved by the UK Information Commissioner from time to time, and as amended, superseded, or replaced from time to time, and incorporating the clauses for the transfer of Personal Data from the EEA to Processors established in non-EEA countries that do not provide an adequate level of data protection approved by EC Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (C/2021/3972), as currently set out at: (http://data.europa.eu/eli/dec_impl/2021/914/oj).
3.0 Processor Obligations.
3.1 General. Cord shall:
-
(a) process the Customer Personal Data only in accordance with the provision of the Services as set out in the Agreement, the terms of this DPA and/or any other written instructions of Customer;
-
(b) taking into account the nature of the processing and the information available to it, provide reasonable and timely assistance to Customer to enable Customer to respond to any request from a data subject to exercise any of its rights under GDPR/UK GDPR (including its rights of access, correction, objection, erasure and data portability, as permitted), and any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Cord, Cord shall (i) not respond to any such request or complaint unless required to do so by Applicable Data Protection Laws, and (ii) promptly inform Customer providing full details of the same unless otherwise prohibited.
-
(c) taking into account the nature of the processing and the information available to it, provide Customer with reasonable assistance (at Customer’s expense) in support of a data protection impact assessment, solely in relation to Customer Personal Data, the Services and where the Customer would not otherwise have access to the relevant information.
-
(d) maintain a record of all categories of Processing activities carried out on behalf of a Customer in accordance with GDPR/UK GDPR;
-
(e) at all times implement and maintain appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data including, but not limited to, the security measures described in the Security Standards;
-
(f) promptly upon the cessation of any Services involving the Processing of Customer Data, at the Customer’s option return (if feasible) or delete all copies of the Customer Personal Data, other than to the extent that its retention is required by Applicable Data Protection Laws.
3.2 The nature and purpose of the Processing, types and categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing are set out in Annex 2.
3.3 Data Processing. Customer and Cord hereby agree that with respect to any Personal Data contained in the Customer Data, Customer shall be deemed to be the data controller and the contracting Cord entity shall be deemed to be the data processor as those terms are understood under Applicable Data Protection Laws. Unless otherwise specifically agreed to by Cord, Customer Personal Data may be Processed by Cord and its authorized third-party service providers in the United States, the UK, the EEA or other locations around the world provided that any transfer of Customer Personal Data will comply with this DPA. As between the Parties, all Customer Personal Data Processed under the terms of the Agreement shall remain the property of Customer. To the extent such Customer Personal Data is not so categorized on the applicable Order or otherwise in writing, Customer’s Personal Data is limited to Customer employee first and last names, employee email addresses, IP address, and employee phone numbers. During the term of the Agreement Cord shall Process Customer Personal Data in accordance with Customer’s written instructions and as permitted in the Agreement. In the event Cord reasonably believes there is a conflict with any Applicable Data Protection Laws and Customer’s instructions, Cord will inform Customer and the Parties shall cooperate in good faith to resolve the conflict and achieve compliance with such instruction. Cord will ensure that all of its employees are informed of the confidential nature of the Customer Personal Data and are bound by confidentiality obligations in respect of the Personal Data.
3.4 Cord as a Controller. Where Cord is a controller, Cord shall Process the Personal Data of Customer’s Users as is necessary for the provision of the Services to Customer (for security and support purposes) and for its legitimate interest in ensuring the efficient provision of, and anticipating necessary fixes to, the Services. The legal bases are Article 6.1.b and 6.1.f of GDPR/UK GDPR. Cord’s Data Protection Officer can be contacted via email at privacy@Cord.com. Provision of Personal Data by the Customer is a requirement necessary for the performance of the Services. Failure to provide the requested Personal Data may substantially impact the quality of the Services or otherwise preclude access to the Services by Customers’ Users. Cord will retain the Customer’s Personal Data only for as long as is necessary for the purposes described under this Section 3.3. In accordance with the requirements of Applicable Data Protection Laws, the Customer has the right to request from Cord access to and rectification or erasure of its Personal Data or restriction of Processing or to object to Processing as well as the right to data portability. The Customer has also the right to lodge a complaint with the appropriate supervisory authority.
3.5 Legally Compelled Disclosure. If a law enforcement authority sends Cord a demand for Customer Personal Data (for example, through a subpoena or court order), Cord will (i) attempt to redirect the law enforcement agency to request such Customer Personal Data directly from Customer; and (ii) promptly notify Customer in writing of any legally binding request for disclosure of the Customer Personal Data, unless otherwise prohibited by law, to allow Customer to seek a protective order or other appropriate remedy. In connection with subsection (i) Cord may provide Customer’s basic contact information to the law enforcement authority.
4.0 Restricted Transfers.
4.1 If the Processing of any Customer Personal Data involves a Restricted Transfer to which European Data Protection Law applies, the transfer shall be made in accordance with the EU Standard Contractual Clauses or the UK Addendum, as applicable, as follows:
-
(a) In relation to Customer Personal Data that is protected by the
GDPR in respect of which the Customer is the controller and Cord is a
processor, the EU Standard Contractual Clauses will apply completed as
follows:
- (i) Module Two will apply (controller to processor transfers);
- (ii) In Clause 7, the optional docking clause will apply;
- (iii) In Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 7.1(a) of this DPA;
- (iv) In Clause 11, the optional language will not apply;
- (v) In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Irish law;
- (vi) In Clause 18(b), disputes shall be resolved before the competent EU courts;
- (vii) Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Annex I of this DPA
-
(b) In relation to Customer Personal Data that is protected by the
GDPR in respect of which the Customer is a processor and Cord is a
sub-processor, the EU Standard Contractual Clauses will apply
completed as follows:
- (i) Module Three will apply (processor to processor transfers);
- (ii) In Clause 7, the optional docking clause will apply;
- (iii) In Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 8.1(a) of this DPA;
- (iv) In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Irish law;
- (v) In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland;
- (vi) Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Annex I of this DPA, as applicable;
- (vii) Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information set out Annex II of this DPA;
-
(c) In relation to Customer Personal Data that is protected by the
FDPA, the EU Standard Contractual Clauses will apply in accordance
with Section 4.1(a) or 4.1 (b) of this DPA, as applicable, but with
the following modifications:
- (i) any references in the EU Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the FDPA and the equivalent articles or sections therein;
- (ii) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be;
- (iii) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and
- (iv) the EU Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts;
- (d) In relation to Customer Personal Data that is protected by the UK GDPR, the EU Standard Contractual Clauses shall apply in accordance with Section 4.1(a) or Section 4.1(b) of this DPA, as applicable, but as modified and interpreted by the UK Addendum attached hereto as Annex 4, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
5.0 CCPA. Customer has the authority to determine the purposes for and means of Processing the Customer Personal Data. The parties further agree that Cord is acting solely as a Service Provider with respect to Customer Personal Data, and accordingly will not Sell, collect, retain, use, disclose or otherwise Process Customer Personal Data for any purpose other than for the specific purpose of performing the Services, obligations, or actions for the benefit of Customer or Users as specified in the Agreement. Cord will promptly inform Customer of any individuals’ requests with respect to Personal Data for which Customer is responsible, including requests to access or delete such Personal Data, and will promptly refer to Customer any inquiries received by Cord regarding the privacy practices of Customer. Cord will reasonably cooperate with and assist Customer in responding to such requests and inquiries.
6.0 Security Controls. Taking into account the state of the art, the cost of their implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals and the nature of the activities under the Agreement, Cord shall maintain appropriate administrative, physical, and technical and organizational measures to ensure the security of Customer’s Personal Data against unauthorized or unlawful processing, and accidental loss, destruction or damage in accordance with Cord’s Security Standards. Cord will regularly monitor compliance with the Security Standards. Cord will not intentionally decrease the Security Standards during the term of the Agreement.
7.0 Sub-processors.
7.1 Customer acknowledges and specifically authorizes Cord’s use of Cord sub-processors existing as of the Effective Date, Customer hereby gives a general authorization to new or replacement sub-processors, provided Cord follows the following procedure:
- (a) With respect to any new or replacement sub-processor Cord shall (i) execute a written agreement that obligates it to (1) protect Customer’s Personal Data to the same extent as is required of Cord by the Agreement and this DPA, and (2) be in compliance with Applicable Data Protection Laws, and (ii) ensures such new sub-processor is subject to industry-standard external security auditing (collectively, the “Conditions”). Cord agrees to provide Customer with notice at least thirty (30) days in advance of any new or replacement sub-processors that Processes Customer Personal Data under the Agreement (“Sub-processor Notice”) giving the Customer the opportunity to object. Such Sub-processor Notice may be provided either by sending an email to the Account Administrator indicated in the applicable Order, or notifying Customer Users via the Subscription Services. If Customer has a reasonable belief that such new sub-processor cannot comply with the Conditions, Customer may terminate the applicable Order(s) with respect only to those Services which cannot be provided by Cord without the use of the objected-to new sub-processor. Such termination will be made by providing written notice to Cord, on the condition that Customer provides such notice within twenty (20) days of being informed of the engagement of the new sub-processor as described herein. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new sub-processor. For the avoidance of doubt, Customer will be deemed to have consented to such sub-processor absent an objection within the stated time period.
- (b) Customer acknowledges that Cord provides a standardized service to all customers which does not allow using different sub-processors for different customers and, therefore, that the inability to use a particular new or replacement sub-processors for the Services to the Customer may result in delay in performing the Services, inability to perform the Services or increased fees. Cord will notify Customer in writing of any change to Services or fees that would result from Cord’s inability to use a new or replacement sub-processors to which Customer has objected.
- (c) Cord will ensure that sub-processors only access and use Customer Personal Data in accordance with the terms of the Agreement (including this DPA) and that they are bound by written obligations: (i) that require them to provide at least the level of protection for Personal Data as is required by Applicable Data Protection Laws and by the Agreement; and (ii) where applicable, to comply with the Standard Contractual Clauses.
7.2 Cord may replace a sub-processor without advance notice where the reason for the change is outside of Cord’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Cord will inform Customer of the replacement sub-processor as soon as possible following its appointment. Section 7.1(a) applies accordingly.
7.3 Cord shall be liable for the acts and omissions of its or its Affiliate’s sub-processors to the same extent as Cord would be liable if performing the Services of each sub-processors directly under the terms of this DPA.
7.4 A current list of the sub-processors that may be used for Processing Personal Data is available to Customer without charge on demand. Cord will keep the sub-processors list current and inclusive of any new sub-processors and will make available to Customer the updated sub-processors list upon request by Customer.
8.0 Personal Data Breaches. After becoming aware of a confirmed Personal Data Breach relating to Customer Personal Data Cord will (a) notify Customer of the Personal Data Breach without undue delay; (b) investigate the Personal Data Breach; (c) provide Customer with details about the Personal Data Breach; and (d) make best efforts to prevent a recurrence of the Personal Data Breach. Cord agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records, logs, files, data reporting, and other materials related to the Personal Data Breach’s effects on Customer, as required to comply with Applicable Data Protection Laws.
9.0 Audits and Certifications. Within thirty (30) days of Customer’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement (unless such information is reasonably required to be disclosed as a response to a data subject’s inquiries under Applicable Data Protection Laws), Cord shall make available to Customer (or a mutually agreed upon third-party auditor) information regarding Cord’s compliance with the obligations set forth in this DPA, including reasonable documentation as further set forth in Cord’s Security Standards. For the avoidance of doubt, the scope of any assessment on Cord’s privacy program and compliance with this DPA (“Privacy Assessment”) shall be limited to documents and records allowing the verification of Cord’s compliance with the obligations set forth in this DPA, and shall exclude financial documents or records of Cord or any documents or records concerning other customers of Cord. Without limiting the foregoing if Customer has audited Cord pursuant to Exhibit B, Section 11 (Audit and Testing) of the Master Terms and Conditions (“Security Audit”), Cord may charge the associated costs of any Privacy Assessment that includes an additional Security Audit in the same twelve (12) month period. Cord will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
10.0 Interpretation. The Parties agree that when interpreting Applicable Data Protection Laws in conjunction with either Party’s rights and obligations in this Data Processing Agreement, it shall be interpreted based on the applicable Party’s role in its Processing of Personal Data.
11.0 Warranties.
11.1 Cord warrants that it shall comply with all Applicable Data Protection Laws in respect of the Processing of the Customer Personal Data.
11.2 Customer warrants and represents that Cord’s expected use of the Customer Personal Data in connection with the provision of the Services, and as specifically instructed by Customer, will comply with the Applicable Data Protection Laws.
11.3 Customer warrants that the Customer Personal Data shall not include any Special Categories of Personal Data.
12.0 Miscellaneous.
12.1 Conflicts. In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail. In the event and to the extent of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12.2 Severability. In the event any provision of this DPA, in whole or in part, is invalid, unenforceable or in conflict with the applicable laws or regulations of any jurisdiction, such provision will be replaced, to the extent possible, with a provision which accomplishes the original business purposes of the provision in a valid and enforceable manner, and the remainder of this DPA will remain unaffected and in full force.
12.3 Counterparts. This DPA may be executed in several counterparts, each of which shall be deemed and original and all of which shall constitute one and the same instrument, and shall become effective when counterparts have been signed by each of the Parties and delivered to the other Parties; it being understood that all Parties need not sign the same counterparts. Signatures of the Parties transmitted via facsimile or other electronic means shall be deemed to be their original signatures for all purposes.
12.4 Liability. Each party’s liability for breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Either party’s liability for a breach of this DPA will be subject to the liability cap set out in the Agreement.
Annex 1
Data Processing Description
Nature of the Processing:
As described in the Agreement
Purpose of Data Processing:
To provide the Services
Duration of the Processing Activities:
The duration of the provision of the Services
Frequency of the Processing:
Continuous
Categories of Data Subjects:
Customer’s users of the Services, including Customer’s employees, contractors, contingent workers, business partners, vendors and any other end users that receive access to the Services through Customer
Types of Personal Data:
Internet Information: Browser Make & Version, Browsing Behavior, Device Used, Links Clicked, IP Address, Message Transcripts, Third-Party Tokens, Website Content
Identifiers: Email Address, Picture / Photo, Name, Job Title, Company Name, IP Address, Message Transcripts Biometrics: Picture / Photo
Employment Information: Job Title, Company Name
COMPETENT SUPERVISORY AUTHORITY: As determined by application of Clause 13 of the EU Standard Contractual Clauses.
Annex 2
Technical and Organisational Security Measures
As set forth in (Cord Security Standards)
Annex 3
List of Sub-processors
| Sub-processor | Functional Personal Data Category | Country |
|---|---|---|
| Preset.io | Analytics | US |
| Amazon Web Services | Cloud storage | US |
| Segment.io | Analytics | US |
| Twilio Sendgrid | Email notifications | US |
| GetDBT.com | Analytics | US |
| Sentry.io | Monitoring | US |
Optional, opt-in end-user data sub-processors:
| Sub-processor | Functional Personal Data Category | Country |
|---|---|---|
| Asana.com | Opt-in, user-provided data (integration) | US |
| Atlassian.com | (JIRA, Trello services) Opt-in, user-provided data (integration) | Australia |
| Monday.com | Opt-in, user-provided data (integration) | US |
| Linear.app | Opt-in, user-provided data (integration) | US |
| Slack | Messaging service | US |
Annex 4
UK Standard Contractual Clauses Addendum
This Addendum is entered into with effect from the date of the Service Agreement between Cord (Exporter) and Customer (Importer).
BACKGROUND
(A) This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
AGREED TERMS
Table 1: Parties
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Parties’ details | Full legal name: As set out in the Agreement | Full legal name: As set out in the Agreement |
| Main address (if a company registered address): As set out in the Agreement | Main address (if a company registered address): As set out in the Agreement | |
| Official registration number (if any) (company number or similar identifier): As set out in the Agreement | Official registration number (if any) (company number or similar identifier): As set out in the Agreement |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs
The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
| Module | Module in Operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior authorization or general authorization) | Clause 9a (Time Period) | Is Personal Data received from the Importer combined with Personal Data collected by the Exporter |
|---|---|---|---|---|---|---|
| 1 | No | N/A | N/A | N/A | N/A | N/A |
| 2 | Yes | No | No | General | 30 days | Case by case |
| 3 | Yes | No | No | General | 30 days | Case by case |
| 4 | No | N/A | N/A | N/A | N/A | N/A |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: As set out in the beginning of this Addendum. |
| Annex 1B: Description of Transfer: As set out in Annex 1 to the Service Agreement. |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in the Security Standards. |
| Annex III: List of Sub processors (Modules 2 and 3 only): General authorisation for sub-processors listed in Annex III of the DPA. |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum Changes |
Which Parties may end this Addendum as set out in Section 19:
Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
-
Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
-
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs, those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
-
1 Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
-
2 Addendum EU SCCS: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
-
3 Appendix Information: As set out in Table 3.
-
4 Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) of the UK GDPR.
-
5 Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
-
6 Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
-
7 ICO: The Information Commissioner.
-
8 Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
-
9 UK: The United Kingdom of Great Britain and Northern Ireland.
-
10 UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
-
11 UK GDPR: As defined in section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation ((EU) 2016/679), then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- (a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- (b) Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- (c) this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- (a) references to the “Clauses” mean this Addendum, incorporating the Addendum EU SCCs;
- (b) In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- (c) Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- (d) Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- (e) Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- (f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- (g) References to Regulation (EU) 2018/1725 are removed;
- (h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with “the UK”;
- (i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module 1 is replaced with “Clause 11(c)(i)”;
- (j) Clause 13(a) and Part C of Annex I are not used;
- (k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- (l) In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- (m) Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
- (n) Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- (o) The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
- (a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- (b) reflects changes to UK Data Protection Laws.
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
- (a) its direct costs of performing its obligations under the Addendum; and/or
- (b) its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
