This Data Processing Agreement (this “DPA”) is entered into by and between Axonius, Inc. and its Affiliates (collectively, “Axonius”) and the entity or organization, including any participating Affiliates of such entity or organization (collectively, “Company”), that has agreed to the Axonius Terms and Conditions, or otherwise executed a License Agreement or other software subscription agreement with Axonius in connection with the provision of Axonius Solutions (as applicable, the “Agreement”), and reflects such parties’ agreement with respect to the Processing of Personal Data by Axonius solely on behalf of Company. Axonius and Company are hereinafter referred to individually as a “Party” and collectively as the “Parties”. This DPA is deemed to be entered into as of the applicable effective date of the Agreement (the “Effective Date”).
- Definitions. For purposes of this DPA, the following capitalized terms shall have the following meanings:
- “Affiliate” of a Party means, as of the applicable date of determination, any other entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with, such Party. The term “control” (including the terms “controlled by” and “under common control with”) means the direct or indirect ownership of more than 50% of the voting securities, or the power in fact to direct or cause the direction of the management, of an entity.
- “Controller” means any natural or legal person, business, entity or authority which determines the purposes and the means of the Processing of Personal Data, within the meaning of the applicable Data Protection Laws.
- “Data Breach” means any Personal Data incident or breach, within the meaning of the applicable Data Protection Laws.
- “Data Protection Laws” means all applicable privacy, security and data protection laws and regulations, as applicable to the Processing of Personal Data hereunder including, without limitation, the “GDPR” (Regulation (EU) 2016/679), the UK Data Protection Act of 1998 and the “UK GDPR” (the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018), the “FADP” (the Swiss Federal Act on Data Protection of 19 June 1992, as revised as of 25 September 2020), and the “CCPA” (California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020), in each case as respectively amended or replaced from time to time.
- “Data Subject” means any natural person, individual or consumer to whom the Personal Data relates, within the meaning of the applicable Data Protection Laws.
- “EU SCCs” means the Standard Contractual Clauses between Controllers and Processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Household” means a group, however identified, of Data Subjects, within the meaning of the applicable Data Protection Laws.
- “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, to an identified or identifiable Data Subject or, where applicable, a Household, within the meaning of the applicable Data Protection Laws.
- “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, within the meaning of the applicable Data Protection Laws.
- “Processor” means any natural or legal person, service provider, entity or authority which Processes Personal Data on behalf of the Controller, within the meaning of the applicable Data Protection Laws.
- “Sensitive Data” means Personal Data that is protected under a special law or regulation requiring unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses; and/or (e) account passwords in unhashed form.
- “Solutions” means Axonius’ proprietary cybersecurity and IT management products which are made available to Company from time to time by Axonius under the Agreement, whether as a hosted software-as-a-service, an instance installed on site, installed on Company’s private cloud or otherwise. Any such “Solution” includes any applicable technical support and “add-ons” (in each case, as and to the extent expressly purchased by Company), as well as any updates/upgrades made available by Axonius.
- “Sub-processor” means any natural or legal person, service provider or entity engaged by Axonius to Process Personal Data under Axonius’ supervision, within the meaning of the applicable Data Protection Laws.
- “Supervisory Authority” means the authority, entity or agency established in each applicable territory to implement, advise, investigate and/or enforce applicable Data Protection Laws.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as issued by the Information Commissioner of the United Kingdom.
- Roles of the Parties. Company authorizes Axonius to Process Personal Data on Company’s behalf for the purpose of providing the Solutions as further specified in Schedule 1 attached hereto. The Parties acknowledge and agree that in this regard (i) Company is the Controller of Personal Data, (ii) Axonius is the Processor of Personal Data, and (iii) providing the Solutions is the business purpose under the CCPA, where applicable.
- Obligations of the Controller.
- Compliance and Instructions. Company represents and warrants that it complies and will comply with applicable Data Protection Laws in its use of the Solutions and in accordance with its obligations as a Controller, and that it will be solely responsible for such compliance including, without limitation, the lawful Processing of Personal Data, the accuracy and quality of Personal Data, and the lawfulness of any instructions to Axonius.
- Provision of Personal Data. Company agrees that it will only provide Axonius with the Personal Data necessary for Axonius to provide the Solutions, and that Company will not provide (or otherwise allow Axonius to access) any Sensitive Data.
- Data Subject and Supervisory Authority Requests. Company will be responsible for the exercise of any Data Subjects’ rights and all communications with any Supervisory Authority.
- Obligations of the Processor.
- Scope of Processing. Axonius will Process Personal Data on behalf of Company only on documented instructions from Company and for the purpose of providing the Solutions under the Agreement, and/or as required under the laws applicable to Processors, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Axonius shall inform Company of such legal requirement unless such notice is prohibited by law.
- CCPA. With respect to Personal Information to which the CCPA applies: (i) Axonius acknowledges and confirms that it will not receive or Process any Personal Information as consideration for the Solutions; (ii) Axonius shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Company’s behalf; (iii) Axonius certifies that it understands the rules, requirements and definitions of the CCPA, and will refrain from selling or sharing (as such terms are defined in the CCPA) any Personal Information Processed hereunder without Company’s prior written consent; (iv) Axonius shall not Process Personal Information for any purpose other than for the business purpose specified in this DPA or outside the business relationship provided in the Agreement, or combine Personal Information other than as permitted by the CCPA; and (v) Company is enabled to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.
- Compliance. Axonius shall promptly inform Company if, in its opinion, the execution of an instruction could violate any applicable Data Protection Laws, or when any applicable law or legal requirement prevents Axonius from fulfilling its obligations under this DPA or from complying with the instructions received from Company. As a result, Axonius may in part or as a whole, without liability to Company, suspend the Processing of Personal Data until such issue has been resolved. If the Parties do not agree on a resolution to the issue within a reasonable period of time, not to exceed sixty (60) calendar days, each Party may, as its sole remedy, terminate the applicable provisions of the Agreement and this DPA, in each case to the limited extent necessary to eliminate the affected Processing.
- Cooperation and Data Subject Requests. Where required by applicable Data Protection Laws and in particular by articles 32 to 36 of the GDPR, Axonius shall provide cooperation and assistance to Company in fulfilling its legal obligations, including responding to Data Subjects’ requests for exercising data protection rights, the adoption of appropriate security measures, responding to a Data Breach, performing data protection impact assessments or consulting with or responding to a Supervisory Authority’s requests. Axonius shall, to the extent legally permitted and required, promptly inform Company if Axonius receives a request from a Data Subject to exercise their rights or a request from a Supervisory Authority directed to Company.
- Government Requests. Where permitted by applicable laws, Axonius shall promptly inform Company if it receives a legally binding request from a governmental or law enforcement authority, including judicial authorities, relating to the Processing of Personal Data under this DPA, and shall review the legality of such request. If, after careful assessment, Axonius concludes that there are reasonable grounds to believe that the request is unlawful under applicable Data Protection Laws or any other applicable laws, Axonius shall use commercially reasonable efforts where possible to challenge the request and seek interim measures where appropriate to suspend the effects of the request until the competent judicial authority has decided on its merits. In any event, Axonius shall not disclose Personal Data requested until required to do so under the applicable procedural rules. When responding to such a request for disclosure, Axonius shall only provide the minimum amount of Personal Data permissible based on a reasonable interpretation of the request.
- Data Security. Axonius shall maintain technical and organizational measures for the protection of Personal Data appropriate to the nature, scope, context, risks and purposes of the Processing thereof, including those measures set forth in Schedule 2 attached hereto.
- Confidentiality. Axonius shall ensure that its personnel engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation, and are properly instructed on Personal Data Processing in accordance with applicable Data Protection Laws.
- Appointment of Sub-processors. Company acknowledges and agrees that Axonius may engage Sub-processors to Process Personal Data in connection with the provision of the Solutions. A list of Axonius’ current Sub-processors is located at https://www.axonius.com/subprocessor-list and, as of the Effective Date, is hereby deemed authorized. Axonius will provide notification of any new Sub-processor(s) at least thirty (30) calendar days before authorizing any such new Sub-processor(s) to Process Personal Data. To receive such notifications, Company shall sign up at https://www.axonius.com/subprocessor-list.
- Objections. To object to a new Sub-processor, Company shall notify Axonius in writing within fifteen (15) calendar days of receipt of the notification of such Sub-processor’s planned engagement, setting forth the reasonable data protection grounds for the objection. In response to any such objection, Axonius undertakes to provide Company with evidence of the new Sub-processor’s safeguards and its compliance with applicable Data Protection Laws. If Axonius is unable to provide such evidence within a reasonable time period, the Parties will work together in good faith to resolve the remaining ground for the objection, and if such common effort fails, Company may terminate the applicable provisions of the Agreement and this DPA, in each case to the limited extent necessary to eliminate the affected Processing, by providing written notice to Axonius.
- Agreement with Sub-processors. Axonius will enter into written agreements with each Sub-processor containing substantially similar data protection obligations as set out in this DPA, including obligations to implement appropriate technical and organizational measures in accordance with applicable Data Protection Laws. Axonius shall remain responsible to Company hereunder if a Sub-processor fails to fulfill its data protection obligations concerning its Processing of Personal Data.
- Cross-border Data Transfers.
- Transfers by Company. The Parties agree that if Company transfers Personal Data to Axonius within the scope of this DPA from European Union (the “EU”) member states and/or the three other European Economic Area member countries (Norway, Liechtenstein and Iceland) (collectively, the “EEA”), Switzerland or the United Kingdom (the “UK”) to countries which have not been subject to an adequacy decision published by the European Commission or any other relevant data protection authority of the EEA, the EU, the EU member states, Switzerland, and/or the UK (“Adequacy Decisions”): (i) the terms set forth in Part 1 of Schedule 3 attached hereto shall apply to any such transfer from the EEA (“EEA Transfer”); (ii) the terms set forth in Part 2 of Schedule 3 attached hereto shall apply to any such transfer from the UK (“UK Transfer”); (iii) the terms set forth in Part 3 of Schedule 3 attached hereto shall apply to any such transfer from Switzerland (“Swiss Transfer”); and (iv) the terms set forth in Part 4 of Schedule 3 attached hereto shall apply to any such transfers.
- Transfers by Axonius. Personal Data may be transferred by Axonius from the EEA, Switzerland or the UK to: (i) countries that offer an adequate level of data protection under or pursuant to an Adequacy Decision, as applicable, without any further safeguard being necessary; and/or (ii) other countries provided that Axonius puts in place an alternative recognized compliance mechanism for the lawful transfer of Personal Data pursuant to applicable Data Protection Laws (e.g., EU SCCs, UK Addendum).
- Data Breach Management.
- Notification. Axonius shall notify Company of any Data Breach of Personal Data Processed by Axonius on behalf of Company of which Axonius becomes aware, without undue delay and consistent with the measures necessary to determine the scope of the breach as required by applicable Data Protection Laws. Axonius will use commercially reasonable efforts to investigate the Data Breach and take actions that are reasonably necessary in an effort to remediate and/or mitigate the Data Breach, in each case as required by applicable Data Protection Laws and as appropriate under the circumstances. The obligations set forth herein do not apply to incidents caused by Company or anyone using the Solutions on Company’s behalf.
- Disclosure. Company will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Breach, which directly or indirectly identifies Axonius (including in any legal proceeding or in any notification to Data Subjects, Supervisory Authorities, and/or any other applicable authority or entity), without Axonius’ prior written approval, unless, and solely to the extent that, Company is compelled to do so pursuant to applicable Data Protection Laws. In any such case, (i) unless prohibited by applicable laws, Company shall provide Axonius with reasonable prior written notice to give Axonius the opportunity to object to such disclosure, and (ii) Company will limit the disclosure to the minimum scope legally required.
- Audits. Following Company’s written request made at least fourteen (14) calendar days in advance, but no more often than once every twelve (12) months (except in the event of a Data Breach), and subject to strict confidentiality undertakings by Company, Axonius shall (i) make available to Company information necessary to demonstrate compliance with this DPA, and (ii) allow for and reasonably contribute to records audits conducted by a mutually agreed accredited third-party auditor acting on Company’s behalf and at Company’s expense to enable Company to verify Axonius’ compliance with its obligations under this DPA. Any such audits will be carried out at mutually agreed times during regular business hours, and Company shall ensure that it and its auditors will not cause any damage, injury or disruption to Axonius’ premises, equipment, personnel and business while conducting such audits. Upon Axonius’ request, Company shall return, or cause to be returned, all records and/or documentation provided by or on behalf of Axonius in the context of any such audit(s).
- Return and/or Deletion of Personal Data. Company’s deployed Solution instance(s) shall be promptly disabled following the termination/expiration of Company’s license subscriptions to such Solutions under the Agreement. Following Company’s written request, Axonius shall either return or delete any Personal Data Processed by Axonius solely on behalf of Company which at the time of such written request still remains available to Axonius, if any (in each case, unless (i) such deletion is otherwise prohibited by applicable laws, and/or (ii) further retention is required or permitted by applicable laws or is otherwise agreed to by the Parties in writing, including pursuant to the Agreement). To the extent and for so long as any such Personal Data continues to be so retained by Axonius, such retention and any further necessary Processing shall be performed in accordance with the obligations set forth in this DPA.
- Incorporation of Agreement Terms. Subject to Section 10.2 below, all of the terms and conditions of the Agreement that are applicable to this DPA are hereby incorporated herein by reference, mutatis mutandis, including without limitation any confidentiality, effective duration, termination, indemnification, exclusions and limitations of liability, and general/miscellaneous terms.
- Hierarchy. In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
Schedule 1 - DETAILS OF THE PROCESSING
Nature and Purpose of Processing
- Providing the Solutions to Company in accordance with the Agreement, this DPA and Company’s instructions.
- Complying with applicable laws and regulations.
Duration of Processing
Axonius will Process Personal Data for the effective duration of the Agreement and Company’s license subscriptions to Axonius Solutions thereunder, as well as any further period either required or permitted by applicable laws or agreed to by the Parties in the Agreement and/or this DPA.
Types of Personal Data
Company may submit Personal Data to the Solutions, the extent of which is determined and controlled by Company in its sole discretion. More specifically, the following categories of Personal Data may be Processed:
- Contact Data, including full name, employer or company name, company department, company address, e-mail address, mobile phone number and/or job title (Identifiers).
- Communication Data, including Personal Data contained in correspondence with Axonius, support tickets, history of interactions with Axonius, chats, surveys, feedback and analyses thereof (Commercial Information and related Inferences).
- Device Identifiers, including IP address, approximate geolocation, type, OS, device ID, browser version, locale and language settings used (Electronic Network Activity Information; Identifiers; Geolocation Data and related Inferences).
No Sensitive Data may be submitted by Company.
Categories of Data Subjects
Company may transmit Personal Data to the Solutions relating to the following categories of Data Subjects: Company’s employees and users who use Company’s network.
Schedule 2 - TECHNICAL AND ORGANIZATIONAL MEASURES
Axonius maintains a formal cybersecurity program to safeguard the Processing of Personal Data. The program is structured according to the ISO 27001 standards and is certified on a regular basis by independent external auditors for compliance with ISO 27001 or an equivalent cybersecurity management framework. The program enables Axonius to establish comprehensive and risk-informed security measures that span the following areas and address the confidentiality and integrity of Personal Data:
- Physical Security: Axonius maintains appropriate physical security measures to protect tangible items, such as physical computer systems and devices, that Process Personal Data.
- Logical Access Controls: Axonius restricts access to Personal Data and related logical infrastructure and applications using formal authentication and authorization measures. Whenever practical, Axonius relies on Single Sign-On to validate the identities of its personnel when deciding whether to grant access. Axonius deploys firewalls and other relevant security measures to protect its networks from unauthorized access.
- Application: Axonius incorporates security requirements and guidance into its Software Development Lifecycle to mitigate the risks associated with inappropriate access to or other misuse of Personal Data through the Solutions. Axonius conducts annual security reviews of the Solutions to identify and help address vulnerabilities.
- Data: Axonius uses modern encryption techniques to safeguard the transfer and storage of Personal Data wherever practical.
- Personnel: Axonius screens its personnel in accordance with local laws and regulations, taking into account the business requirements of the role, the classification of the Personal Data the employee will regularly access, and the perceived risks. Axonius informs its personnel about Axonius’ cybersecurity program and the role they play in it.
- Sub-processors: Axonius uses third-party cloud infrastructure and software-as-a-service providers for certain aspects of the Solutions. Axonius reviews these Sub-processors’ cybersecurity practices according to its vendor review program to confirm that they provide sufficient safeguards to protect Personal Data.
Schedule 3 – CROSS BORDER TRANSFERS
Part 1 – EEA Transfer
The Parties agree that the terms of the EU SCCs are herein incorporated by reference and shall apply to any EEA Transfer, with the following specifications:
- Module Two (Controller to Processor) shall apply where the EEA Transfer is effectuated by Company as the Controller of the Personal Data and Axonius is the Processor of the Personal Data.
- Clause 7 (Docking Clause): shall not apply.
- Clause 9 (Use of sub-processors): Option 2: GENERAL WRITTEN AUTHORISATION shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the DPA.
- Clause 11 (Redress): the optional language will not apply.
- Clause 17 (Governing law): Option 1 shall apply and the governing law is the law of the Republic of Ireland.
- Clause 18 (Choice of forum and jurisdiction), lett. (b): the elected forum is the courts of the Republic of Ireland.
- Annex I.A (List of parties) shall be completed as follows:
Data Exporter: Company.
Contact details: As detailed in the Agreement.
Data Exporter Role: Controller.
Activities relevant to the data transferred: As detailed in Schedule 1 of the DPA.
Signature and Date: By entering into the Agreement and the DPA, Data Exporter is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the Effective Date.
Data Importer: Axonius.
Contact details: firstname.lastname@example.org.
Data Importer Role: Processor.
Activities relevant to the data transferred: As detailed in Schedule 1 of the DPA.
Signature and Date: By entering into the Agreement and the DPA, Data Importer is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the Effective Date.
- Annex I.B (Description of the transfer) shall be completed as follows:
Categories of data subjects whose data is transferred: As detailed in Schedule 1 of the DPA.
Categories of personal data transferred: As detailed in Schedule 1 of the DPA.
Frequency of the transfer: Continuous.
Nature of the processing: As detailed in Schedule 1 of the DPA.
Purpose of the data transfer and further processing: As detailed in Schedule 1 of the DPA.
Period for which the personal data will be retained: As detailed in Schedule 1 of the DPA.
For transfers to Sub-processors, the subject matter, nature, and duration of the processing are as set forth in Schedule 1 of the DPA.
- Annex I.C (Competent supervisory authority) shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority stipulated in Clause 18.
- Annex II (Technical and organizational measures): As detailed in Schedule 2 of the DPA.
- To the extent there is any conflict between the EU SCCs and any other terms in this Part 1, the DPA or the Agreement, the provisions of the EU SCCs will prevail.
Part 2 – UK Transfer
The Parties agree that the terms of the UK Addendum are herein incorporated by reference and shall apply to any UK Transfer, with the following specifications:
- Table 1 shall be completed with the Parties, as stipulated in Section 7 of Part 1 of this Schedule 3.
- Table 2 shall be completed with the EU SCCs, Modules and Selected Clauses, as stipulated in Part 1 of this Schedule 3.
- Table 3 shall be completed with the EU SCCs Annexes Information (Appendix Information), as stipulated in Part 1 of this Schedule 3.
- Entering into this Part 2:
- Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2.
- Although Annex 1A and Clause 7 of the EU SCCs require signatures by the Parties, for the purpose of making a UK Transfer, the Parties may enter into this Part 2 in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Part 2. Entering into this Part 2 will have the same effect as signing the EU SCCs and any part of the EU SCCs.
- Interpretation of this Part 2:
- Where this Part 2 uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs. In addition, the following terms have the following meanings:
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when the Parties are making a UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
ICO: The Information Commissioner.
UK Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
- This Part 2 must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in Part 1 amend the EU SCCs in any way which is not permitted under the EU SCCs or this Part 2, such amendment(s) will not be incorporated by this Part 2 and the equivalent provision of the EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this Part 2, UK Data Protection Laws apply.
- If the meaning of this Part 2 is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted, and/or replaced after this Part 2 has been entered into.
- Although Clause 5 of the EU SCCs sets out that the EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for a UK Transfer, the hierarchy in Section 6.2 below will prevail.
- Where there is any inconsistency or conflict between the UK Addendum and Part 1 (as applicable), this UK Addendum overrides Part 1, except where (and in so far as) the inconsistent or conflicting terms of Part 1 provide greater protection for data subjects, in which case those terms will override the provisions of this UK Addendum.
- Where this Part 2 incorporates Part 1 which has been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Part 2 impacts that Part 1.
- Incorporation and changes to the EU SCCs:
- This Part 2 incorporates the EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Section 6 overrides Clause 5 (Hierarchy) of the EU SCCs; and
- this Part 2 (including Part 1 incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
- Unless the Parties have agreed on alternative amendments which meet the requirements of Section 7.1 above, the provisions of Section 7.4 below will apply.
- No amendments to the EU SCCs other than to meet the requirements of Section 7.1 above may be made.
- The following amendments to the EU SCCs (for the purpose of Section 7.1 above) are made:
- references to the “Clauses” means this Part 2, incorporating the EU SCCs;
- in Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- to the extent applicable, Clause 8.7(i) of Module One is replaced with: “it is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules Two and Three is replaced with: “the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”;
- references to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- references to Regulation (EU) 2018/1725 are removed;
- references to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- to the extent applicable, the reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module One, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- the “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- in Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- the footnotes to the EU SCCs do not form part of this Part 2, except for footnotes 8, 9, 10 and 11.
- Amendments to this Part 2:
- The Parties may agree to change Clause 17 and/or 18 of the EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the Parties wish to change the format of the information included in Tables 1, 2 or 3 of this Part 2, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
- From time to time, the ICO may issue a revised UK Addendum which:
- makes reasonable and proportionate changes to the UK Addendum, including correcting errors in the UK Addendum; and/or
- reflects changes to UK Data Protection Laws.
The revised UK Addendum will specify the start date from which the changes to the UK Addendum are effective and whether the Parties need to review this Part 2 including the Appendix Information. This Part 2 is automatically amended as set out in the revised UK Addendum from the start date specified.
- If the ICO issues a revised UK Addendum under Section 8.3 above and any Party will, as a direct result of the changes in the UK Addendum, have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under this Part 2; and/or
- its risk under this Part 2,
and in either case, it has first taken reasonable steps to reduce those costs or risks so that they are not substantial and disproportionate, then that Party may end this Part 2 at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
- The Parties do not need the consent of any third party to make changes to this Part 2, but any changes must be made in accordance with its terms.
Part 3 – Swiss Transfer
The Parties agree that the EU SCCs as detailed in Part 1 of this Schedule 3 shall be adjusted as set out below where the FADP applies to Swiss Transfers:
- references to the EU SCCs mean the EU SCCs as amended by this Part 3;
- the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP;
- the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP with respect to Swiss Transfers;
- references to Regulation (EU) 2018/1725 are removed;
- Swiss Transfers subject to both the FADP and the GDPR shall be dealt with by the EU Supervisory Authority named in Part 1 of this Schedule 3;
- references to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
- where Swiss Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP; and
- where Swiss Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Swiss Transfers are subject to the FADP.
Part 4 – Additional Safeguards
In the event of an EEA Transfer, a UK Transfer or a Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
- The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different Processor systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
- The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).
- If the Processor becomes aware that any governmental authority, including law enforcement, wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
- the Processor shall inform the relevant governmental authority that the Processor is a Processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing; and
- the Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor’s control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(II) shall not apply. In such an event, the Processor shall notify the Controller promptly following the access by the government authority, and provide the Controller with relevant details of the same, unless the Processor is legally prohibited from doing so.
Following the Controller’s written requests, but no more often than once every twelve (12) months, the Processor will inform the Controller of the types of binding legal demands for Personal Data it has received (if any) during the twelve (12)-month period preceding the Controller’s inquiry, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.