Data Processing Addendum

Relationship of Parties

• Content. The parties agree that with regard to the Processing of Personal Data within Content, you may be a Controller or Processor and We will be a Processor or sub-Processor (as applicable).
• Smart Data. The parties agree that with regard to the Processing of Personal Data within Smart Data, you may be a Controller or Processor and We will be a Processor or sub-Processor (as applicable) of Personal Data within that data set which is provided, or otherwise gained, by your and your Users’ use of the Services.
• Ancillary services, Threat Data and System Data. The parties agree that with regard to this Processing We are the Controller. You may yourself be an independent Controller, not a joint Controller with Us, of certain information within these data sets but not of the data sets themselves.
• You acknowledge that We may Process Personal Data relating to the operation, support, or use of the Services for Our own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. We are the Controller for such Processing and will Process such data in accordance with Data Protection Laws.
• Each of us is individually and separately responsible for complying with its own obligations as a Controller or Processor (as applicable) under the DPL.

Data Processing Terms

• Details of Processing. A description of the Processing that may take place in accordance with this DPA and the MSA is set out in Annex 1B.
• Your Instructions. Details as to how We process Content and Smart Data for and on behalf of you, your Group and Users are set out in Section 6 of the MSA.
• Lawful Basis. You represent and warrant on an ongoing basis that you have, and will at all times have, a lawful basis under applicable DPL for: (a) using the Services to send, share, store and receive Content and Smart Data and for the associated Processing by Us and Our Group in accordance with Your Instructions; and (b) transferring third-party email addresses to Us and Our Group to enable your, and your Group’s and Users’, use of the Services.
• Warranty of instruction. You warrant and represent that you are, and will at all relevant times remain, authorized to give Your Instructions.
• No sale of Personal Data. We will not sell or otherwise make Personal Data in Content or Smart Data available to third-parties for Our own commercial purposes.  You acknowledge that: (a) We provide access to the Services in return for the payment of the Fees and that access to, and use of, the Services is not provided in return for disclosure of Personal Data; and (b) disclosure of Personal Data by you, your Group and Users to Us and Our Group (and vice versa) in the course of delivery and use of the Services does not, and shall not, constitute a Sale (as defined in subdivisions (ad)(1) and (ah)(1) of Cal. Civ. Code §1798.140 respectively).  Any sharing of Content or Smart Data is done so with Sub-Processors solely for the delivery of the Services, and limited to Our Privacy Policy and Retention policy.
• Retention and Deletion. Data is retained and deleted as described in Section 9.7 of the MSA.

Confidentiality

• We shall: (a) ensure that Personnel and Sub-Processors authorised by Us in relation to the Processing of Personal Data in Content and Smart Data are subject to a duty of confidentiality (or are subject to an appropriate statutory obligation of confidence); (b) restrict the involvement of such Personnel and Sub-Processors to those that need to know in order to fulfil Our obligations under this DPA, the MSA and Your Instructions; and (c) ensure that Our Personnel undergo regular training on data protection issues, obligations and responsibilities.
• In using the Services, Content may be shared by you, your Group and Users with Recipients.

Security

• Technical measures. We have implemented and will maintain appropriate technical and organizational measures in relation to the Services taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the likelihood and severity of risk to the rights and freedoms of Data Subjects. This includes measures relating to: (a) the physical security of facilities used to deliver them, measures to control access rights to assets and relevant networks, and processes for testing these measures, certain details of which can be found in Annex 2 to this DPA; (b) employee training; and (c) Personal Data retention and disposal, details of which can be found in Our data retention policy available at egress.com/legal from time to time.  You are responsible for reviewing any information made available by Us relating to data security and making an independent determination as to whether the Services meet your requirements.

Security Incidents

• Personal Data Breach. We will, to the extent permitted by applicable law, notify you without undue delay if We become aware of a Personal Data Breach affecting Content and/or your Smart Data. Taking into account the nature of the Services, We will provide, where known: (a) a description of the Personal Data Breach, Data Subjects, Content and Smart Data concerned; (b) the likely consequences of the Personal Data Breach; and (c) the reasonable steps taken or proposed to be taken by Us to address, and where appropriate mitigate, any adverse effects of the Personal Data Breach. Where sent by email, any notice shall be deemed to be served 1 hour after transmission or, if not sent on a Business Day, at 9am on the next Business Day provided that no failure or other DNS message is received by Us.
• Contacting you. To provide any notification under Section 1, We will use the contact details for you that We have on record and that you provide in respect of your DPO contact below. You must ensure these are kept up-to-date.
• Contacting regulators and Data Subjects. Except where any DPL requires Us to do so, We will not inform any third-party of your involvement in any Personal Data Breach without first obtaining your prior written consent. The foregoing will not prevent, restrict or inhibit Our, Our Group’s and Sub-Processors ability to notify other customers and users of any affected Service of the Personal Data Breach, or complying with Our obligations under other applicable laws, provided that in each case We do not disclose your involvement.  We will assist you in relation to any breach notifications to Regulatory Authorities and Data Subjects as reasonably required as a result of a Personal Data Breach affecting your Content and/or your Smart Data.
• No admission. Any notification of a Personal Data Breach is not, and will not be construed as, acknowledgement by Us, a member of Our Group or any Sub-Processor of any fault or liability in respect of it.
• Our Data Protection Officer. Contact details and the name of Our Data Protection Officer can be found at egress.com/legal/your-rights.
• Unsuccessful Security Incidents. We will have no obligation to notify you under Section 1 or otherwise under this DPA, the MSA of any Unsuccessful Security Incident.
• Reporting Content of Concern. We will make available for reporting and notification of any content of concern brought to Our attention as soon as reasonably practicable.

Sub-processors

• Use of Sub-Processors. You agree that We may engage Our Group companies and the Sub-Processors to fulfil Our obligations under this DPA and/or, the MSA. Our up-to-date list of Sub-Processors is always set out at egress.com/subcontractors.
• Responsibility. We remain fully responsible for the acts, omissions, and defaults of the Sub-Processors as if they were Our own. We have in place contracts with each Sub-Processor that require them to protect Personal Data to the standard required by the DPLs.
• Changes to Sub-Processors. You can subscribe to notifications of changes to Sub-Processors on Our website. If you have done so, We shall endeavor to give email notice at least 30 days prior to any change to those Processing Personal Data within the Services. If you object to a change within 30 calendar days of the date of Our email for bona fide compliance or data security concerns, we will discuss commercially reasonably alternative solutions in good faith. If we cannot agree such alternatives within 30 calendar days of your written objection, you may as your sole and exclusive remedy in respect of changes to Sub-Processors, terminate the affected Service under the MSA through not less than 30 calendar days’ written notice and We will refund pro-rata any Fees paid in advance for the terminated Service for the remainder of its current Subscription Period after the effective date of termination.  If you do not object within the notice period, you will be deemed to accept the change. We may use a new or replacement Sub-Processor whilst the procedure in this Section is in process. Any termination under this Section shall be without fault of either party.
• Emergency replacement. We may replace a Sub-Processor without prior notice if the need for change is urgent and the reason for the change is beyond Our reasonable control. In such circumstances, We will make a notify you as soon as reasonably possible and you shall retain your right to object as set out in Section 2.

Data Subject Rights

• Respect. We respect the rights of a Data Subject provided for in the DPL. Details on how Data Subjects can exercise these rights are set out at egress.com/legal/your-rights.  If We receive a Data Subject request in respect of Personal Data in Content and/or Smart Data, We will notify you and in Our role as a Processor or sub-Processor confirm that their request relates to you and attempt to re-direct the Data Subject to exercise that right through you (and may provide your basic contact information to enable them to do this this).
• Assistance. Taking into account the nature of the Processing and Personal Data available to Us: (a) We will assist with any legally required data protection impact assessments and prior notifications that you are required to carry out under the DPLs by providing you with any publicly available documentation for the relevant Services; (b) where We hold Personal Data about a Data Subject that you are the Controller of, We will provide assistance in relation to Data Subject requests in so far as this is technically possible and where you do not have the ability to address the request without Our assistance (including access, erasure, objection and rectification requests). You are responsible for verifying that the requestor is the Data Subject whose information is being sought.  We bear no responsibility for information provided in good faith to you in reliance on this Section.  After a Data Subject’s Personal Data has been deleted from Our active systems, parts of it may continue to exist in back-ups and logs for a period of time until these are overwritten in the normal course of Our business and in accordance with Our documented data retention and destruction policies. You shall cover all reasonable costs incurred by Us in connection with Our provision of such assistance.

Audits

• Your right of audit. Following a written request and subject to the confidentiality obligations set out in the MSA, We will make the Audit Reports or a bridging letter available to you (provided that neither you nor your auditor are a competitor of Us or a company in Our Group). You may use the Audit Reports only for the purposes of meeting your audit obligations under DPL and/or confirming Our compliance with this DPA. Subject to Section 2, if you can, acting reasonably, provide evidence that this information is not sufficient in the circumstances to reasonably enable you to do so, you will be entitled to inspect and audit (or appoint representatives to inspect and audit) at your cost Our premises that relate directly to the Processing of Personal Data in Content and/or Smart Data (subject to all involved signing suitable confidentiality terms and complying with all applicable security, access and other site policies). The rights of audit granted under this paragraph do not extend to a right to audit any Sub-Processor or Sub-Processor premises.  We will co-operate and provide assistance at your cost (including the provision of any reports provided to Us by Sub-Processors where available and where We are permitted to disclose those to you). Audits may be conducted no more than once every 12 months (unless required by Regulatory Authority) whilst this DPA remains in force, during Our normal working hours, and shall be subject to: (a) a written request submitted to Us at least 30 calendar days in advance of the proposed audit date; (b) a detailed written audit plan reviewed and approved by Our security team.  Such audits will take place in the presence of a representative of Our security team or other person designated by Us. You will use reasonable endeavours to avoid causing (and to ensure that any of your representatives avoid causing) damage, injury or disruption to Our premises, Personnel and business whilst conducting an audit. Audits shall not be permitted to disrupt Our Processing activities or to compromise the security and confidentiality of Our Services and Processing pertaining to Our other customers and users.  You will provide a copy of your audit report to Us which shall be treated as Our Confidential Information.
• If your requested audit scope is addressed in the Audit Reports that were completed within the 12 months prior to your audit request and We confirm that there are no known material changes in the controls audited, you agree to accept the Audit Reports in lieu of requesting an audit of the controls covered by the relevant Audit Report(s).

Transfers of Personal Data

• Your use of the Services. Content and/or Smart Data will be hosted in the region agreed with you. You acknowledge that the Services are provided as a software-as-service and that Content and Smart Data may be accessed and Processed by you, your Group, Users and Recipients outside of that region or the country you or they are located in. 
• International Transfers – Privacy Framework. To the extent that We are self-certified or registered with a Privacy Framework that protects transfers of Personal Data under applicable DPL: (a) to the extent they would otherwise have been relied upon, the relevant SCCs shall not apply to any transfer of Personal Data in Content or Smart Data (including any, for example in support tickets) that is transferred between the relevant territories applicable under that Privacy Framework; (b) Our relevant Group company/ies certified or registered with that Privacy Framework agree(s): (i) to provide at least the same level of protection as is required by the relevant Privacy Framework Principles; (ii) to notify you if it/they make(s) a determination that it/they can no longer meet its/their obligation to provide the same level of protection as required by the relevant Privacy Framework Principles; and (iii) upon notice, to work with you to take reasonable and appropriate steps to stop and remediate any unauthorised Processing of Personal Data. In the event that a Privacy Framework is declared invalid or is not applicable to a relevant international transfer, any relevant SCCs shall apply to that transfer.
• International Transfers – SCCs. Subject to Section 2, the SCCs in Annex 4 or 5 will apply to any Personal Data in Content or Smart Data that is transferred through use of the Services and Support outside of the EEA and/or the UK, either directly or via onward transfer, to any country not recognized by the European Commission and/or the UK as providing an adequate level of protection for Personal Data (a Third Country). The following terms shall apply to the SCCs: (a) you may exercise your right of audit under clause 8.9 of the SCCs as set out in and subject to Section 9 of this DPA; and (b) We may appoint Sub-Processors as set out in, and subject to, Sections 7 and 10 of this DPA. Without prejudice to Section 11 of the MSA, if We as the data importer receive a legally binding request for access to Personal Data in Content and/or Smart Data by a public authority in the destination country, We will promptly notify you of such request by email to your DPO contact listed in Annex 1 to enable you as data exporter to seek relief from such disclosure (unless We are prohibited from providing such notice). If We are prohibited: (i) We will use Our commercially reasonable efforts to obtain the right to waive this prohibition in order to communicate with you; and (ii) if, having used Our commercially reasonable efforts, We remain prohibited from notifying you, We will where permitted by law make available to you and/or your competent supervisory authority on an annual basis general information on the requests We have received relating to your Personal Data in the previous 12-months; (b) not make any disclosures that are disproportionate, indiscriminate or in a manner that would go beyond what is necessary in a democratic society.
• Adequacy. In the event that a territory to which Personal Data in Content and/or Smart Data may be transferred in delivering the Services is deemed adequate in accordance with relevant DPL by the territory from which it is being exported, or another mechanism is provided that protects transfers of Personal Data, then Sections 2 and 10.3 shall not apply.
• Replacement SCCs. We reserve the right to amend the terms of this DPA by adding to, changing or replacing, SCCs to ensure continued compliance with applicable DPLs.  We may do this by providing a link to you, directly or through Our website, which enables you to sign such additional, replacement or alternative SCCs.
• Sharing. To operate Our Group effectively We use shared systems, resources and Sub-Processors. CRM Information, Threat Data and System Data may be transferred, shared and Processed between and by these parties which may involve it being transferred, stored or Processed outside the country where you or a User is located. We will ensure that any such transfer is subject to appropriate legal and technical safeguards.

General

• We reserve the right to transfer Our obligations, rights and permissions under this DPA and/or the MSA to any organisation to which We may transfer Our business or assets (including if We, or a relevant part of Us or Our assets, are proposed to be purchased or acquired by a third-party).
• This DPA shall remain in force until the earlier of: (i) the termination or expiry of the MSA; (ii) Us ceasing to Process Personal Data as a Processor on your behalf.
• Nothing in this DPA or elsewhere in the MSA shall limit, exclude, restrict or prohibit the ability of a Data Subject or Regulatory Authority to bring a claim, or take regulatory action, against either of us.
• If any part of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other terms shall remain in force. Any invalid, unenforceable or illegal term will be interpreted to give effect to the parties’ commercial intention.  If that is not possible, it will be severed but the rest shall remain in full force.
• Except where provided in the DPL and/or SCCs there are no third-party beneficiaries under this DPA.
• Our liability under or in connection with this DPA (including under the SCCs and Annexes to it) is subject to the limitations on liability contained in the MSA. Notwithstanding anything to the contrary in this DPA and/or the MSA, neither party shall be responsible for any DPL fines issued or levied against the other party by a regulatory authority or governmental body in connection with the other party’s violation of the DPL.
• This DPA and the MSA shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of the DPL. Both parties agree that this DPA shall be interpreted in favour of their intent to comply with the DPL and therefore any ambiguity shall be resolved in favour of a meaning that complies and is consistent with the DPL.
• This DPA together with the MSA and any documents referred to in each of them is the final, complete and exclusive agreement of the parties with respect to the subject matter of it and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
• Amendments to this DPA may not be made orally. This DPA may be amended by Us from time to time where necessary to comply with changes to applicable law or to reflect how Our Services operate (provided that We may not detract or diminish the protections afforded under the preceding version). Changes will be effective once posted on Our website. This Section shall not apply to any document or information referred to at a URL within the terms of this DPA which may be updated from time to time by Us.
• This DPA shall be governed by the governing law and jurisdiction as set out in the MSA EXCEPT in respect of any claim relating to an obligation or right under the SCCs where the terms of the relevant SCCs in respect of governing law shall control.

Annex 1A: Parties

The parties to this DPA are:

Annex 1B: Description of Processing and Transfer

Annex 1C: Data Protection Authorities

United Kingdom

Australia

European Union and European Economic Area

Annex 2: Technical and Organisational Measures

Physical access controls

• The Egress Software Technologies Group (the Group) leverages industry-leading data centre and cloud infrastructure providers. Access to all third-party data centres is strictly controlled by the Sub-Processor. All third-party data centres are equipped by the Sub-Processor with 24x7x365 surveillance and biometric access control systems. Additionally, all relevant third-party data centre Sub-Processors are SOC 2 Type II audited and/or ISO 27001 certified.
• Third-party data centres are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
• Within a region, data processing occurs across at least 2 availability zones offered by the relevant third-party Sub-Processor. Services are designed to withstand the failure of an availability zone without disruption.

System access controls

• Administrative access to the Group systems and Services follows the principle of least privilege. Administrative accounts are unique accounts, separate from standard user accounts. Access is regularly reviewed.
• Access to systems is based on job role and responsibilities. The Group uses unique usernames or identifiers which are not permitted to be shared or re-assigned to others. Access is regularly reviewed.
• Access to wired office corporate networks is restricted to managed devices. Guest Wi-Fi is available but has no access to the internal network.
• VPN and multi-factor authentication is used for access to all internal infrastructure.
• Network access control lists (ACLs) and security groups are used to limit traffic to and from internal and product infrastructure.
• Intrusion detection systems (IDS) are used to detect potential unauthorized access.
• Network protection has been deployed to mitigate the impact of distributed denial of service (DDoS) attacks.
• Employee onboarding and offboarding processes are documented and enforced consistently to ensure access is properly managed.

Data access controls

• The Group utilises a password management system that enforces minimum password length, complexity, history, and restricts re-use of passwords.
• Workstations and servers automatically lock after a period of inactivity. Systems log users out after a period of inactivity.
• Logs are centrally stored and indexed.
• Patch management process ensures systems are patched regularly.
• Regular monitoring, alerting, and vulnerability scanning is carried out.
• Antivirus software is utilized across endpoints and servers to ensure assets are protected against known viruses. This software is updated regularly.
• Firewall and logical network segregation are in place to prevent unwanted traffic.
• All resources are protected by NSGs and direct administrative access over the internet is prevented.

Data transmission controls

• Data is stored encrypted-at-rest through AES-256 encryption.
• Backups are encrypted in transit and at rest.
• Use of TLS 1.2 or higher is used to encrypt network traffic.
• The Group regularly utilises third-party penetration tests and vulnerability scanning to remediate discovered vulnerabilities.
• All non-public facing resources use private IP addresses where possible (note this is not possible on all Azure SaaS services).

Data input controls

• Systems are monitored for security events to ensure quick resolution.
• Logs can be tracked to individual logins and are kept in line with our retention policies.

Availability controls

• Systems infrastructure are monitored for security events to ensure quick resolution.
• Logs can be tracked to individual logins and are kept in line with our retention policies.

Law enforcement requests

We publish an external law enforcement request policy which reflects Our detailed internal policy documents. Given Our role as a Processor/sub-Processor in the delivery of the Services, and the context of those Services providing you with the ability to apply classification and encryption controls to your Content, Our law enforcement policy combined with those additional security measures provides any transferred Personal Data with a high degree of protection from access by destination country’s law enforcement and public authorities in a manner contrary to the protections afforded under relevant DPLs.

Data Residency

We provide customers with the ability to host Content and/or Smart Data in specific territories.  More details are available from Us on request.  You are reminded that no matter where your Content is stored, We do not control or limit the locations from which you, your Group and Users and recipients may access it and it is your responsibility to ensure that neither you, nor your Group or Users accesses or uses the Software, Services or Support in any country with data localization laws that would require your environment or Content and/or Smart Data to be hosted in that country.

Data minimisation, necessity and proportionality

We have no control over the Content transmitted to or from the Services by you, your Group and Users (including the volume, type and necessity of that Content).  You are responsible for ensuring that your use of the Services complies with these principles and for identifying and ensuring that you have a lawful basis for: (a) using the Services to send, share, store and receive Content and for the associated Processing by Us and Our Group in accordance with Your Instructions; and (b) transferring third-party email addresses to Us and Our Group to enable your, and your Group’s and Users’, use of the Services.

Classification, encryption and advice

You acknowledge that due to the nature of the Services, you and your Users are responsible for determining the level of protection afforded to Content transmitted by them through the Services through your Users use of the tools, advice and functionality provided by the Services (e.g. classification of Content, application of encryption, granting access and rights to Users and Recipients and response to prompts, alerts and guidance).

Annex 3: Sub-Processors

You authorise Us to engage Sub-Processors to fulfil Our obligations under the MSA and this DPA.  We set out the latest list of the Sub-Processors We engage at www.egress.com/legal/subcontractors (as amended from time to time).  We provide a mechanism for you to subscribe to notifications of changes to Sub-Processors at this URL and you are responsible for completing the relevant webform.  If you have subscribed to such notifications, We will provide details of any change in Sub-Processors in accordance with Section 7 of this DPA.

Annex 4:  UK to Third Country Transfers

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

In this Addendum, both you and Us are each a Party, and we are collectively the Parties.

Purpose and scope

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties for the purposes of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the terms shown above in Table 1 shall have the meanings described in Table 1.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Clause 10 of this Addendum will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that: (a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; (Clauses 9 to 10 of this Addendum override Clause 5 (Hierarchy) of the Addendum EU SCCs); and, (c) this Addendum (including the Addendum EU SCCs incorporated into it) is (i) governed by the laws of England and Wales; and, (ii) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Clause 12 of this Addendum, the provisions of Clause 15 of this Addendum will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Clause 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Clause 12) are made:

• references to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
• in Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
• Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
• Clause 8.8(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
• Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
• references to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
• references to Regulation (EU) 2018/1725 are removed;
• references to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
• Clause 13(a) and Part C of Annex I are not used;
• the “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
• in Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
• Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
• Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

Amendments to this Addendum

16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in the Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which: (a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or, (b) reflects changes to UK Data Protection Laws. The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Clause 17, if any Party selected in Table 1 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in: (a) its direct costs of performing its obligations under the Addendum; and/or, (b) its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third-party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Annex 5 – EU Commission Standard Contractual Clauses

Commission Implementing Decision (EU) 2021/914

The version of the approved EU SCCs is set out in the ANNEX to Commission Implementing Decision (EU) 2021/914 and are incorporated into this DPA by reference.