Data Transfer Addendum
Version 16.5.23 • Dec 28, 2023
Introduction
This Data Transfer Addendum (this “DTA”) between ID123 Inc. (the “Service Provider”) and the Client applies to any transfer of Personal Data subject to Data Protection Law to the Service Provider outside the EEA, Switzerland or the UK. Between the Service Provider and Client, this DTA shall be incorporated into the Master Service Agreement (“MSA”) and Data Processing Addendum (“DPA”) as applicable. The terms “personal data”, “data subject”, “processing”, “controller”, “processor”, “representative” and “supervisory authority” shall have the meanings given in the GDPR or UK GDPR, as applicable, in each case irrespective of whether Data Protection Law applies. In addition, other terms used in this DTA may be defined in those agreements.
1. Definitions
“International Data Transfer” means a processing activity whereby Personal Data which is processed in accordance with Data Protection Law is transferred to the Service Provider (or our premises) in a third country other than the EEA, UK, Switzerland or a country subject to an adequacy decision made by the European Commission or UK Secretary of State (as applicable) in accordance with the relevant provisions of applicable Data Protection Law.
“SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
“UK IDTA Addendum” means the Mandatory Clauses of Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
2. Controller to Controller Data Transfers
EEA / Swiss Data:
Where an International Data Transfer occurs where more than one party is acting as a Controller and a party shares Personal Data of EEA or Swiss data subjects with the Service Provider also as a Controller under the Data Sharing Addendum, then: (i) any International Data Transfers that occur of such data shall be governed by the Standard Contractual Clauses for Controller to Controller Transfers of Personal Data from the European Union (“EEA C2C SCCs”) or the Standard Contractual Clauses for Controller to Controller Transfers of Personal Data from Switzerland (“Swiss C2C SCCs”), which are incorporated into this Data Transfer Addendum; and (ii) Annexes I and II of those SCCs shall be completed with the information set out in Schedules 1 and 2 of the Data Processing Addendum and Data Sharing Addendum, respectively.
UK Data:
Where an International Data Transfer occurs for which more than one party is acting as a Controller and a party shares Personal Data of UK data subjects with the Service Provider also as a Controller under the Data Sharing Agreement, then any Data Transfers that occur of such data shall be governed by the EEA C2C SCCs incorporating the Schedules 1 and 2 of the Data Sharing Processing Addendum and the UK International Data Transfer Agreement (“UK IDTA Addendum”), which is incorporated into this Data Transfer Addendum.
In addition, these provisions are intended to comply with the General Data Protection Regulation (GDPR), the Swiss Federal Data Protection Act (FADP), and the UK Data Protection Act 2018, which regulate the transfer of personal data outside of the European Economic Area (EEA), Switzerland, and the United Kingdom (UK), respectively.
3. Controller to Processor Data Transfers
EEA / Swiss Data:
Where the Controller transfers Personal Data of EEA or Swiss data subjects to the Service Provider acting as a Processor under the Data Processing Addendum, any International Data Transfers of such data must comply with the EEA controller to processor SCCs, which are incorporated into this DTA with the following amendments: (i) the Processor must inform the Controller of any intended changes to the list of sub-processors by updating it online; and (ii) Annexes I and II of the EEA controller to processor SCCs must be completed with the information specified in Appendix 1 and 2 of the Data Processing Addendum, respectively.
UK Data:
Where the Controller transfers Personal Data of UK data subjects to the Service Provider acting as a Processor under the Data Processing Addendum, any International Data Transfers of such data must comply with the EEA controller to processor SCCs incorporating Appendix 1 and 2 of the Data Processing Addendum, and the UK IDTA Addendum.
Relevant laws that govern international data transfers include the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
4. Supplementary Measures
In respect of any International Data Transfers, the following supplementary measures shall apply:
(a) Processor represents and warrants that, at the time of the transfer, it has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the relevant Personal Data is being exported, for access to (or for copies of) Personal Data that has been transferred to Processor pursuant to this Agreement (“Government Agency Requests”); and
(b) if, during the term of this DTA, Processor receives any Government Agency Requests, it will (unless prohibited by Applicable Law from doing so) inform Controller in writing as soon as reasonably practicable and the parties shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this Agreement should be suspended in the light of such Government Agency Requests.
5. Further Assurance
(a) If Data Protection Law requires the execution of SCCs or UK IDTA Addendum for a specific transfer of Personal Data to the Processor as a separate agreement, the Processor shall promptly execute such SCCs or UK IDTA Addendum upon request, with any necessary amendments to reflect the applicable requirements of the relevant Data Protection Law.
(b) In the event that any of the means of legitimizing transfers of personal data outside of the EEA countries, Switzerland, or the UK referred to in this DTA cease to be valid, or any supervisory authority requires the suspension of transfers of Personal Data pursuant to those means, the Processor may amend or implement alternative arrangements for such transfers as required by the relevant Data Protection Law. The Processor will provide notice to the other party of the effective date of such changes.
6. Conflicts
If there is any conflict or inconsistency between any provision of this DTA and any other applicable agreement, the order of precedence shall be as follows: the UK IDTA Addendum and the relevant SCCs (as applicable), this DTA, the Data Processing Addendum (as applicable), and the MSA.
7. Changes
The Service Provider may update any part or all of the terms of the Addendum as needed to comply with Data Protection Legislation, and such updates will become effective and binding upon the renewal date of the next Product Subscription or upon written agreement of Client, whichever is sooner. If this Addendum is incorporated by reference as a web page URL, the updated version of the Addendum will be posted at the same URL and Client will be notified in writing. If this Addendum is incorporated as part of a commercial agreement executed by the Parties, the updated version of the Addendum will be shared with the Client for approval in writing. If the Client does not agree with an update, the Client shall notify the Service Provider in writing and the prior Addendum will remain in effect while the Parties work together in good faith to form a new mutually acceptable Data Transfer Addendum.