Vydia Data Processing Agreement

This Data Protection Addendum (“DPA”) forms part of the Terms & Conditions between Vydia, Inc. (“Vydia”) and you and the entity you represent, which you agree to this DPA on behalf of (“Client”) (the “Agreement”). The parties hereby agree that the terms and conditions set out below shall govern Vydia’s Processing of Client Personal Data in carrying out the objectives and responsibilities set forth in the Agreement (the “Services”). This DPA does not extend to the Processing of information, including the Processing of Personal Data, that is outside of the scope of the Services or the Agreement, or to the Client or Client Personal Data if neither is subject to Data Protection Laws. Except as modified herein, the terms of the Agreement shall remain in full force and effect. By agreeing to the Terms & Conditions, Client hereby agrees to the terms of this DPA.

1. Definitions.

For purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms used but not otherwise defined in this DPA will have the meaning given to them in the Agreement.

  • 1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with, either Client or Vydia respectively. “Control,” for purposes of this definition, means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
  • 1.2. “Client Personal Data” means only the Personal Data described in Section 2.1 which is Processed by Vydia, or by a Subprocessor, on behalf of Client.
  • 1.3. “Data Protection Laws” means, to the extent that they apply to the Client, the EU’s General Data Protection Regulation and any U.S. comprehensive state privacy law, such as the California Consumer Privacy Act, Colorado Privacy Act, or similar laws, as amended, replaced, or superseded from time to time.
  • 1.4. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
  • 1.5. “Deidentified Information” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.
  • 1.6. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
  • 1.7. “Security Incident” means any confirmed accidental, unauthorized, or unlawful disclosure of, or access to, Client Personal Data Processed by Vydia or any Subprocessor.
  • 1.8. “Process” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction.
  • 1.9. “Subprocessor” means a subcontractor engaged by Service Provider or its affiliates to Process Client Personal Data as part of the performance of the Services.

2. Processing of Client Personal Data.

  • 2.1. Details of the Processing of Client Personal Data pursuant to the Agreement are set forth below.
    • 2.1.1. The subject-matter of Processing of Client Personal Data by Vydia in the performance of the Services pursuant to the Agreement.
    • 2.1.2. The Client Personal Data processed concern the following categories of Data Subjects: Client employees, contractors and the creators that Client engages and their fans.
    • 2.1.3. The types of Client Personal Data shall be as is contemplated or related to the Processing described in the Agreement, including but not limited to Client contact’s name, email address, physical address, IP address, phone number, and payment information; as well as any applicable creators’ name, stage name, and/or royalty payment information.
  • 2.2. Vydia will only Process Client Personal Data for the purposes of providing the Services specified in the Agreement and only in accordance with Customer’s documented instructions, which may be specific instructions or standing instructions of general application in relation to the performance of Vydia’s obligations under this DPA, unless otherwise required under applicable Data Protection Laws to which Vydia is subject, in which case Vydia shall notify Customer prior to such Processing unless prohibited by law.
    • 2.2.1. Vydia understands, and will comply with, the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a service provider and/or processor;
    • 2.2.2. Client instructs Vydia to Process Personal Data to perform the Services and as described in this DPA and the Agreement. Vydia shall notify Client immediately if Vydia determines that it can no longer meet its obligations under applicable Data Protection Laws or if, in Vydia’s opinion, Client’s instructions infringe applicable Data Protection Laws;
    • 2.2.3. Vydia shall take reasonable steps to ensure that access to Client Personal Data is limited to those employees, agents, Affiliates, and Subprocessors who have a need to know or otherwise access Client Personal Data to enable Vydia to perform its obligations or responsibilities under this DPA and the Agreement, and who are bound in writing to protect the confidentiality of the Client Personal Data (the restrictions set forth in this section shall not restrict Vydia’s ability to Process Client Personal Data where required to do so by applicable laws to which Vydia is subject; provided, however, Vydia shall promptly notify Client of such legal requirement before Processing, unless such law prohibits such notification);
    • 2.2.4. Vydia shall Process Client Personal Data under the Agreement in compliance with applicable Data Protection Laws, including providing the same level of privacy protection required by applicable Data Protection Laws. Vydia will notify Client if Vydia determines it or its Subprocessor(s) cannot meet its obligations under applicable Data Protection Laws, in which case Client may, upon thirty (30) days’ notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Data.
    • 2.2.5. Notwithstanding any other provision in this Section, Vydia may internally use Client Personal Data to build or improve the quality of the Services it provides to Client.
  • 2.3. Vydia shall not:
    • 2.3.1. retain, use, or disclose Client Personal Data for any purpose other than for the limited and specified purpose of performing its responsibilities under the Agreement;
    • 2.3.2. share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means Client Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged;
    • 2.3.3. aggregate, anonymize, or otherwise deidentify Personal Data without the prior written authorization of Client except as needed to perform the Services. To the extent that it deidentifies Client Personal Data, Vydia will (i) take reasonable measures to ensure that the information cannot be associated with an individual, (ii) publicly commit to maintain and use the information in deidentified form and not to attempt to reidentify it, (iii) implement technical safeguards that prohibit reidentification, (iv) implement business processes that specifically prohibit reidentification, (v) implement business processes that prevent inadvertent release of deidentified information, (vi) make no attempt to reidentify the information, and (vii) contractually obligate any recipients of the deidentified information to comply with all provisions in this paragraph; or
    • 2.3.4. combine Client Personal Data with Personal Data Vydia receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to applicable Data Protection Laws.

3. Security.

Vydia represents and warrants that it shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32 of the GDPR, and shall ensure that all such safeguards comply with applicable Data Protection Laws. Such safeguards are further specified in Exhibit 1 attached to this DPA. In assessing the appropriate level of security, Vydia shall take into account the risks that are presented by Processing, including without limitation the risks of a Security Incident.

4. Security Incident.

  • 4.1. In the event of a Security Incident impacting Client Personal Data, Vydia shall notify Client without undue delay after becoming aware of a Security Incident and shall co-operate with Client and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of a Security Incident.

5. Subprocessors.

  • 5.1. Client authorizes Vydia and each Vydia Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Agreement and applicable Data Protection Laws, including the Standard Contractual Clauses and UK Addendum, if applicable.
  • 5.2. Vydia and each Vydia Affiliate may continue to use those Subprocessors already engaged by Vydia or any Vydia Affiliate as of the date of this DPA listed on the Subprocessor Page (defined below). Any changes to the current list of Subprocessors will be updated at [insert URL] (“Subprocessor Page”). If Client objects to an update of a Subprocessor listed on the Subprocessor Page, where practicable and at Vydia’s sole discretion, Vydia will use commercially reasonable efforts to: (a) work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Client in its objection and proceed to use the new Subprocessor.
  • 5.3. With respect to any Subprocessor, Vydia shall enter into a written agreement with each Subprocessor obligating the Subprocessor to comply with terms that are at least as restrictive as those imposed on Vydia under this DPA. Vydia shall remain fully liable to Client for the acts or omissions of its Subprocessors.

6. Data Subject Rights.

  • 6.1. Vydia will provide such assistance, including taking any appropriate technical and organizational measures, as Client requests to help Client fulfill its obligations under applicable Data Protection Laws to respond to Data Subject Requests.
  • 6.2. Notwithstanding its obligations under this Section, Vydia is not obligated to respond to a Data Subject Request directly from a Data Subject and does not otherwise assume any liability or responsibility for responding to Data Subject Requests.

7. Deletion or Return of Client Personal Data.

Vydia shall promptly destroy all copies of Client Personal Data in its possession, or in the possession of its Subprocessor (a) upon Client’s request, or (b) within ninety (90) calendar days of the effective date of termination. Notwithstanding the requirements in this paragraph, Vydia may retain Client Personal Data if required by applicable Data Protection Laws, but only to the extent and for such period as required by such legal requirement. Vydia shall notify Client in writing if it believes that such a legal requirement exists. If required by law to retain Client Personal Data, Vydia shall store the Client Personal Data solely on encrypted backup or archive locations, continue to safeguard such data in accordance with this DPA, and only Process such Client Personal Data as necessary for the purpose specified in the applicable Data Protection Laws requiring such storage.

8. Compliance and Audits.

  • 8.1. Upon Client’s request, Vydia shall provide such assistance as Client reasonably requires to ensure compliance with Client’s obligations under applicable Data Protection Laws, including, but not limited to, any data protection impact assessments and/or consultations with government authorities pursuant to applicable Data Protection Laws.
  • 8.2. Vydia shall make available to Client all information necessary to demonstrate Vydia’s compliance with this DPA, as well as any applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, by Client, or a third-party auditor mandated by Client, in order to assess Vydia’s compliance (collectively, “Audits”).
  • 8.3. Client may perform such Audits not more than once per year or more frequently if required by Data Protection Laws applicable to Client. Audits must be conducted off premises during regular business hours, subject to Vydia policies, and may not unreasonably interfere with Vydia business activities.
  • 8.4. Client must provide Vydia with any Audit reports or findings generated in connection with any Audit at no charge, unless prohibited by law. Client may use the Audit reports only for the purposes of meeting its Audit requirements under applicable Data Protection Laws and/or monitoring and confirming compliance with the requirements of this DPA. The Audit reports shall constitute confidential information of the parties.
  • 8.5. Nothing in this Section 8 shall require Vydia to breach any duties of confidentiality owed to any of its customers or employees.
  • 8.6. Under the following circumstances, Client agrees to accept those findings in lieu of requesting an Audit of the controls covered by the report: (a) the requested Audit scope is addressed in a similar Audit report performed by a qualified third-party auditor for Vydia within twelve (12) months of Client’s request, (b) if permitted by applicable Data Protection Laws, and (c) Vydia confirms there are no known material changes in the controls audited. All Audits are at Client’s sole cost and expense. Any request for Audit assistance requiring the use of resources different from or in addition to those required for provision of the Services will be considered an additional Service for which reasonable additional fees may be charged. Vydia reserves the right to require Client’s written agreement to pay for such fees before providing such Audit assistance.
  • 8.7. Information and Audit rights of the Client only arise under this Section 8 to the extent that the Agreement does not otherwise give the Client information and Audit rights meeting the relevant requirements of applicable Data Protection Law.

9. International Data Transfers.

  • 9.1. Vydia will not transfer (nor permit to be transferred) Client Personal Data to a third party or a location outside the territory from which the Client Personal Data originated without Client’s prior written consent. Insofar as the Agreement involves the transfer of Client Personal Data from a jurisdiction where applicable Data Protection Laws requires that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Vydia agrees to cooperate with Client to take appropriate steps to comply with applicable Data Protection Laws.
  • 9.2. If the Processing (including storage) of Client Personal Data involves the transfer of Client Personal Data from the European Economic Area (“EEA”) to a jurisdiction outside of the EEA where the transfer would be prohibited by applicable Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the European Commission, the parties agree that such transfer(s) will be carried out in accordance with and subject to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) as set out in Exhibit 2 attached to this DPA. To the extent there is any conflict between this DPA and the EU SCCs, the terms of the EU SCCs will prevail.
  • 9.3. If the Processing (including storage) of Client Personal Data involves the transfer of Client Personal Data from the United Kingdom (“UK”) to a jurisdiction outside of the UK where the transfer would be prohibited by applicable Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the UK Information Commissioner’s Office (“ICO”), the parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (“UK IDTA”) as set out in Exhibit 3 attached to this DPA. To the extent there is any conflict between this DPA and the UK IDTA, the terms of the UK IDTA will prevail.
  • 9.4. If the Processing (including storage) of Client Personal Data involves the transfer of Client Personal Data from Switzerland to a jurisdiction outside of Switzerland where the transfer would be prohibited by applicable Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), the parties agree that such transfer(s) will be carried out in accordance with and subject to the EU SCCs as amended by the Addendum to the EU SCCs attached hereto as Exhibit 4.
  • 9.5. Insofar as the Agreement involves the transfer of Client Personal Data from any other jurisdiction where applicable Data Protection Laws requires that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Vydia agrees to cooperate with Client to take appropriate steps to comply with applicable Data Protection Laws.

10. Liability.

The parties each represent and warrant to each other that they have read and understand the requirements of all applicable Data Protection Laws, and will be responsible for their own compliance with them.

  • 10.1. Vydia shall not have any liability to Client to the extent the basis of liability arises from failure by Client to obtain any necessary consents to collect, use, transfer, or otherwise Process Client Personal Data, or failure by Client to fully comply with the Agreement, this DPA, or applicable Data Protection Laws.
  • 10.2. Client represents and warrants that, if required, it has provided notice that the Client Personal Data is being Processed consistent with applicable Data Protection Laws.
  • 10.3. Each party agrees to indemnify, defend, and hold harmless the other party from and against any claims, demands, losses, liabilities, fines, penalties, costs, and expenses arising out of or relating to its own acts and omissions that do not comply with applicable Data Protection Laws. This duty to indemnify, defend, and hold harmless includes fines that may be imposed by a governing authority and any and all reasonable attorneys’ fees and court costs.
  • 10.4. Each party’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Agreement, to the extent permitted by law.

11. General Terms.

This DPA supersedes any prior data processing agreements, addenda, or similar terms between the parties. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. In the event of any conflict between the Agreement and this DPA, this DPA will govern. If any variation is required to this DPA as a result of a change in applicable Data Protection Laws, the parties agree to discuss and negotiate in good faith any necessary variation to this DPA. The obligations contained in this DPA, including the Exhibits, Attachments, and Appendices, shall not restrict Vydia in its rights and/or obligations to: (a) comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information or legal holds, or (b) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.


Exhibit 1

Description of Technical and Organizational Security Measures

Vydia will implement and maintain appropriate technical and organizational measures to meet its obligations under applicable Data Protection Laws. For example, Vydia will:

  • 1. inform all employees that Client Personal Data is confidential and subject to contractual and legal protections;
  • 2. instruct employees to access or display Client Personal Data only in secure locations and on secure devices;
  • 3. ensure employees implement the use of a Virtual Private Network (“VPN”), password management tool, and antivirus/anti-malware software on all Company-owned devices;
  • 4. require employees to undergo mandatory cyber security training on an annual basis;
  • 5. require multi-factor authorization and other account protection as available;
  • 6. utilize a firewall to protect our servers with threat-monitoring and continuous vulnerability tests on all cloud-based environments; and
  • 7. use reasonable technical and organizational measures to ensure that Client Personal Data is (i) encrypted when in transit and at rest in a manner designed to prevent access by third parties without appropriate credentials (including government agencies); and (ii) anonymized or pseudonymized where appropriate in light of the purposes of the relevant Processing activities.

Exhibit 2

Standard Contractual Clauses – Controller to Processor

The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The parties agree that the following terms apply:

  • 1. Clause 7: The parties have chosen to include Clause 7.
  • 2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 7 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
  • 3. Clause 11(a): The parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
  • 4. Clause 13(a): The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
  • 5. Clause 17: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights.
  • 6. Clause 18(b): The parties agree that those shall be the courts of the state in which the Exporter is established.
  • 7. ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

    A. LIST OF PARTIES

    Data exporter(s):

    Name: Refer to Signatories of the Agreement
    Address: Refer to Signatories of the Agreement
    Contact person’s name, position and contact details: Refer to Signatories of the Agreement
    Activities relevant to the data transferred under these Clauses: Provide personal information to Vydia to allow for the provision of Services.
    Signature and date: Refer to Signatories of the Agreement
    Role (controller/processor): Controller

    Data importer(s):

    Name: Vydia Inc.
    Address: 228 Park Ave S, Suite 19266
    New York, New York 10003-1502 USA
    Contact person’s name, position and contact details: Refer to Signatories of the Agreement
    Activities relevant to the data transferred under these Clauses: The provision of Services to Client
    Signature and date: Refer to Signatories of the Agreement
    Role (controller/processor): Processor

    B. DESCRIPTION OF TRANSFER

    Refer to Section 2.1 of the DPA.

    C. COMPETENT SUPERVISORY AUTHORITY

    The competent supervisory authority shall be the authority where the exporter is established.

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

A description of the technical and organisational measures implemented by the data importer(s) is set forth in Exhibit 1 of the DPA.


Exhibit 3

UK International Data Transfer Agreement

Part 1: Tables

Table 1: Parties and signatures

Start date: The Effective Date of the DPA

The Parties:
Exporter (who sends the Restricted Transfer)
Importer (who receives the Restricted Transfer)

Parties’ details:
Exporter: Refer to Signatories of the Agreement
Importer: Vydia Inc., 228 Park Ave S, Suite 19266, New York, New York 10003-1502 USA

Key Contact:
Exporter: Refer to Signatories of the Agreement
Importer: Refer to Signatories of the Agreement

Importer Data Subject Contact:
Exporter: Refer to Signatories of the Agreement
Importer: Refer to Signatories of the Agreement

Signatures confirming each party agrees to be bound by this IDTA:
Exporter: Refer to Signatories of the Agreement
Importer: Refer to Signatories of the Agreement

Table 2: Transfer Details
UK country’s law that governs the IDTA:

England and Wales

Northern Ireland

Scotland

Primary place for legal claims to be made by the Parties

England and Wales

Northern Ireland

Scotland

The status of the Exporter

In relation to the Processing of the Transferred Data:

Exporter is a Controller

Exporter is a Processor or Sub-Processor

The status of the Importer

In relation to the Processing of the Transferred Data:

Importer is a Controller

Importer is the Exporter’s Processor or Sub-Processor

Importer is not the Exporter’s Processor or Sub-Processor (and the Importer has been instructed by a Third Party Controller)

Whether UK GDPR applies to the Importer

UK GDPR applies to the Importer’s Processing of the Transferred Data

UK GDPR does not apply to the Importer’s Processing of the Transferred Data

Linked Agreement

If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data:

Name of agreement: Data Processing Addendum (the “DPA”)

Date of agreement: Refer to Signatories of the Agreement.

Parties to the agreement: Refer to Signatories of the Agreement.

Reference (if any): None.

Other agreements – any agreement(s) between the parties which set out additional obligations in relation to the Transferred Data, such as a data sharing agreement or service agreement:

Name of agreement: N/A

Date of agreement: N/A

Parties to the agreement: N/A

Reference (if any): N/A

If the Exporter is a Processor or Sub-Processor – the agreement(s) between the Exporter and the Party(s) which sets out the Exporter’s instructions for Processing the Transferred Data:

Name of agreement: N/A

Date of agreement: N/A

Parties to the agreement: N/A

Reference (if any): N/A

Term

The Importer may Process the Transferred Data for the following time period:

the period for which the Linked Agreement is in force

time period:

(only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.

Ending the IDTA before the end of the Term

the parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the parties agree in writing.

the parties can end the IDTA before the end of the Term by serving: X months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).

Ending the IDTA when the Approved IDTA changes

Which parties may end the IDTA as set out in Section 29.2:

Importer

Exporter

neither Party

Can the Importer make further transfers of the Transferred Data?

Which parties may end the IDTA as set out in Section 29.2:

The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

Specific restrictions when the Importer may transfer on the Transferred Data

The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:

if the Exporter tells it in writing that it may do so.

to: X

to the authorised receivers (or the categories of authorised receivers) set out in the DPA.

there are no specific restrictions.

Review Dates

First review date: Effective Date of the DPA

The parties must review the Security Requirements at least once:

each X month(s)

each quarter

each 6 months

each year

each X year(s)

each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment, to the extent that Importer is made aware of such changes; Importer will conduct a review at the time of contract renewal

Table 3: Transferred Data
Transferred Data

The personal data to be sent to the Importer under this IDTA consists of that data outlined in Section 2.1 of the DPA.

The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.

Special Categories of Personal Data and criminal convictions and offences

The Transferred Data includes data relating to that data outlined in Section 2.1 of the DPA.

The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.

Relevant Data Subjects

The Data Subjects of the Transferred Data are those data subjects outlined in Section 2.1 of the DPA.

The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.

Purpose

The Importer may Process the Transferred Data for the purposes set out in the DPA. The purposes will update automatically if the information is updated in the Linked Agreement referred to.

Table 4: Security Requirements
Security of Transmission

As set out in Exhibit 1 of the DPA.

Security of Storage

As set out in Exhibit 1 of the DPA.

Security of Processing

As set out in Exhibit 1 of the DPA.

Organisational security measures

As set out in Exhibit 1 of the DPA.

Technical security minimum requirements

As set out in Exhibit 1 of the DPA.

Updates to the Security Requirements

The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.

Part 2: Extra Protection Clauses

Extra Protection Clauses:

N/A

Part 3: Commercial Clauses

Commercial Clauses

Commercial Clauses are not used

Part 4: Mandatory Clauses

Mandatory Clauses

Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.


Exhibit 4

Addendum to the EU SCCs

In accordance with guidance issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC) titled “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” dated 27 August 2021, the parties hereby agree to adopt the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”) as adapted by this Addendum in order to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a of the Federal Act on Data Protection (“FADP”).

1. Selected SCCs, Modules and Selected Clauses

The version of the EU SCCs which this Addendum is appended to, detailed below:

  • Reference (if any): Module 2 of the EU SCCs as set forth in Exhibit 2 of the DPA.

2. Amendments to the EU SCCs

The following amendments are hereby made to the EU SCCs in order for the EU SCCs to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a FADP.

  • 2.1 Competent supervisory authority in Annex I.C under Clause 13: The competent supervisory authority shall be the FDPIC, insofar as the data transfer is governed by the FADP; and shall be the EU authority referenced in Annex I.C insofar as the data transfer is governed by the GDPR.
  • 2.2 Applicable law for contractual claims under Clause 17: Applicable law for contractual claims under Clause 17 shall be Swiss law or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the FADP; law of an EU member state for those according to the GDPR (free choice for Module 4).
  • 2.3 Place of jurisdiction for actions between the parties pursuant to Clause 18 b: Free choice for actions concerning data transfers pursuant to the FADP; court of an EU member state for actions concerning data transfers pursuant to the GDPR.
  • 2.4 Adjustments or additions concerning the place of jurisdiction for actions brought by data subjects: The term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
  • 2.5 Adjustments or additions regarding references to the GDPR: References to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP.
  • 2.6 Supplement until the entry into force of the revFADP: The EU SCCs shall also protect the data of legal entities until the entry into force of the revised FADP.