This EEA Data Protection Addendum (“EEA/UK Addendum”) sets forth additional terms governing the transfer of Personal Data by the Disclosing Party to the Receiving Party for the Processing Purposes further defined in Annex A and is applicable where the Disclosing Party is located within the EEA or where the transferred Personal Data is subject to the GDPR / due to its exterritorial effect under Art. 3 (2) GDPR / UK GDPR. This EEA/UK Addendum supplements and forms part of the Global Addendum.
“EU Restricted Transfer” means a transfer of Personal Data by Disclosing Party to the Receiving Party, in each case, where such transfer would be prohibited by GDPR and/or laws implementing or supplementing the GDPR in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses.
“EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority.
“GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament of the Council.
“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
“UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as amended or replaced from time to time by a competent authority.
“UK Restricted Transfer” means a transfer of Customer Personal Data by Customer or any Customer Affiliate to the Supplier or any Supplier Affiliate (or any onward transfer), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred Customer Personal Data provided by the UK Standard Contractual Clauses.
“UK Standard Contractual Clauses” means, as applicable, (i) the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (“UK Addendum”), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR; or (ii) the UK IDTA as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
Disclosing Party shall
Communicate to Receiving Party any rectification or erasure of personal data or restriction of Processing carried out in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR / UK GDPR unless this proves impossible or involves disproportionate effort.
Communicate to Receiving Party any withdrawal of consent (Art. 7 (3) GDPR / UK GDPR) in relation to Personal Data which has been disclosed to Receiving Party.
Ensure that Specific Consent as obtained for processing Sensitive Personal Data complies with the general consent requirements under GDPR / UK GDPR and constitutes explicit consent pursuant Art. 9 (2) (a) GDPR / UK GDPR.
Disclosing Party will
In respect of any EU Restricted Transfer, Disclosing Party (as “data exporter”) and Receiving Party (as “data importer”), with effect from the commencement of any relevant transfer, hereby enter into Module 1 of the EU Standard Contractual Clauses in respect of any transfer of Personal Data from Disclosing Party to Receiving Party and:
In respect of any UK Restricted Transfer, Disclosing Party (as “data exporter”) and Receiving Party (as “data importer”), hereby enter into the UK Standard Contractual Clauses in respect of any transfer from Disclosing Party to the Receiving Party with Module 1 of the EU Standard Contractual Clauses applying between Disclosing Party and Receiving Party. The provisions of Sections 3.1 (a), (b) and (f) of this EEA/UK Addendum shall apply to the UK Addendum.
The EU Standard Contractual Clauses made under Section 3.1 and the UK Standard Contractual Clauses made under Section 3.2 of this EEA/UK Addendum, shall come into effect on the commencement of the EU Restricted Transfer / UK Restricted Transfer to which the EU Standard Contractual Clauses / UK Standard Contractual Clauses relate.
See Attachment C to Order Form.
[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union/United Kingdom]
[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Categories of data subjects whose personal data is transferred
See Attachment B to Order Form.
Categories of personal data transferred
See Attachment B to Order Form.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
See Attachment B to Order Form.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
See Attachment B to Order Form.
Nature of the processing
See Order Form and Attachment B to Order Form as well as Annex A of the DPA.
Purpose(s) of the data transfer and further processing
See Order Form and Attachment B to Order Form as well as Annex A of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data will be retained for as long as necessary to fulfill obligations under the Agreement and/or as long as required for the Permitted Use.
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with its Art 3 (2) and has appointed a representative pursuant to Art. 27 (1) GDPR: The supervisory authority of the Member State in which the representative within the meaning of Art. 27 (1) GDPRis established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with its Art 3 (2) without however having to appoint a representative pursuant to Art. 27 (2) GDPR: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored shall act as competent supervisory authority.
Description of the technical and organisational measures implemented by the parties (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Semasio: See https://hellofyllo.com/datasecurity
Company: See Attachment C to Order Form.