DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Addendum”) is entered into as of the Addendum Effective Date by and between: (1) Century Games Pte. Ltd. (“Customer”); and (2) [PARTNER] (the “Business Partner”), hereinafter also referred to individually as a “Party” or jointly as the “Parties”.

Preamble

Company and Partner have entered into the business Agreement, involving the Processing of certain Personal Data (the “Agreement”).

The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

  1. Definitions
    • In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      • “Addendum Effective Date” means the effective date of the Agreement.
      • “Authorised Subprocessors” means (a) those Subprocessors set out in Annex 4 (Authorised Subprocessors); and (b) any additional Subprocessors consented to in writing by the Customer in accordance with section 1;
      • “Process/Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Special Categories of Personal Data” shall have the same meaning as in the Data Protection Laws;
      • “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder;
      • “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations as well as government-issued rules, guidelines, directives and requirements pertaining to the Processing of Personal Data under the Agreement currently in effect and as they become effective that may exist in any relevant jurisdiction, including, without limitation, security breach notification laws, Personal Data security laws and Personal Data disposal laws. For the avoidance of doubt, applicable Data Protection Laws include, but are not limited to, the GDPR and the CCPA;
      • “EEA” means the European Economic Area;
      • “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
      • “GDPR” means the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018), and any successor, replacement, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly;
      • “Customer Personal Data” means the data described in Annex 1 and any other Personal Data Processed by Business Partner or any Business Partner Affiliate on behalf of the Customer or any Affiliate pursuant to or in connection with the Agreement;
      • “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR;
      • “Services” means those services and activities to be supplied to or carried out pursuant to the Agreement.
      • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
      • “Subprocessor” means any Data Processor (including any third party and any Business Partner Affiliate) appointed by Business Partner to Process Customer Personal Data on behalf of the Customer or any Affiliate;
      • “Supervisory Authority” means an independent public authority responsible for the enforcement of applicable Data Protection Laws which is established pursuant to applicable Data Protection Laws;
      • “Transfer Solution(s)” means the SCCs and/or the UK Transfer Addendum, as applicable to the relevant Restricted Transfer;
      • “UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019);
      • “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
    • Unless otherwise defined in this Addendum, all capitalized terms in this Addendum shall have the meaning given to them in the Agreement.
  2. Data Processing Terms
    • In the course of providing the Services to the Customer pursuant to the Agreement, Business Partner may Process Customer Personal Data on behalf of the Customer or any Affiliate as per the terms of this Addendum. Business Partner agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for the Customer or any Affiliate to the Services or otherwise collected and Processed by or for the Customer or any Affiliate by Business Partner or any Business Partner Affiliate.
    • To the extent that Business Partner Processes Customer Personal Data protected by the CCPA, then the terms specified in Annex 5 (California Annex) to this Addendum shall apply in addition to the terms of this Addendum.
  3. Processing of the Customer Personal Data
    • Business Partner shall:
      • comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
      • not Process Customer Personal Data other than:
        • to the limited extent necessary for Business Partner to provide the Services, or on Customer’s other written instructions; or
        • as strictly required by applicable laws; provided that Business Partner shall inform Customer of any such Processing and of the relevant legal requirements requiring such Processing.
      • Where Business Partner receives an instruction from Customer that, in its reasonable opinion, infringes any applicable Data Protection Laws, Business Partner shall immediately inform Customer.
  4. Business Partner Personnel
    • Business Partner shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Customer Personal Data, as strictly necessary for the purposes set out in section 1 above in the context of that individual’s duties to Business Partner, ensuring that all such individuals:
      • are informed of the confidential nature of the Customer Personal Data and are aware of Business Partner’s obligations under this Addendum and the Agreement in relation to the Customer Personal Data;
      • have undertaken appropriate training in relation to the Data Protection Laws;
      • are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
      • are subject to user authentication and log‑on processes when accessing the Customer Personal Data.
  5. Security
    • Business Partner shall implement and maintain appropriate technical and organisational measures to ensure the privacy, integrity and availability of Customer Personal Data and the systems and technologies used for Processing Customer Personal Data, which shall be appropriate to protect Customer Personal Data from and against any accidental, unauthorized or unlawful destruction, loss, alteration, encryption, acquisition, disclosure or access, and such measures shall meet or exceed the minimum standards described in Annex 2 (Technical and Organisational Measures) (the “Security Measures”).
    • Business Partner warrants and represents on an ongoing basis that the Security Measures it applies currently, and further undertakes that at all relevant times any updated Security Measures shall, meet or exceed the standards required by applicable Data Protection Laws and now- or then-current good industry practice.
  6. Subprocessing
    • Customer generally authorises Business Partner to appoint Subprocessors subject to and in accordance with this Section 6 and any restrictions in the Agreement.
    • Business Partner may continue to use those Subprocessors already engaged by Business Partner as at the date on which this Addendum is executed (as listed in Annex 4 (Authorised Subprocessors)) (the “Sub Processor List”) subject to Business Partner meeting or having met the obligations set out in Section 6.4. Business Partner represents and warrants that the Sub Processor List is true, complete and accurate as at the date on which this Addendum is executed.
    • Business Partner shall give Customer prior written notice of the appointment of any proposed new Sub Processor at least [thirty (30) days] in advance of such appointment, including full details of the Processing to be undertaken by any proposed Subprocessor. If Customer does not object to Business Partner’s appointment of a proposed Subprocessor during the aforementioned period, Business Partner may commence use of that Subprocessor to Process Customer Personal Data. If Customer notifies Business Partner in writing of any objections (on reasonable grounds) to the proposed appointment within the aforementioned period:
      • Business Partner shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub Processor; and
      • where such a change cannot be made within [fourteen (14) days] from Business Partner’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may terminate the Agreement or that part of the Agreement requiring such Processing without penalty or liability (other than for fees due and owing to Business Partner for Services rendered prior to the effective date of such termination) on written notice to Business Partner, and Business Partner shall refund Customer any prepaid fees in respect of which Services have not been rendered.
    • With respect to each Subprocessor, Business Partner shall ensure that the arrangement between Business Partner and the Subprocessor is governed by a binding written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and accords with the requirements of applicable Data Protection Law.
    • Business Partner shall remain fully liable to the Customer for all acts, errors and omissions of any Subprocessor as if they were Business Partner’s acts, errors or omissions.
  7. Data Subject Rights
    • Business Partner shall promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data.
    • Business Partner shall co‑operate as requested by the Customer to enable the Customer to comply with any exercise of rights by a Data Subject under any Data Protection Laws in respect of Customer Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Customer Personal Data or this Addendum, which shall include:
      • the provision of all data requested by the Customer within any reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Customer Personal Data it holds in relation to a Data Subject;
      • where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the timescales prescribed by the Data Protection Laws; and
      • implementing any additional technical and organisational measures as may be reasonably required by the Customer to allow the Customer to respond effectively to relevant complaints, communications or requests.
  8. Personal Data Breach
    • Business Partner shall notify the Customer without undue delay (and, in any event, within twenty four (24) hours) upon becoming aware of or reasonably suspecting a Personal Data Breach providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
      • describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
      • communicate the name and contact details of Business Partner’s data protection officer or other relevant contact from whom more information may be obtained;
      • describe the likely consequences of the Personal Data Breach; and
      • describe the measures taken or proposed to be taken to address the Personal Data Breach.
    • Business Partner shall co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each Personal Data Breach.
    • In the event of a Personal Data Breach, Business Partner shall not inform any third party without first obtaining the Customer’s prior written consent, unless notification is required by applicable laws to which Business Partner is subject, in which case Business Partner shall to the extent permitted by such law inform the Customer of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Customer before notifying the Personal Data Breach.
  9. Data Protection Impact Assessment and Prior Consultation
    • Business Partner shall provide reasonable assistance to the Customer with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any supervisory authority of the Customer or any Affiliate which are required under Article 36 GDPR, in each case solely in relation to Processing of Customer Personal Data by Business Partner on behalf of the Customer and taking into account the nature of the Processing and information available to Business Partner.
  10. Deletion or return of Customer Personal Data
    • Subject to section 2, Business Partner shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of Processing of Customer Personal Data by Business Partner; or (ii) termination of the Agreement, at the choice of the Customer (such choice to be notified to Business Partner in writing) either:
      • return a complete copy of all Customer Personal Data to the Customer by secure file transfer in such format as notified by the Customer to the Business Partner and securely wipe all other copies of Customer Personal Data Processed by Business Partner or any Authorised Subprocessor; or
      • Securely Wipe all copies of Customer Personal Data Processed by Business Partner or any Authorised Subprocessor, and in each case provide written certification to the Customer that it has complied fully with this section 10.
      • Business Partner may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Business Partner shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Union or Member State law requiring its storage and for no other purpose.
  11. Audit rights
    • Business Partner shall make available to the Customer on request all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by the Customer or another auditor mandated by the Customer of any premises where the Processing of Customer Personal Data takes place. Business Partner shall permit the Customer or another auditor mandated by the Customer to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of this Addendum are being complied with.  Business Partner shall provide full co‑operation to the Customer in respect of any such audit and shall at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Addendum.  Business Partner shall immediately inform the Customer if, in its opinion, an instruction pursuant to this section 11 (Audit Rights) infringes the GDPR or other Data Protection Laws.
  12. International Transfers of Customer Personal Data

           EU Restricted Transfers

  • To the extent that any Processing of Personal Data under this Addendum involves an EU Restricted Transfer from Customer to Business Partner, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) populated in accordance with Part 1 of Annex 3; and (ii) entered into by the Parties and incorporated by reference into this Addendum.
  • The Parties acknowledge and agree that Customer is acting as the data exporter and Business Partner is acting as the data importer under this Addendum and for the purposes of the SCCs.

           UK Restricted Transfers

  • To the extent that any Processing of Personal Data under this Addendum involves a UK Restricted Transfer from Customer to Business Partner, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Annex 3; and (ii) entered into by the Parties and incorporated by reference into this Addendum.

           General Restricted Transfer Provisions

  • Customer may on notice vary this Addendum and replace the relevant Transfer Solution(s) with: (i) any new form of the relevant Transfer Solution(s) or any replacement therefor prepared and populated accordingly; or (ii) another transfer mechanism, other than the SCCs and/or UK Transfer Addendum, that enables the lawful transfer of Personal Data under this Addendum in compliance with Chapter V of the GDPR.
  • In respect of any given Restricted Transfer, if requested of either Party (“Requesting Party”) by a Supervisory Authority or Data Subject, on specific written request, the other Party shall provide Requesting Party with an executed version of the relevant Transfer Solution(s) responsive to the request made of Requesting Party for countersignature by Requesting Party, onward provision to the relevant requestor and/or storage to evidence Requesting Party’s compliance with the GDPR.
  • Where Business Partner is certified under a scheme (such as the EU–U.S. Data Privacy Framework and/or UK Extension to the EU–U.S. Data Privacy Framework (as applicable)) that benefits from an adequacy decision of the EU Commission and/or UK Government (as applicable), Business Partner can rely on such scheme and corresponding adequacy decision for transfers of Personal Data. In case Business Partner withdraws from such scheme or such scheme and/or respective adequacy decision is invalidated, Customer and Business Partner shall automatically be bound by the additional obligations of this Section 12 with respect to Restricted Transfer(s).
  13. Access to Personal Data by public authorities
    • To the extent permitted by applicable laws, each Party shall notify the other Party promptly in writing of any subpoena or other judicial or administrative order by a public authority or proceeding seeking access to or disclosure of Personal Data. Such notification shall, to the extent permitted by applicable laws, include details regarding the Data Subject concerned, Personal Data requested, the requesting authority, the legal basis for the request, and any responses provided.
    • Where Business Partner receives such request, Customer shall have the right to defend such legal challenge in lieu of and/or on behalf of Business Partner to the extent permitted by applicable laws. Customer may, if it so chooses, seek a protective order. Business Partner shall reasonably cooperate with Customer in such defence.
    • To the extent permitted by applicable laws, each Party shall not disclose the Personal Data requested until all reasonable challenges to the request have been exhausted and shall provide the minimum of information permissible when responding to an order to disclose the Personal Data.
    • Where the notifying Party is prohibited from satisfying Section 7.1 under applicable laws, the notifying Party shall use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Business Partner agrees to document its best efforts in order to be able to demonstrate them on request of Customer.
    • Where a Party becomes aware of any direct access by public authorities to Personal Data (including the reasonable suspicion thereof), this Party shall promptly notify the other Party with all information available, unless otherwise prohibited by applicable laws.
    • Business Partner represents and warrants that (i) Business Partner has not purposefully created backdoors or similar programming that could be used to access its systems or Personal Data, (ii) Business Partner has not purposefully created or changed its business processes in a manner that facilitates access to its systems or to Personal Data by public authorities and shall not voluntarily cooperate with public authorities in relation to the same, and (iii) no applicable law or government policy to which Business Partner is subject requires Business Partner to create or maintain backdoors or to facilitate access to Personal Data or systems or for Business Partner to be in possession of any corresponding encryption keys.
  14. Indemnity
    • Business Partner shall indemnify and hold harmless the Customer against all losses, fines and sanctions arising from any claim by a third party or Supervisory Authority arising from any breach of this Addendum.
  15. General Terms
    • Subject to section 2, the parties agree that this Addendum and the Standard Contractual Clauses shall terminate automatically upon termination of the Agreement or expiry or termination of all service contracts entered into by Business Partner with the Customer pursuant to the Agreement or when Business Partner ceases to Process Customer Personal Data, whichever is later.
    • Any obligation imposed on Business Partner under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum.
    • Any breach of this Addendum shall constitute a material breach of the Agreement.
    • With regard to the subject matter of this Addendum, in the event of inconsistencies between
      • the provisions of this Addendum and any other agreements between the parties, including but not limited to the Agreement, the provisions of this Addendum shall prevail, or
      • any Transfer Solution(s) entered and this Addendum and/or the Agreement, the Transfer Solution(s) (as applicable) shall prevail in respect of the Restricted Transfer to which they apply.
    • Compliance by Business Partner with the provisions of this Addendum will be at no additional cost to the Customer.
    • An Affiliate may enforce any term of this Addendum which is expressly or implicitly intended to benefit it.
    • The rights of the Parties to rescind or vary this Addendum are not subject to the consent of any other person.
    • Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  • ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR and the Transfer Solution(s).

Customer / ‘DATA EXPORTER’ DETAILS

Name: Century Games Pte. Ltd.
Address: As set out in the Agreement
Contact Details: As set out in the Agreement
Role: Controller (data exporter)

Business Partner / ‘DATA IMPORTER’ DETAILS

Name: As set out in the Agreement
Address: As set out in the Agreement
Contact Details: As set out in the Agreement
Role: Processor (data importer)

DETAILS OF PROCESSING

Categories of Data Subjects: End-users
Categories of Personal Data: Relevant Personal Data includes:
  • [Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description.]
  • [Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media identifiers/handles.]
  • [Authentication details – for example username, password or PIN code, security questions and other access protocols.]
  • [Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.]
Sensitive Categories of Data, and associated additional restrictions/safeguards: Categories of sensitive data: None. Additional safeguards for sensitive data: N/A
Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this Addendum.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and Addendum.
Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor List.
  • ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
  1. Security

The Business Partner shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • the pseudonymization and encryption of Personal Data;
  • measures designed to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services and deliverables under the Agreement;
  • the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing;
  • a process and procedures to monitor and log processing systems for unauthorized changes and other evidence the processing environment has been compromised.

The Business Partner shall document and monitor compliance with these measures. Technical and organizational measures are subject to technical progress and further development and the Business Partner may implement alternative adequate measures provided the Business Partner shall not decrease the overall security of the services and deliverables during the term of the Agreement.

The minimum security measures to be implemented by the Business Partner are as follows:
    • Encryption. The Business Partner shall use strong encryption methodologies to protect Customer Personal Data transferred over public networks and shall implement whole disk encryption for all Personal Data at rest and in transit.  The Business Partner will fully document and comply with industry best practice and Business Partner’s key management procedures for crypto keys used for the encryption of Customer Personal Data.
    • Storage. The Business Partner shall retain all Customer Personal Data in a physically and logically secure environment to protect from unauthorized access, modification, theft, misuse and destruction.  The Business Partner shall utilize platforms to host Customer Personal Data that are configured to conform to industry standard security requirements and will only use hardened platforms that are continuously monitored for unauthorized changes.
    • Antivirus; Firewall. The Business Partner shall utilize antivirus programs that are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every four (4) hours.  The Business Partner will implement firewalls designed to ensure that all outbound traffic to Customer and all inbound traffic to the supplier’s systems that host Customer data Systems are restricted to only what is necessary to ensure the proper functioning of the services and deliverables under the Agreement.  All other unnecessary ports and services will be blocked by firewall rules at the Business Partner network.
    • Vulnerability Management
      • Updates and Patches. With regards to the handling of Customer Personal Data, the Business Partner shall establish and maintain mechanisms for vulnerability and patch management that are designed to evaluate application, system, and network device vulnerabilities and apply Business Partner’s operating system and application like Web Servers, Database etc., and Business Partner’s-supplied security fixes and patches in a timely manner taking a risk-based approach for prioritizing critical patches. For critical, zero-day, patches will be applied within 30 days.
      • Data Loss Prevention. The Business Partner shall maintain a data loss prevention (“DLP”) or “extrusion prevention” solution to protect Customer Personal Data, and shall integrate the results of that activity with its program for audit logging and intrusion detection as described below.
      • Audit Logging; Intrusion Detection. The Business Partner shall collect and retain audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events, complying with applicable policies and regulations.  Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (“IDS”) tools shall be implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents.  Physical and logical user access to audit logs shall be restricted to authorized Business Partner Parties.
      • Information Risk Assessment. On an annual basis, the Business Partner shall cooperate with Customer, at Customer discretion, to perform formal risk assessments to determine the likelihood and impact of potential privacy and security risks to Customer Personal Data. The Business Partner shall conduct the audit annually in accordance with all applicable local laws, regulations and where applicable requirements for credit card and privacy (including without limitation PCI DSS) as well as industry common standards for information security. An audit report shall be provided to Customer within three (3) months upon the completion of every year’s Services by the Business Partner to Customer.
      • Physical Security. Where the Business Partner is Processing Customer Personal Data, such Customer Personal Data shall be housed in secure areas, physically protected from unauthorized access, with appropriate environmental and perimeter controls. The facilities shall be physically protected from unauthorized access, damage, theft and interference.
      • Disaster Recovery Management. The Business Partner shall provide documentation of its formal and secure disaster recovery plan, meeting a standard of industry best practice standards and redacted for proprietary and confidential information. The Business Partner shall share evidence with Customer that the Business Partner conducts regular testing of that plan on at least an annual basis, which impacts any Customer Systems and Customer Personal Data governed by the Agreement.
  • ANNEX 3: EU and UK Restricted Transfers
Notes: In the context of any Restricted Transfer, the SCCs and/or UK Transfer Addendum (as applicable) populated in accordance with this Annex 3 are incorporated by reference into and form an effective part of the Addendum.

Part 1: EU Restricted Transfers

  1. SIGNATURE OF THE SCCs:

Where the SCCs apply in accordance with Paragraph 12 to the Addendum each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

  2. MODULE TWO

Module TWO of the SCCs applies to any Restricted Transfer involving Processing of Personal Data in respect of which Customer is a Controller and data exporter, and Business Partner is a Processor and data importer.

  3. POPULATION OF THE BODY OF THE SCCs
    • The following applies as and where applicable to Module TWO and the Clauses thereof:
      • The optional ‘Docking Clause’ in Clause 7 is used and the language of the body of that Clause 7 is retained.
      • In Clause 9:
        • OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub‑Processors shall be the period specified in Section 6 of this Addendum; and
        • OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.
      • In Clause 11, the optional language is not used and is deleted.
      • In Clause 13, the following wording is retained “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.” and all other square brackets and all text therein is removed.
      • In Clause 17: OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
      • For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
    • In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.
  4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
    • Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 to the Addendum, with: Customer being ‘data exporter’; and Business Partner being ‘data importer’.
    • Annex II to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 2 to the Addendum.

Part 2: UK Restricted Transfers

  1. Where relevant in accordance with Paragraph 12 to the Addendum, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
    • Part 1 to the UK Transfer Addendum. The Parties agree:
      • Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 to the Addendum and the foregoing provisions of this Annex 3 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
      • Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Exporter’ being deemed to have been ticked.
    • Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
  2. As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
  3. In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the Addendum to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1 of this Part 2.
  • ANNEX 4: AUTHORISED SUBPROCESSORS

[Include here the list of Approved Subprocessors as at the Addendum Effective Date.]

Name of Subprocessor | Services performed / brief details of Processing activities | Category(ies) of Customer Personal Data concerned | Location of the Subprocessor | Addendum/SCC in place with Sub-processor (yes or no)
  • ANNEX 5: CALIFORNIA ANNEX
  1. Order of Precedence. To the extent that the terms in this Annex 5 (California Annex) conflict with the terms in the rest of the Addendum, the terms in this Annex 5 (California Annex) prevail. Furthermore, the parties hereby agree that the terms of this California Annex supersede and replace any respective obligations of the parties that relate to the Processing of Personal Data to the extent that such processing is subject to the CCPA.
  2. Definitions. CCPA and other capitalized terms not defined in this Annex 5 (California Annex) are defined in the Addendum.
    • “business purpose”, “commercial purposes”, “sell”, “service provider” and “share” have the meanings given in the CCPA.
    • The definition of “Data Subject” includes “consumer” and “household” as defined in the CCPA.
    • The definition of “Personal Data” includes “personal information” as defined in the CCPA.
    • The definition of “Controller” includes “business” as defined in the CCPA.
    • The definition of “Processor” includes “service provider” as defined in the CCPA.
  3. Obligations.
    • Customer is providing the Customer Personal Data to Business Partner under the Agreement for the limited and specific business purposes as described in Annex 1 (Details of Processing of Customer Personal Data) and otherwise performing under this Agreement.
    • Business Partner shall comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.
    • Business Partner acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 11 (Audit rights) of this Addendum to help to ensure that Business Partner’s use of Customer Personal Data is consistent with Customer’s obligations under the CCPA, (ii) receive from Business Partner notice and assistance under Section 7 (Data Subject Rights) of this Addendum regarding consumers’ requests to exercise rights under the CCPA and (iii) upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
    • Business Partner shall notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.
    • Business Partner shall not retain, use, or disclose Customer Personal Data: (i) for any purpose, including any commercial purposes, other than the business purposes described in Section 2.1 of this Annex 5 (California Annex) or (ii) outside of the direct business relationship between Business Partner and Customer, except, in either case, where and to the extent permitted by the CCPA.
    • Business Partner shall not sell or share Customer Personal Data.
    • Business Partner shall not combine Customer Personal Data with other personal information except to the extent the CCPA expressly permits a service provider to do so.