Data Processing Addendum
This Data Processing Addendum was last updated on June 27, 2024.
THIS DATA PROCESSING ADDENDUM (this “DPA”) supplements and is a part of the Master Services Agreement or other written or electronic agreement (in either case, the “Agreement”) for the purchase of services (identified in the Agreement as either “Services” or otherwise, and hereinafter defined as “Services”) entered into between Route App Inc. (“Route”, “we”, “us” and “our”), and the entity that has offered our services pursuant to the Agreement (“Merchant-Customer”, “you” and “your”). This English language version controls regardless of any translation.
- Defined Terms. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not defined herein have the meaning given to them in the Agreement.
- “Controller” or “Business” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
- “Consumer-Customer” means a customer of a Merchant that uses Route’s tracking and insurance services.
- “Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (“CPRA”) and any associated regulations and amendments, (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”).
- “Data Subject” means any natural person whose Personal Data is Processed in the context of this Addendum.
- “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Section 4 below and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN
- “Europe” means the member states of the European Union (“EU”), Switzerland, the United Kingdom (“UK”), the European Economic Area (“EEA”), the European Free Trade Agreement, and Monaco.
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws.
- “Processor” or “Service Provider” means the entity which Processes Personal Data on behalf of a Controller.
- “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Route.
- “Services” means the services provided to Merchant-Customer under the Agreement.
- Relationship of the Parties
- Merchant-Customer Personal Data. Pursuant to the Agreement, Route may collect certain data related to a Merchant’s end users (such as Merchant’s personnel) such as their name, email address and credentials to access the Services (“Merchant-Customer Personal Data”). Route acts as a Controller or Business (as applicable under Data Protection Laws) of such Merchant-Customer Personal Data.
- Consumer-Customer Personal Data. Merchant-Customers offer Route’s add-on tracking and insurance services (“Features”) to Consumer-Customers for the Merchant-Customer’s legitimate business purposes. Merchant-Customers determine what Personal Data to collect from Consumer-Customers in the course of offering the Features and are independent Controllers/Businesses of such Personal Data. Depending on the different ways in which you, and we, may interact with Consumer-Customers, our role with respect to Consumer-Customer Personal Data differs depending upon the circumstances. Route acts as:
- A Processor/Service Provider with respect to Consumer-Customer Personal Data that a Merchant-Customer stores in our systems relating to Consumer-Customers that did not affirmatively opt in to the Features (i.e., where Merchant-Customer automatically applies the Features to all orders);
- a Joint Controller/Business, along with you, when you store Consumer-Customer Personal Data in our systems from Consumer-Customers who affirmatively choose to enroll in the Features; and
- an Independent Controller/Business for Consumer-Customer Personal Data provided to us directly by Consumer-Customers (notwithstanding the nature of such Consumer-Customers’ interactions with you, if any), including but not limited to information provided to us by the Consumer-Customer’s use of our online and mobile resources (e.g. our mobile application).
- Route’s Obligations when Acting as a Processor or Service Provider.
- Obligations. Solely to the extent Route is acting as a Processor/Service Provider to Merchant-Customer with respect to Consumer-Customer Personal Data, Route will:
- Process Consumer-Customer Personal Data solely: (1) to fulfill its obligations to Merchant-Customer under the Agreement, including this Addendum, specifically to provide Consumer-Customers with updates regarding packages delivered by Merchant-Customers and to assist in processing claims made under the Agreement; (2) on Merchant-Customer’s behalf; and (3) in compliance with Data Protection Laws. Route will not “sell” Consumer-Customer Personal Data or “share” or Process Consumer-Customer Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Consumer-Customer Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Merchant-Customer.
- Not attempt to link, identify, or otherwise create a relationship between Consumer-Customer Personal Data and non-Personal Data or any other data without the express authorization of Merchant-Customer.
- Ensure that the persons it authorizes to Process Consumer-Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Taking into account the nature of the processing, assist Merchant-Customer by implementing appropriate technical and organizational measures to ensure that Merchant-Customer may respond to request(s) from their Consumer-Customers exercising their rights under Data Protection Laws.
- Promptly notify Merchant-Customer of (i) any third-party or Data Subject complaints regarding the Processing of Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider; (ii) its inability to comply with the CCPA or associated regulations; or (iii) any government or Data Subject requests for access to or information about Route’s Processing of Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider on Merchant-Customer’s behalf, unless prohibited by applicable Data Protection Laws. Route will provide Merchant-Customer with reasonable cooperation and assistance in relation to any such request. If Route is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Merchant-Customer, Route shall inform Merchant-Customer that it can no longer comply with Merchant-Customer’s instructions under this Addendum without providing more details and await Merchant-Customer’s further instructions.
- Provide reasonable assistance to and cooperation with Merchant-Customer for Merchant-Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Consumer-Customer Personal Data, when required by applicable Data Protection Laws, and at Merchant-Customer’s reasonable expense.
- Provide reasonable assistance to and cooperation with Merchant-Customer for Merchant-Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Consumer-Customer Personal Data, including complying with any obligation applicable to Route under Data Protection Laws to consult with a regulatory authority in relation to Route’s Processing or proposed Processing of Consumer-Customer Personal Data.
- Security Breach. Route will notify Merchant-Customer without undue delay of any known Security Breach of Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider on behalf of Merchant-Customer and will assist Merchant-Customer in Merchant-Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
- Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
- Providing Merchant-Customer with the following information, to the extent known:
- The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Merchant’s Consumer-Customer Personal Data records concerned.
- The likely consequences of the Security Breach; and
- Measures taken or proposed to be taken by Route to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Subprocessors. Solely to the extent Route is acting as a Processor/Service Provider to Merchant-Customer with respect to Consumer-Customer Personal Data:
- Merchant-Customer acknowledges and agrees that Route may use subprocessors to Process Consumer-Customer Personal Data in accordance with the provisions in this Addendum and Data Protection Laws. Where Route sub-contracts any of its rights or obligations concerning Consumer-Customer Personal Data, Route will take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Consumer-Customer Personal Data consistent with applicable Data Protection Laws.
- Route’s current list of subprocessors, and Merchant-Customer hereby consents to Route’s use of such subprocessors. Route will maintain an up-to-date list of its subprocessors, and it will provide Merchant-Customer with commercially reasonable prior notice of any new subprocessor added to the list. In the event Merchant-Customer has a commercially reasonable objection to a new subprocessor, Route will use reasonable efforts to make available to Merchant-Customer a change in the services or recommend a commercially reasonable change to, Merchant-Customer’s use of the services to avoid Processing of Consumer-Customer Personal Data by the objected-to subprocessor without unreasonably burdening the Merchant-Customer. Merchant-Customer may, in its sole discretion, terminate the Agreement in the event that Route is not able to provide a reasonable change to cure Merchant-Customer’s subprocessor objection.
- Audits. Route shall permit Merchant-Customer or its appointed third party auditors (the “Auditors”) to audit Route’s compliance with this Addendum, at Merchant-Customer’s sole expense, and shall make available to the Auditors all information systems and staff reasonably necessary for the Auditors to conduct such audit. Route acknowledges that the Auditors may enter its premises for the purposes of conducting its audit, provided that Merchant-Customer gives at least thirty (30) days’ prior notice of its intention to audit, conducts its audit during normal business hours and takes all reasonable measures to prevent unnecessary disruption to Route’s operations. Merchant-Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (1) required by instruction of a relevant regulator; or (2) following a Security Breach.
- Return or Destruction of Personal Data. When the Agreement terminates or when Route ceases to Process Consumer-Customer Personal Data as a Processor/Service Provider on behalf of Merchant-Customer, upon Merchant-Customer’s request, Route shall either delete or return all Consumer-Customer Personal Data that Route Processes as a Processor/Service Provider, unless Route is required or authorized by applicable Data Protection Law to store such Consumer-Customer Personal Data for a longer period.
- Liability. Notwithstanding anything to the contrary in the Agreement or this Addendum, Route will not be liable for any claim made by a Data Subject arising from or related to Route’s acts or omissions with respect to the Processing of Consumer-Customer Personal Data, to the extent that Route was acting in accordance with Merchant-Customer’s instructions.
- The Parties’ Obligations as Independent Controllers or Businesses. Where the Parties serve as Independent or Joint Controllers or Businesses under the Agreement, the Parties agree as follows:
- Cooperation. Each party will cooperate with the other party to fulfill compliance obligations under applicable Data Protection Law and enter into any further privacy, confidentiality, or information security agreement reasonably requested by the other party for purposes of compliance with applicable Data Protection Law. In case of any conflict between the Agreement and any such further privacy, confidentiality, or information security agreement, such further agreement shall prevail with regard to the Processing of Consumer-Customer Personal Data covered by it.
- Security Breach. Where the parties act as Joint Controllers, each party will promptly report to the other party any Security Breach related to Consumer-Customer Personal Data processed in connection with the Agreement and use diligent efforts to remedy such Security Breach in a timely manner. Except as prohibited by law, the content of any filings, communications, notices, press releases or reports related to any such Security Breach in connection with the Agreement must be prepared in cooperation with the other party before any such publication or communication.
- Cooperation. The parties agree to cooperate with one another in responding to requests from relevant supervisory authorities and in responding to Data Subject requests related to the Processing of Consumer-Customer Personal Data under the Agreement.
- Liability. Subject to the liability clauses in the Agreement and to the maximum extent permitted by applicable Data Protection Law, each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of applicable Data Protection Law with regard to Processing of Consumer-Customer Personal Data for which it is a Controller or Business. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. Merchant-Customer will indemnify Route for any damages or claims arising from a violation of Merchant-Customer’s obligations to comply with applicable Data Protection Law, in particular from a failure to provide notice to, and where required under applicable Data Protection Law obtain consent from, individuals as specified under Section 5(c) below.
- Merchant-Customer’s Obligations as a Data Controller. In addition to the obligations in Section 4, where Merchant-Customer serves as a Controller, Merchant-Customer hereby agrees to:
- only provide instructions to Route that are lawful;
- comply with and perform its obligations under applicable Data Protection Law, including with regard to Data Subject rights, data security and confidentiality, and ensuring an appropriate legal basis for the Processing of Consumer-Customer Personal Data; and
- provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) regarding Route’s and Merchant-Customer’s Processing of Consumer-Customer Personal Data for the purposes described in the Agreement and this Addendum.
- Data Security. Route will implement appropriate administrative, technical, physical, and organizational measures to protect Merchant-Customer Personal Data, as set forth in Appendix 1, Annex II.
- Data Transfers.
- Route will not engage in any cross-border Processing of Consumer-Customer Personal Data, or transmit, directly or indirectly, any Consumer-Customer Personal Data to any country outside of the country from which such Consumer-Customer Personal Data was collected, without complying with applicable Data Protection Laws. Where Route engages in an onward transfer of Consumer-Customer Personal Data, Route shall ensure that a lawful data transfer mechanism is in place prior to transferring Consumer-Customer Personal Data from one country to another.
- With respect to Consumer-Customer Personal Data transferred pursuant to applicable Data Protection Laws in Europe, and except as provided below in Sections 7(c) and 7(d), the Parties agree that:
- Where Route acts as a Controller of Consumer-Customer Personal Data, Module 1 of the EU SCCs applies;
- Where Route acts as a Processor of Consumer-Customer Personal Data, Module 2 of the EU SCCs applies;
- Clause 7 (the optional docking clause) is included;
- The optional language in Clause 11 (Redress) is not included;
- Under Clauses 17, 18, and 13(a), the Parties choose the laws of Ireland, the courts of Ireland, and the relevant supervisory authorities in Ireland to govern the Addendum for transfers; and
- Annex I(A), I(B), and II are completed as set forth in Appendix 1 to this Addendum.
- With respect to Consumer-Customer Personal Data transferred from the United Kingdom for which UK data protection law governs the international nature of the transfer, the EU SCCs shall be supplemented by the additional clauses found in Annex III hereunder.
- For transfers of Merchant-Customer Personal Data that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
APPENDIX 1
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Merchant-Customer, and Merchant-Customer’s details and signature shall be as provided in the Agreement.
Activities relevant to the data transferred under these Clauses: Collect consent and transfer User Data for purposes of Route providing Services under the Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Route, Inc.
Address: 1441 West Innovation Way, Suite 200, Lehi, Utah 84043
Contact person’s name, position and contact details: Larry Caughlan, Associate General Counsel, legal@route.com.
Activities relevant to the data transferred under these Clauses: Route will process personal data in accordance with the Addendum and the Agreement that governs Route’s insurance and tracking services for retail purchases. Processing may include collecting, storing, using, altering, and otherwise transferring personal data as required to provide the Services.
Role (controller/processor): Controller/Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Merchant-Customer’s end users of the Services (i.e., Merchant Customer’s personnel)
- Consumer-Customers
Categories of personal data transferred
- Identifiers, such as: phone number, first name, last name, physical address, email address, zip/postal code, device ID, order ID, transaction ID, items purchased, credentials
- Transaction information, such as: transaction amount, payment method, last 4 digits of a payment card number
- Internet or Network Activity, such as: login behaviour, behaviour transaction analyses, IP address
- Professional or Employment Related Data, such as: Merchant-Customer’s end-user contact information
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis per transactions reviewed, as per the Agreement.
Nature of the processing
Route is responsible for performing the services to Merchant-Customers as set forth in the Agreement, in particular providing package protection and tracking services for Merchant-Customers’ products.
Purpose(s) of the data transfer and further processing
N/A
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For Merchant-Customer Personal Data: The duration of the Agreement plus a reasonable period thereafter to ensure deletion of backup and archived copies.
For Consumer-Customer Personal Data: As long as reasonably required to provide the Services to Merchant-Customer, unless Consumer-Customer establishes an independent relationship with Route (in which case retention is governed by Route’s Privacy Policy)
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Subprocessors will be subject to the same nature and purposes of Processing as set out in this Addendum.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Irish Data Protection Authority
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Route has implemented and maintains reasonable and appropriate technical and organizational measures to protect the security, confidentiality, and availability of customer data. The security measures include access control, background checks, security training, perimeter defenses, business continuity and disaster recovery, logging and monitoring, vulnerability management, end-point protection, vendor oversight, and a risk management program. Route engages an independent audit firm to conduct an SSAE 18 SOC 2 audit that is renewed on an annual basis. For additional information, see Route’s information security whitepaper here.
Data importer shall implement and maintain appropriate technical and organizational measures that protect personal data in accordance with the Addendum, including but not limited to maintaining compliance with the SOC 2 security attestation standards with respect to the personal information it processes.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
ANNEX III
- Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
- International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This UK Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | The effective date of the Addendum. | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: Company. Main address (if a company registered address): As set forth in the Notices section of the Agreement. | Full legal name: Service Provider. Main address (if a company registered address): As set forth in the Notices section of the Agreement. |
Key Contact | Contact details including email: Company’s Signatory to the MSA. | Contact details including email: Route’s signatory to the MSA. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | [x] The version of the Approved EU SCCs which this UK Addendum is appended to, detailed below, including the Appendix Information: Date: The effective date of the Addendum. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:
Annex 1A: List of Parties: As set forth in Exhibit B, Annex I. |
Annex 1B: Description of Transfer: As set forth in Exhibit B, Annex I. |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set forth in Exhibit B, Annex II. |
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
Ending this UK Addendum when the Approved UK Addendum changes | Which Parties may end this UK Addendum as set out in Section 19: Exporter. |
Part 2: Mandatory Clauses
Entering into this UK Addendum
- Each Party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other Party also agreeing to be bound by this UK Addendum.
- Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this UK Addendum
- Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved UK Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Addendum | This International Data Transfer Addendum which is made up of this UK Addendum incorporating the Addendum EU SCCs. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
- This UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in the UK Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws applies.
- If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this UK Addendum has been entered into.
Hierarchy
- Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
- Where there is any inconsistency or conflict between the Approved UK Addendum and the UK Addendum EU SCCs (as applicable), the Approved UK Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum.
- Where this UK Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this UK Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
- This UK Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this UK Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
- Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
- No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
- The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- References to the “Clauses” means this UK Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this UK Addendum
- The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the Parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
- From time to time, the ICO may issue a revised Approved UK Addendum which:
- makes reasonable and proportionate changes to the Approved UK Addendum, including correcting errors in the Approved UK Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved UK Addendum will specify the start date from which the changes to the Approved UK Addendum are effective and whether the Parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified.
- If the ICO issues a revised Approved UK Addendum under Section 18, if any Party selected in Table 4 “Ending the UK Addendum when the Approved UK Addendum changes”, will as a direct result of the changes in the Approved UK Addendum have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under the UK Addendum; and/or
- its risk under the UK Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved UK Addendum.
- The Parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses:
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved UK Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |