Last Updated: May 10th 2023

This Data Protection Addendum ("Addendum") forms part of the Agreement ("Agreement") between GroupBy, Inc. ("GroupBy" or "Data Processor") and the Party identified as Data Controller in the Agreement ("Data Controller") and applies where, and to the extent that, GroupBy processes Personal Data on behalf of Data Controller when providing Services under the Agreement.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.

  1. Definitions
    1. In this Addendum, the following terms shall have the meanings set out below:
      1. "Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with another entity.
      2. "Applicable Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") and any data protection laws in any EU or EEA Member State including laws implementing such Regulation and (ii) the GDPR as incorporated into United Kingdom ("UK") law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 ("UK GDPR"); (iii) Federal Act on Data Protection of Switzerland ("FADP") and (iv) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. ("CCPA"), including as each may be replaced, revised or amended from time to time.
      3. "EEA" means the European Economic Area;
      4. "EU Standard Contractual Clauses" means the standard contractual clauses for the transfer of Personal Data, in accordance with Applicable Laws, to Controllers and Processors established in Third Countries, the approved version of which is in force at the date of signature of this Agreement that are in the European Commission's Decision 2021/914 of 4 June 2021 (referencing Module Two: Transfer Controller to Processor, and/or other modules as applicable), as such standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and as may be amended or replaced by the European Commission from time to time. The EU Standard Contractual Clauses also apply to cross-border transfers of Personal Data of Data Subjects located in Switzerland, as set forth herein;
      5. "Personal Data" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person (a "Data Subject"). Personal Data includes "Personal Information" as defined in Section 1798.140(o) of the CCPA;
      6. "Services" means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Agreement;
      7. "Subprocessor" means any person (including any third party and any Data Processor Affiliate, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor or any Data Processor Affiliate to Process Personal Data on behalf of any Data Controller in connection with the Agreement; and
      8. "UK Addendum" shall mean the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clause, attached hereto as Appendix 4.
    2. The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in Applicable Laws or the Agreement, and their cognate terms shall be construed accordingly.
  2. Processing of Personal Data
    1. Data Processor shall:
      1. comply with all Applicable Laws in the Processing of Personal Data;
      2. not Process Personal Data other than on the Data Controller's documented instructions unless Processing is required by Applicable Laws to which the Data Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the Processing of that Personal Data; and
      3. shall inform Data Controller if, in its reasonable opinion, an instruction infringes Applicable Laws.
    2. Data Controller:
      1. designates and instructs Data Processor (and authorises Data Processor to instruct each Subprocessor) to: Process Personal Data; and in particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement; and
      2. shall ensure that (i) all instructions to Data Processor with respect to the Processing of Personal Data are at all times in accordance with Applicable Laws; and (ii) all Personal Data provided to Data Processor has been collected in accordance with Applicable Laws and that Data Controller has all authorizations and/or consents necessary to provide such Personal Data to Data Processors.
    3. Appendix 1 to this Addendum provides a description of the Data Processor's Processing of the Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Applicable Laws).
    4. Appendix 5 to this Addendum provides a description of the Parties' obligations under the CCPA.
  3. Data Processor Personnel
    1. Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Data Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
  4. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    2. In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach. A description of Data Processor's security measures is set forth in Appendix 2.
  5. Subprocessing
    1. Data Controller provides general written authorization for Data Processor (and each Subprocessor) to appoint Subprocessors in accordance with this Section and any restrictions in the Agreement. A list of Data Processor's current Subprocessors is set forth in Appendix 3 of this Addendum. Any Sub-processor used must qualify as a service provider under the CCPA and Data Processor cannot make any disclosures to a Sub-processor that the CCPA would treat as a sale.
    2. Data Processor may continue to use those Subprocessors already engaged by Data Processor as at the date of this Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in this Section 5.
    3. Data Processor shall give Data Controller at least 15 days' prior written notice (where such notice shall be part of a general communication to Data Processor's customers) of the appointment of any new or replacement Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If Data Controller reasonably objects in writing to a new or replacement Subprocessor within 10 calendar days after receipt of such notice, and the parties cannot resolve Data Controller's reasonable objection within 14 calendar days after receipt of such objection, then Data Controller may terminate the Services impacted by the new or replacement Subprocessor on written notice to Data Processor without penalty and receive a pro-rata refund of any fees paid in advance.
    4. Data Processor shall ensure that each Subprocessor performs and shall be responsible for the obligations under this Addendum as they apply to Processing of Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.
  6. Inquiries and Data Subject Rights
    1. Taking into account the nature of the Processing, Data Processor shall assist Data Controller by implementing appropriate technical and organizational measures as set forth on Appendix 2, for the fulfilment of the Data Controller's obligations, as reasonably understood by Data Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
    2. Further, Data Processor shall:
      1. promptly notify Data Controller if it receives a request from a Data Subject under any Applicable Laws in respect of Personal Data; and
      2. ensure that it does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Data Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Data Processor responds to the request.
    3. Data Processor shall notify Data Controller without undue delay if a Supervisory Authority or other competent legal authority makes any inquiry or request for disclosure of Personal Data.
  7. Personal Data Breach
    1. Data Processor shall notify Data Controller without undue delay, but in no case more than forty-eight (48) hours, upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Data Controller, providing Data Controller with reasonably sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Laws. For avoidance of doubt, Data Processor's notice does not constitute an admission of fault by Data Processor or its Subprocessors for the Personal Data Breach.
    2. Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
  8. Data Protection Impact Assessment and Prior Consultation
    1. At Data Controller's expense, Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Data Processors.
  9. Deletion or Return of Personal Data
    1. Upon termination or expiration of the Agreement, at Data Controller's request, Data Processor will either promptly (i.e., in no more than 90 days) return or destroy the Personal Data in its possession or control. This requirement shall not apply to the extent Vendor is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Data Processor shall securely isolate and protect from any further Processing, except to the extent required by applicable law. Vendor shall extend the protections of the Agreement and this Addendum to such Personal Data and limit processing of such Personal Data to only those purposes required by applicable law, for so long as Data Processor retains the Personal Data.
  10. Audit rights
    1. Upon Data Controller's request, and provided that the parties have an applicable NDA in place, GroupBy will make available the certificates issued for the SOC 2 certification (or the certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to SOC 2) (the "SOC 2").
    2. At Data Controller's expense and with a written request no more than once per year, Data Processor shall make available to Data Controller information directly relating to compliance with this Addendum and Applicable Laws and shall allow for reasonable audits of such information by Data Controller, or an auditor appointed by Data Controller, within 30 days of receipt of such written request.
    3. Data Controller shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to the Data Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
    4. Data Processor need not give access to its premises for the purposes of such an audit or inspection: (a) to any individual unless he or she produces reasonable evidence of identity and authority; or (b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Data Controller or the relevant Data Controller Affiliate undertaking an audit has given notice to Data Processor that this is the case before attendance outside those hours begins.
    5. Taking into account the nature of the processing and the information available to GroupBy, GroupBy will assist Data Controller in complying with Data Controller's obligations in respect of data protection impact assessments and prior consultation, at Data Controller's expense and by providing the information GroupBy makes available under this Section 10.
  11. International Transfers
    1. To the extent Data Processor's processing of Personal Data includes Data Subjects in the EEA, UK and/or Switzerland, Data Controller and Data Processor acknowledge and agree that such Personal Data may be transferred to third countries, including countries that are not recognized by the European Commission, UK or Switzerland as providing an adequate level of protection for Personal Data. More specifically, Data Controller acknowledges and agrees that Personal Data may be transferred to Data Processor in the United States, which has not received an adequacy determination. Data Controller hereby consents to the transfer of Personal Data to Data Processor in the United States as set forth herein.
    2. If, in fulfilling its obligations under the Agreement or pursuant to other lawful instructions from Data Controller, Personal Data is to be transferred from the EEA to any country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, the parties agree to enter into and abide by the EU Standard Contractual Clauses, which are incorporated into this Addendum as follows:
      • Data Controller is the Data Exporter and Data Processor is the Data Importer;
      • Clause 7, the "Docking Clause (Optional)", shall be deemed incorporated;
      • In Clause 9, the parties choose Option 2, 'General Written Authorisation', with a time period of 15 days;
      • The optional wording in Clause 11 shall be deemed not incorporated;
      • In Clause 17, the Data Exporter and Data Importer agree that the EU Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland and choose Option 1 to this effect;
      • In Clause 18, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Republic of Ireland; and
      • Appendixes 1, 2 and 3 attached hereto serve as Annexes I, II and III of the EU Standard Contractual Clauses.
    3. If, in fulfilling its obligations under the Agreement or pursuant to other lawful instructions from Data Controller, Personal Data is to be transferred from Switzerland to any country that has not been recognized by the Swiss federal government or Swiss Federal Data Protection and Information Commissioner as providing an adequate level of protection for Personal Data, the parties agree to enter into and abide by the EU Standard Contractual Clauses (as implemented herein) as follows:
      • The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for the transfers exclusively subject to the FADP;
      • The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to the transfers;
      • References to Regulation (EU) 2018/1725 are removed;
      • References to the "Union", "EU" and "EU Member State" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses;
      • In Clause 17 and Clause 18, the governing law and forum shall be Switzerland;
      • Where the transfers are exclusively subject to the FADP, all references to the GDPR in the EU Standard Contractual Clauses are to be understood to be references to the FADP;
      • Where the transfers are subject to both the Swiss FADP and the GDPR, all references to the GDPR in the EU Standard Contractual Clauses are to be understood to be references to the FADP insofar as the transfers are subject to the FADP.
    4. If, in fulfilling its obligations under this Agreement or pursuant to other lawful instructions from Data Controller, Personal Data must be transferred from the United Kingdom to any country that has not been recognized by the UK Information Commissioner's Office, UK Parliament or UK Secretary of State as providing an adequate level of protection for Personal Data, the parties agree that the UK Addendum, attached hereto as Appendix 4, shall apply to such cross-border transfers.
    5. The parties further agree that if any of the EU Standard Contractual Clauses or the UK Addendum are updated, replaced or are no longer available for any reason, the parties will cooperate in good faith to implement updated or replacement EU Standard Contractual Clauses or UK Addendum, as appropriate, or identify an alternative mechanism(s) to authorize the contemplated cross-border transfers.
  12. General Terms
    Governing law and jurisdiction
    1. This Addendum will be governed by and construed in accordance with governing law set forth in the Agreement, unless required otherwise by Applicable Laws.
    2. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

APPENDIX 1
GDPR DETAILS OF PROCESSING OF PERSONAL DATA

  1. LIST OF PARTIES
    1. Data exporter(s):
      Name: Party identified as Data Controller in the Agreement.
      Address: The Data Controller address as provided in the Agreement.
      Contact Person's name, position and contact details: The Data Controller's contact information is provided in the Agreement.
      Activities relevant to the data transferred under the EU Standard Contractual Clauses: To receive the Services from the Data Processor as set forth in the Agreement and this Addendum.
      Where applicable, by signing below we agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses as of the effective date of this Data Processing Agreement.
      Signature and date: See the data exporter's signature on this Addendum.
      Role (controller/processor): Controller
    2. Data importer:
      Name: The GroupBy Affiliate listed on the Order Form entered into with Data Exporter
      Address: The address listed on the Order Form entered into with Data Exporter
      Contact Person's name, position and contact details: Data Processor's contact information is provided in the Agreement.
      Activities relevant to the data transferred under the EU Standard Contractual Clauses: To provide the Services to the Data Controller as set forth in the Agreement and this Addendum.
      Where applicable, by signing below we agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses as of the effective date of this Data Processing Agreement.
      Signature and date: See the data exporter's signature on this Addendum
      Role (controller/processor): Processor
  2. DESCRIPTION OF TRANSFER
    Categories of data subjects whose Personal Data is transferred:
    • Data Controller Representatives/Authorized Users
    • Controller customer data and website activity
    Categories of Personal Data transferred:
    • Hashed customer ID/visitor ID
    • Purchase history
    • Data Controller Representatives/Authorized Users: username, user email and password.
    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
    • None
    The frequency of the transfer
    • Continuous
    Nature and purpose of the processing
    • The nature and purpose of the processing is described in the Agreement. Data Processor will process the Personal Data to provide the Services and to comply with the terms of the Agreement and this Addendum.
    The period for which the personal data will be retained
    • The Personal Data will be retained so long as necessary to provide the Services and to comply with Applicable Laws.
    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
    • The subject matter and nature of transfers to sub-processors are to support Data Processor's provisioning of the Services. Duration of transfers is the same as the duration of the processing by Data Processor.
  3. COMPETENT SUPERVISORY AUTHORITY
    The competent supervisory authority is the Data Protection Commission of Ireland or the Federal Data Protection and Information Commissioner of Switzerland, as applicable.

APPENDIX 2
Technical and Organizational Measures

Data Processor will implement data protection by design and by default and data protection impact assessments under certain circumstances. In addition, Data Processor will maintain or ensure that it has implemented the following measures:
  • Policies or procedures requiring the incorporation of data protection mechanisms into the technical specifications of IT systems, networks, processing operations, and business practices.
  • Data protection impact assessments specifying the assessment information required by Article 35(7) of the GDPR.
  • Completed data protection impact assessments, audits, or other risk assessments which include:
    • identification of risks, including high-risk data processing;
    • risk mitigation plans;
    • identification of the lawful basis for processing Personal Data;
    • verification that data processing complies with Applicable Laws;
    • evidence that the organization integrated necessary safeguards into systems, networks, and processing operations;
    • evidence that the organization reviewed processing activities and risks considering changes to programs, systems, or processes; and
    • confirmation that Data Processor made updates after program, system, or process changes affecting data protection risk.
  • Documentation showing consultation with the relevant supervisory authority in the case of high-risk processing.
  • Documentation that the Data Controller sought the Data Protection Officer's advice during the data protection impact assessment process.
  • Evidence of regular security measure testing and an evaluation of those measures' effectiveness.
  • Detailed data privacy requirements for third parties that receive or access Personal Data such as Subprocessors, including contracts with third parties.
  • Undertake an analysis of the risks presented by Data Processor's Processing, and use this to assess the appropriate level of security it needs to put in place.
  • Have an information security policy (or equivalent) and take steps to make sure the policy is implemented. Where necessary, have additional policies and ensure that controls are in place to enforce them.
  • Ensure that Data Processor regularly reviews its information security policies and measures and, where necessary, improve them.
  • Understand that Data Processor may also need to put other technical measures in place depending on its circumstances and the type of personal data it processes.
  • Use encryption and/or pseudonymization where it is appropriate to do so.
  • Understand the requirements of confidentiality, integrity and availability for the Personal Data of Data Processor's processes.
  • Make sure that Data Processor can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
  • Conduct regular testing and reviews of measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
  • Where appropriate, implement measures that adhere to an approved code of conduct or certification mechanism.

APPENDIX 3
Subprocessors

GroupBy, Inc.
GroupBy USA, Inc.
GroupBy UK, Ltd.
Google LLC and its Affiliates
Google (Looker Services)
Google Cloud Canada Corporation and its Affiliates
Google Marketplace

APPENDIX 4
International Data Transfer Addendum to the EU Commission Standard Contractual Clause
VERSION B1.0, in force 21 March 2022

This International Data Transfer Addendum to the EU Commission Standard Contractual Clause (the "UK Addendum" or the "Addendum") forms part of the EU Standard Contractual Clauses in this Appendix 4 to this Data Processing Agreement (this "DPA").

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date: Effective Date of the DPA.
The Parties:
  Exporter (who sends the Restricted Transfer): As set forth on Appendix 1
  Importer (who receives the Restricted Transfer): As set forth on Appendix 1
Parties' details:
  Exporter:
    Full legal name: As set forth on Appendix 1
    Trading name (if different):
    Main address (if a company registered address): As set forth in the DPA
  Importer:
    Full legal name: As set forth on Appendix 1
    Trading name (if different):
    Main address (if a company registered address): As set forth in the DPA

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs
☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
  Module: 2
  Module in operation: X
  Clause 7 (Docking Clause): X
  Clause 11 (Option): No
  Clause 9a (Prior Authorisation or General Authorisation): General Authorization
  Clause 9a (Time period): 15 days
  Is personal data received from the Importer combined with personal data collected by the Exporter?: Yes

Table 3: Appendix Information – See Appendices 1-3 of the DPA

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19:
☒ Importer
☒ Exporter
☐ neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

  • Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
  • Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
  • Appendix Information: As set out in Table 3.
  • Appropriate Safeguards: The standard of protection over the personal data and of data subjects' rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
  • Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
  • Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • ICO: The Information Commissioner.
  • Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
  • UK: The United Kingdom of Great Britain and Northern Ireland.
  • UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
  • UK GDPR: As defined in section 3 of the Data Protection Act 2018.

This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties' obligation to provide the Appropriate Safeguards.

If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

  1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter's processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
  2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
  3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

  1. References to the "Clauses" means this Addendum, incorporating the Addendum EU SCCs;
  2. In Clause 2, delete the words:
    "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";
  3. Clause 6 (Description of the transfer(s)) is replaced with:
    "The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";
  4. Clause 8.7(i) of Module 1 is replaced with:
    "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";
  5. Clause 8.8(i) of Modules 2 and 3 is replaced with:
    "the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";
  6. References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
  7. References to Regulation (EU) 2018/1725 are removed;
  8. References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK";
  9. The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module one, is replaced with "Clause 11(c)(i)";
  10. Clause 13(a) and Part C of Annex I are not used;
  11. The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
  12. In Clause 16(e), subsection (i) is replaced with:
    "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";
  13. Clause 17 is replaced with:
    "These Clauses are governed by the laws of England and Wales.";
  14. Clause 18 is replaced with:
    "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and
  15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

From time to time, the ICO may issue a revised Approved Addendum which:

  1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
  2. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

  1. its direct costs of performing its obligations under the Addendum; and/or
  2. its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

APPENDIX 5
CCPA Additional Terms

In connection with the provision of Services, Data Controller will disclose Personal Information of California consumers or households to Data Processor, and Data Processor agrees to provide the services as a "service provider" as defined in CCPA Section 1798.140(v), as applicable.

In connection with the processing of Personal Information of California consumers or households by Data Processor as a Service Provider, the following terms apply:

  1. Data Processor acknowledges and agrees that Data Controller discloses Personal Data to Data Processor solely for: (i) a valid business purpose; and (ii) to perform the Services as set forth in the Agreement, this Addendum and further detailed on Schedule 3.
  2. Data Processor's processing of Personal Data shall, at all times, be done in compliance with the CCPA, the Agreement, and this Addendum. Data Processor is prohibited from: (a) selling or sharing Personal Data; (b) retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services to Data Controller; (c) retaining, using, disclosing, or otherwise processing the Personal Data outside of the direct business relationship between Data Processor and Data Controller; or (d) combining or updating Personal Data with personal information it obtains through other sources or directly from the consumer outside of the contract, except as permitted by Data Controller or otherwise allowed under the CCPA.
  3. The Data Controller will provide consumers with a CCPA-compliant notice at collection when it collects personal information directly from individuals. If the Data Controller requires the Data Processor to collect personal information directly from individuals on the Data Controller's behalf, the Data Controller will provide the Data Processor with a notice at collection that pertains to the Data Controller's CCPA notification requirements, to use for such purpose. The Data Processor will not modify or alter the notice in any way without the Data Controller's prior written consent. The Data Processor is not responsible if the Data Controller-provided notice at collection does not comply with the applicable requirements of the CCPA.
  4. If the CCPA permits, Data Processor may aggregate, deidentify, or anonymize personal information so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes. Data Processor will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.
    1. Data Processor will reasonably and promptly assist Data Controller with meeting the Data Controller's CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Data Processor's processing and the information available to the Data Processor.
    2. Data Processor must promptly comply with any Data Controller request or instruction requiring the Data Processor to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing, and communicate such request or instructions to Sub-processors or other downstream entities.
    3. Data Processor must notify Data Controller immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either party's compliance with the CCPA. Specifically, the Data Processor must notify the Data Controller within three (3) working days if it receives a verifiable consumer request under the CCPA.
  5. Data Controller may, upon providing reasonable notice to Data Processor, take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of Personal Data.
  6. Data Processor agrees to notify Data Controller in writing if it can no longer comply with the CCPA or its obligations under the Agreement or this Addendum.

NOTE:
If you wish to see our previous Data Processing Addendum document, we are temporarily keeping it here:
https://groupbyinc.com/compliance/data-processing-addendum-old.