Jurisdiction Specific Terms
1. European Economic Area and Switzerland
1.1. Definitions
- “Applicable Data Protection Laws” (as used in the Addendum) includes the (i) EEA Data Protection Laws (as defined below) and (ii) Swiss Data protection Laws, as they may be amended from time to time.
- “Controller” (as used in the Addendum) includes “Controller of the Data File” as defined under the FADP.
- “Data Subject” (as used in the Addendum) includes the natural persons whose Sembi Personal Data is Processed.
- “EEA” (as used in this Section) means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
- “EEA Data Protection Laws” means the GDPR and all laws and regulations of the EEA (as defined below), applicable to the Processing of Sembi Personal Data.
- “EU 2021 Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “Sembi Personal Data” (as used in the Addendum) includes “Personal Data” as defined under the FADP.
- “Processing” (as used in the Addendum) includes “Processing” as defined under the FADP.
- “Restricted International Transfer of EEA Personal Data” (as used in this Section) means any transfer of Sembi Personal Data subject to the GDPR which is undergoing Processing or is intended for Processing after transfer to Third Country (as defined below) or an international organization in a Third Country (including data storage on foreign servers).
- “Restricted International Transfer of Swiss Personal Data” (as used in this Section) means any transfer of Sembi Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country (as defined below) or an international organization.
- “Standard Contractual Clauses” (as used in the Addendum) includes the EU 2021 Standard Contractual Clauses.
- “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”).
- “Third Country” (as used in this Section) means a country outside of the EEA or, if applicable, outside the Swiss Data Protection Laws.
1.2. With regard to any Restricted International Transfer of EEA or Swiss Personal Data from Sembi to Service Provider within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
- A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country or the international organization in question to which EEA Sembi Personal Data is to be transferred ensures an adequate level of data protection or the inclusion of the Third Country or the international organization in question in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Sembi Personal Data within the meaning of the FADP.
- Service Provider’s certification to any successor/replacement framework to the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to EEA Data Protection Laws or Swiss Data Protection Laws, as the case may be), provided that the Services are covered by such certification.
- The EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR).
- Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws or in Swiss Data Protection Laws, as the case may be.
1.3. EU 2021 Standard Contractual Clauses:
- The Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
- The content of EU 2021 Annex I and Annex II of the EU 2021 Standard Contractual Clauses is set forth in Exhibit A to the Addendum, and the contents of Annex III of the EU 2021 Standard Contractual Clauses, if applicable, is set out in Exhibit B to the Addendum.
- The text contained in Exhibit C to the Addendum supplements the EU 2021 Standard Contractual Clauses.
-
The Parties agree to apply the following modules:
- Module one of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Service Provider and acts as a Controller and the Data Importer is Sembi and acts as a Controller.
- Module two of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Sembi and acts as a Controller and the Data Importer is Service Provider and acts as a Processor.
- Module three of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Sembi and acts as a Processor and the Data Importer is Service Provider and acts as a sub-Processor.
- Module four of the EU 2021 Standard Contractual Clauses when, in accordance with Section 3.1 of the Addendum, the Data Exporter is Service Provider and acts as a Processor and the Data Importer is Sembi and acts as a Controller.
-
For the purposes of Annex I.A:
- The Parties have provided each other with the identity information contact details required under Annex I.A.
- The Parties’ controllership roles are set forth in Section 3.1 of the Addendum.
- The details of the Parties’ data protection officer and data protection representative in the EU are set forth in Exhibit A and Sections 19 and 20 of the Addendum.
- The activities relevant to Sembi Personal Data transferred under the EU 2021 Standard Contractual Clauses are set forth in Exhibit A to the Addendum.
-
Parties’ Choices under the EU 2021 Standard Contractual Clauses:
- For the purpose of Clause 7 of the EU 2021 Standard Contractual Clauses, the Parties choose not to include the optional docking clause.
- With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
- For the purpose of Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
- For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses, the competent supervisory authority is set forth in Exhibit A of the Addendum.
- With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the laws of the Republic of Ireland.
- With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts as an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.
- The term “member state” included in the EU 2021 Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU 2021 Standard Contractual Clauses.
- The EU 2021 Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.
1.4. In cases where the EU 2021 Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall prevail.
2. Brazil
2.1. Definitions
- "Applicable Data Protection Laws” (as used in the Addendum) includes “Brazilian Data Protection Laws” (as defined below).
- "Brazilian Data Protection Laws” (as used in this Section) includes the Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 (“LGPD”).
- “Controller” (as used in the Addendum) includes “Controlador” as defined under the LGPD.
- “Personal Data Breach” (as used in the Addendum) includes “Security Incident” as defined under the LGPD.
- “Processor” includes “Operador” as defined under the LGPD.
3. California
3.1. Definitions
- “Applicable Data Protection Laws” (as used in the Addendum) includes California Data Protection Laws, as they may be amended from time to time.
- “Business Purpose” (as used in this Section) shall have the meaning ascribed to it by California Data Protection Laws.
- “California Data Protection Laws” includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on 28 June 2018 (“CCPA”), and the California Consumer Privacy Act Regulations (“CCPA Regulations”), and the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the 3 November 2020, state-wide general election, amended, added to, and re-enacted the CCPA (“CPRA”).
- “Commercial Purpose” (as used in this Section) shall have the meaning ascribed to it in the CPRA.
- “Controller” (as used in the Addendum) includes “Business” as defined under the CPRA.
- “Data Subject” (as used in the Addendum) includes “Consumer” as defined under the CPRA.
- “Sembi Personal Data” (as used in the Addendum) includes “Personal Information” as defined under the CPRA.
- “Personal Data Breach” (as used in the Addendum) includes “Breach of the Security of the System” as defined under paragraph (g) of Section 1798.82. of the California Civil Code.
- “Processor” (as used in the Addendum) includes “Service Provider” as defined under the CCPA.
- “Sell” (as used in this Section) shall have the meaning ascribed to it in the CPRA.
- “Share” (as used in this Section) shall have the meaning ascribed to it in the CPRA.
3.2. Sembi discloses Sembi Personal Data to Service Provider solely for: (i) valid Business Purposes; and (ii) to enable Service Provider to perform the Services under the Agreement.
3.3. Service Provider shall not: (i) Sell or Share Sembi Personal Data; (ii) retain, use, or disclose Sembi Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by the California Data Protection Laws; nor (iii) retain, use, or disclose Sembi Personal Data except where permitted under the Agreement between Sembi and Service Provider. Service Provider certifies that it understands these restrictions and will comply with them.
4. Canada
4.1. Definitions
- “Applicable Data Protection Laws” (as used in the Addendum) includes Canadian Data Protection Laws.
- “Canadian Data Protection Laws” includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
- “Sembi Personal Data” (as used in the Addendum) includes “Personal Information” as defined under PIPEDA.
- “Personal Data Breach” (as used in the Addendum) includes “Breach of Security Safeguards” as defined under PIPEDA.
- “Subprocessor” (as used in the Addendum) includes “Third Party Organization” as defined under PIPEDA.
5. United Kingdom
5.1. Definitions
- “Applicable Data Protection Laws” (as used in the Addendum) includes UK Data Protection Laws (as defined below).
- “EU 2021 Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “Restricted International Transfer of UK Personal Data” (as used in this Section) means any transfer of Sembi Personal Data subject to the UK Data Protection Laws (as defined below) to a Third Country (as defined below) or an international organization (including data storage on foreign servers).
- “Standard Contractual Clauses” (as used in the Addendum) includes the EU 2021 Standard Contractual Clauses (as defined under Section 1.1(f) of these Jurisdiction Specific Terms).
- “Third Country” (as used in this Section) means a country outside of the United Kingdom (“UK”).
- “UK Data Protection Laws” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).
- “UK GDPR” (as used in this Section) means the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- “UK ICO” (as used in this Section) means the UK Information Commissioner's Office.
- “UK International Data Transfer Agreement” (as used in this Section) means the International Data Transfer Agreement issued by the UK ICO, Version A1.0, in force from 21 March 2022, as may be amended from time to time, available at ICO website at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.
- “UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO, Version B1.0, in force from 21 March 2022, as may be amended from time to time, available at ICO website at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
5.2. With regard to any Restricted International Transfer of UK Personal Data from Sembi to Service Provider within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
- A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR that provides that the Third Country or the international organization in question to which Sembi Personal Data is to be transferred ensures an adequate level of data protection.
- Service Provider’s certification to any successor/replacement framework to the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the UK GDPR, as the case may be), provided that the Services are covered by such certification.
- The EU 2021 Standard Contractual Clauses (as defined in Section 1.1(d) of these Jurisdiction Specific Terms) (insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Laws, and Data Importer is not directly subject to the UK GDPR on an extra-territorial basis) as they have been adopted for use by the relevant authorities within the UK, including the UK ICO, using the UK Transfer Addendum.
- The UK International Data Transfer Agreement.
- Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
5.3. EU 2021 Standard Contractual Clauses and UK Transfer Addendum:
- The Addendum hereby incorporates by reference any additional modifications and amendments required by the UK Transfer Addendum as they have been adapted for use by the relevant authorities within the UK to make the EU 2021 Standard Contractual Clauses applicable to Restricted International Transfers of UK Personal Data. The Parties are deemed to have accepted, executed, and signed the adapted EU 2021 Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
-
For purposes of the tables to the UK Transfer Addendum:
- Table 1: The content of Table 1 is set forth in Sections 19, 20, and 21 of the Addendum and Exhibit A thereto.
- Table 2: The content of Table 2 is set out in Section 6.3(c) of these Jurisdiction Specific Terms. The Parties agree that Modules two, three, and four are applicable. To the extent that Module four is applicable, the Parties confirm that Personal Data received from the Data Importer [is][is not] combined with personal data collected by the Data Exporter.
-
Table 3: The content of Table 3 (Annex 1(A), 1(B), II, and III) is set forth as follows:
(A) Annex 1(A): The content of Annex 1(A) is set forth in Sections 19, 20, and 21 of the Addendum and Exhibit Athereto.
(B) Annex 1(B): The content of Annex 1(B) is set forth in Section 3.3 of the Addendum and Exhibit A thereto.
(C) Annex II: The content of Annex II is set forth in Section 5 of the Addendum and Exhibit A thereto.
(D) Annex III: This is not required, as “General Written Authorization” has been selected under the EU 2021 Standard Contractual Clauses.
- Table 4: The Parties agree that neither party may terminate the UK Transfer Addendum.
-
Beyond that, the Parties incorporate and adopt the EU 2021 Standard Contractual Clauses as to Restricted International Transfers of UK Personal Data in exactly the same manner set forth in Section 1.3 of these Jurisdiction Specific Terms, with the following distinctions:
- For the purpose of Clause 7 of the EU 2021 Standard Contractual Clauses, the Parties choose not to include the optional docking clause.
- With respect to Clause 9 of the EU 2021 Standard Contractual Clauses, the Parties select the “Option 2 General Written Authorization” and the time period set forth in Section 6.3 of the Addendum.
- For the purpose of Clause 11 of the EU 2021 Standard Contractual Clauses, the Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
- For the purpose of Annex I.C and with respect to Clause 13 (when applicable) of the EU 2021 Standard Contractual Clauses, the competent authority shall be the UK ICO, insofar as the data transfer constitutes a Restricted International Transfer of UK Personal Data.
- With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, including the incorporated UK Transfer Addendum, the Parties select the laws of England and Wales.
- With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, including the incorporated UK Transfer Addendum, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses or the incorporated UK Transfer Addendum shall be resolved by the courts of England and Wales.
- The text contained in Exhibit C to the Addendum supplements the EU 2021 Standard Contractual Clauses.
- In cases where the EU 2021 Standard Contractual Clauses, in conjunction with the UK Transfer Addendum, apply and there is a conflict between the terms of this Addendum and the terms of the EU 2021 Standard Contractual Clauses or UK Transfer Addendum, the terms of the UK Transfer Addendum, and then the EU 2021 Standard Contractual Clauses shall prevail.
5.4. UK International Data Transfer Agreement:
- The Addendum hereby incorporates by reference the UK International Data Transfer Agreement. The Parties are deemed to have accepted, executed, and signed the UK International Data Transfer Agreement where necessary in its entirety.
-
For the purposes of the tables to the UK International Transfer Agreement:
- Table 1: The content of Table 1 is set forth in Sections 19, 20, and 21 of the Addendum and Exhibit A thereto.
-
Table 2:
- The UK International Transfer Agreement shall be governed by the laws of England and Wales.
- The Parties agree that any dispute arising from the UK International Transfer Agreement shall be resolved by the courts of England and Wales.
- The Parties’ controllership roles and data transfer roles are set out in Section 3.1 of the Addendum.
- The UK GDPR applies to the Data Importer’s Processing of the Personal Data.
- These Jurisdiction Specific Terms and the Addendum set out the instructions for Processing Personal Data.
- The Data Importer shall Process Personal Data for the time period set out in Exhibit A of the Addendum. The Parties agree that neither Party may terminate the UK International Transfer Agreement before the end of such time period.
- The Data Importer may only transfer Personal Data to authorized Subprocessors (if applicable), as set out within Section 6 of the Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement.
- Each Party must review the Addendum (including Exhibit A and its appendices) each time there is a change to the transferred data, purposes, importer information, TRA or risk assessment.
- Table 3: The content of Table 3 is set forth in Exhibit A of the Addendum and may be updated in accordance with Section 3.3 of the Addendum.
- Table 4: The content of Table 4 is set forth in Exhibit A of the Addendum and may be updated in accordance with Section 3.3 of the Addendum.
- Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK International Transfer Agreement are noted throughout the Addendum.
- The text contained in Exhibit C to this Addendum supplements the UK International Transfer Agreement.
- In cases where the UK International Transfer Agreement applies and there is a conflict between the terms of the Addendum and the terms of the UK International Transfer Agreement, the terms of the UK International Transfer Agreement shall prevail.
Jurisdiction Specific Terms to the Sembi Group Data Processing Addendum – Service Providers v.110424