Processor DPA
Last updated: 5 September 2024
The clauses of this Data Protection Agreement (DPA) are supplemental to and incorporated by reference into, the Marketing Purchase Agreement or any other agreement (the Agreement) between Expedia (us) and Partner (you) referencing or otherwise incorporating this DPA. Terms that are not defined in this DPA shall have the meaning given to them in the Agreement.
14.1 Definitions: For the purposes of this DPA, appropriate technical and organizational measures, controller, personal data, personal data breach, process/processing/processed, processor and supervisory authority (or reasonably equivalent terms) shall each have the meaning given to them in Applicable Data Protection Law, and:
- API End Customer Data means End Customer Data (other than Merchant of Record Data) submitted by you to the API that is processed by us;
- Applicable Data Protection Law(s) means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of End Customer Data;
- CBPR Country means a country that is a full or associate member of the CBPR System;
- CBPR Party means an organization that holds a current certification under the CBPR System;
- CBPR System means the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System;
- Current Audit Report means a current version of the PCI DSS attestation of compliance and the SSAE 16 Audit Report, or its industry standard successor, for our data center providers;
- DPF means the EU-U.S. Data Privacy Framework and/or Swiss-U.S Data Privacy Framework or any successor self-certification program operated by the U.S Department of Commerce and approved by the European Commission from time to time and which has not been invalidated (and in each case, includes the UK Extension to the EU-U.S. Data Privacy Framework and any other country extension to such framework that operates to extend the application of the EU-U.S. Data Privacy Framework to that country);
- End Customer Data means personal data of an End Customer processed pursuant to the Agreement;
- Merchant of Record Data means End Customer Data submitted to us under Schedule 2 (API) of the Agreement to process a booking payment on behalf of an End Customer as Merchant of Record;
- Permitted Purpose means in relation to Schedule 2 (API) of the Agreement, the purpose of (i) fulfilling Bookings; (ii) providing customer support for Bookings; (iii) using anonymized data to improve our services and user experience, including optimizing the booking experience for End Customers; (iv) generating reports for you, including commission statements and any further processing required for reconciliations, complaints handling and similar activities connected with servicing Schedule 2 (API) of the Agreement; (v) creating aggregated and anonymized reports for analytics, business intelligence and business reporting; (vi) fraud prevention; (vii) responding to law enforcement requests and tax audit requests; (viii) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); (ix) otherwise complying with our obligations under the Agreement, this DPA and/or applicable laws; and (x) for the determination, calculation, reporting of Travel Taxes and other applicable taxation purposes as may be required from time to time, and together these constitute the Permitted Purposes;
- Restricted Transfer Country means a country located in the European Economic Area, Switzerland, the United Kingdom and Brazil;
- Restricted Transfer Data means End Customer Data relating to a Booking made via a point of sale intended by us to be accessed by individuals in a Restricted Transfer Country;
- subprocessor means a third-party data processor engaged by us or any of our third-party data processors who has or will have access to or process the End Customer Data as a processor; and
- Standard Contractual Clauses/ SCCs means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found following this link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
14.2 Relationship of the parties
Any API End Customer Data processed by us in connection with the Agreement will be done in our capacity as processor on behalf of you, acting as controller.
14.3 Your responsibilities
You must in particular:
- satisfy a legal basis in order to make available the API End Customer Data provided by you to us to process for the Permitted Purposes;
- satisfy a legal basis to send any marketing communications to End Customers;
- cooperate with and provide reasonable assistance to us to assist us with our compliance with Applicable Data Protection Law in the course of our processing of API End Customer Data in connection with Schedule 2 (API) of the Agreement and this DPA; and
- display and comply with your lawful and up-to-date cookie notice (if required) and your privacy policy that discloses your data processing relationship with us on each Partner Website. We give no warranties or representations with regards to the adequacy, effectiveness or compliance with applicable laws of your cookies and/or privacy policy. You shall be solely responsible for ensuring that your cookies and/or privacy policy at all times complies with applicable law.
14.4 Our responsibilities
In our capacity as a processor under Schedule 2 (API) for API End Customer Data, we (and our Group Members, where applicable) shall:
- process API End Customer Data only on your written instructions and you hereby confirm that your documented instructions are for us to process API End Customer Data as required in connection with the Permitted Purposes and otherwise in accordance with the Agreement. We acknowledge and agree that we are not permitted to sell or share API End Customer Data as such terms are defined in Applicable Data Protection Law that prohibits such processing; and you and we further agree that the transfer of API End Customer Data in accordance with the Agreement does not constitute any such sale or sharing;
- we shall inform you if, in our opinion, an instruction infringes Applicable Data Protection Laws or if we are unable to meet our obligations under Applicable Data Protection Laws or the DPF;
- unless otherwise requested in writing by you, within 30 days of termination or expiry of the Agreement or, where applicable, Schedule 2 (API) of the Agreement, delete such API End Customer Data save that, in the event that we are unable to destroy the API End Customer Data (due to backup or legal reasons), we shall continue to extend indefinitely the protections of these requirements (until the time of such destruction) and immediately terminate any further processing of the API End Customer Data without your express prior written consent, except where and to the extent required by applicable law. Our obligations under these requirements to protect the security of End Customer Data shall survive termination of the Agreement or this DPA to the extent required to meet the obligations set out in this paragraph. If you require return of the API End Customer Data, you shall submit a request in writing before or concurrent with the expiry or termination of the Agreement and such End Customer Data shall be returned to you in an agreed format;
- ensure appropriate technical and organizational measures are in place to safeguard the API End Customer Data against a personal data breach;
- notify you without undue delay if we become aware of any personal data breach affecting API End Customer Data and shall provide you with reasonable information and cooperation so you can fulfil any data breach reporting obligations you may have under (and in accordance with the timescales required by) Applicable Data Protection Law;
- establish policies and procedures to provide all reasonable and prompt assistance to you in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any API End Customer Data processed by us;
- ensure that any person (including our staff, agents and sub-contractors) who is authorized to process the API End Customer Data is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and shall not permit any person to process the API End Customer Data who is not under such a duty of confidentiality;
- upon written request, provide you with a Current Audit Report. In addition, upon written request and no more than once a year (or exceptionally upon the occurrence of a personal data breach affecting API End Customer Data), we shall complete a questionnaire of reasonable length and in accordance with regulatory requirements, provided by you or a third party on your behalf regarding our compliance with this paragraph, provided that we shall not be required to disclose information that is reasonably considered confidential to our business;
- maintain a record of processing activities carried out on your behalf as required by Applicable Data Protection Law; and
- assist you at your cost to conduct data protection impact assessments to the extent such assessments are required by the Applicable Data Protection Law, and if necessary, consult with relevant supervisory authorities or equivalent under Applicable Data Protection Law.
14.5 If we consider any request by you for support or assistance under paragraph 14.4 to be excessive or unduly onerous, then we reserve the right to charge you for such support to a reasonable level.
14.6 Sub-processors
A list of sub-contractors who process API End Customer Data is listed at our sub-processor website (https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time) and you hereby confirm your approval of our existing sub-processors. This sub-processor list contains a mechanism for you to subscribe to notifications of any new sub-processors or changes to the sub-processor list. To receive updates or changes to this list, you shall subscribe using the mechanism provided. You agree that we may appoint third-party vendors or service providers as sub-processors of the API End Customer Data where we:
- conclude written contracts with such sub-processors which provide for data protection terms that are no less protective than the terms set out in this DPA; and
- remain fully liable to you for any breaches of this DPA that are caused by the acts, errors and omissions of our sub-processors.
14.7 Where you have reasonable data protection grounds to believe that a sub-processor appointed by us shall render us unable to fulfil our data protection obligations under this DPA you may, within seven (7) days of receipt of notice of their appointment, object to our appointment of such sub-processor, in which case we shall not allow that sub-processor to access the API End Customer Data until you have agreed to the appointment or replacement of the sub-processor or until you withdraw your objection.
14.8 Cross-border data transfers
You and we agree and acknowledge that in this clause 14.8, wherever the word ‘transfer’ is used, it includes access being provided by one controller/processor to another controller/processor and:
- General: neither we nor you shall (and shall not permit any sub-processor to) transfer API End Customer Data outside the territory of origination unless we take any required compliance measures to enable such transfer legally in accordance with Applicable Data Protection Law.
- Asia-Pacific Region and CBPR:
The Parties agree and acknowledge that:
- a CBPR Party is bound by a legally enforceable set of obligations to provide comparable protection to Applicable Data Protections Laws; and
- Expedia is a CBPR Party.
Where the Partner is also a CBPR Party, the provisions of this paragraph (b) will be construed to apply two-way.
Subject to paragraph (iii) below, the Parties agree that where:
- API End Customer Data is being transferred from one CBPR Country to another CBPR Country; and
- the data importer is a CBPR Party,
then, to the extent that and for so long as the CBPR System is a recognized method of transfer by a relevant supervisory authority and the CBPR Party holds a valid current certification that applies to the type of transfer in question, the CBPR System shall be the agreed mechanism for cross-border transfers of API End Customer Data to such CBPR Party.
- The CBPR System will only apply for transfers that involve at least one of the Parties being located in an Asia-Pacific Region country that is also a CBPR Country.
Where Expedia is making a transfer relying on its status as a CBPR Party, Expedia confirms that it will provide at least the same level of protection for the API End Customer Data as is required under the CBPR System; and it will promptly notify the other Party if it makes a determination that it can no longer provide this level of protection. In such event, or if the other Party otherwise reasonably believes that Expedia is not protecting the API End Customer Data to the standard required under the CBPR System, the other Party may either:
- instruct Expedia to take reasonable and appropriate steps to stop and remediate any unauthorized in which event the Parties will promptly cooperate in good faith to identify, agree and implement such steps;
- agree an alternate safeguard that may apply to the processing under Applicable Data Protection Law; or;
- if (A) and (B) fail to resolve the issue, terminate this DPA and the Agreement (or, at the other Party’s election, any affected portion thereof) without penalty by giving notice to Expedia.
If the other Party also holds a current valid CBPR System certification that applies to the transfer in question, then the above provisions will be deemed to be apply as if the obligations are two-way in respect of any such transfer.
DPF: You and we agree that in respect of transfers of Restricted Transfer Data between you and us to the United States or to a country which has not been deemed "adequate" under the Applicable Data Protection Laws of the originating Restricted Transfer Country:
- to the extent that and for so long as the DPF is a recognized method of transfer by a relevant authority, the DPF shall be the agreed mechanism for cross-border transfers of data originating from a Restricted Transfer Country to us in the United States; and
- to the extent that and for so long as the DPF is not a valid method of transfer (including for transfers of Restricted Transfer Data to a country which has not been deemed "adequate" under the Applicable Data Protection Law of the originating Restricted Transfer Country), the SCCs shall apply to such transfers and we will enter into them on the basis set out in paragraph (h) below.
Where you also hold a current DPF certification, transfers of Restricted Transfer Data to you can similarly be made under the DPF with SCCs as a fallback mechanism as set out above.
- With regards to the DPF, we agree that we will provide the same level of protection as required by the DPF. If you reasonably believe we are not protecting API End Customer Data to the standard required by the DPF, we may either:
- rely on the SCCs as set out in paragraph (h) below;
- if SCCs are not a viable or appropriate solution, take your instructions on reasonable and appropriate steps to stop and remediate any unauthorized processing, which we will in good faith implement using commercially reasonable efforts; or
- terminate this DPA and the Agreement without penalty.
- If you are certified under the DPF, you will comply with the Notice and Choice Principles of the DPF (as defined in the EU-U.S. DPF). For the avoidance of doubt, if you are not DPF certified or accessing or receiving the API End Customer Data in a country deemed ‘adequate’ by the DPF-certified European Commission, then the SCCs will be relied on for transfers of Restricted Transfer Data from us to you.
- You and we agree that we may each disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality
- Extension of SCCs to Non-Restricted Transfer Countries: In relation to transfers of API End Customer Data between you and us originating from a country that is not a Restricted Transfer Country but is otherwise subject to safeguards that, according to Applicable Data Protection Law, must be applied before a transfer can be made of that End Customer Data outside of the country of origin (each a Non-Restricted Transfer Country), then you and we agree that:
- the SCCs set out in paragraph (h) below shall be deemed to extend to such additional transfers to the extent that such deemed extension would satisfy the safeguards of that particular country; and/or
- where the measures set out in paragraph (h) below are insufficient or require supplementary measures, the parties agree to take such further measures, including, for example, execution of relevant documents, collection of consent, making of required filings, as may be required from to time in order to satisfy Applicable Data Protection Law.
SCCs. Subject to the paragraphs of clause 14.8 above, you and we hereby agree to enter into the SCCs on an unchanged basis save for the following selections:
- Where Partner is located inside the European Economic Area or otherwise in a country deemed “adequate” in accordance with Article 45 of the GDPR, (Adequate Country) Module two (2) (controller to processor) only of the SCCs will apply. Where Partner is located outside of the European Economic Area or an Adequate Country, Modules two (2) (controller to processor) and four (4) (processor to controller) only of the SCCs apply.
- For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The period of relevant period of days for prior notification of changes in sub-processors is seven (7) days.
- For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
- For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
- For the purposes of clause 17 of the SCCs, the governing law is Ireland.
- For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:
“Clause 19
UK GDPR and DPA 2018
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum."
A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:
“Clause 20
Swiss – FADP
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of Federal Act of Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FCPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”
A new clause 21 is added to the SCCs to cover transfers of personal data from Brazil to outside of Brazil as follows:
“Clause 21
Brazil – LGPD
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the Brazilian General Data Protection Law No. 13,709/18 (Lei Geral de Proteção de Dados) (LGPD) (referred to in this Clause as a Brazilian transfer). For the purposes of such Brazilian transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and Brazil’s National Data Protection Authority (ANPD) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Brazilian transfer as are deemed necessary by the ANPD to comply with the LGPD, and the Clauses shall be interpreted in accordance with the requirements for Brazilian transfers arising under those laws or as otherwise set out in guidance issued by the ANPD or other relevant Brazilian authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Brazilian transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the LGPD when engaging in Brazilian transfers.”
A new clause 22 is added to the SCCs to cover transfers of personal data from any other country not hitherto specified where the SCCs may be extended to ensure appropriate safeguards for transfers of personal data originating from that country to a party located outside of that country as follows:
“Clause 22
Other third country transfers
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the any other applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data (Applicable Data Protection Laws) requiring terms and protections broadly equivalent to these Clauses in order to transfer personal data from that country to another (referred to in this Clause as a Third Country transfer). For the purposes of such Third Country transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the data protection authority or regulatory body of that country shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Third Country transfer as are deemed necessary by such supervisory authority to comply with the Applicable Data Protection Law of that country, and the Clauses shall be interpreted in accordance with the requirements for Third Country transfers arising under those laws or as otherwise set out in guidance issued by the relevant supervisory authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Third Country transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the Applicable Data Protection Law(s) when engaging in Third Country transfers.”
- Annex I to this DPA (SCCs Processing Overview) constitutes Annex I of the SCCs. Unless the Partner has provided an alternative Annex II (Technical and Organizational Measures) which has been accepted as sufficient by Expedia for the purposes of the SCCs, Annex II to this DPA will apply to both Parties for the purposes of the SCCs to the extent Module four (4) applies, and references to Expedia Group will be deemed to generally apply to both the Expedia Group and the group of companies to which the Partner belongs. The Addendum to this DPA constitutes the UK Addendum for the purposes of the SCCs.
14.9 Additional obligations
- For the purpose of this section: “sale/sell” and “share” will have the meaning given to it in Applicable Data Protection Law in the United States.
- To the extent that API End Customer Data processed by us is within the scope of Applicable Data Protection Law of the United States, we will be deemed to be a “Service Provider” and references to processor in this DPA shall be construed accordingly for such purposes.
- We will not process any API End Customer Data outside of the direct business relationship between the Parties as outlined in the Agreement and this DPA. Additionally, we will not combine API End Customer Data we receive from or on behalf of you with any personal information we receive from another entity or that we collect from our own interactions with individuals, except where allowed under Applicable Data Protection Law.
- If we have access to de-identified API End Customer Data, we will publicly commit to maintain and only use such de-identified data in such form. We will not, and will allow any sub-processor to, re-identify any de-identified API End Customer Data unless so instructed in writing by you.
- For the purposes of Applicable Data Protection Law, we acknowledge and agree that we are not permitted to sell, share or rent the API End Customer Data. You and we agree that the transfer of any API End Customer Data in accordance with the Agreement or this DPA does not constitute a sale or sharing.
14.10-14.12– INTENTIONALLY LEFT BLANK.
14.13 PCI
You warrant and represent that you shall:
- only obtain, use, transmit and store End Customer cardholder data to the extent required to comply with your obligations under the Agreement and this DPA;
- where you obtain, use, transmit, store or process End Customer’s cardholder data, you shall comply with the PCI DSS as issued by the PCI Security Standards Council, as updated from time to time;
- provide us with a copy of your annual certification of compliance; and
- promptly notify us of any breach of the PCI DSS or any personal data breach affecting End Customer cardholder data.
14.14 We acknowledge that we are responsible for the security of cardholder data that we possess, store, process, or transmit and shall comply with the PCI DSS as issued by the PCI Security Standards Council, as updated from time to time. We shall provide you with a copy of our annual certificate of compliance upon request.
14.15 Notices
Any notices under this DPA will be deemed effective if delivered by email to the contact(s) provided by either Party to the other for these purposes in accordance with the notice provisions in the Agreement. In the case of Expedia, this will require an email being sent to the account/relationship manager from time to time and copied to the Expedia privacy mailbox provided from time to time.
ANNEX I – SCCs PROCESSING OVERVIEW
MODULE TWO: Controller to Processor (you to us)
A. LIST OF PARTIES
Data exporter(s):
Party | The party/ies identified as “you”, or Partner |
Address | As specified in the Agreement |
Contact name, position & contact details | Effective notice is deemed made when an email is sent to the account/relationship manager using the email address(es) provided to Expedia from time to time |
Activities relevant to data transferred | Bookings made via the API provided by us to you in accordance with the Agreement |
Role | Controller |
Data importer(s):
Party | The non-EU parties identified as “us” or “Expedia” and being relevant to the API that we make available to you under the Agreement |
Address | As specified in the Agreement |
Contact name, position and contact details | Effective notice is deemed made when an email is sent to both (1) Account/relationship manager; and (2) the Expedia privacy mailbox, in each case using email address(es) provided to Partner from time to time |
Activities relevant to the data transferred | Bookings made via the API provided by us to you in accordance with the Agreement |
Role | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subject | End Customers, employees, agents and suppliers |
Categories of personal data | End Customer Data including names, addresses, email addresses, passport numbers, payment card data, IP address (for fraud detection) |
Sensitive Data | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous or ad hoc basis in accordance with the needs of Partner’s business |
Nature of the processing | All processing operations required to facilitate purposes set out below |
Purpose(s) of the data transfer and further processing | Permitted Purposes, as defined in the DPA |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the retention policy of the Expedia Group, provided that to the extent that any End Customer Data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the Agreement |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs
IRISH DATA PROTECTION AUTHORITY
MODULE FOUR: Processor to Controller (us to you)
A. LIST OF PARTIES
Data exporter(s):
The Party/ies identified as Data Importers in Module 2 above. See Module 2 for further details. |
Data importer(s):
The Party/ies identified as Data Exporter(s) in Module 2 above. See Module 2 for further details. |
B. DESCRIPTION OF TRANSFER
| As per Module 2 |
| As per Module 2 |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the retention policy of Partner |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Not applicable |
C. COMPETENT SUPERVISORY AUTHORITY
As per Module 2.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures that apply to us/Expedia for the purposes of Module 1, Part 1 are set out below.
SUBJECT | MEASURE |
Measures of pseudonymisation and encryption of personal data |
|
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services |
|
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident |
|
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing |
|
Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage |
|
Measures for ensuring physical security of locations at which personal data are processed |
|
Measures for ensuring events logging |
|
Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products |
|
Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability |
|
Measures for allowing data portability and ensuring erasure |
|
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter |
|
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1 Tables
Table 1: Parties | ||
Start Date | The date of the Agreement incorporating the SCCs to which these are attached (Approved EU SCCs) | |
Parties Key Contact | Exporter: As per Approved EU SCCs
| Importer: As per Approved EU SCCs
|
Table 2: Selected SCCs, Modules and Selected Clauses | ||
Addendum EU SCCs | The version of the Approved EU SCCs to which this Addendum is appended | |
Table 3: Appendix Information | ||
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: | ||
Annex IA: List of Parties Annex 1B Description of Transfer Annex II: Technical and organizational measures | As per Approved EU SCCs | |
Table 4: Ending this Addendum when the Approved Addendum changes | ||
Which Parties may end this Addendum as set out in Section 19 | Neither Party |
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.