Mews Data Processing Addendum
Version: 3.2, Effective date: 1 July 2022
This Addendum forms an integral part of the cooperation agreement, Master Terms and Conditions available at https://www.mews.com/en/terms-conditions/master (“Master Terms and Conditions”) or any other agreement (Master Terms and Conditions or any such other agreement hereinafter referred to also as the “Agreement”) concluded between Mews' Affiliate as defined in the respective Agreement (“Mews”) and you (“Partner”). This Addendum supplements the terms of the Agreement concluded between Mews and Partner; whereas in case of any conflicting terms between Agreement and this Addendum, this Addendum shall prevail unless the Parties explicitly agree in writing on specific derogations from this Addendum in the Agreement.
For the purposes of this Addendum, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or Master Terms and Conditions.
“Affiliate(s)” means with respect to an entity, the “Affiliate” is any other entity directly or indirectly controlling, controlled by, or under direct or indirect common control by the initial entity. An entity controls another entity if such entity, directly or indirectly, either owns (i) 20% or more of the shares having ordinary voting rights for the election of directors of such entity; or (ii) the power to direct or cause the direction of management or policies of the other entity, whether through the ownership of voting securities, by contract, or otherwise.
“Authorised User” means a person authorised by Partner to have access to Mews Platform and/or Mews Account and to provide instructions to and receive communication from Mews, notwithstanding whether via Mews Platform, Mews Account, via e-mail or otherwise.
“Controller” means a person or entity that determines the purposes and means of the Processing of Personal Data.
“Data Protection Legislation” means EU Data Protection Laws, UK Data Protection Laws, CCPA and/or any other applicable data privacy legislation of the country of registration of Mews Affiliate as defined in the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Data Protection Laws” means the GDPR and the EU e-Privacy Directive (Directive 2002/58/EC).
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to (i) an identified or identifiable natural person and/or, (ii) an identified or identifiable legal entity (where such information is protected by Data Protection Legislation similarly to data which identifies a living individual); which, for the purpose of this Addendum, shall include personal data of Guests ie. data contained in the contact forms, contact and identification information, including name, title, email, and address, ID and/or passport numbers, payment details, Guests’ preferences, and Partner’s services details and limited connection and location data (city). Personal Data do not contain any special data categories.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; for the avoidance of doubts, the processing of other information than Personal Data (e.g. anonymised data) for the purpose of enhancing the Mews services does not fall under the scope of this Addendum.
“Processor” or “Sub-processor” means a person or entity that Processes Personal Data on behalf of a Controller and/or Processor, as applicable.
“Services” for the purpose of this Addendum means the services provided by Mews to the Partner pursuant to the Agreement.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.
“Supervisory Authority” means an independent public authority which is established by an EU Member State or other country pursuant to the GDPR or a corresponding law.
“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
“UK GDPR” means the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.
2. Data processing
2.1 Processing of Personal Data
Mews and Partner acknowledge that Partner is the Controller or primary Processor with regard to the Processing of relevant Personal Data. Mews shall Process Personal Data only as a Processor or Sub-processor (as applicable to Partner’s use of the Services) on Partner’s behalf and only to the extent and in such a manner as is necessary for the purposes specified by and in accordance with this Addendum, the Agreement or as otherwise instructed by the Partner from time to time. Where Mews reasonably believes that a Partner instruction is contrary to: (i) applicable law and regulations or (ii) the provisions of the Agreement or the Addendum, Mews will undertake all reasonable endeavors to inform the Partner and is authorized to defer the performance of the relevant instruction until it has been amended by Partner to the extent required by Mews to satisfy it that such instruction is lawful, or is mutually agreed by both Partner and Mews to be lawful.
3. Mews' processing
3.1 Mews’ Processing of Personal Data
Mews shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Partner’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Authorised Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Partner (e.g., via email) where such instructions are consistent with the terms of the Agreement. The Partner hereby instructs Mews to inform Data Subjects about the Processing of their Personal Data on behalf of Partner via email and about the possibility to use Mews services to manage Data Subjects’ data, bookings and associated services. Mews shall keep a log of the actually performed Processing operations.
3.2 Technical and Organizational Measures
Mews shall maintain and implement reasonable and appropriate technical and organizational measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration unauthorized disclosure or access, and in relation to the security of Personal Data and the platforms used to provide the Services as described in the Data Protection Legislation. In implementing such measures Mews shall be entitled to take into account the current standard practice in determining what is reasonable, as well as the proportionality of the cost of putting such measures in place when weighed against the potential harm to relevant Data Subjects that the putting into place of those measures is designed to protect against.
Mews shall ensure that its Personnel engaged in the Processing of Personal Data are informed about its obligation and responsibilities hereunder, have received appropriate training, and are informed about the confidential nature of the Personal Data. The “Personnel” means those employees and/or agents, consultants, subcontractors or other third parties: (i) who are engaged by Mews so that it may fulfill its obligations to Partner under the Agreement or Addendum, and (ii) who are subject to confidentiality obligations in substantially the same extent as set out in Agreement and Addendum. Mews shall ensure that Personnel’s access to Personal Data is limited to those performing Services in accordance with the Agreement, and the Personnel confidentiality obligations shall survive the termination of the Personnel engagement.
Mews shall notify the Partner as soon as commercially reasonable in writing:
3.4.1 of any communication received from an individual relating to (i) an individual’s rights to access, modify, correct, delete or block his or her Personal Data; (ii) an individual’s right to rectify, restrict or erase his or her Personal Data, to data portability, to object to the Processing and not to be subject to automated decision-making; and (iii) any complaint about Partner’s Processing of Personal Data; to the extent not prohibited by law, of any subpoena or other judicial or administrative order or proceeding seeking access to, or disclosure of Personal Data;
3.4.2 to the extent not prohibited by law, of any complaint, notice or other communication that relates to Partner’s compliance with data protection and privacy law and the Processing of Personal Data. Mews shall provide the Partner with commercially reasonable cooperation and assistance (at Partner’s expense) in relation to such complaint, notice or communication; and
3.4.3 of a material breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorized access to Personal Data of which we become aware, in accordance with applicable law (“Security Breach”). Mews shall make reasonable efforts to identify the cause of such Security Breach and take those steps as necessary and reasonable, and which are acceptable to Partner, in order to remediate the cause of such Security Breach to the extent remediation is within Mews’ reasonable control. The obligations herein shall not apply to incidents that are caused by Partner.
3.5 No acknowledgement
The Partner agrees that Mews’ obligation to notify the Security Breach is not and will not be construed as an acknowledgment by Mews of any fault or liability of Mews with respect to such Security Breach.
3.6 Data Returns and Deletion
Subject to limitations set out in applicable laws, Mews shall return to Partner all persistent Personal Data (if not already deleted in accordance with applicable law) following standardised procedures and within commercially reasonable deadlines.
3.7 Mews Compliance
Mews shall comply with the Data Protection Legislation applicable to its own operations and provision of the Services under the Agreement and its obligations under this Addendum.
3.8 Data Sharing
By enabling or accepting data sharing within Mews Account with any third party the Partner instructs Mews pursuant to Art. 28 (3)a) GDPR to provide access to all Personal Data and any other data processed within Partner’s Mews Account to such third party. The Partner is responsible for obtaining all necessary consents of the Data Subjects or any other third parties with the data sharing as required by the applicable Data Protection Legislation. The Partner will fully indemnify, defend and hold harmless Mews and its Affiliates from and against any claims brought Data Subject or any third party, arising out of the violation of this clause, including for all liabilities, damages, losses, cost and expenses.
Mews Platform offers several integrations. By connecting or subscribing to the respective integration via Mews Account the Partner instructs Mews pursuant to Art. 28 (3)a) GDPR to provide access to Personal Data processed within Partner’s Mews Account to the respective integration partner as required for the interoperation of the integration partner services or product with Mews Services.
The Partner shall have the right to conduct an audit to verify Mews' compliance with its obligations laid down in Art. 28 GDPR and in this Addendum. Mews shall allow the Partner to carry out the audit under the following conditions:
- the Partner asks Mews to carry out the audit via a written notice at least 30 (thirty) days in advance;
- the Partner will specify the agenda for such audit in the notification under (i);
- the audit shall not take place more than once a year;
- all associated costs and expenses shall be borne by the Partner and reimbursed to Mews on demand; and
- the audit shall last no longer than the equivalent of 1 working day (8 hours) of the Mews representative.
In case the Partner requests the audit via third independent party – external licensed auditor, Mews may object to an external licensed auditor appointed by the Partner to conduct the audit if the auditor is, in Mews’ reasonable opinion, not suitably qualified or independent, a competitor of Mews, or otherwise manifestly unsuitable. Any such objection will require Partner to appoint another auditor. In case the Partner requires more than one audit within one calendar year, the Partner shall obtain prior written permission of Mews and shall bear the cost associated with such audits and reimburse Mews all reasonably incurred costs of such audits. On the request of the Partner, Mews will provide the Partner with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Partner.
4. Partner's processing
4.1 Partner’s Processing of Personal Data
Partner shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Legislation. For the avoidance of doubt, Partner warrants that its instructions for the Processing of Personal Data shall comply with Data Protection Legislation and that it shall not make any instruction or order which directs Mews to take any action or course of action which is unlawful or otherwise not in compliance with Data Protection Legislation. Partner shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Partner acquired Personal Data.
4.2 Partner’s Compliance
In addition to Partner’s obligations stated in the Agreement, Partner is responsible for (i) integrity, security, maintenance and appropriate protection of Personal Data, and (ii) ensuring its compliance with any applicable privacy, data protection and security law and regulation relative to: (a) its Processing of the Personal Data; (b) its use of the Services; and (c) any and all data Processing registration or notification requirements to which Partner is subject under the applicable law.
Partner agrees to make any required notifications to, and obtain required consents and rights from, individuals in relation to Mews’ provision of any Services to Partner. Where Mews receives a communication described at Sub-section 3.4.1 or 3.4.3 and notifies Partner of such communication, it is Partner’s responsibility to respond to and take all other appropriate action with regard to the communication. Partner agrees to immediately notify Mews of any unauthorized use of the Services or Partner’s account or of any other breach of security involving the Services.
4.4 Technical and organizational measures
Partner is solely responsible for implementing and maintaining security measures and other technical and organizational measures appropriate to the nature and volume of Personal Data that Partner stores or otherwise Processes using the Services. Partner is also responsible for the use of the Services by any of its employees, any person Partner authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Partner.
4.5 Data sharing with other Partners
Within Mews Platform, the Partner may set up the Mews Account(s) as part of a data sharing cluster with other account(s) (“Cluster”) which in effect means that the Partner and the Controller(s) of these other account(s) share with each other and jointly process the Personal Data of their Customers (existing and future Customers including the Customers imported into the Mews Account(s)). The Partner is solely responsible for ensuring that the processing of Personal Data in the Cluster is compliant with all applicable Data Protection Legislation and that Partner has appropriate agreements in place to cover the data sharing.
The Partner acknowledges that the set up of its Mews Account(s) as a part of a Cluster is non-reversible. By setting its Mews Account(s) as part of a Cluster the Partner instructs Mews as a Processor to process the Personal Data within such Cluster. Shall the Partner wish to withdraw from the Cluster, this is only possible by creating a new Mews Account. As the set up in a Cluster is non-reversible, the Partner continues jointly processing Personal Data in its old Mews Account(s) unless such Personal Data is deleted from the Cluster (such deletion is subject to due cooperation provided by other Partners within the Cluster and costs to be reimbursed to Mews upon demand).
5.1 Partner and Mews cooperation
Partner and Mews agree to cooperate in a commercially reasonable fashion as reasonably required to protect the Personal Data under applicable laws, article 35 and 36 of the GDPR to carry out a data protection impact assessment related to Partner’s use of the Services, to the extent Partner does not otherwise have access to the relevant information, and to the extent such information is available to Mews. Partner must cooperate with Mews’ reasonable investigation of the Service outages, security problems, and any suspected Security Breach. Partner shall provide reasonable assistance to Mews in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relation to this Section, to the extent required under the GDPR or applicable law.
5.2 Mews’ Assistance with Partner’s Compliance Requirements
During the term of Partner’s Agreement with Mews, Partner may request that Mews assists Partner’s efforts to comply with Partner’s obligations under an applicable data protection or privacy law and regulations provided (i) such requested assistance is relevant to Services that support the Processing of Personal Data, (ii) such requested assistance is commercially reasonable and proportionate to the objective of the exercise with which Mews is requested to assist, and (iii) if MEWS Systems agrees to so assist, that all of its associated costs and expenses (including the cost of its staff’s time) shall be borne by the Partner and reimbursed to Mews on demand.
6.1 In relation to third parties or sub-contracting the Processing of Personal Data, Mews may only authorise a third party (Sub-processor) to Process the Personal Data with the prior consent of the Partner and provided that provisions relating to data processing and data protection in the Sub-processor’s contract with respect to the Personal Data is on terms which are substantially the same as those set out in this Addendum provided that the sub-processor’s contract with respect to the Personal Data terminates automatically on termination of the Agreement for any reason. For the purpose hereof the following persons are approved by the Partner by signing this Addendum: (i) Sub-processors listed in Annex III hereof, (ii) Mews’ Affiliates and (iii) any Sub-processor authorised by Partner via its Authorised User by authorizing an integration with Mews Services via MEWS Account or otherwise. Mews may during the term of the agreement involve new Sub-processors in Processing, provided that such Sub-processors only access and use Personal Data to the extent required to perform obligations subcontracted to it.
6.2 Objection Right for New Sub-processors
The Partner may object to Mews’s use of a new Sub-processor by notifying Mews promptly in writing within ten (10) business days after receipt of Mews’ notice and specifying the deficiencies. In the event Partner objects to a new Sub-processor, Mews will effort to add additional safeguards (covering the specified deficiencies) or change the Sub-processor (vis a vis the Sub-processor); should Mews Systems be unable to do so, Mews will use reasonable efforts to make available to Partner a change in the Services or recommend a commercially reasonable change to Partner’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Partner. If Mews is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Partner may terminate only those part of Services which cannot be provided by Mews without the use of the objected-to new Sub-processor by providing written notice to Mews. Mews will refund Partner any prepaid fees covering the remainder of the term of Agreement following the effective date of termination with respect to such terminated part of Services, which shall represent the sole and exclusive remedy of the Partner in connection with introduction of new Sub-processor.
Mews shall be liable for the acts and omissions of its Sub-processors to the same extent Mews would be liable if performing the services of each Sub-processor directly under the terms of this Addendum except as otherwise set forth in the Agreement.
7. Data transfer
7.1 Data Transfer
The Parties agree that Personal Data may be transferred from the European Union/European Economic Area to a third country, only if one of the following conditions applies: (a) there is an applicable decision of the European Commission that states that the third country ensures an adequate level of protection; or (b) the transfer may take place because Mews has provided appropriate safeguards according to the Art. 46 of the GDPR, and on condition that enforceable data subject rights and effective legal remedies for Data Subjects are available; or (c) the derogations for specific situation under the Art. 49 of the GDPR apply.
7.2 Standard contractual clauses
For the purpose of Art. 7.1 (b) of this Addendum, the Parties agree that Standard Contractual Clauses are considered as appropriate safeguards.
To enable data transfer from/to third countries to/from European Union/European Economic Area, the Standard Contractual Clauses are hereby incorporated by reference into this Addendum and form an integral part of this Addendum as follows:
7.2.1. For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):
(i) Where Partner is Controller Module Two (Controller to Processor) of the SCCs will apply, where Partner is Processor Module Three (Processor to Sub-Processor) of the SCCs will apply;
(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 6 (Sub-Processing) of this Addendum;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;
(v) in Clause 18(b), disputes shall be resolved before the courts of The Netherlands;
(vi) Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this Addendum; Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this Addendum;
7.2.2. The transfer of Personal Data that is subject to the UK Data Protection Laws ("UK Data") shall be governed by Annex IV – UK Addendum to the SCCs.
8.1 Partner agrees that any Authorised User of Partner may be contacted and shall be entitled to receive any communication in relation to this Addendum.
9.1 Mews acknowledges that it acts as a Service Provider in respect of any Partner Personal Information processed by it hereunder.
9.2 Unless prescribed by applicable law or expressly agreed between the Parties, Mews shall not:
- sell Partner Personal Information;
- retain, use, or disclose Partner Personal Information for any purpose other than the specific purpose of performing the Services in accordance with the Agreement;
- retain, use, or disclose Partner Personal Information for a commercial purpose other than specified in the Agreement; or
- retain, use, or disclose the Partner Personal Information outside of the direct business relationship between Mews and Partner.
9.3 Mews certifies that it understands and will comply with the responsibilities and restrictions imposed by this Addendum, the CCPA and other applicable data protection laws and regulations.
9.4 In this Clause 9:
9.4.1 “CCPA” means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this Addendum; and
9.4.2 “Partner Personal Information” means any Partner data that comprises “personal information” as defined in the CCPA;
9.4.3 “Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
10. Special clauses for US market
10.1 This Clause 10 applies only if the contracting Party to the Agreement is Mews with its registered seat in the United States of America.
Protecting the privacy of children is especially important. The Children’s Online Privacy and Protection Act (“COPPA”) requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children in the United States of America who are under 13. Mews respects the role of parents or guardians in the monitoring of their children’s online activities. Accordingly, Mews limits its collection of personal information from children to no more than is reasonably necessary to participate in the Services and to improve it going forward. Mews does not collect any Personal Data from children other than as set out in the Agreement. Mews reserves the right to refuse to Process data supplied by Partner that is in violation of this Clause 10.2.
10.3 Third Party Use of Partner data
11. Final provisions
11.1 Third Party Beneficiaries
Data Subjects are the sole third party beneficiaries to the SCCs, and there are no other third party beneficiaries to the Agreement and this Addendum. Notwithstanding the foregoing, the Agreement and the terms of this Addendum apply only to the parties and do not confer any rights to any Partner’s affiliate, Partner’s end user or any third-party Data Subjects.
11.2 Governing Law
Nothing in this Addendum amends the Applicable Law section of the Agreement, which shall, for the avoidance of doubt, govern all claims brought under the Agreement and this Addendum.
11.3 Limitation of Liability
Partner’s remedies, including those of its Affiliates, and Mews’ liability, arising out of or related to this Addendum and the SCCs will be subject to those limitations of liability and disclaimers as set forth under the Agreement or if there are no limitations of liability stipulated in the Agreement, the Parties agree and declare that the total damage which may arise out of the breach of this Addendum and / or the SCCs shall not exceed ten thousand euro.
Following the termination of the Agreement, this Addendum will continue to be in effect until Mews ceases to process Personal Data on behalf of the Partner.
Mews may terminate this Addendum if Mews offers alternative mechanisms to Partner that comply with the obligations of the applicable data privacy laws.
This Addendum may be signed in multiple counterparts, which taken together will be considered one original.
- - List of Parties
The data exporter is Partner
The data importer is Mews
- – Description of Transfer
Categories of data data subjects
The personal data transferred may concern individuals about whom personal data is transmitted or stored by data exporter via the Mews hosted system and/or services, which typically include individuals (Guests or prospects) using Partner’s services.
Categories of data
The personal data transferred concerns the following categories of data: Guests’ data contained in the contact forms, contact and identification information, including name, title, email, and address, ID and/or passport numbers, payment details, Guests’ preferences, and Partner’s services details and limited connection and location data (city) in electronic form that is transferred to data importer in the context of Mews’ Services (provided by the relevant sub-processor/importer)
Sensitive data such as disability and dietary requirements may be transferred if data subjects decide to share information of such nature. Technical and Organisational measures as per Annex II apply.
The personal data transferred will be subject to the following basic processing activities: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Partner must use reasonable security precautions in connection with its use of the services, including appropriately encrypting any personal data stored on or transmitted by the hosted system.
Frequency of transfer
Nature and subject matter of processing
- storage (hosting) and other processing necessary to provide, maintain and improve the Services provided to Partner under the Agreement,
- customer support provided to the Partner on a case by case basis,
- disclosures in accordance with the Agreement, as compelled by law, and
- collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Duration of Processing
Purpose(s) of the data transfer and further processing
(i) Processing to provide, maintain, support and improve Services provided to Partner in accordance with the Agreement;
(ii) Processing initiated by Users in their use of the Services; and
(iii) Processing to comply with other documented reasonable instructions provided by Partner (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this Addendum).
- - Competent supervisory authority
With respect to EU Data the competent supervisory authority is the Dutch Data Protection Authority (the "Dutch DPA").
Annex II – Technical and Organisational Measures
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. Data importer shall implement security measures equivalent to those required under the Agreement, the Addendum and any ancillary documents entered into pursuant to the Agreement. The implemented security measures are available here: https://www.mews.com/en/platform-documentation#security
Annex III - Approved Sub-processors
The list of approved sub-processors of Mews is available at https://www.mews.com/en/platform-documentation#subprocessors
Annex IV - UK Addendum to the SCCs
Date of this Addendum
- This UK Addendum is effective from: The same date as the Agreement.
Interpretation of this UK Addendum
- Where this UK Addendum uses terms that are defined in the SCCs those terms shall have the same meaning as in the SCCs.
- This UK Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 (2) (d) UK GDPR.
- If the provisions included in this UK Addendum amend the SCCs in any way which is not permitted under the SCCs or the template addendum issued by the Information Commissioner (hereinafter “Approved UK Addendum”), such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws applies.
- If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this UK Addendum has been entered into.
- Although Clause 5 of the SCCs sets out that the SCCs prevail over all related agreements between the parties, the parties agree that, for transfer of UK Data, the hierarchy in this clause prevails. Where there is any inconsistency or conflict between Approved UK Addendum and the SCCs as incorporated herein, the Approved UK Addendum overrides the SCCs as incorporated herein, except where (and in so far as) the inconsistent or conflicting terms of the SCCs as incorporated herein provides greater protection for data subjects, in which case those terms will override this UK Addendum. Where this UK Addendum incorporates SCCs as incorporated herein which have been entered into to protect transfers subject to the GDPR then the Parties acknowledge that nothing in this UK Addendum impacts those SCCs as incorporated herein.
Incorporation of the SCCs
- This UK Addendum incorporates the SCCs which are amended to the extent necessary sothat:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
- they provide appropriate safeguards for the transfers in accordance with Articles 46 (2) (d) of the UK GDPR Laws.
- where Partner is Controller Module Two (Controller to Processor) of the SCCs will apply, where Partner is Processor Module Three (Processor to Sub-Processor) of the SCCs will apply;
- in Clause 9 of the SCCs, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 6 (Sub-Processing) of this DPA;
- in Clause 11 of the SCCs, the optional language will not apply;
- Clause 2 of the SCCs shall apply without the wording “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”.
- Clause 6 of the SCCs Description of the transfer(s) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B of the Addendum where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
- Clause 8.7(i) of Module 1 of the SCCs is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”
- Clause 8.8 (i) of Module 2 and 3 of the SCCs is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer.”
- Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this Addendum; Annex II of the SCCs shall be deemed completed with the information set out in Annex II to the Addendum; Annex III of the SCCs shall be deemed completed with the information set out in Annex III to this Addendum;
- references to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- references to Regulation (EU) 2018/1725 are removed.
- references to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- the reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one of the SCCs, is replaced with “Clause 11(c)(i) of the SCCs”;
- Clause 13(a) of the SCCs and Part C of Annex II of the SCCs are not used;
- the “competent supervisory authority” and “supervisory authority” are both replaced with the Information Commissioner;
- Clause 16(e), subsection (i) of the SCCs is replaced with:“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”
- Clause 17 of the SCCs is replaced to state “These SCCs are governed by the laws of England and Wales”.
- Clause 18 of the SCCs is replaced to state: “Any dispute arising from these SCCs shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
- the footnotes to the SCCs do not form part of the UK Addendum, except for footnotes 8,9,10 and 11.
- If the Information Commissioner issues a revised version of the Approved UK Addendum this UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified therein unless the parties agree otherwise.