Data Processing Addendum
Last updated: April 2026
This Data Processing Addendum ("DPA") forms part of, and supplements, the Terms of Service (the "Agreement") between the Customer (as defined in the Agreement) and Chat4U ("Company"). By accepting the Agreement, the Customer enters into this DPA on its own behalf and, to the extent required under applicable Data Protection Laws, on behalf of its Affiliates. Any capitalised terms not defined in this DPA carry the meaning given to them in the Agreement.
Definitions
"Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity under common control with a party by virtue of at least fifty percent (50%) common ownership; in each case only for so long as such ownership continues.
"Authorised Sub-Processor" means a third party who has a need to know or otherwise access Customer's Personal Data to enable the Company to fulfil its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit B or (2) subsequently authorised under Section 4.2 of this DPA.
"Company Account Data" means personal data that relates to the Company's relationship with the Customer, including the names and contact details of individuals authorised by the Customer to access their account and any billing information associated with that account. Company Account Data also includes information the Company may collect to manage its relationship with the Customer, verify identity, or as required by applicable law.
"Company Usage Data" means service usage data collected and processed by the Company in connection with the provision of the Services, including data used to identify the source and destination of a communication, activity logs, and data used to maintain, optimise, and troubleshoot the Services.
"Data Exporter" means the Customer.
"Data Importer" means the Company.
"Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data, including: (i) the California Consumer Privacy Act ("CCPA"); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (together, the "GDPR"); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; and (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case as updated, amended, or replaced from time to time. The terms "Data Subject", "Personal Data", "Personal Data Breach", "processing", "processor", "controller", and "supervisory authority" shall have the meanings given to them in the GDPR.
"EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognised as offering an adequate level of protection by the European Commission (as amended and updated from time to time), as modified by Section 6.2 of this DPA.
"ex-EEA Transfer" means the transfer of Personal Data, processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area ("EEA"), where that transfer is not governed by an adequacy decision of the European Commission under the GDPR.
"ex-UK Transfer" means the transfer of Personal Data covered by Chapter V of the UK GDPR, processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom ("UK"), where that transfer is not governed by an adequacy decision of the Secretary of State.
"Services" has the meaning given in the Agreement.
"Standard Contractual Clauses" means the EU SCCs and the UK SCCs collectively.
"UK SCCs" means the EU SCCs as amended by the UK Addendum.
Relationship of the Parties; Processing of Data
The parties acknowledge that, with respect to the processing of Personal Data, the Customer may act as either a controller or a processor and, except as expressly stated in this DPA or the Agreement, the Company acts as a processor. When using the Services, the Customer shall at all times process Personal Data and provide instructions for its processing in compliance with Data Protection Laws. The Customer is responsible for ensuring that processing Personal Data in accordance with its instructions will not place the Company in breach of applicable Data Protection Laws. The Customer bears sole responsibility for the accuracy, quality, and legality of (i) the Personal Data it provides to the Company, (ii) the means by which that Personal Data was obtained, and (iii) the instructions it gives the Company regarding processing. The Customer shall not submit to the Company any Personal Data that is inappropriate for the nature of the Services or that would violate the Agreement, and shall indemnify the Company against all claims and losses arising from any such submission.
The Company shall not process Personal Data (i) for purposes other than those set out in the Agreement and/or Exhibit A; (ii) in a manner inconsistent with the terms of this DPA or any other documented instructions provided by the Customer, including in relation to cross-border transfers of personal data, unless required to do so by law — in which case the Company will, where legally permitted, inform the Customer before processing; or (iii) in violation of Data Protection Laws. The Customer hereby instructs the Company to process Personal Data in accordance with the foregoing and as part of any processing initiated by the Customer's use of the Services.
The subject matter, nature, purpose, and duration of this processing, together with the types of Personal Data and categories of Data Subjects involved, are described in Exhibit A.
Following completion of the Services, and at the Customer's election, the Company shall return or delete the Customer's Personal Data unless continued storage is required or authorised by applicable law. Where return or deletion is not practicable or is prohibited by law, the Company shall block such Personal Data from any further processing (except to the extent required for continued hosting or legally mandated processing) and shall maintain appropriate protection of the remaining data. Where Standard Contractual Clauses apply as described in Section 6, the certification of deletion described in Clause 8.1(d) and Clause 8.5 of the EU SCCs shall be provided by the Company only upon the Customer's written request.
CCPA. Except with respect to Company Account Data and Company Usage Data, the parties acknowledge that the Company is a service provider for the purposes of the CCPA (to the extent it applies) and receives personal information from the Customer in order to provide the Services, which constitutes a business purpose. The Company shall not sell any such personal information. The Company shall not retain, use, or disclose any personal information provided by the Customer under the Agreement except as necessary to perform the Services or as otherwise set out in the Agreement or permitted by the CCPA. The terms "personal information", "service provider", "sale", and "sell" are as defined in Section 1798.140 of the CCPA. The Company certifies its understanding of the restrictions in this section.
Confidentiality
The Company shall ensure that any person it authorises to process Personal Data has agreed to protect that data in accordance with the Company's confidentiality obligations under the Agreement. The Customer agrees that the Company may disclose Personal Data to its advisers, auditors, or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of the Services to the Customer.
Authorised Sub-Processors
The Customer acknowledges and agrees that the Company may (1) engage its Affiliates as well as the Authorised Sub-Processors set out in the list described below to access and process Personal Data in connection with the Services, and (2) from time to time engage additional third parties for the purpose of providing the Services, including the processing of Personal Data. By entering into this DPA, the Customer provides general written authorisation for the Company to engage sub-processors as necessary to perform the Services.
A current list of the Company's Authorised Sub-Processors is available to the Customer upon request at contact@chat4u.ai. The Company will inform the Customer of any new or changed sub-processors through a notification mechanism (which may include email notifications). If the Customer does not subscribe to such notifications, it waives any right it may otherwise have to receive prior notice of changes. At least ten (10) days before enabling any third party not already on the list to access or participate in the processing of Personal Data, the Company will update the list and notify subscribing Customers. The Customer may object to such an engagement in writing within ten (10) days of receipt of that notice, provided that the objection is based on reasonable data protection grounds. The Customer acknowledges that certain sub-processors are essential to the delivery of the Services and that objecting to their use may prevent the Company from providing the Services.
If the Customer reasonably objects to an engagement under the procedure above, and the Company cannot provide a commercially reasonable alternative within a reasonable period, the Customer may discontinue the affected Service by providing written notice to the Company. Discontinuation does not relieve the Customer of any fees owed under the Agreement.
If the Customer does not object within ten (10) days of the Company's notice, the relevant third party shall be deemed an Authorised Sub-Processor for the purposes of this DPA.
The Company shall enter into a written agreement with each Authorised Sub-Processor imposing data protection obligations comparable to those in this DPA. If an Authorised Sub-Processor fails to fulfil its data protection obligations, the Company remains liable to the Customer for the performance of the sub-processor's obligations under that agreement.
Where Standard Contractual Clauses apply as described in Section 6, (i) the above authorisations constitute the Customer's prior written consent to sub-contracting by the Company to the extent required under the SCCs, and (ii) copies of agreements with Authorised Sub-Processors provided pursuant to Clause 9(c) of the EU SCCs may have commercial or unrelated information redacted, and will be provided only upon request.
Security of Personal Data
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing — as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons — the Company shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets out additional details about the Company's technical and organisational security measures.
Transfers of Personal Data
The parties agree that the Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. The Company's primary processing infrastructure is located in the European Union (AWS eu-central-1 region). Where transfers to jurisdictions outside the EEA, UK, or Switzerland are required (for example, to sub-processors located in the United States), the Company will ensure that appropriate safeguards are in place under applicable Data Protection Laws.
Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this DPA by reference, completed as follows:
- Module One (Controller to Controller) applies when the Company processes Personal Data as a controller under Section 9 of this DPA.
- Module Two (Controller to Processor) applies when the Customer is a controller and the Company processes Personal Data as a processor under Section 2 of this DPA.
- Module Three (Processor to Sub-Processor) applies when the Customer is a processor and the Company processes Personal Data as a sub-processor.
For each module, where applicable:
- The optional docking clause in Clause 7 does not apply.
- In Clause 9, Option 2 (general written authorisation) applies; the minimum prior-notice period for sub-processor changes is as set out in Section 4.2 of this DPA.
- In Clause 11, the optional language does not apply.
- All square brackets in Clause 13 are removed.
- In Clause 17 (Option 1), the EU SCCs are governed by Irish law.
- In Clause 18(b), disputes are resolved before the courts of Ireland.
- Exhibit B contains the information required in Annex I and Annex III of the EU SCCs.
- Exhibit C contains the information required in Annex II of the EU SCCs.
- By entering into this DPA, the parties are deemed to have signed the EU SCCs, including their Annexes.
Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum set out in Exhibit D.
Transfers from Switzerland. Transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
- References to the "General Data Protection Regulation" or "Regulation (EU) 2016/679" shall be interpreted to include the Swiss Federal Act on Data Protection of 19 June 1992 (and as revised on 25 September 2020) with respect to data transfers subject to Swiss law.
- The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
- Clause 13 of the EU SCCs is modified so that the Federal Data Protection and Information Commissioner ("FDPIC") has authority over transfers governed by Swiss law, and the appropriate EU supervisory authority has authority over transfers governed by the GDPR.
- The term "EU Member State" shall not be interpreted to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence under Clause 18(c) of the EU SCCs.
Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer:
- As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service for access to Customer Personal Data ("Government Agency Requests").
- If, after the date of this DPA, the Data Importer receives any Government Agency Request, the Company shall attempt to redirect the relevant authority to obtain that data directly from the Customer, and may provide the Customer's basic contact information for that purpose. If compelled to disclose Customer Personal Data, the Company shall give the Customer reasonable prior notice and cooperate to allow the Customer to seek a protective order or other appropriate remedy, unless legally prohibited from doing so. The Company shall not voluntarily disclose Personal Data to any government or law enforcement agency. The parties shall discuss whether any transfers should be suspended in light of such requests.
- The parties will meet as needed to consider whether: (a) the protection afforded by the laws of the Data Importer's country is sufficient to provide broadly equivalent protection to that in the EEA or UK; (b) additional measures are reasonably necessary to achieve transfer compliance; and (c) it remains appropriate to transfer Personal Data to the Data Importer.
If Data Protection Laws require the Data Exporter to execute Standard Contractual Clauses as a standalone agreement, the Data Importer shall, upon request, promptly execute such clauses incorporating any amendments reasonably required by the Data Exporter. If any transfer mechanism set out in this DPA ceases to be valid, or a supervisory authority requires its suspension, the Data Importer may, by written notice, amend or replace that mechanism with an alternative arrangement that meets the requirements of applicable Data Protection Laws.
Rights of Data Subjects
The Company shall, to the extent permitted by law, promptly notify the Customer upon receiving a request from a Data Subject to exercise any of the following rights: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent, and objection to automated decision-making (each a "Data Subject Request"). Where a Data Subject Request relates to Customer data, the Company will direct the Data Subject to submit their request to the Customer directly, and the Customer shall be responsible for responding, including by using the functionality of the Services where available. The Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction, cessation of processing, or withdrawal of consent are communicated to the Company, and for maintaining consent records where applicable.
The Company shall, at the Customer's request and taking into account the nature of the processing, apply appropriate technical and organisational measures to assist the Customer in complying with Data Subject Requests, provided that (i) the Customer cannot respond without the Company's assistance, and (ii) such assistance is possible within applicable legal constraints. The Customer shall be responsible, to the extent legally permitted, for any costs incurred by the Company in providing such assistance.
Actions and Access Requests; Audits
The Company shall, taking into account the nature of the processing and available information, provide reasonable cooperation where necessary for the Customer to conduct data protection impact assessments or demonstrate compliance with GDPR, provided that the Customer does not already have access to the relevant information. Any resulting costs shall be borne by the Customer to the extent legally permitted.
The Company shall similarly provide reasonable cooperation with respect to any prior consultation the Customer is required to undertake with a supervisory authority under the GDPR.
The Company shall maintain records sufficient to demonstrate compliance with its obligations under this DPA for a period of three (3) years following termination of the Agreement. With reasonable prior notice, the Customer shall have the right to review, audit, and copy such records at the Company's offices during regular business hours.
Upon the Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, the Company shall either (i) make available copies of certifications or reports demonstrating compliance with applicable data security standards, or (ii) where that is insufficient under Data Protection Laws, permit the Customer's independent third-party representative to conduct an audit or inspection of the Company's data security infrastructure and procedures — subject to: (a) reasonable prior written notice; (b) the audit occurring during business hours, no more than once per calendar year; and (c) the audit being restricted to data relevant to the Customer. Audit costs shall be borne by the Customer, including reimbursement of the Company's time for any on-site audits. Where Standard Contractual Clauses apply, audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this section.
The Company shall promptly notify the Customer if, in its opinion, any processing instruction would infringe applicable Data Protection Laws.
In the event of a Personal Data Breach, the Company shall, without undue delay, notify the Customer and take such steps as it deems necessary and reasonable to remediate the breach, to the extent remediation is within the Company's reasonable control.
The Company shall, taking into account the nature of the processing and available information, provide the Customer with reasonable cooperation to enable the Customer to comply with its GDPR obligations in relation to notifying (i) the relevant supervisory authority and (ii) affected Data Subjects following a Personal Data Breach without undue delay. These obligations do not apply where the breach results from the Customer's own actions or omissions, and the Company's notification obligation does not constitute an acknowledgement of fault or liability.
Company's Role as a Controller. With respect to Company Account Data and Company Usage Data, the Company is an independent controller, not a joint controller with the Customer. The Company processes these categories of data to: (i) manage its relationship with the Customer; (ii) fulfil core business operations such as accounting, tax, and compliance; (iii) monitor, investigate, and prevent fraud, security incidents, and service misuse; (iv) verify identity; and (v) comply with applicable legal or regulatory obligations. The Company may also process Company Usage Data as a controller to provide, optimise, and maintain the Services. Any processing by the Company as a controller shall be conducted in accordance with its privacy policy, available at /privacy.
Conflict. In the event of any conflict or inconsistency, the order of precedence is: (1) the applicable terms of the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; (4) the Company's privacy policy. Any claims brought under this DPA are subject to the terms, exclusions, and limitations of the Agreement.
Exhibit A — Details of Processing
Nature and Purpose of Processing: The Company processes the Customer's Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with the Customer's documented instructions. Processing activities include:
- Receiving data — collection, accessing, retrieval, recording, and data entry
- Protecting data — restricting, encrypting, and security testing
- Holding data — storage, organisation, and structuring
- Erasing data — deletion and destruction
- Analysing data — product usage assessment, performance monitoring
- Sharing data — disclosure to Authorised Sub-Processors as permitted under this DPA
Duration of Processing: The Company will process Customer Personal Data for as long as required to (i) provide the Services under the Agreement; (ii) meet the Company's legitimate business needs; or (iii) comply with applicable law or regulation. Company Account Data and Company Usage Data are processed and stored in accordance with the Company's privacy policy.
Categories of Data Subjects: The Customer's employees, consultants, contractors, and agents; and, where applicable, end users of the Customer's website who interact with the Chat4U widget deployed by the Customer.
Categories of Personal Data: The Company processes Personal Data contained in Company Account Data, Company Usage Data, and any Personal Data provided by the Customer (including Personal Data collected by the Customer from its end users and processed through the Services). Categories include: name, email address, job title, username, account identifiers, IP address, browser type, operating system, chat conversation content, and project content uploaded by the Customer to power AI agent responses.
Sensitive Data or Special Categories of Data: Customers are prohibited from submitting sensitive personal data or special categories of data to the Company, including (without limitation) data revealing criminal history, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data, health data, or data concerning a natural person's sex life or sexual orientation.
Exhibit B — Parties and Transfer Details
The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.
The Parties
Data Exporter:
Name: Customer, as defined in the applicable Order under the Agreement
Address: Customer's registered business address as provided to Chat4U at the time of account creation
Contact: The individual who accepts and binds the Customer to the Agreement, unless another contact is provided in writing
Activities: As described in Section 2 of this DPA
Role: Controller
Data Importer:
Name: Chat4U
Contact: contact@chat4u.ai
Activities: As described in Section 2 of this DPA
Role: As described in Section 2 of this DPA
The EU SCCs and UK SCCs are considered executed upon the Customer's acceptance of the Agreement.
Description of the Transfer
Data Subjects: As described in Exhibit A
Categories of Personal Data: As described in Exhibit A
Special Category Personal Data: As described in Exhibit A
Nature of Processing: As described in Exhibit A
Purposes of Processing: As described in Exhibit A
Duration and Retention: As described in Exhibit A
Frequency of Transfer: As necessary to perform all obligations and rights with respect to Personal Data as provided in the Agreement or this DPA
Recipients of Personal Data: The Company maintains a list of Authorised Sub-Processors available upon request at contact@chat4u.ai
Competent Supervisory Authority: The supervisory authority of the Data Exporter, determined in accordance with Clause 13 of the EU SCCs. For UK Addendum purposes: the UK Information Commissioner's Office.
Exhibit C — Technical and Organisational Security Measures
The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum.
| Measure | Details |
|---|---|
| Pseudonymisation and encryption | All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AWS AES-256 transparent disk encryption across all storage volumes. |
| Confidentiality, integrity, availability, and resilience | Customer agreements and sub-processor agreements include strict confidentiality obligations. The Services are deployed on AWS ECS Fargate with multi-AZ configuration to ensure availability and resilience. |
| Backup and recovery | Daily, weekly, and monthly backups of production data stores (AWS RDS PostgreSQL, S3) are performed. Backups are periodically tested in accordance with information security and data management policies. |
| User identification and authorisation | Access to production systems requires multi-factor authentication (MFA). Network infrastructure is configured to block all unnecessary ports, services, and unauthorised traffic. Role-based access controls limit access to Customer data to authorised personnel only. |
| Protection of data in transit | All traffic between services uses TLS 1.2 or higher. The Company uses only recommended secure cipher suites and protocols for all external and internal communications. |
| Protection of data at rest | Encryption at rest is automated using AWS transparent disk encryption (AES-256) across all RDS PostgreSQL databases, ElastiCache instances, and S3 buckets. Encryption keys are fully managed by AWS KMS. |
| Physical security | All processing takes place in AWS data centres (eu-central-1 primary region). AWS physical security controls are documented at https://aws.amazon.com/compliance/data-center/controls/. |
| Event logging and monitoring | Access to applications, tools, and resources that process or store Customer Data is monitored. Security logs are managed by the security and engineering teams and investigated and escalated as appropriate. |
| System configuration and change management | The Company follows a change management process for all production changes, including changes to underlying software, applications, and systems. Production changes are automated through CI/CD tooling to ensure consistent and auditable configurations. |
| Data minimisation | Customers determine what data enters the Services. The Company provides self-service functionality allowing Customers to delete or suppress data at their discretion. |
| Data quality | Data quality is maintained through unit testing, database schema validation, and a schema-first API design with strong typing across all service boundaries. |
| Limited data retention | Customers control data routing through the Services. If a Customer cannot delete Personal Data via self-service functionality, the Company will delete such data upon written request within the timeframe specified in this DPA. All Personal Data is deleted following termination of the Agreement. |
| Accountability | The Company has adopted information security and data privacy policies, records and reports Personal Data Breaches, and formally assigns roles and responsibilities for security and privacy functions. |
| Data portability and erasure | Personal Data submitted to the Services may be deleted by the Customer or upon the Customer's request. The Company will respond to all data portability requests to meet Customer needs. |
| Sub-processor measures | The Company enters into Data Processing Agreements with all Authorised Sub-Processors, imposing data protection obligations substantially equivalent to those in this DPA. |
Exhibit D — UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
| | Exporter | Importer |
|---|---|---|
| Parties' Details | Customer | Chat4U |
| Key Contact | See Exhibit B of this DPA | See Exhibit B of this DPA |
| Start Date | This UK Addendum has the same effective date as the DPA | This UK Addendum has the same effective date as the DPA |
Table 2: Selected SCCs, Modules and Selected Clauses
EU SCCs: The version of the Approved EU SCCs to which this UK Addendum is appended, as defined in the DPA and completed by Sections 6.2 and 6.3 of the DPA.
Table 3: Appendix Information
"Appendix Information" means the information required for the selected modules as set out in the Appendix of the Approved EU SCCs:
- Annex 1A (List of Parties): As per Table 1 above
- Annex 1B (Description of Transfer): See Exhibit B of this DPA
- Annex II (Technical and organisational measures): See Exhibit C of this DPA
- Annex III (List of Sub-processors, Modules 2 and 3 only): See Exhibit B of this DPA
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
The Importer may terminate this UK Addendum, by giving written notice before the start date of the revised Approved UK Addendum, if a revised Approved UK Addendum directly results in a substantial, disproportionate, and demonstrable increase in its direct costs or risk under the UK Addendum, provided it has first taken reasonable steps to reduce those costs or risks.
Entering into this UK Addendum
Each party agrees to be bound by the terms and conditions of this UK Addendum in exchange for the other party also agreeing to be bound. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature, the parties may enter into this UK Addendum in any legally binding manner that allows data subjects to enforce their rights. Entering into this UK Addendum has the same effect as signing the Approved EU SCCs and any relevant part thereof.
Interpretation of this UK Addendum
Where this UK Addendum uses terms defined in the Approved EU SCCs, those terms have the same meaning. In addition:
| Term | Meaning |
|---|---|
| UK Addendum | This International Data Transfer Addendum incorporating the EU SCCs, attached as Exhibit D |
| EU SCCs | The version(s) of the Approved EU SCCs appended to this UK Addendum as set out in Table 2, including Appendix Information |
| Appendix Information | As set out in Table 3 |
| Appropriate Safeguards | The standard of protection for personal data and data subject rights required by UK Data Protection Laws for ex-UK Transfers using standard data protection clauses under Article 46(2)(d) UK GDPR |
| Approved UK Addendum | The template Addendum issued by the ICO and laid before Parliament under s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of the UK Addendum |
| Approved EU SCCs | Standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 |
| ICO | The Information Commissioner of the United Kingdom |
| ex-UK Transfer | As defined in the DPA |
| UK | The United Kingdom of Great Britain and Northern Ireland |
| UK Data Protection Laws | All laws relating to data protection, processing of personal data, privacy, and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 |
| UK GDPR | As defined in the DPA |
This UK Addendum must always be interpreted consistently with UK Data Protection Laws so as to fulfil the parties' obligation to provide Appropriate Safeguards. Where any provision of this UK Addendum is inconsistent with UK Data Protection Laws, UK Data Protection Laws prevail. Where the meaning is unclear, the interpretation most closely aligned with UK Data Protection Laws applies. References to legislation include that legislation as amended, consolidated, re-enacted, or replaced.
Hierarchy
The parties agree that, for ex-UK Transfers, the following hierarchy applies: where there is any inconsistency or conflict between the Approved UK Addendum and the EU SCCs, the Approved UK Addendum prevails, except where the conflicting EU SCC terms provide greater protection for data subjects — in which case those EU SCC terms prevail. Where this UK Addendum incorporates EU SCCs entered into to protect ex-EU Transfers subject to the GDPR, nothing in the UK Addendum affects those EU SCCs.
Incorporation and Changes to the EU SCCs
This UK Addendum incorporates the EU SCCs, amended to the minimum extent necessary so that together they: (a) operate for data transfers made by the Data Exporter to the Data Importer where UK Data Protection Laws apply; and (b) provide Appropriate Safeguards for those transfers. Sections 9 to 11 of this UK Addendum override Clause 5 (Hierarchy) of the EU SCCs. This UK Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) subject to the exclusive jurisdiction of the courts of England and Wales. No amendments to the Approved EU SCCs other than those required to meet the requirements of this UK Addendum may be made. The following amendments to the EU SCCs are made:
- References to "Clauses" mean this UK Addendum incorporating the EU SCCs.
- In Clause 2, the words "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679" are deleted.
- Clause 6 is replaced with: "The details of the transfer(s), including categories of personal data transferred and purposes, are those specified in Annex I.B where UK Data Protection Laws apply to the Data Exporter's processing when making that transfer."
- Clause 8.7(i) of Module 1 is replaced with: "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer."
- Clause 8.8(i) of Modules 2 and 3 is replaced with: "the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer."
- References to "Regulation (EU) 2016/679" and "that Regulation" are replaced with "UK Data Protection Laws". References to specific Articles of Regulation (EU) 2016/679 are replaced with the equivalent Article or Section of UK Data Protection Laws.
- References to Regulation (EU) 2018/1725 are removed.
- References to "European Union", "Union", "EU", "EU Member State", "Member State", and "EU or Member State" are replaced with "UK".
- The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module One is replaced with "Clause 11(c)(i)".
- Clause 13(a) and Part C of Annex I are not used.
- "Competent supervisory authority" and "supervisory authority" are replaced with "Information Commissioner".
- In Clause 16(e), subsection (i) is replaced with: "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply."
- Clause 17 is replaced with: "These Clauses are governed by the laws of England and Wales."
- Clause 18 is replaced with: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings before the courts of any country in the UK. The parties submit themselves to the jurisdiction of such courts."
- The footnotes to the Approved EU SCCs do not form part of this UK Addendum, except for footnotes 8, 9, 10, and 11.
Amendments to the UK Addendum
The parties may agree in writing to change Clauses 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland. Where the ICO issues a revised Approved UK Addendum, this UK Addendum is automatically amended as set out in the revised version from the specified start date, unless a party has exercised its right to terminate as described above. The parties do not require third-party consent to make changes to this UK Addendum, provided that any changes comply with its terms.