Reference is made to the agreement (“Agreement”) between (1) Customer (as defined in the applicable Order Form) (“Customer”) and (2) the Gett entity that executed the applicable Order Form (“Gett”), which governs your use of the Gett Platform and incorporates by reference the General Terms & Conditions. Customer and Gett are collectively referred to herein as the “Parties” and each a “Party”. Capitalised terms not defined in this DPA shall have the meanings assigned to them in the Agreement.
This data processing addendum (“DPA”) is incorporated by reference into the General Terms and Conditions and the Agreement, and reflects the parties’ agreement with regard to the Processing of Personal Data under the Agreement. Where multiple Agreements have been entered into, the DPA incorporated into each Agreement shall be deemed a separate and independent DPA between the parties to such Agreement.
By using the Services, Customer accepts this DPA and represents and warrants that it has full authority to bind Customer to this DPA. If Customer cannot or does not agree to comply with all the terms of this DPA, Customer shall not provide any Personal Data to Gett.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Personal Data.
1.1 In this DPA, the capitalised terms below shall have the following meanings:
a) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
b) “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
c) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
d) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
e) “IDTA” shall mean the International Data Transfer Addendum to the Standard Contractual Clauses issued by the Information Commissioner’s Office in the UK as incorporated in Part 2 of Appendix 2.
f) “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject or Consumer.
g) “Services” means the services provided to Customer by Gett in accordance with the Agreement.
h) “Security Documentation” means the Security Documentation applicable to the Services purchased by Customer, as updated from time to time, and made reasonably available by Gett upon Customer’s request.
i) “Sensitive Data” means any categories of Personal Data that are afforded a higher standard of protection such as “special categories of data” under the UK GDPR and GDPR.
j) “Standard Contractual Clauses” shall mean the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
k) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Gett.
l) “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
m) The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the UK GDPR and GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
n) For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that:
2.1.1 with regard to the Processing of Personal Data by Gett for the sole purposes of, at the request of the Customer, registering and inviting Service Users to use the Gett Platform, ordering rides on behalf of Service Users, and de-registering Service Users (“Registration and De-registration”), the Customer is the Controller of Personal Data; and Gett is the Processor of such Personal Data and paragraphs 2.2 – 10 and 12 shall apply; and
2.1.2 with regard to any Processing of Personal Data obtained by Gett directly from a Service User, Gett is an independent controller of such Personal Data and paragraphs 11 and 12 shall apply.
2.2 Customer’s Processing of Personal Data. Customer’s instructions to Gett in respect of the Registration and De-registration of Service Users shall comply with Data Protection Laws including but not limited to ensuring that it has any and all required legal bases in order to collect, Process and transfer to Gett the Personal Data, and to authorize the Processing by Gett on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.
2.3 Gett’s Processing of Personal Data.
2.3.1 When Processing on Customer’s behalf under the Agreement, Gett shall Process Personal Data in accordance with Customer’s instructions unless required under the laws applicable to Gett, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Gett shall inform Customer of the legal requirement before Processing, unless such law or order prohibits such information on important grounds of public interest.
2.3.2 Gett shall inform Customer without undue delay if, in Gett’s opinion, an instruction for the Processing of Personal Data given by Customer infringes applicable Data Protection Laws.
2.3.3 To the extent that Gett cannot comply with an instruction from Customer, Gett: (i) shall inform Customer, providing relevant details of the issue; and (ii) may, without liability to Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend Customer’s access to the Services. Upon receipt of the written notice in this paragraph 2.3.3(i), if the Parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole remedy, terminate the Agreement the subject of the affected Processing, and Customer shall pay to Gett all Charges and other sums that were incurred under or in connection with such Agreement before the date of termination and which remain unpaid as at termination. Customer will have no further claims against Gett (including requesting refunds for Services) as a result of or in connection with the termination of the Agreement pursuant to this paragraph.
2.3.4 Upon Customer’s reasonable request, Gett shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligations under applicable Data Protection Laws to carry out a data protection impact assessment related to the Registration and De-registration of Service Users, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Gett. Gett shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this paragraph 2.3.4, to the extent required under the GDPR or the UK GDPR, as applicable.
2.4 Details of the Processing. The details of the Processing of Personal Data by Gett as a Processor are set out in Appendix 1 (Details of Processing) to this DPA.
2.5 Sensitive Data. The parties agree that the Services are not intended for the Processing of Sensitive Data, and that if Customer wishes to use the Services to Process Sensitive Data, it must first obtain Gett’s explicit prior written consent and enter into any additional agreements as required by Gett.
2.6 CCPA Standard of Care; No Sale of Personal Information. Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to Customer under the Agreement. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. Processor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed hereunder without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.
3. DATA SUBJECT REQUESTS
Gett shall, to the extent legally permitted, notify Customer or refer Data Subject or Consumer to Customer, if Processor receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under applicable Data Protection Laws) of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, their right not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against (“Data Subject Request”). Taking into account the nature of the Processing, Gett shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Gett may refer Data Subject Requests received, and the Data Subjects making them, directly to the Customer for its treatment of such Data Subject Requests.
Gett shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to duties of confidentiality.
5.1 Appointment of Sub-processors. Customer acknowledges and agrees and hereby authorizes Gett to engage Sub-processors that are: (a) an Affiliate of Gett; and (b) third-party Sub-processors for and on behalf of Gett and/or an Affiliate of Gett, in each case in connection with the provision of the Services.
5.2 List of Current Sub-processors and Notification of New Sub-processors. Gett will make available to Customer the current list of Sub-processors used by Gett to process Personal Data upon written request of Customer. The Customer provides general authorisation to Gett’s use of Sub-processors to Process Customer’s Personal Data on behalf of Customer, including those set out in such list.
5.3 Objection to New Sub-processors. Gett shall provide Customer with notification of any intended new Sub-processor(s) by sending an e-mail to the email address given in the “About Your Company” section of the Order Form. Customer may reasonably object to Gett’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Gett promptly in writing within seven (7) days after receiving the aforesaid notice. Customer shall ensure that such written objection shall include the reasons for objecting to Gett’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within seven (7) days following Gett’s notice shall be deemed as acceptance of the new Sub-processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Gett will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. the termination date with respect to the Processing at issue shall be duly paid to Gett. Until a decision is made regarding the new Sub-processor, Gett may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Customer’s account applicable to the affected Agreement. Customer will have no further claims against Gett (including requesting refunds for Services) as a result of or in connection with the termination of the Agreement [(or any part of it)] pursuant to this paragraph 5.3.
5.4 Agreements with Sub-processors. Gett or Gett’s Affiliate on behalf of Gett has or will enter into a written agreement with each Sub-processor containing appropriate safeguards for the protection of Personal Data including the same or materially similar data protection obligations as set out in paragraphs 2.2 – 10 of this DPA. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Gett shall remain responsible for the performance of the Sub-processor’s obligations.
6. SECURITY & AUDITS
6.1 Controls for the Protection of Personal Data. Gett shall maintain industry-standard technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Documentation), as may be amended from time to time. Upon the Customer’s reasonable request, Gett will reasonably assist Customer, at Customer’s cost in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and/or UK GDPR taking into account the nature of the Processing and the information available to Gett.
6.2 Audits and Inspections. Upon Customer providing at least 14 days’ prior written request (no more than once every 12 months), Gett shall:
6.2.1 make available to Customer, and/or Customer’s independent, reputable, third-party auditor, information necessary to demonstrate Gett’s compliance with paragraphs 2.2 – 10 of this DPA, and
6.2.2 allow for and contribute to audits, including inspections, conducted by them, provided that:
(a) Gett shall not provide information to Customer pursuant to paragraph 6.2.1 where the Customer is a competitor of Gett (as determined by Gett);
(b) prior to receiving any information pursuant to paragraph 6.2.1 or Gett allowing for or contributing to audits or inspections pursuant to paragraph 6.2.2, each of the Customer and any third-party auditor shall enter into confidentiality undertakings satisfactory to Gett; and
(c) all such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer and/or third party auditor to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Gett’s prior written approval.
6.3 Upon Gett’s request, Customer shall return all records or documentation in Customer’s possession or control provided by Gett in the context of the audit and/or the inspection. Nothing in this paragraph 6.2 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses.
6.4 In the event of an audit or inspections as set forth in paragraph 6.2, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimize) any damage, injury or disruption to Gett’s premises, equipment, personnel and business while conducting such audit or inspection.
7. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Gett will maintain security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Gett as Processor (a “Data Incident”). Gett shall make reasonable efforts to identify and take those steps as Gett deems necessary and reasonable in order to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within Gett’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or anyone who uses the Services on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies Gett (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Gett’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Gett with reasonable prior written notice to provide Gett with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required.
8. RETURN AND DELETION OF PERSONAL DATA
Within 60 days following termination of the Agreement and subject thereto, Gett shall, at the choice of Customer (indicated through the Services or in written notification to Gett), delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer as Processor and Gett shall delete existing copies of such Personal Data unless applicable Data Protection Laws require otherwise.
9. CROSS-BORDER DATA TRANSFERS
9.1 Transfers of Personal Data from the Customer in the EEA, Switzerland and/or the United Kingdom to Gett in a country that offers an adequate level of data protection. Personal Data may be transferred from the Customer in the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and/or the United Kingdom (“UK”) to Gett in a country that offers an adequate level of data protection under or pursuant to the adequacy decisions published in accordance with applicable Data Protection Laws (“Adequacy Decisions”), as applicable.
9.2 Transfers of Personal Data from the Customer in the EEA, Switzerland and/or the United Kingdom to Gett in a country that does not have an Adequacy Decision (“Third Country”). If there is a transfer of Personal Data from the Customer:
a) from the EEA or Switzerland to Gett in a Third Country, (“EEA Transfer”), the terms set forth in Part 1 of Appendix 2 (EEA Cross Border Transfers) shall apply;
b) from the UK to Gett in a Third Country, (“UK Transfer”), the terms set forth in Part 2 of Appendix 2 (UK Cross Border Transfers) shall apply; and
c) the terms set forth in Part 3 of Appendix 2 (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
10. GETT AS INDEPENDENT CONTROLLER
In relation to its Processing of Personal Data obtained by Gett directly from Service Users as an independent Controller, Gett shall, to the extent applicable under Data Protection Laws, comply with its obligations under Data Protection Laws.
11. OTHER PROVISIONS
11.1 Modifications. Each party may, by at least forty-five (45) calendar days’ prior written notice to the other party, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under, any Data Protection Laws, to allow Processing of Customer Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. Pursuant to such notice: (a) the parties shall make commercially reasonable efforts to accommodate such modification requested by Customer or that Gett believes is necessary; and (b) Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Gett to protect Gett against additional risks, or to indemnify and compensate Gett for any further steps and costs associated with the variations made herein at Customer’s request. The parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s or Gett’s notice as soon as is reasonably practicable. In the event that the parties are unable to reach such an agreement within 30 days of such notice, then Customer or Gett may, by written notice to the other party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof). Customer shall pay to Gett all Charges and other sums that were incurred under or in connection with such Agreement before the date of termination and which remain unpaid as at termination. Customer will have no further claims against Gett (including requesting refunds for the Services) as a result of or in connection with the termination of the Agreement pursuant to this paragraph.
APPENDIX 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
1. Undertaking Registration and De-registration;
2. Performing the Agreement, this DPA and/or other contracts executed by the Parties;
3. Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
4. Sharing Personal Data with Sub-processors (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);
5. Rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder;
6. Complying with applicable laws and regulations;
7. All tasks related to any of the above.
Duration of Processing
Subject to any paragraph of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Gett as Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
Personal details (e.g. name, home address, business address), contact information (e.g. mobile phone number, pick-up and drop-off locations, employer/organization, position/job title).
Categories of Data Subjects
Customer may submit Personal Data relating to the following categories of Data Subjects:
Service Users, which may include Customer’s employees, consultants, agents, advisors, and guests.
APPENDIX 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Transfers
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Gett is the data processor of the Personal Data.
3. Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
4. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.2 of the DPA.
5. In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
6. In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
7. In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
8. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
Data Exporter: Customer.
Contact details: As detailed in the Agreement.
Data Exporter Role:
Module Two: The Data Exporter is a data controller.
Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Gett.
Contact details: As detailed in the Agreement.
Data Importer Role:
Module Two: The Data Importer is a data processor.
Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
9. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in Appendix 1 (Details of Processing) of this DPA.
The categories of personal data are described in Appendix 1 (Details of Processing) of this DPA.
The Parties do not intend for Sensitive Data to be transferred.
The frequency of the transfer is on a continuous basis for the duration of the Agreement.
The nature of the processing is described in Appendix 1 (Details of Processing) of this DPA.
The purpose of the processing is described in Appendix 1 (Details of Processing) of this DPA.
The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth at the link detailed in Section 5.2.1 of the DPA.
10. Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
11. The Security Documentation referred to in the DPA serves as Annex II of the Standard Contractual Clauses.
12. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Transfers
The parties agree that the IDTA shall apply to a UK Transfer and this Part 2 is effective from 21 March 2022.
For the avoidance of doubt, defined terms set out in Part 2 of this Appendix 2 are set out in Part 2 Mandatory Clauses below.
Part 1: Tables
Table 1 of the Addendum shall be completed as follows:
- Data Exporter: Customer.
- Contact details: As detailed in the Agreement.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed this Addendum incorporated herein, as of the Effective Date of the Agreement.
- Data Importer: Gett.
- Contact details: As detailed in the Agreement.
- Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed this Addendum, incorporated herein, as of the Effective Date of the Agreement.
Table 2 of the Addendum shall be completed as follows:
Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module in operation | Clause 7 (Docking Clause) | Clause 11 | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
|---|---|---|---|---|---|
| 2 | Shall not apply | Shall not apply | General Authorisation | As set out in Paragraph 9.2 of the DPA | No |
Table 3 of the Addendum
Annex IA shall be completed as follows:
- Data Exporter: Customer
- Contact details: As detailed in the Agreement.
- Data Exporter Role: Module Two: The Data Exporter is a data controller.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed the Approved EU SCCs, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Data Importer: Gett
- Contact details: As detailed in the Agreement.
- Data Importer Role: Module Two: The Data Importer is a data processor.
- Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed the Approved EU SCCs, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Annex I.B shall be completed as follows:
- The categories of data subjects are described in Appendix 1 (Details of Processing) of this DPA.
- The categories of personal data are described in Appendix 1 (Details of Processing) of this DPA.
- The Parties do not intend for Sensitive Data to be transferred.
- The frequency of the transfer is on a continuous basis for the duration of the Agreement.
- The nature of the processing is described in Appendix 1 (Details of Processing) of this DPA.
- The purpose of the processing is described in Appendix 1 (Details of Processing) of this DPA.
- The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
- In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth at the link detailed in paragraph 5.2.1 of the DPA.
- The Security Documentation referred to in the DPA serves as Annex II.
- Annex III: List of Sub-processors shall not apply as Gett has a general written authorisation to use Sub-processors.
Table 4 of the IDTA
The Importer may end this Addendum as set out in Section 19.
Part 2: Mandatory Clauses
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
| Term | Meaning |
|---|---|
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.8(i) of Module 2 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
e. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
f. References to Regulation (EU) 2018/1725 are removed;
g. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
h. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
i. Clause 13(a) and Part C of Annex I are not used;
j. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
k. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
l. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
m. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
n. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
PART 3 – Additional Safeguards
1. In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
a. The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
b. The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”);
c. If the Processor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
I. The Processor shall inform the relevant government authority that the Processor is a processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;
II. The Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor’s control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, the Processor shall notify the Controller, as soon as possible, following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited to do so.
2. Once in every 12-month period, the Processor will inform the Controller, at the Controller’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.