Yak Data Processing Addendum to Services Agreement

This addendum applies only for Services Agreements where Yak processes personal data on behalf of the customer.
Last Updated Date: October 8, 2025

This Data Processing Addendum (“DPA” or this “Addendum) is entered into as of Effective Date of the Applicable Order Form between Yak and Customer, and is hereby made part of, and incorporated into, the Services Agreement by this reference. This Data Processing Addendum shall only be valid if (i) Customer and Yak are parties to an Order Form for the purchase of Yak’s products and services (“Applicable Order Form”), and (ii) Yak processes Personal Data on behalf of Customer.

Between

  • The party designated as “Customer” in the applicable Order Form (“Customer“);
  • Yak Incorporated, a Delaware corporation (“Yak“).

RECITALS

  1. Yak provides makes available to Customer certain online services (“Services“) under a certain Services Agreement between Yak and Customer (“Main Agreement“). In connection with the Services, Yak may process certain Personal Data in respect of which Customer or any member of the Customer Group (as defined below) may be a controller under the Data Protection Laws (as defined below).
  2. Customer and Yak have agreed to enter into this addendum to the Main Agreement (“DPA”) in order to ensure that adequate safeguards are put in place with respect to the protection of such personal data as required by the Data Protection Laws.

AGREEMENT

Agreement sections hyperlinked for your convenience:

  1. Definitions
  2. Status of the Parties
  3. Yak Obligations
  4. Subprocessing
  5. Audit and Records
  6. Data Transfers
  7. General
  8. Customer Obligations

Schedule A: Scope of Processing
Schedule B: Technical and Organizational Measures
Schedule C: UK Addendum

1 Definitions

1.1 The following expressions are used in this DPA (any defined terms not defined herein shall have the meaning ascribed to them in the Main Agreement):

  1. Adequate Country” means a country or territory recognized under the relevant Data Protection Laws from time to time as providing adequate protection for Personal Data;
  2. Customer Group” means Customer and any corporate entities which are: (i) under Common Control with Customer; and (ii) established and/or doing business in the European Economic Area, Switzerland, or the United Kingdom;
  3. Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Main Agreement, including without limitation, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”) and the UK Data Protection Act 2018 (collectively, “UK Data Protection Law”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (iv) the EU e-Privacy Directive (Directive 2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time; (v) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), as amended and the California Privacy Rights Act; (vi) the Virginia Consumer Data Protection Act, VA Code §§ 59.1-571 et seq, as amended (“VCDP”); (vii) the Colorado Privacy Act; and (viii) the Washington My Health My Data Act;
  4. Customer Personal Data” means Personal Data contained in Customer Content.
  5. Data Subject Request” means a request from a data subject relating to access to, or rectification, erasure, data portability, or similar request about that person’s Personal Data or an objection from a data subject to the processing of its Personal Data;
  6. Personal Data” means all data which is defined as ‘personal data,’ ‘personal information,’ ‘personally identifiable information,’ or similar terms under Data Protection Laws.
  7. processing“, “controller“, “data subject“, “supervisory authority” and “processor” shall have the meanings given to them in the Data Protection Laws; and
  8. Yak Group” means Yak and any corporate entities which are from time to time under Common Control with Yak.

2 Status of the Parties

2.1 Customer and Yak each warrant in relation to Customer Personal Data that it will (and will ensure that any of its staff and/or sub-processors will) comply with the Data Protection Laws. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.

2.2 The parties hereby acknowledge and agree that Customer is the Controller (or “Business” under CCPA) and Yak is the Processor (or “Service Provider” under CPPA) of Customer Personal Data processed under this Addendum and accordingly Yak agrees that it shall process all Customer Personal Data in accordance with its obligations pursuant to this DPA.

2.3 Yak and Customer shall notify each other of an individual within its organization authorized to respond to enquiries regarding the processing of Customer Personal Data and each of Yak and Customer shall deal with such enquiries promptly.

3 Yak Obligations

3.1 With respect to all Customer Personal Data, Yak warrants that it shall:

  1. only process the Customer Personal Data in order to provide the Services and shall act only in accordance with the Customer’s written instructions as represented by the Main Agreement and this DPA and shall not: (i) sell or share Customer Personal Data as the terms “sell” or “share” are defined by CCPA or (ii) retain, use, combine, or disclose Customer Personal Data for any purpose other than as described in this Addendum, the Main Agreement, or as permitted under Data Protection Laws;
  2. in the unlikely event that applicable law requires Yak to process Customer Personal Data other than pursuant to Customer’s written instructions, notify Customer (unless prohibited from so doing by applicable law);
  3. as soon as reasonably practicable upon becoming aware, inform Customer if, in Yak’s opinion, any instructions provided by Customer under Clause 3.1(a) violate any Data Protection Laws;
  4. implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data;
  5. take reasonable steps to ensure that only authorized personnel have access to such Customer Personal Data and that any persons whom it authorizes to have access to the Customer Personal Data are under obligations of confidentiality;
  6. as soon as reasonably practicable upon becoming aware (but in any event within 48 hours of awareness), notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data (a “Security Breach“);
  7. promptly (1) provide Customer with reasonable cooperation and assistance in respect of the Security Breach and all information in Yak’s possession concerning the Security Breach that is required for Customer to provide adequate notice under the Data Protection Laws and (2) commence all reasonable efforts to investigate and correct the causes of and attempt to mitigate the impact of the Security Breach;
  8. unless required by applicable law, not make any public announcement that references Customer about a Security Breach or notify a relevant privacy authority about a Security Breach (a “Breach Notice”) without:
    (i) the prior written consent of Customer; and
    (ii) prior written approval by Customer of the content, media, and timing of the Breach Notice;
  9. promptly notify Customer if it receives a Data Subject Request. Yak shall not respond to a Data Subject Request received by Yak without Customer’s prior written consent except to confirm that such request relates to the Customer. To the extent Customer does not have the ability to address a Data Subject Request, Yak shall upon Customer’s request provide reasonable assistance to facilitate a Data Subject Request to the extent Yak is able to consistent with applicable law; provided that, Customer shall pay Yak’s charges for providing such assistance, at Yak’s standard consultancy rates;
  10. within ninety (90) days of termination or expiration of the Main Agreement or completion of the Services, delete all Customer Personal Data processed pursuant to the provision of the Services;
  11. provide such assistance as Customer reasonably requests (taking into account the nature of processing and the information available to Yak) in relation to Customer’s obligations under Data Protection Laws with respect to:
    (i) data protection impact assessments (as such term is defined under Data Protection Laws);
    (ii) notifications to, or consultations with, the supervisory authority under Data Protection Laws;
    (iii) communications to data subjects by Customer in response to any Security Breach; and
    (iv) Customer’s compliance with its obligations under Data Protection Laws with respect to the security of processing;
  12. to the extent legally permitted: (i) promptly notify Customer in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Customer Personal Data to any third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) not disclose Customer Personal Data to the third party without providing Customer at least forty-eight (48) hours’ notice, so that Customer may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure.
  13. comply with a written information security program (“Information Security Program”) designed to protect personal data that includes physical security, organizational security, network security, access, and antivirus and antimalware controls;
  14. require its personnel to comply with the Information Security Program;
  15. conduct periodic risk assessments and reviews of the Information Security Program at least annually or whenever there is a material change of practices that may affect the security, confidentiality or integrity of Customer Personal Data; and
  16. in the event that any Customer Personal Data is corrupted or lost or sufficiently degraded as to be unusable, provide Customer with the option to require the Service Provider, to restore or procure the restoration of the Customer Personal Data insofar as such is technically possible.

4 Subprocessing

4.1 Customer grants a general authorization (a) to Yak to appoint other members of the Yak Group as sub-processors and (b) to Yak and other members of the Yak Group to appoint third-party data center operators, outsourced support providers, and other third parties as sub-processors to assist in the provision of the Services.

4.2 Yak will maintain a list of sub-processors and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. Upon request of Customer, Yak will make the then-current list of sub-processors available to Customer. Where required by Data Protection Laws, Yak will notify Customer prior to engaging any new sub-processors that process Customer Personal Data and allow Customer fourteen (14) days to object. If Customer has reasonable objections to the appointment of any new sub-processor, the parties will work together in good faith to resolve the grounds for the objection. Yak will ensure that any sub-processor it engages to assist in the provision of the Services does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective of Customer Personal Data than those imposed on Yak in this DPA (the “Relevant Terms”). Yak shall ensure that each sub-processor maintains compliance with the Relevant Terms and shall be liable to Customer for any breach of the Relevant Terms by a sub-processor, subject to any limitations of liability in the Main Agreement.

5 Audit and Records

5.1 Yak shall, in accordance with Data Protection Laws, make available to Customer such information in Yak’s possession or control as Customer may reasonably request to demonstrate Yak’s compliance with the obligations of data processors under Data Protection Laws in relation to its processing of Personal Data.

5.2 Unless Customer is compelled by an applicable regulatory body or by a valid legal request, Customer agrees to exercise its right of audit under Data Protection Laws by means of Yak providing once per calendar year:

  1. an audit report not older than 18 months by a registered and independent external auditor demonstrating that Yak’s third-party hosting providers’ technical and organizational measures are sufficient and in accordance with an accepted industry audit standard such as ISO 27001 or SSAE 16 II SOC1 and SOC2; and
  2. additional information in Yak’s possession or control to an EU supervisory authority when it requests or requires additional information in relation to the data processing activities carried out by Yak under this DPA.

5.3 Customer acknowledges and agrees that any such audit of Yak’s sub-processors shall be in accordance with such sub-processor’s standard audit process.

6 Data Transfers

6.1 Definitions. “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss DPA applies, a transfer of personal data from Switzerland to any other country which has not been determined to have a legislation that guarantees an adequate level of data protection (binding adequacy decisions will be issued by the Federal Council after the coming into force of the revised Swiss DPA), and (iii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. “SCCs or Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council; (ii) where the Swiss DPA applies, the EU SCCs with the Swiss amendments as required by the Federal Data Protection and Information Commissioner (FDPIC), and (iii) where the UK GDPR applies, standard data DocuSign Envelope ID: 5EA61742-0BB3-42E6-ABB6-C7E8C42A22B1 3 Version: 16 August 2022 protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR as amended or replaced from time to time.

6.2 The parties agree that when a Restricted Transfer of Personal Data occurs, the Standard Contractual Clauses shall be deemed executed between Company and Customer as follows:

  1. Transfers from the EU. In relation to Personal Data that is protected by the EU GDPR, the SCCs will apply completed as follows:
    • (i) Module Two (Controller to Processor) will apply;
    • (ii) in Clause 7, the optional docking clause will apply;
    • (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in this DPA;
    • (iv) in Clause 11, the optional language will not apply;
    • (v) Annex I of the SCCs shall be deemed completed with the information set out in Schedule A to this DPA;
    • (vi) Annex II of the SCCs shall be deemed completed with the information set out in Schedule B to this DPA;
    • (vii) in Clause 17, Option 1 will apply, and the SCCs will be governed by Irish law; and
    • (viii) in Clause 18(b), disputes shall be resolved before the courts of Ireland.
  2. Transfers from the UK. In relation to transfers of Personal Data that are protected by UK Data Protection Law, the SCCs:
    (i) shall apply as completed in accordance with paragraph (a)(i)-(vii) above; and
    (ii) shall be deemed amended as specified by the UK Addendum in the form of Schedule C, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
  3. Transfers from Switzerland. In relation to transfers of Personal Data that are protected by the Swiss DPA, the SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:
    (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;(ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;
    (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”;
    (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
    (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner.
    (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”;
    (vii) in Clause 17, the SCCs shall be governed by the laws of Switzerland;
    (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and
    (ix) the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.

7 General

7.1 If Customer determines that a Personal Data Breach must be notified to any supervisory authority, data subjects, or the public or portions of the public, Customer will notify Yak before the communication is made and provide Yak with copies of any written documentation to be filed with the supervisory authority and of any notification Customer proposes to make which references Yak, its security measures, or its role in the Security Breach. Customer will consult with Yak in good faith and take account of any clarifications or corrections Yak reasonably requests to such notifications and which are consistent with the Data Protection Laws.

7.2 This Addendum is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this Addendum and the terms of the Main Agreement, the terms of this Addendum shall prevail so far as the subject matter concerns the processing of Customer Personal Data.

7.3 Except where prohibited under applicable law, Yak’s liability to Customer and to each member of the Customer Group (taken together) under or in connection with this Addendum shall be subject to the same limitations and exclusions of liability as apply under the Main Agreement as if that liability arose under the Main Agreement. Nothing in this Addendum will limit Yak’s liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.

7.4 This Addendum sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. No other representations or terms shall apply or form part of this Addendum.

7.5 A person who is not a party to this Addendum shall not have any rights to enforce this Addendum including (where applicable) under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom.

7.6 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

7.7 Without prejudice to clause 17 (Governing Law) and 18 (Choice of Forum and Jurisdiction) of the Standard Contractual Clauses, this Addendum shall be governed by and construed in accordance with the laws of the country stipulated for this purpose in the Main Agreement and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Main Agreement in respect of any claim or matter arising under this Addendum.

7.8 Other than in respect of any accrued liabilities of either party and the provisions of clauses 1, 2 and this clause 7, this Addendum shall terminate automatically on the expiration or termination for whatever reason of the Main Agreement.

7.9 Notwithstanding the foregoing, the Parties acknowledge and agree that should a relevant privacy authority publish new standard contractual clauses (or amendments to the existing Standard Contractual Clauses or UK Addendum) to address Restricted Transfers, and where Customer determines such new or amended clauses are required to address the Restricted Transfers, such new or amended clauses will either be added as new Exhibit for the relevant jurisdiction(s), or replace the Standard Contractual Clauses and/or UK Addendum (as applicable), upon Customer’s notification to Yak thereof; provided that if such new or amended clauses impose material operational burden or risk upon Yak, Yak may notify Customer of such and the parties will work together to determine an alternative means of transfer and if such agreement cannot be reached within sixty (60) days then Customer may terminate the Agreement. Otherwise, all Restricted Transfers will be thereafter made pursuant to such new or amended clauses.

8 Customer Obligations

Customer represents and warrants that:
(i) it has complied and will comply with Data Protection Laws;
(ii) it has provided data subjects whose Customer Personal Data will be processed in connection with this Addendum with a privacy notice or similar document that clearly and accurately describes Customer’s practices with respect to the processing of Customer Personal Data;
(iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the processing of Customer Personal Data as contemplated by the Main Agreement and this Addendum; and
(iv) Yak’s processing of Customer Personal Data in accordance with the Main Agreement and this Addendum will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.

Schedule A: Scope of Processing

Subject Matter of Processing: The context for the Processing of Personal Data is Vendor’s provision of the Services under the Main Agreement.

Duration of Processing: The Processing will begin on the effective date of the relevant Order Form and will end upon expiration or termination of the Order Form.

Nature and Purpose of Processing: Collection, recording, organization, storage, retrieval, use, disclosure, transmission, erasure, or destruction. The precise reasons for processing the data includes maintaining account information, storing and transmitting documents as part of the Services, or providing support services.
Types of Personal Data: first and last name; phone number; email address

Categories of Data Subjects: Employees and contractors of Customer and/or its clients.

Countries where Personal Data is Processed (list all): United States.

Schedule B: Technical and Organizational Measures

Data importer shall implement and maintain appropriate administrative, technical, and physical safeguards designed to protect Customer Personal Data in accordance with the Data Protection Laws, the Main Agreement, this Addendum, and its internal security guidelines, which are designed using security industry frameworks to protect the security, confidentiality, and availability of Customer Personal Data.

Pursuant to Clause 10(b) of the Standard Contractual Clauses and Section 3 of the DPA, data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.

Schedule C: UK Addendum

This UK Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start dateThe effective date of the Addendum.
The PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)
Parties’ detailsFull legal name: Customer.  Main address (if a company registered address): As set forth in the Order Form.Full legal name: Supplier. Main address (if a company registered address): As set forth in the Order Form.
Key ContactContact details including email: Company Designated POC.Contact details including email: Service Provider Designated POC.

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex 1A: List of Parties: As set forth in Exhibit A, Annex I.
Annex 1B: Description of Transfer: As set forth in Exhibit A, Annex I.
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set forth in Exhibit A, Annex II.

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

Ending this UK Addendum when the Approved UK Addendum changesWhich Parties may end this UK Addendum as set out in Section ‎19: Exporter or Importer. 

Part 2: Mandatory Clauses

Entering into this UK Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this UK Addendum, in exchange for the other Party also agreeing to be bound by this UK Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this UK Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this UK Addendum. Entering into this UK Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this UK Addendum

  1. Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum EU SCCsThe version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix InformationAs set out in Table ‎3.
Appropriate SafeguardsThe standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved UK AddendumThe template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.
Approved EU SCCsThe Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICOThe Information Commissioner.
Restricted TransferA transfer which is covered by Chapter V of the UK GDPR.
UKThe United Kingdom of Great Britain and Northern Ireland.
UK AddendumThis International Data Transfer Addendum which is made up of this UK Addendum incorporating the Addendum EU SCCs.
UK Data Protection LawsAll laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPRAs defined in section 3 of the Data Protection Act 2018.
  1. This UK Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  2. If the provisions included in the UK Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved UK Addendum, such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  3. If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws applies.
  4. If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  5. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this UK Addendum has been entered into.

Hierarchy

  1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section ‎10 below will prevail.
  2. Where there is any inconsistency or conflict between the Approved UK Addendum and the UK Addendum EU SCCs (as applicable), the Approved UK Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved UK Addendum.
  3. Where this UK Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this UK Addendum impacts those Addendum EU SCCs.

Hierarchy

  1. This UK Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    b. Sections ‎9 to ‎11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    c. this UK Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  1. Unless the Parties have agreed alternative amendments which meet the requirements of Section ‎12, the provisions of Section ‎15 will apply.
  2. No amendments to the Approved EU SCCs other than to meet the requirements of Section ‎12 may be made.
  3. The following amendments to the Addendum EU SCCs (for the purpose of Section ‎12) are made:
    a. References to the “Clauses” means this UK Addendum, incorporating the Addendum EU SCCs;
    b. In Clause 2, delete the words:
    “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
    c. Clause 6 (Description of the transfer(s)) is replaced with:
    “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
    d. Clause 8.7(i) of Module 1 is replaced with:
    “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
    e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
    “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
    g. References to Regulation (EU) 2018/1725 are removed;
    h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    j. Clause 13(a) and Part C of Annex I are not used;
    k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    l. In Clause 16(e), subsection (i) is replaced with:
    “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
    m. Clause 17 is replaced with:
    “These Clauses are governed by the laws of England and Wales.”;
    n. Clause 18 is replaced with:
    “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
    o. The footnotes to the Approved EU SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this UK Addendum

  1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved UK Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  3. From time to time, the ICO may issue a revised Approved UK Addendum which:
    a. makes reasonable and proportionate changes to the Approved UK Addendum, including correcting errors in the Approved UK Addendum; and/or
    b. reflects changes to UK Data Protection Laws;
    The revised Approved UK Addendum will specify the start date from which the changes to the Approved UK Addendum are effective and whether the Parties need to review this UK Addendum including the Appendix Information. This UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified.
  4. If the ICO issues a revised Approved UK Addendum under Section ‎18, if any Party selected in Table 4 “Ending the UK Addendum when the Approved UK Addendum changes”, will as a direct result of the changes in the Approved UK Addendum have a substantial, disproportionate and demonstrable increase in:
    a. its direct costs of performing its obligations under the UK Addendum; and/or
    b. its risk under the UK Addendum,
    and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved UK Addendum.
  5. The Parties do not need the consent of any third party to make changes to this UK Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses:

Mandatory ClausesPart 2: Mandatory Clauses of the Approved UK Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.
Scroll to Top