TEAMSUPPORT LLC & SNAPENGAGE LLC DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the Master Services Agreement, if such has been entered into, or otherwise the Terms of Service available at https://www.teamsupport.com/help-desk-subscription-use-service-terms, or any Order Form (defined below) that incorporates this Addendum (the “Agreement”), between TeamSupport, LLC acting on its own behalf and as agent for each TeamSupport Affiliate, including SnapEngage, LLC (“Company”); and the customer identified as “You” or “Your” in the Agreement, acting on its own behalf and as agent for any of its affiliates (“Customer”). This Addendum will be effective on the earlier of (1) the date Customer first discloses Personal Data to Company in association with Customer’s use of or access to the Services; (2) the date Customer accepts the Agreement; or (3) the date the Customer accepts this Addendum (the “Addendum Effective Date”).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Customer or Company respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.2. “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
1.3. “Customer Personal Data” means Personal Data received from or on behalf of Customer that is covered by a Data Protection Law.
1.4. “Data Protection Laws” means, with respect to a party, the data privacy, security, and breach notification laws applicable to such party’s Processing of Customer Personal Data under the Agreement including, in each case to the extent applicable: (a) United States Data Protection Laws; and (b) European Data Protection Laws.
1.5. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
1.6. “European Data Protection Laws” means, in each case to the extent applicable to the relevant Customer Personal Data or Processing thereof under the Agreement: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.
1.7. “Order Form” means the Company-approved form evidencing the initial subscription for the Service and any subsequent order forms submitted online or in written form, specifying, among other things, the number of licenses and other services contracted for, the applicable fees, the billing period, and other charges as agreed to between the parties, each such Order Form to be incorporated into and to become a part of the Agreement.
1.8. “Personal Data” means any information relating to an identified or identifiable natural person where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity and includes information defined as “personal data,” “personal information,” and “personally identifiable information” in applicable laws pertaining to data or information privacy, security, protection, or breach notification.
1.9. “Process(ed)(ing)” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.10. “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
1.11. “Security Incident” means a breach of Company’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Company’s possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.12. “Service(s)” means the services that Company has agreed to provide to Customer under the Agreement.
1.13. “Standard Contractual Clauses” means the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Controller to Processor or Module Three: Processor to Processor, as applicable) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are hereby incorporated into this Addendum by reference, as supplemented or modified by Appendix 3.
1.14. “Subprocessor” means any Processor (including any third party and any Company Affiliate) appointed by Company to Process Customer Personal Data on behalf of Customer or any Customer Affiliate.
1.15. “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
1.16. “United States Data Protection Laws” means, in each case to the extent applicable to the relevant Customer Personal Data or Processing thereof under the Agreement: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations(“CCPA”); (b) the Virginia Consumer Data Protection Act (VCDPA), when effective; (c) the Colorado Privacy Act (CPA), when effective; (d) the Utah Consumer Privacy Act (UCPA); (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), when effective; and (f) any other applicable law, rule, or regulation related to the protection of Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.
- Data Processing Terms. While providing the Services to Customer and Customer Affiliates pursuant to the Agreement, Company and Company Affiliates may Process Customer Personal Data on behalf of Customer or any Customer Affiliate as per the terms of this Addendum. The parties agree to comply with the following provisions with respect to any Customer Personal Data:
2.1. Roles of the Parties. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and Company is a Processor. In some circumstances, the parties acknowledge that Customer may be acting as a Processor to a third-party Controller in respect of Customer Personal Data, in which case Company will remain a Processor with respect to the Customer Personal Data. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2. Customer Instructions. Company shall not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which Company is subject, in which case Company shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement and any related SOW entered into by Customer shall constitute documented instructions for the purposes of this Addendum. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Company’s Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Company and to permit the processing of such Customer Personal Data by Company for the purposes of performing Company’s obligations under the Agreement pursuant to Appendix 1. Customer shall notify Company of any changes in, or revocation of, the permission to use, disclose, or otherwise process Customer Personal Data that would impact Company’s ability to comply with the Agreement, or applicable Data Protection Laws.
2.3. Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1.
2.4. Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” and “Business Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. Company shall only retain, use, or disclose Customer Personal Data as necessary for Company’s performance of its obligations under the Agreement and only in accordance with Customer’s instructions. Company shall not (1) Sell or Share any Customer Personal Data or (2) combine Personal Information received from or on behalf of Customer with Personal Data received from or on behalf of any third party, or collected from Company’s own interactions with Data Subjects, except to perform any Business Purpose permitted by the CCPA. The parties acknowledge that the Personal Information disclosed by Customer to Company is provided to Company only for the limited and specified purposes set forth in Appendix 1. Company will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Company uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 8. Company will notify Customer if it makes a determination that Company can no longer meet its obligations under the CCPA. If Company notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Company, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing. Company hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them.
- Confidentiality. Company shall take reasonable steps to ensure that individuals that process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. With respect to the security of Customer Personal Data:
4.1. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall in relation to Customer Personal Data implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk. Company’s measures will include those set forth at http://teamsupport.com/technical_and_security_measures as updated from time to time (the “Security Measures”).
4.2. Security Incident. In the event of a Security Incident, Company will notify Customer without undue delay after becoming aware of the Security Incident. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. Company will take reasonable steps to provide Customer with information available to Company that Customer may reasonably require to comply with its obligations as Controller, if any, to notify impacted Data Subjects or Supervisory Authorities. Company shall make reasonable efforts to identify and remediate the cause of such Security Incident. Company’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Security Incident
4.3. Customer Responsibilities. Customer agrees that, without limitation of Company’s obligations under this Section 4, Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Services, where applicable. Without limiting Company’s obligations hereunder, Customer is responsible for reviewing the information made available by Company relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
- Subprocessing. Company’s current list of Subprocessors for the Services is available at http://www.teamsupport.com/subprocessors_list (the “Subprocessor List”), which Customer hereby approves and authorizes. Customer generally authorizes Company to engage new Subprocessors as Company considers reasonably appropriate for the processing of Customer Personal Data in accordance with this Addendum provided that Company shall notify Customer of the addition of a new Subprocessor to the Subprocessor List at least ten (10) days in advance through an in-app notification (the “Subprocessor Notification Mechanism”) and Customer can access the updated list of subprocessors on the Subprocessor List at any time. If Customer in any way disables the Subprocessor Notification Mechanism, Customer shall be deemed to have waived its right to receive notification of new Subprocessors and Customer shall be responsible for periodically checking the Subprocessor List to remain informed of Company’s current list of Subprocessors. Customer may, on reasonable grounds, object to a Subprocessor by notifying Company in writing within 10 days of receipt of Company's notification, giving reasons for Customer's objection. Upon receiving such objection, Company shall: (1) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (2) where such change cannot be made within 10 days of Company's receipt of Customer's notice, Customer may by written notice to Company with immediate effect terminate the portion of the Agreement or relevant SOW to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is Customer's sole and exclusive remedy to Customer’s objection of any Subprocessor appointed by Company. Company shall require all Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum. Company shall remain fully liable for all the acts and omissions of each Subprocessor.
- Data Subject Rights. Company shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data or will advise the Data Subject to submit the request to Customer, and Customer will be responsible for responding to any such request. In the event that any Data Subject makes a request to exercise any of its rights under the Data Protection Laws in relation to Customer Personal Data, Company will taking into account the nature of the Processing of Customer Personal Data and the functionality of the Services, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, as necessary for Customer to fulfill its obligations under Data Protection Laws to respond to such requests. Company reserves the right to charge Customer on a time and materials basis in the event that Company considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any Supervisory Authority of Customer, following written request from Customer, Company shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, taking into account the nature of Company’s Processing of Customer Personal Data and the information available to Company. Company reserves the right to charge Customer on a time and materials basis in the event that Company considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- Relevant Records and Audit Rights. Company shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of Company (“Mandated Auditor”) of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum. Company shall provide reasonable cooperation to Customer in respect of any such audit and shall at the request of Customer, provide Customer with relevant records of compliance with its obligations under this Addendum. Company shall promptly inform Customer if, in its opinion, a request infringes the Data Protection Laws or any other confidentially obligations with Company’s other customers. Customer agrees that: (1) audits may only occur once per year, during normal business hours, and where possible only after reasonable notice to Company (not less than 20 days' advance written notice); (2) audits will be conducted in a manner that does not have any adverse impact on Company's normal business operations; (3) Customer and any Mandated Auditor will comply with Company's standard safety, confidentiality, and security procedures in conducting any such audits; and (4) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of Company. To the extent any such audit incurs in excess of 10 hours of Company personnel time, Company may charge Customer on a time and materials basis for any such excess hours.
- International Data Transfers. Company may Process Customer Personal Data in the United States or anywhere Company or its Subprocessors maintains facilities. Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.
9.1. European Transfers. If Customer transfers Customer Personal Data to Company that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Company (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (1) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Addendum Effective Date; (2) the relevant selections, terms, and modifications set forth in Appendix 3 shall apply, as applicable; and (3) the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis.
9.2. Other Jurisdictions. If Customer transfers Customer Personal Data to Company that is subject to Data Protection Laws other than European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under such Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 9.1.
9.3 Conflicts. In the event of a direct conflict between the terms of this Addendum, including Appendix 3, and the terms of the Standard Contractual Clauses, the Standard Contractual Clauses will control. The Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis and acknowledged by the parties.
- Deletion or Return of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement or at any time requested by Customer, Company shall delete or return all Customer Personal Data to Customer.
- General Terms. Any obligation imposed on Company under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the Agreement with regard to data protection obligations for Personal Data of a Data Subject under Data Protection Laws. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA ANNEX I
1. Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing are as described in the Agreement and the Addendum.
2. Nature and purpose of the Processing of Customer Personal Data
The nature of the Processing involves those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and the Addendum.
The purpose of the Processing of Customer Personal Data includes the following:
- Helping to ensure security and integrity, to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes;- Debugging to identify and repair errors that impair existing intended functionality;- Performing the Services as described in the Agreement and carrying out the instructions indicated therein, including providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing storage, or providing similar services on behalf of Customer;- Undertaking internal research for technological development and demonstration; and- Undertaking activities to verify or maintain the quality or safety of the Services, and to improve, upgrade, or enhance the Services.
3. The categories of Data Subjects to whom Customer Personal Data relates
Data subjects include the individuals about whom personal data is provided to the data importer via by (or at the direction of) the data exporter. This may include: individuals authorized by Customer to use the Services.
4. The categories of Customer Personal Data
Personal Information or personal data including information relating to individuals provided to the data importer via the Services by (or at the direction of) the data exporter. This may include: data relating to individuals provided to Company via the Services by (or at the direction of) the data exporter.
5. The sensitive data included in Customer Personal Data
No sensitive data expected by the parties.
The restrictions or safeguards applied to such data are described in Appendix 2.
6. The frequency of Customer’s transfer of Customer Personal Data to Company:
On a continuous basis for the term of the Agreement.
7. The period for which Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
As set forth in the Addendum or the Agreement.
8. For transfers to Subprocessors, the subject matter, nature and duration of the Processing of Customer Personal Data:
For the duration of the Agreement and as set forth in the Appendix 4.
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data uploaded to the Services in accordance with the security measures set forth at http://teamsupport.com/technical_and_security_measures that are applicable to the specific Services purchased by data exporter, as updated from time to time.
STANDARD CONTRACTUAL CLAUSES
- Application of Modules. If Customer is acting as a Controller with respect to Customer Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. If Customer is acting as a Processor to a third-party Controller with respect to Customer Personal Data, Company is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply.
- Sections I-V. The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and engagement of new Subprocessors, including the specified time period, shall be the notification time period set forth in Section 5 of the Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Netherlands will apply; and (d) in Clause 18(b), the parties select the courts of the Netherlands.
- Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 5 or 6 of this Appendix 3. If such determination is not clear, then the competent supervisory authority shall be the Netherlands. The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in Appendix 2 to the Addendum.
- Supplemental Business-Related Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. Company and Customer therefore agree that the applicable terms of the Agreement and the Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
(a) Instructions. The instructions described in Clause 8.1 are set forth in Section 2.2 of the Addendum.
(b) Protection of Confidentiality. In the event a Data Subject requests a copy of the Standard Contractual Clauses or the Addendum under Clause 8.3, Customer shall make all redactions reasonably necessary to protect business secrets or other confidential information of Company.
(c) Deletion or Return. Deletion or return of Customer Personal Data by Company under the Standard Contractual Clauses shall take place in accordance with Section 7 of the Agreement and Section 10 of the Addendum. Certification of deletion of Customer Personal Data under Clause 8.5 or Clause 16(d) will be provided by Company upon the written request of Customer.
(d) Onward Transfers. Company shall be deemed in compliance with Clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
(e) Audits and Certifications. Any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with Section 8 of the Addendum.
(f) Liability. The relevant terms of the Agreement, including Sections 12, 13, and 14, which govern indemnification or limitation of liability shall apply to Company’s liability under Clauses 12(a), 12(d), and 12(f).
(g) Termination. The relevant terms of the Agreement, including Sections 7, 8, and 9, which govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.
5. Transfers from the United Kingdom. If Customer transfers Customer Personal Data to Company that is subject to UK Data Protection Laws, this Section shall apply to the Standard Contractual Clauses to the extent that UK Data Protection Laws apply to Customer’s Processing when making that transfer. As used in this Section, “Approved Addendum” means the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it is revised under Section 18 of such addendum. The parties acknowledge that the information required to be set forth in “Part 1: Tables” of the Approved Addendum shall be completed in accordance with Appendix 1 of this Addendum, as modified by this Appendix 3 of this Addendum. “Part 2: Mandatory Clauses” of the Approved Addendum, as it may be revised pursuant to Section 18 of the Approved Addendum, is hereby incorporated herein by reference. For purposes of Section 19 of the Approved Addendum, either party may end the Approved Addendum in accordance with Section 19 thereof.
6. Transfers from Switzerland. If Customer transfers Customer Personal Data to Company that is subject to the FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the FADP applies to Customer’s Processing when making that transfer: (i) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (ii) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the Swiss FADP on or about 1 January 2023; (iii) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the FADP; and (iv) the parties agree that the supervisory authority as indicated in Annex I.C shall be the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.
LIST OF SUBPROCESSORS
Data importer’s Subprocessors, including their roles in the Processing of Customer Personal Data can be found at http://www.teamsupport.com/subprocessors_list.
This document was last updated February 27, 2023.