Data Protection Addendum

  1. BACKGROUND

1.1 Telit’s provision of the Services to Customer involves processing ‘personal data’ or ‘personal information’, as defined under applicable data protection and privacy laws. This Data Protection Addendum (the “Addendum”) seeks to regulate Telit’s processing of such data, and is incorporated by reference into the Cloud and Connectivity Services Terms and Conditions, including any of its constituent parts, referenced documents and mutually agreed Subsequent Orders made under it (the “Agreement”).

1.2 The Addendum consists of three parts:

(a) EU Data Security and Privacy, which applies to the extent specified in Section 2 below.

(b) California Privacy, which applies to the extent specified in Section 3 below.

(c) Annex D - General Data Security and Privacy, which applies if neither the EU Data Security and Privacy nor the California Privacy apply.

1.3 In this Addendum, capitalized terms shall have the same meaning as set out in the Agreement, unless otherwise defined within any of the parts comprising this Addendum.

  2. EU DATA SECURITY AND PRIVACY

2.1 Subject to Section 2.3 below, Annexes A and B apply to the Processing of personal data where the Telit entity or Customer entity that enters into this agreement is a Controller or a Processor established in the EU, regardless of whether the Processing takes place in the Union or not.

2.2 Subject to Section 2.3 below, Annexes A and B also apply to the Processing of personal data of Data Subjects who are in the EU by a Controller or Processor not established in the Union, where the Processing activities are related to either the offering of goods or services to those Data Subjects or to the monitoring of their behavior as far as their behavior takes place within the EU.

2.3 To the extent that the conditions set out in Section 2.1 and 2.2 above are met, then depending on the Services ordered by the Customer the Annexes shall apply as follows:

(a) where the Customer orders Connectivity Services – Annex A shall apply.

(b) where the Customer orders Cloud Services and/or Professional Services – Annex B shall apply.

Accordingly, if the Customer orders Connectivity as well as Cloud and/or Professional services, both Annex A and B shall apply.

2.4 Definitions. In Annexes A and B, the following words shall have the following meanings:

(a) “Data Protection Laws” shall mean the GDPR, its implementing legislation and all applicable laws and regulations relating to Personal Data and privacy that are enacted from time to time in any relevant jurisdiction, including (where applicable) relevant guidance and codes of practice issued by any competent authority.

(b) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as applied, modified, added to, limited, widened, substituted, replaced or repealed by law or regulation (and references to any Article or provision of the Regulation shall be interpreted accordingly).

(c) “Personal Data” shall mean any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (including Special Categories of Personal Data defined below and as listed in Article 9(1) of GDPR).

(d) “Personal Data Breach” shall mean accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.

(e) "Privacy Notice" shall mean Telit's EU Privacy Policy as such appears on its website at: https://www.telit.com/eu-privacy-policy/.

(f) “Standard Contractual Clauses (SCCs)” shall mean the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, incorporated hereto by reference.

(g) “Special Categories of Personal Data” shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and data consisting of information as to the commission or alleged commission of any offence or any proceedings for any offence or alleged offence or the disposal of such proceedings or the sentence of any court in such proceedings.

(h) “UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office in the UK.

(i) “UK GDPR” shall mean the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

(j) "Units" shall mean those modules (and the associated SIM Cards or Virtual Sims therein) used by the Customer or its End Users to receive the Services.

(k) “Virtual SIM” shall mean such software and firmware incorporated into modules enabling communication without the necessity of a physical SIM Card.

  3. CALIFORNIA PRIVACY

3.1 Annex C applies to the extent that the Services involve processing personal information governed by the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §1798.100 et seq.).

3.2 Definitions. In Annex C, the following terms shall have the meaning attributed to them under the CCPA (Cal. Civ. Code §1798.140): ‘consumer’, ‘personal information’, ‘processing’, ‘selling’, ‘service provider’.

ANNEX A: EU Connectivity

  1. DATA SECURITY AND PRIVACY

1.1 Telit may Process Personal Data related to the use and provision of the Services (the "Processed Data").

1.2 The Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, the telephone number associated therewith, logs of calls sent from or received by the Units, text messages sent from or received by the Units, mobile network measurements related to the Units, Unit activity times and Unit location. The Processed Data further includes the content (“Content”) of transmissions made as part of the Services.

1.3 Processed Data is subject to the GDPR. Processed Data may be accessed, collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers").

1.4 Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services. 

1.5 Telit may transfer, store and Process the Processed Data outside of the European Economic Area or outside the country in which the end-users of the Units are located and/or outside the country in which the Processed Data is collected (including in the USA, Italy, Israel or Ireland), and in jurisdictions which do not provide the same level of data protection as does the jurisdiction in which the Customer is incorporated or conducts business. 

1.6 Telit Processes the Processed Data for the following purposes:

  1. to provide the Services;

  2. conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;

  3. to bill and collect fees;

  4. enforce the Agreement;

  5. take any action in any case of dispute, or legal proceeding of any kind involving Customer, End Users, or other third parties, with respect to the Services;

  6. to prevent:

    1. fraud;

    2. misappropriation;

    3. infringements; and

    4. identity theft and other illegal activities and misuse of the Services.

1.7 If Telit is required, or reasonably believes it is required, by law, to share or disclose Processed Data, or if such sharing or disclosure is required pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority, provided that, to the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at Customer’s cost and expense, to intervene and protect its interests in the Processed Data.

1.8 Subject to applicable law, Telit may:

  1. retain the Processed Data for as long as Telit, in its discretion, deems necessary for its business or other legitimate purposes, and

  2. delete the Processed Data from systems under its possession or control, if Telit, in its discretion, determines that it no longer requires the Processed Data for its business or other legitimate purposes.

1.9 The Customer agrees that, other than expressly set out in the Agreement, Telit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data pursuant to this Addendum.

  2. TELIT AS A DATA CONTROLLER

2.1 To the extent Telit acts as a Data Controller in respect of the Units (e.g., for billing and collecting fees, Customer usage data and Customer account data), the following terms in this Section 2 shall apply.

2.2 The Customer must notify Telit immediately if it becomes aware of or suspects an incident that may involve a Personal Data Breach.

2.3 The Customer and Telit each acknowledge that they have their respective obligations to relevant government authorities and, to individuals whose Personal Data they Process, to comply with applicable Data Protection Laws. The Customer and Telit each act as a Controller in their own right, in regard to their respective Processing of Personal Data.

2.4 Telit’s EU Privacy Notice describes Telit’s Processing activities as Controller of the Personal Data relating to Customer, individuals connected to Customer, and other business contacts, in accordance with GDPR requirements. In fulfilling Telit’s duties to relevant government authorities and to individuals whose Personal Data Telit Processes under applicable Data Protection Laws, Telit will Process Personal Data that Customer shares with Telit, or that Telit obtains from other sources on Customer’s behalf, only for the relevant purposes that are set out in Telit’s EU Privacy Notice or any supplemental notice that Telit may provide to Customer. For more detail, please refer to Telit’s EU Privacy Notice.

2.5 If Customer discloses or transfers Personal Data to Telit concerning individuals connected to Customer or otherwise relevant to the provision of the Services (including to Customer), it shall be Customer’s responsibility as the Controller of that data to transfer or otherwise disclose such Personal Data in compliance with GDPR requirements including (without limitation) by:

  1. transferring the Personal Data to Telit only as necessary for Telit to provide the Services;

  2. having a lawful basis for disclosing the Personal Data to Telit;

  3. providing all the information required to be provided by the GDPR, in the applicable circumstances (the "Required Information"), to the relevant individuals concerning the transfer of their Personal Data to Telit (including a link to the EU Privacy Notice published on Telit’s website: https://www.telit.com/eu-privacy-policy/); and

  4. assuming the primary responsibility for responding to Data Subject access requests in relation to Personal Data that Customer has shared with Telit.

2.6 Telit will cooperate with Customer, upon request and where reasonably possible, to ensure that the Required Information is made accessible to the relevant individuals, including End Users. Telit agrees to meet its own obligations to provide information directly to the individuals concerned, such as any customised privacy notice that Telit may issue to address a specific matter if required by particular circumstances. However, Customer acknowledges that in most cases, it would be impossible, or would require disproportionate effort for Telit to provide notice directly to all such individual third parties when Customer shares their Personal Data with Telit. Customer may also have obligations under the GDPR and Customer will reasonably cooperate with Telit with respect to any Personal Data that is shared between Telit and Customer in order to facilitate compliance with the relevant provisions of the GDPR.

2.7 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision of the European Commission as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, the parties hereby enter into MODULE ONE of the SCCs, as follows:

  1. In Section IV (Final Provisions), Clause 17 for MODULE ONE: Transfer controller to controller: The Parties agree that this shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.

  2. In Section IV (Final Provisions), Clause 18(b) for MODULE ONE: Transfer controller to controller: The Parties agree that those shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.

  3. In Annex I, for MODULE ONE: Transfer controller to controller:

    1. Data Exporter: Customer.

      1. Activities relevant to the data transferred under these Clauses: an organization using the Services.

      2. Role: Controller.

    2. Data Importer: Telit.

      1. Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Services.

      2. Role: Controller.

  4. Description of Transfer:

    1. Categories of data subjects whose personal data is transferred: See Telit’s EU Privacy Notice.

    2. Categories of personal data transferred: See Telit’s EU Privacy Notice.

    3. Sensitive data transferred: None.

    4. The frequency of the transfer: on a continuous basis.

    5. Nature of the processing: See Telit’s EU Privacy Notice.

    6. Purpose(s) of the data transfer and further processing: See Telit’s EU Privacy Notice.

    7. The period for which the personal data will be retained: See Telit’s EU Privacy Notice.

    8. Transfers to (sub-) processors: See Telit’s EU Privacy Notice.

    9. Competent Supervisory Authority: The data protection authority in the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the Data Protection Commissioner of the Republic of Ireland.

  5. In Annex II, for MODULE ONE (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): As per Telit’s information security policy.

2.8 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision by the UK as providing an adequate level of protection for Personal Data pursuant to the UK GDPR, the parties hereby agree that for any Personal Data transfer from the UK, the UK Addendum attached hereto as ANNEX D shall apply.

  3. TELIT AS A DATA PROCESSOR

3.1 To the extent that Telit acts as a Data Processor in relation to the Content which is Personal Data, the following terms in this Section 3 shall apply.

3.2 Telit will act only on documented instructions from the Customer in relation to the Processing of Personal Data (including those set out in the Agreement) unless Processing is required by Data Protection Laws to which Telit is subject, in which case Telit shall to the extent permitted by such Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that data.

3.3 Telit shall ensure that all persons authorised to Process Personal Data in relation to the Services have committed themselves to confidentiality in respect of the data.

3.4 Telit shall assist the Customer, as far as is possible, in fulfilling the Customer’s obligation to respond to the requests of Data Subjects seeking to exercise their rights under the GDPR, in so far as such requests relate to the provision of the Services.

3.5 To ensure the security of the Personal Data that Telit Processes on the Customer’s behalf, and to safeguard the rights of Data Subjects, Telit has put in place and will maintain technical and organisational measures appropriate to the risks associated with the Services.

3.6 On receiving a written request, Telit shall assist the Customer in meeting the Customer’s GDPR obligations in relation to the following:

  1. the security of the Processing of Personal Data in relation to the Services;

  2. the notification of Personal Data breaches where required; and

  3. the conduct of data protection impact assessments, where necessary.

3.7 Upon termination of the Services and the Customer’s request, Telit shall either delete or return all Personal Data to the Customer, unless Telit is legally obliged to keep such data.

3.8 Upon Customer’s written request, Telit shall provide the Customer with information necessary to demonstrate Telit’s compliance with the obligations set out in this Section 3, and shall allow for and contribute to audits, including inspections, conducted by the Customer in relation to the Processing activities connected to the provision of the Services. The Customer’s right to audit will be limited to once in any twelve-month period and limited in time and scope to a maximum of two (2) business days and in the scope reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. Telit will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit. If an audit determines that Telit has breached its obligations under the Agreement, Telit will promptly remedy the breach at its own cost.

3.9 Telit will promptly inform the Customer if Telit becomes aware of any Personal Data Breach that is confirmed or suspected with reasonable certainty involving Personal Data of the Customer.

3.10 Telit shall immediately inform the Customer if an instruction relating to this Section 3 would, in Telit’s opinion, infringe the GDPR or other Data Protection Laws of the EU or an EU Member State having jurisdiction over the Services.

3.11 Telit shall not engage any sub-Processors to assist in providing the Services, unless Telit has entered into a written contract with the sub-Processor that obligates the sub-Processor to comply with all relevant obligations applicable to it under this Addendum.

3.12 A list of Telit’s existing sub-Processors, their roles, and the location of the Processing carried out by them is available online at https://www.telit.com/sub-processor-vendors/. Customer can sign-register online to receive advance notifications of changes to the list of sub-Processors. By entering into the Agreement, the Customer agrees that Telit may use these sub-Processors (as shall be updated from time to time) for the purposes of providing the Services.

3.13 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision of the European Commission as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, the parties hereby enter into MODULE TWO of the SCCs, as follows.

  1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: GENERAL WRITTEN AUTHORISATION. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

  2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.

  3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.

  4. In Annex I, for MODULE TWO: Transfer controller to processor:

    1. Data Exporter: Customer.

      1. Activities relevant to the data transferred under these Clauses: an organization using the Services.

      2. Role: Controller.

    2. Data Importer: Telit.

      1. Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Services.

      2. Role: Processor.

  5. Description of Transfer:

    1. Categories of data subjects whose personal data is transferred: Customer’s ultimate end-users of the Services.

    2. Categories of personal data transferred: as determined by the end-users of the Services.

    3. Sensitive data transferred: as determined by the end-users of the Services.

    4. The frequency of the transfer: on a continuous basis.

    5. Nature of and purpose(s) of the data transfer and further processing: transmission of the Content.

    6. The period for which the personal data will be retained: the duration of the provision of the Services.

    7. Transfers to (sub-) processors: See https://www.telit.com/sub-processor-vendors/.

    8. Competent Supervisory Authority: The data protection authority in the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the Data Protection Commissioner of the Republic of Ireland.

  6. In Annex II, for MODULE TWO (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): As per Telit’s information security policy.

3.14 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision by the UK as providing an adequate level of protection for Personal Data pursuant to the UK GDPR, the parties hereby agree that for any Personal Data transfer from the UK, the UK Addendum attached hereto as ANNEX D shall apply.

  4. LIABILITY

4.1 Telit shall only be liable for Process where Telit has not complied with its obligations under this Annex A of the Addendum or where Telit has acted outside or contrary to lawful and agreed written instructions from the Customer.

ANNEX B: EU Cloud Services and Professional Services

  1. DATA SECURITY AND PRIVACY

1.1 Telit may Process Personal Data related to the use and provision of the Services (the "Processed Data").

1.2 The Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Cloud Services, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units.

1.3 Processed Data is subject to the GDPR. Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers").

1.4 Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services. 

1.5 If the Order Form of the Agreement specifies a geographical region in which the servers hosting and operating the Cloud Services shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Cloud Services offerings ordered by Telit, Telit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Telit may transfer, store and Process the Processed Data outside of the European Economic Area or outside the country in which the End-users of the Units are located and/or outside the country in which the Processed Data is collected (including in the USA, Italy, Italy or Ireland), and in jurisdictions which do not provide the same level of data protection as does the jurisdiction in which the Customer is incorporated or conducts business.

1.6 Telit Processes the Processed Data for the following purposes:

  1. to provide the Services;

  2. conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;

  3. to bill and collect fees;

  4. enforce the Agreement;

  5. take any action in any case of dispute, or legal proceeding of any kind involving Customer, End Users, or other third parties, with respect to the Services;

  6. to prevent:

    1. fraud;

    2. misappropriation;

    3. infringements; and

    4. identity theft and other illegal activities and misuse of the Services.

1.7 If Telit is required, or reasonably believes it is required, by law, to share or disclose Processed Data, or if such sharing or disclosure is required pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority, provided that, to the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the Processed Data.

1.8 It is Customer’s responsibility as the Controller of the Personal Data it Processes through Telit to comply with the GDPR requirements including (without limitation) by:

  1. transferring the Personal Data to Telit only as necessary for Telit to provide the Services as a Processor;

  2. having a lawful basis for Processing the Personal Data through Telit;

  3. providing all the information required to be provided by the GDPR, in the applicable circumstances (the "Required Information"), to the relevant individuals concerning the Processing of their Personal Data; and

  4. exercising responsibility for responding to Data Subject access requests in relation to Personal Data that Customer has Processed through Telit.

1.9 Neither Telit nor its licensors claim ownership of the Processed Data submitted for use with the Services. The Customer shall be the Data Controller and Telit the Data Processor, save in respect of Service security, performance and operability data, for which Telit is the Data Controller. Telit’s EU Privacy Notice describes Telit’s Processing activities as Controller, in accordance with GDPR requirements.

1.10 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision of the European Commission as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, the parties hereby enter into MODULE ONE of the SCCs, as follows:

  1. In Section IV (Final Provisions), Clause 17 for MODULE ONE: Transfer controller to controller: The Parties agree that this shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.

  2. In Section IV (Final Provisions), Clause 18(b) for MODULE ONE: Transfer controller to controller: The Parties agree that those shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.

  3. In Annex I, for MODULE ONE: Transfer controller to controller:

    1. Data Exporter: Customer.

      1. Activities relevant to the data transferred under these Clauses: an organization using the Services.

      2. Role: Controller.

    2. Data Importer: Telit.

      1. Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Services.

      2. Role: Controller.

  4. Description of Transfer:

    1. Categories of data subjects whose personal data is transferred: See Telit’s EU Privacy Notice.

    2. Categories of personal data transferred: See Telit’s EU Privacy Notice.

    3. Sensitive data transferred: None.

    4. The frequency of the transfer: on a continuous basis.

    5. Nature of the processing: See Telit’s EU Privacy Notice.

    6. Purpose(s) of the data transfer and further processing: See Telit’s EU Privacy Notice.

    7. The period for which the personal data will be retained: See Telit’s EU Privacy Notice.

    8. Transfers to (sub-) processors: See Telit’s EU Privacy Notice.

    9. Competent Supervisory Authority: The data protection authority in the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the Data Protection Commissioner of the Republic of Ireland.

  5. In Annex II, for MODULE ONE (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): As per Telit’s information security policy.

1.11 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision by the UK as providing an adequate level of protection for Personal Data pursuant to the UK GDPR, the parties hereby agree that for any Personal Data transfer from the UK, the UK Addendum attached hereto as ANNEX D shall apply.

  2. TELIT AS A DATA PROCESSOR

2.1 Telit will act only on documented instructions from the Customer in relation to the Processing of Personal Data (including those set out in the Agreement) unless Processing is required by Data Protection Laws to which Telit is subject, in which case Telit shall to the extent permitted by such Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that data.

2.2 Telit shall ensure that all persons authorised to Process Personal Data in relation to the Services have committed themselves to confidentiality in respect of the data.

2.3 Telit shall assist the Customer, as far as is possible, in fulfilling the Customer’s obligation to respond to the requests of Data Subjects seeking to exercise their rights under the GDPR, in so far as they relate to the provision of the Services.

2.4 To ensure the security of the Personal Data that Telit Processes on the Customer’s behalf, and to safeguard the rights of Data Subjects, Telit has put in place and will maintain technical and organisational measures appropriate to the risks associated with the Service.

2.5 On receiving a written request, Telit shall assist the Customer in meeting the Customer’s GDPR obligations in relation to the following:

  1. the security of the Processing of Personal Data in relation to the Services;

  2. the notification of Personal Data breaches where required; and

  3. the conduct of data protection impact assessments, where necessary.

2.6 Upon termination of the Services and the Customer’s written request, Telit shall either delete or return all Personal Data to the Customer, unless Telit is legally obliged to keep such data.

2.7 Upon Customer’s written request, Telit shall provide the Customer with information necessary to demonstrate Telit’s compliance with the obligations set out in this Section 2, and shall allow for and contribute to audits, including inspections, conducted by the Customer in relation to the Processing activities connected to the provision of the Services. The Customer’s right to audit will be limited to once in any twelve-month period, and limited in time to a maximum of two (2) business days and in the scope reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. Telit will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit. If an audit determines that Telit has breached its obligations under the Agreement, Telit will promptly remedy the breach at its own cost.

2.8 Telit will promptly inform the Customer if Telit becomes aware of any Personal Data Breach that is confirmed or suspected with reasonable certainty involving Personal Data of the Customer.

2.9 Telit shall immediately inform the Customer if an instruction relating to this Section 2 would, in Telit’s opinion, infringe the GDPR or other Data Protection Laws of the EU or an EU Member State having jurisdiction over the Agreement.

2.10 Telit shall not engage any sub-Processors to assist in providing the Services, unless Telit has:

  1. entered into a written contract with the sub-Processor that obligates the sub-Processor to comply with all relevant obligations applicable to Telit under this Addendum.

2.11 A list of Telit’s existing sub-Processors, their roles, and the location of the Processing carried out by them is available online at https://www.telit.com/sub-processor-vendors/. Customer can register online to receive advance notifications of changes to the list of sub-Processors. By entering into the Agreement, the Customer agrees that Telit may use these sub-Processors (as shall be updated from time to time) for the purposes of providing the Services.

2.12 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision of the European Commission as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, the parties hereby enter into MODULE TWO of the SCCs, as follows:

  1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: GENERAL WRITTEN AUTHORISATION. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

  2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to controller: The Parties agree that this shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland.

  3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland.

  4. In Annex I, for MODULE TWO: Transfer controller to processor:

    1. Data Exporter: Customer.

      1. Activities relevant to the data transferred under these Clauses: an organization using the Services.

      2. Role: Controller.

    2. Data Importer: Telit.

      1. Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Services.

      2. Role: processor.

  5. Description of Transfer:

    1. Categories of data subjects whose personal data is transferred: Customer’s ultimate end-users of the Services.

    2. Categories of personal data transferred: as determined by the end-users of the Services.

    3. Sensitive data transferred: as determined by the end-users of the Services.

    4. The frequency of the transfer: on a continuous basis.

    5. Nature of and purpose(s) of the data transfer and further processing: transmission of the Content.

    6. The period for which the personal data will be retained: the duration of the provision of the Services.

    7. Transfers to (sub-) processors: See https://www.telit.com/sub-processor-vendors/.

    8. Competent Supervisory Authority: The data protection authority in the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the Data Protection Commissioner of the Republic of Ireland.

  6. In Annex II, for MODULE TWO (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): As per Telit’s information security policy.

2.13 If the Telit entity contracting with the Customer is established in a territory not recognized by an adequacy decision by the UK as providing an adequate level of protection for Personal Data pursuant to the UK GDPR, the parties hereby agree that for any Personal Data transfer from the UK, the UK Addendum attached hereto as ANNEX D shall apply.

  1. Liability

3.1 Telit shall only be liable for Processing where Telit has not complied with its obligations under this Annex B of the Addendum or where Telit has acted outside or contrary to lawful and agreed written instructions from the Customer.

ANNEX C: California Consumer Privacy Act (CCPA)

  1. SCOPE OF PROCESSING

1.1 Telit will, and Customer grants Telit a right to, collect, process, manipulate and retain information and data related to the use and provision of the Services (the "Processed Data"). Customer acknowledges and agrees that Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the devices used in the Connectivity Services or Cloud Services ("Units"), logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Cloud Services, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units. The parties acknowledge and agree that Processed Data may include personal information.

1.2 Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers"). Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services.

1.3 If the Order Form specifies a geographical region in which the servers hosting and operating the Cloud Services shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Cloud Services offerings ordered by Telit, Telit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Telit may store and process the Processed Data elsewhere.

  1. CUSTOMER’S OBLIGATIONS

2.1 The Customer represents and warrants that it has obtained and will maintain valid, and further undertakes to provide Telit upon its request, copies of documents substantiating, any and all authorizations, permissions and informed consents, including those of individuals about whom the Processed Data may include personal information, as may be necessary under applicable laws and regulations, in order to allow Telit to lawfully collect, transfer, store, handle, retain, process and use the Processed Data in the manners and for the purposes set forth in this Annex C.

  1. TELIT’S OBLIGATIONS

3.1 The parties acknowledge and agree that Telit is a service provider. To that end, and unless otherwise required by law:

  1. Telit is prohibited from retaining, using or disclosing Customer’s personal information for: (i) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the Services; (ii) ‘selling’ Customer’s personal information; and (iii) retaining, using or disclosing the Customer’s personal information outside of the direct business relationship between the parties. Telit certifies that it understands the restriction specified in this subsection and will comply with it.

  2. If Telit receives a request from a consumer about his or her personal information, Telit shall not comply with the request itself, promptly inform the consumer that Telit’s basis for denying the request is that Telit is merely a service provider that follows Customer’s instructions, and promptly inform the consumer that they should submit the request directly to the Customer and provide the consumer with the Customer’s contact information.

  1. SUBCONTRACTING

4.1 Customer authorizes Telit to subcontract any of its Service-related activities consisting (partly) of the processing of the personal information or requiring personal information to be processed by any Third Party Providers. Telit shall ensure that Third Party Providers are bound by obligations consistent with this Annex C. However, Telit has no responsibility for any actions taken by such Third Party Providers with respect to the Processed Data. Customer specifically waives any and all claims against Telit with respect to any actions (or failure to take action) of any Third Party Provider.

  1. RETURN OR DELETION OF INFORMATION

5.1 At the end of the term of the Agreement, if no subsequent further processing is required by Telit, Telit shall, at the choice of the Customer, either delete, destroy or return to Customer, the personal information that Telit and its third party suppliers process for Customer. The Customer agrees that Telit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data, after the end of the term of the Agreement.

  1. ASSISTANCE IN RESPONDING TO CONSUMER REQUESTS

6.1 Telit shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the consumer rights under the CCPA.

  1. DATA SECURITY

7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Telit’s processing of personal information for Customer, as well as the nature of personal information processed for Customer, Telit shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

  1. LIABILITY

8.1 Telit shall only be liable for processing Customer’s personal information where Telit has not complied with its obligations under this Annex C.

  1. EXCLUSIONS

9.1 For the avoidance of doubt, this Annex C does not apply to Telit’s processing Customer’s personal information for any of the following:

  1. Administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);

  2. Telit’s marketing activities to the Customer;

  3. Taking any action in any case of dispute, or legal proceeding of any kind involving Relevant Third Parties or relevant vendors, with respect to the Services;

  4. Compiling statistical and other information related to the performance, operation and use of the Services, and using data from the Services in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively, "Service Analyses"). Telit may make Service Analyses publicly available, however, Service Analyses will not incorporate Processed Data in a form that could serve to identify Customer or any individual. Telit retains all intellectual property rights in Service Analyses;

  5. Where Telit is required, or reasonably believes it is required, by law, to share or disclose Customer’s personal information, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the personal information.

ANNEX D: General Data Security and Privacy

  1. SCOPE OF PROCESSING

1.1 Telit will, and Customer grants Telit a right to, collect, process, manipulate and retain information and data related to the use and provision of the Services (the "Processed Data"). Customer acknowledges and agrees that Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the devices used in the Connectivity Services or Cloud Services ("Units"), logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Cloud Services, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units. The parties acknowledge and agree that Processed Data may include information that relates to individuals (“Personal Information”).

1.2 Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers"). Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services.

1.3 If the Order Form specifies a geographical region in which the servers hosting and operating the Cloud Services shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Cloud Services offerings ordered by Telit, Telit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Telit may store and process the Processed Data elsewhere.

  1. CUSTOMER’S OBLIGATIONS

2.1 The Customer represents and warrants that it has obtained and will maintain valid, and further undertakes to provide Telit upon its request, copies of documents substantiating, any and all authorizations, permissions and informed consents, including those of individuals about whom the Processed Data may include Personal Information, as may be necessary under applicable laws and regulations, in order to allow Telit to lawfully collect, transfer, store, handle, retain, process and use the Processed Data in the manners and for the purposes set forth in this Annex C.

  1. TELIT’S OBLIGATIONS

3.1 Telit will only use the Processed Data as follows:

  1. To provide the Services, conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;

  2. For administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);

  3. For Telit’s marketing activities to the Customer;

  4. To take any action in any case of dispute, or legal proceeding of any kind involving Relevant Third Parties or relevant vendors, with respect to the Services;

  5. To compile statistical and other information related to the performance, operation and use of the Services, and using data from the Services in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively, "Service Analyses"). Telit may make Service Analyses publicly available, however, Service Analyses will not incorporate Processed Data in a form that could serve to identify Customer or any individual. Telit retains all intellectual property rights in Service Analyses;

  6. Where Telit is required, or reasonably believes it is required, by law, to share or disclose Customer’s Processed Data, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the Processed Data.

  1. SUBCONTRACTING

4.1 Customer authorizes Telit to subcontract any of its Service-related activities consisting (partly) of the processing of the Processed Data or requiring Processed Data to be processed by any Third Party Providers. However, Telit has no responsibility for any actions taken by such Third Party Providers with respect to the Processed Data. Customer specifically waives any and all claims against Telit with respect to any actions (or failure to take action) of any Third Party Provider.

  1. RETURN OR DELETION OF INFORMATION

5.1 At the end of the term of the Agreement, if no subsequent further processing is required by Telit, Telit shall, at the choice of the Customer, either delete, destroy or return to Customer, the Processed Data that Telit and its third party suppliers process for Customer. The Customer agrees that Telit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data, after the end of the term of the Agreement.

  1. DATA SECURITY

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Telit’s processing of Processed Data for Customer, as well as the nature of Processed Data processed for Customer, Telit shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Processed Data from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

  1. LIABILITY

7.1 Telit shall only be liable for processing Customer’s Processed Data where Telit has not complied with its obligations under this Annex D.

ANNEX D – UK Addendum

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date: Effective date of Agreement

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| --- | --- | --- |
| Parties' details | Full legal name: As provided in the Agreement Trading name (if different): Main address (if a company registered address): As provided in the Agreement Official registration number (if any) (company number or similar identifier): | Full legal name: As provided in the Agreement Trading name (if different): Main address (if a company registered address): As provided in the Agreement Official registration number (if any) (company number or similar identifier): |
| Key Contact | Full Name (optional): Job Title: Contact details including email: | Full Name (optional): Job Title: Contact details including email: |
| Signature (if required for the purposes of Section 2) | By entering into the Agreement and Addendum, Data Exporter is deemed to have signed this Addendum incorporated herein, as of the Effective Date of the Agreement. | By entering into the Agreement and Addendum, Data Importer is deemed to have signed this Addendum incorporated herein, as of the Effective Date of the Agreement. |

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs 1 the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module Module in operation Clause 7 (Docking Clause) Clause 9a (Prior Authorisation or General Authorisation) Clause 9a (Time period) Is personal data received from the Importer combined with personal data collected by the Exporter?  
1 ONE omitted omitted N/A N/A N/A
2 TWO omitted omitted General Authorization 10 days N/A

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Data Exporter: Customer; Data Importer: Telit

Annex 1B: Description of Transfer:

Where Telit acts as a Controller: See Section 2.7(d) to Annex A of the Addendum or Section 1.10(d) to Annex B of the Addendum, as applicable

Where Telit acts as Processor: See Section 3.13(e) to Annex A of the Addendum or Section 2.12(e) to Annex B of the Addendum, as applicable

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

As per Telit’s information security policy

Annex III: List of Sub processors (Modules 2 and 3 only):

See https://www.telit.com/sub-processor-vendors/

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19:

1 Importer

1 Exporter

0 neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

    Interpretation of this Addendum

  3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

    Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
    Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
    Appendix Information: As set out in Table 3.
    Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
    Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
    Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    ICO: The Information Commissioner.
    Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
    UK: The United Kingdom of Great Britain and Northern Ireland.
    UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    UK GDPR: As defined in section 3 of the Data Protection Act 2018.

  4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

  5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

  6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

  7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

  8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

    Hierarchy

  9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

  10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

  11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

    Incorporation of and changes to the EU SCCs

  12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

    1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

    2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

    3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

  13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

  14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

  15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

    1. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;

    2. In Clause 2, delete the words:

      “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

    3. Clause 6 (Description of the transfer(s)) is replaced with:

      “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

    4. Clause 8.7(i) of Module 1 is replaced with:

      “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

    5. Clause 8.8(i) of Modules 2 and 3 is replaced with:

      “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

    6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

    7. References to Regulation (EU) 2018/1725 are removed;

    8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

    9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

    10. Clause 13(a) and Part C of Annex I are not used;

    11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

    12. In Clause 16(e), subsection (i) is replaced with:

      “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

    13. Clause 17 is replaced with:

      “These Clauses are governed by the laws of England and Wales.”;

    14. Clause 18 is replaced with:

      “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

    15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

    Amendments to this Addendum

  16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

  17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

  18. From time to time, the ICO may issue a revised Approved Addendum which:

    1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

    2. reflects changes to UK Data Protection Laws;

    The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

  19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

    1. its direct costs of performing its obligations under the Addendum; and/or

    2. its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.