This Data Processing Agreement (“DPA”) is concluded between the Customer (“Controller”) and the Service Provider (“Processor”) and forms an integral part of the Terms and Conditions (the “Agreement”) governing the provision of services by the Processor to the Controller.
Unless otherwise defined herein, capitalized terms shall have the meanings ascribed to them in the Agreement.
Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a party. For the purposes of this definition, “control” means the direct or indirect ownership of more than 50% of the voting rights or equity interests of the relevant entity.
Agreement: The main agreement between the Controller and the Processor for the provision of services and associated deliverables.
CCPA: The California Consumer Privacy Act of 2018, including any regulations or amendments thereto.
Controller: The Customer, who determines the purposes and means of the processing of Personal Data.
Data Protection Law: All applicable data protection and privacy laws and regulations, including the EU General Data Protection Regulation (EU GDPR), the UK GDPR, the UK Data Protection Act 2018, the Swiss Federal Data Protection Act (FDPA), the CCPA, as well as any amendments, replacements, or successors, and any national implementing legislation related to the processing of Personal Data.
Data Subject: An identified or identifiable natural person as defined under applicable Data Protection Law; or a “Consumer” as defined under the CCPA.
DPA: This Data Processing Agreement, including its Annexes and Exhibits.
EEA: The European Economic Area.
EU GDPR: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. An annotated copy of the Regulation is available at gdpr-info.eu (an unofficial reference site; the authoritative text is the one published in the Official Journal of the European Union).
FDPA: The Swiss Federal Data Protection Act, including any amendments or updates.
Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Law.
Processor: The entity providing services under the Agreement, responsible for processing Personal Data on behalf of the Controller.
Restricted Transfer:
a) Under the EU GDPR: Any transfer of Personal Data from the EEA to a country outside the EEA not deemed adequate by the European Commission;
b) Under the UK GDPR: Any transfer from the UK to a third country not covered by adequacy regulations;
c) Under Swiss law: Any transfer from Switzerland to a non-adequate third country as per Swiss authority guidance.
Services: The services, software, or platform solutions provided by the Processor as defined in the Agreement.
Security Policy: The Processor’s technical and organizational security measures, as outlined in Exhibit B of this DPA.
SCCs: The Standard Contractual Clauses used to legitimize international data transfers:
For the EU: The clauses adopted by the European Commission (Decision 2021/914);
For the UK: The standard data protection clauses approved under UK law;
For Switzerland: The EU SCCs as adapted by guidance from Swiss authorities.
Sub-Processor: Any third party (including affiliates of the Processor) engaged by the Processor to process Personal Data as part of delivering the Services.
Supervisory Authority: Any regulatory body with authority over the processing of Personal Data under applicable law.
UK GDPR: The UK version of the EU GDPR, incorporated into UK law by virtue of the European Union (Withdrawal) Act 2018.
The Processor agrees to process Personal Data solely for the purpose of delivering the Services to the Controller, in accordance with the Agreement. In the course of providing these Services, the Processor may process Customer Data on behalf of the Controller, which may include Personal Data. Such Personal Data shall be processed and safeguarded in accordance with the terms of this DPA.
The Processor shall process Personal Data exclusively to the extent necessary for the provision of the Services, in line with the Agreement, this DPA, and the documented instructions from the Controller, including any updates to such instructions.
Both parties shall take reasonable steps to ensure that any individual acting under their authority who has access to Personal Data does not process such data except in accordance with the Controller’s instructions, unless required to do so by applicable Data Protection Law.
– The Processor shall only collect, access, use, or otherwise process Personal Data within the scope and purposes set forth in this DPA.
– The Processor affirms that all processing of Personal Data shall be conducted solely on behalf of, and in accordance with, the documented instructions of the Controller.
– Should the Processor determine that any instruction from the Controller appears to violate applicable Data Protection Law, the Processor shall promptly notify the Controller thereof.
– The Processor shall ensure that all personnel (employees, agents, contractors, and representatives) involved in processing Personal Data:
are made aware of the confidential nature of such data and are bound by contractual obligations of confidentiality;
have received appropriate training regarding data protection and privacy;
are bound by and comply with the obligations under this DPA.
– The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the current state of the art, implementation costs, the nature and purpose of processing, and the potential risks to the rights and freedoms of Data Subjects.
– Such measures shall include, where appropriate:
pseudonymisation and encryption of Personal Data;
the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
procedures to restore data availability and access in the event of a technical or physical incident;
regular testing, assessment, and evaluation of the effectiveness of security measures.
– The minimum technical and organizational safeguards are described in Exhibit B. These may be amended or replaced by equivalent measures at the discretion of the Processor, provided they remain consistent with the standards and obligations under Sections 4.5 and 4.6.
– The Controller understands that, in order to resolve technical issues or respond to support requests, the Processor may need to access Personal Data. Such access will be strictly limited to what is necessary for these purposes.
– Taking into account the nature of processing and the information available, the Processor shall assist the Controller by implementing suitable technical and organizational measures to support the Controller in fulfilling its obligations with respect to:
Data Subject rights;
compliance with applicable Data Protection Law requirements related to the processing of Personal Data.
– The Processor shall not:
sell Personal Data;
retain, use, or disclose Personal Data for purposes other than those necessary to provide the Services under the Agreement;
retain, use, or disclose Personal Data in any way that is inconsistent with the Agreement.
The Controller represents and warrants that:
(i) it will comply with this DPA and with its obligations under applicable Data Protection Law;
(ii) it has obtained all necessary consents, permissions, and legal authorisations to allow the Processor, its Affiliates, and any Sub-Processors to fulfil their obligations and exercise their rights under this DPA;
(iii) all Controller Affiliates using the Services will comply with the Controller’s obligations as set out in this DPA.
The Controller shall implement and maintain appropriate technical and organisational measures to protect Personal Data, considering the state of the art, cost of implementation, and the nature, context, and scope of the processing, along with the potential risks to the rights and freedoms of Data Subjects. These measures shall include, where appropriate:
(i) pseudonymisation and encryption;
(ii) ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(iii) timely restoration of data availability and access following a physical or technical incident; and
(iv) regular testing and evaluation of the effectiveness of such measures.
The Controller acknowledges that certain instructions under this DPA, including but not limited to requests for data deletion/return, audit cooperation, DPIA assistance, or other support activities, may incur additional charges. The Processor reserves the right to invoice the Controller for reasonable associated costs.
The Controller acknowledges and agrees that:
(i) the Processor may engage its Affiliates as Sub-Processors; and
(ii) both the Processor and its Affiliates may appoint third-party Sub-Processors in connection with providing the Services.
All Sub-Processors processing Personal Data on behalf of the Controller must adhere to the same data protection obligations as those imposed on the Processor under this DPA.
The Controller authorises the Processor to engage the Sub-Processors listed in the List of Sub-Processors. The Processor shall notify the Controller via email at least thirty (30) days in advance of any intended addition or replacement of Sub-Processors.
The Controller may object to any such changes by providing written notice within ten (10) business days from the date of notification. If the Controller objects and the Processor is unable to provide the Services without the proposed Sub-Processor, the Controller may terminate the relevant portions of the Agreement. The Processor will refund any prepaid fees covering the unused portion of the terminated Services.
Prior to any Sub-Processor processing Personal Data, the Processor shall:
(i) enter into a written agreement with the Sub-Processor imposing materially equivalent data protection obligations as those set out in this DPA; and
(ii) ensure the Sub-Processor complies with such obligations.
The Controller consents to the Processor and its Sub-Processors transferring Personal Data outside the EEA, the UK or Switzerland where necessary to provide the Services, provided that any such transfer:
(i) is made to a jurisdiction recognised as adequate by the European Commission or relevant Supervisory Authority;
(ii) is subject to Standard Contractual Clauses (SCCs); or
(iii) is protected by other legally valid safeguards.
Where the transfer of Personal Data constitutes a Restricted Transfer, such transfer shall be governed by the applicable Standard Contractual Clauses (SCCs).
For Restricted Transfers from the European Economic Area (EEA), the EU SCCs shall apply as follows:
(i) Module Two (Controller to Processor) applies when the Controller transfers data to the Processor;
(ii) Module Three (Processor to Processor) applies when the Processor uses a Sub-Processor;
(iii) Clause 7 (docking clause) is excluded;
(iv) Clause 9 (use of sub-processors): Option 2 applies with 30 days’ notice as per clause 6.3;
(v) Clause 11 (redress): the optional independent dispute resolution mechanism is not used;
(vi) Clause 17: governed by Irish law;
(vii) Clause 18(b): disputes subject to the courts of Ireland;
(viii) Annex I is completed by Exhibit A of this DPA;
(ix) Annex II is completed by Exhibit B of this DPA.
Where transfers are subject to Swiss data protection law (FDPA):
The Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the sole supervisory authority for transfers exclusively governed by the FDPA;
In mixed transfers governed by both the FDPA and the EU GDPR, the designated EU supervisory authority applies;
“Member state” in the EU SCCs must be interpreted to permit Swiss data subjects to assert their rights in Switzerland;
References to the GDPR in the SCCs are deemed references to the FDPA, where applicable;
The SCCs shall also apply to the data of legal entities until the revised FDPA takes effect.
For Restricted Transfers from the United Kingdom, the UK SCCs shall apply as set out in Exhibit C of this DPA.
In the event of any conflict between this DPA and the SCCs, the provisions of the SCCs shall prevail.
The Controller may request the correction, deletion, restriction, or access to Personal Data during or following termination of the Agreement. The Controller acknowledges that the Processor will comply with such requests to the extent legally permissible and will make reasonable efforts to do so in accordance with its standard operational procedures.
If the Processor receives a request directly from a Data Subject concerning their Personal Data, it shall, unless prohibited by law, refer the Data Subject to the Controller. In such cases, the Controller agrees to reimburse the Processor for reasonable costs incurred in providing assistance to the Controller in fulfilling such requests. Where the Processor is legally obligated to respond to the Data Subject, the Controller shall cooperate as reasonably required.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its data processing obligations under this DPA and shall allow for and contribute to audits and inspections.
In general, audits shall consist of reviewing the Processor’s most recent certifications, audit reports, or extracts thereof, conducted by independent third-party auditors bound by confidentiality obligations. Where such documentation is deemed insufficient in the Controller’s reasonable opinion, the Controller may request a broader audit, subject to the following conditions:
(i) the audit shall be at the Controller’s expense;
(ii) it shall be limited in scope to matters relating to the Controller and agreed upon in advance;
(iii) it shall be conducted during the Processor’s normal business hours with a minimum of four (4) weeks’ prior written notice, unless an urgent, material issue justifies shorter notice;
(iv) it shall be conducted in a manner that avoids undue disruption to the Processor’s operations.
This clause does not limit the Controller’s statutory audit rights but clarifies the operational procedures applicable to audits under this DPA.
The Processor shall notify the Controller without undue delay, and in any case within seventy-two (72) hours, upon becoming aware of any actual or suspected Personal Data Breach, defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Personal Data.
Upon discovery of a Personal Data Breach, the Processor will:
Take commercially reasonable steps to contain and mitigate the impact of the breach;
Secure the affected Personal Data;
Provide the Controller with relevant information and assistance required to meet its legal obligations, including those related to notification of Supervisory Authorities and Data Subjects.
The Processor shall promptly inform the Controller of any Data Subject complaint or inquiry it receives which may affect the Controller, unless restricted from doing so by applicable law or a court order.
The Processor may retain or copy Personal Data where required to comply with applicable legal or regulatory obligations, including statutory data retention requirements.
The Processor shall provide reasonable assistance to the Controller in fulfilling its obligations to carry out Data Protection Impact Assessments (DPIAs), considering the nature of processing and the information available to the Processor.
The Controller shall inform the Processor in a timely manner of any changes in applicable data protection laws, codes of conduct, or regulatory guidance that may impact the Processor’s obligations under this DPA. The Processor shall respond within a reasonable timeframe to any proposed amendments to this DPA or technical and organisational measures required for compliance. If compliance cannot be achieved, the Controller may terminate those Services affected by the non-compliance. Any unaffected Services shall continue uninterrupted.
The Controller, the Processor, and their respective representatives shall, upon request, cooperate with relevant data protection supervisory authorities in fulfilling their obligations under this DPA and applicable Data Protection Law.
The liability limitations set forth in the Agreement shall apply equally to any claims arising from a breach of this Data Processing Agreement (DPA).
The parties agree that the Processor shall be liable for any breaches of this DPA caused by the actions, omissions, or negligence of its Sub-Processors, as if such acts were performed by the Processor itself, subject always to the limitations of liability set out in the Agreement.
Similarly, the Controller shall be responsible for any breaches of this DPA resulting from the acts, omissions, or negligence of its Affiliates as though such conduct were that of the Controller.
The Controller shall not be entitled to recover damages more than once in respect of the same loss or breach.
This DPA shall come into effect on the effective date of the Agreement and shall remain in force for the duration of the Agreement. It shall terminate automatically upon expiration or termination of the Agreement.
The Processor shall only process Personal Data during the term of this DPA and in accordance with its provisions.
Upon termination of the Agreement, the Controller may, by written request submitted within thirty (30) days of termination, instruct the Processor to either delete or return all Personal Data.
In the absence of such a request, the Processor shall delete all Personal Data in its active systems no later than sixty (60) days following the effective date of termination, unless:
(i) applicable laws or regulations require retention of the Personal Data; or
(ii) fragments of Personal Data are contained in routine backup archives, in which case the Processor shall ensure such data is overwritten or deleted within one (1) year of termination.
All deletions shall be carried out in a secure manner.
This DPA reflects the full and complete understanding between the parties in relation to the processing of Personal Data and supersedes any prior agreements or understandings, whether written or oral.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced with a valid one that most closely reflects the original intent and economic purpose of the parties.
Subject to any mandatory provisions of the Standard Contractual Clauses (SCCs), this DPA shall be governed by the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England.
This DPA forms an integral part of the Agreement and shall be read and interpreted in conjunction with its terms.
MODULE TWO: CONTROLLER TO PROCESSOR
Data Exporter (Controller):
Identity: The Customer, as identified in the Agreement.
Address: As specified in the Agreement.
Contact Details: As provided in the Customer’s account for notification and billing purposes.
Relevant Activities: Use of the Cookietrust.io Services under the Agreement.
Signature & Date: By executing the Agreement, the Controller is deemed to have signed the SCCs and this DPA as of the Effective Date.
Role: Data Exporter
Representative (where applicable): Any EU or UK representative named in the Controller’s published privacy policy.
Data Importer (Processor):
Identity: CookieYes Limited.
Address: 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom.
Contact Person: Faseela A, Director — [email protected]
Relevant Activities: Provision of consent management, compliance, and web-related analytics solutions as part of the Services, acting on behalf of the Controller.
Signature & Date: By entering into the Agreement, the Processor is deemed to have signed the SCCs and this DPA on the Effective Date.
Role: Data Importer
Categories of Data Subjects:
Natural persons affiliated with the Controller, such as employees, contractors, consultants, and advisors.
Authorised Users and affiliates of the Controller who access the Services.
Categories of Personal Data:
The Controller determines the scope of Personal Data submitted to the Services, which may include (but is not limited to):
Names, email addresses, phone numbers, and company names of Authorised Users.
User credentials such as usernames or account IDs.
Metadata derived from communications (e.g., timestamps, subject lines).
IP addresses and geolocation inferred from them.
Data supplied by Authorised Users through Data Subject Requests.
Any additional data uploaded by the Controller during use of the Services.
Sensitive Data:
No sensitive or special category data (as defined under GDPR Article 9) shall be processed or transferred. The Services are not intended to handle such data.
Frequency of Processing and Transfers:
Processing and data transfers occur on a continuous basis throughout the term of the Agreement.
Nature of the Processing:
Includes, but is not limited to:
Hosting, storage, and display of cookie banners
Logging and managing user consent
Reporting and analytics
Providing access control and support to Authorised Users
Supporting compliance obligations
Purpose of Processing and Transfer:
To enable the Processor to deliver the contracted Services to the Controller, including the engagement of Sub-Processors necessary for technical infrastructure, support, analytics, or other operational purposes.
Retention Period:
Personal Data will be retained for the duration of the Agreement unless otherwise agreed in writing, and subject to clause 14 of this DPA regarding deletion timelines.
Transfers to Sub-Processors:
Details about Sub-Processors, including the nature, subject matter, and duration of their processing activities, are provided in the List of Sub-Processors. Each Sub-Processor processes Personal Data solely for the purpose of providing a clearly defined service to the Processor in support of the Controller.
The competent supervisory authority shall be determined based on the applicable data protection law, as follows:
For processing subject to the EU GDPR, the competent authority shall be the Irish Data Protection Commission (DPC).
For processing subject to the UK GDPR, the competent authority shall be the UK Information Commissioner’s Office (ICO).
For processing subject to the Swiss Federal Data Protection Act (FDPA), the competent authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Data Exporter:
The Processor, acting on behalf of the Controller (the Customer) under the terms of the Agreement and this DPA.
Data Importers:
The authorised Sub-Processors listed in the current Sub-Processor list maintained by the Processor, each identified by:
Name
Address
Contact details
Description of relevant activities and processing operations carried out on behalf of the Processor.
For each Sub-Processor (Data Importer), the following details are included in the Sub-Processor List and govern their processing of Personal Data:
Categories of Data Subjects involved.
Categories of Personal Data processed.
Nature of the processing, such as hosting, support, analytics, or infrastructure.
Purpose of the processing, aligned with providing the services needed to fulfil the Agreement.
Personal Data is:
Processed on a continuous basis;
Handled only as necessary to provide the services under the instructions of the Data Exporter and in accordance with the Agreement;
Retained for the duration of the Agreement and subject to the obligations outlined in clause 14 of the DPA.
The applicable supervisory authority for the Data Exporter under this Module shall be:
Irish Data Protection Commission (DPC) if processing falls under the scope of the EU GDPR.
UK Information Commissioner’s Office (ICO) if processing falls under the UK GDPR.
Swiss Federal Data Protection and Information Commissioner (FDPIC) if processing falls under the Swiss FDPA.
(Annex II to the SCCs)
The Processor has implemented the following technical and organisational measures to ensure an appropriate level of security, taking into account the risks presented by the processing of personal data, in accordance with Article 32 of the GDPR and the SCCs.
Measure | Description |
---|---|
Pseudonymisation and Encryption of Personal Data | Personal Data is encrypted at rest using AES-256 encryption. Data in transit is protected using Transport Layer Security (TLS). |
Confidentiality, Integrity, Availability & Resilience | Access controls follow the principles of “least privilege” and “need-to-know”. Role-based access is enforced at application and system level. Encryption is applied where appropriate based on risk assessment. |
Restoration of Availability and Access | Redundant IT infrastructure is maintained. Backups are performed on an hourly and daily basis and are subject to routine testing. |
Testing and Evaluation of Security Measures | Regular automated vulnerability scans and periodic third-party penetration tests and security audits are conducted. |
User Identification and Authorisation | Logical access controls are enforced, using unique user IDs and passwords. Access rights are reviewed periodically and revoked upon employment termination. |
Protection of Data During Transmission | TLS is used to encrypt all data transmitted between systems. |
Protection of Data During Storage | Personal Data is stored only within certified third-party data centres and encrypted at rest. |
Physical Security | Data centres used by the Processor hold ISO 27001 certification and/or SOC 1 Type II or SOC 2 attestation reports. Physical access to the main office is controlled via secure keypad entry. |
Event Logging | All system activities are logged, enabling retrospective analysis of access, deletion, or modification of data. |
System Configuration and Management | Configuration management tools ensure systems comply with security baselines and prevent unauthorized changes. |
Internal Governance and Security Management | Staff are instructed and trained to handle data securely. Separation of environments (e.g., production vs. test) is enforced. Logical separation of customer data is maintained. |
Certifications and Assurance | The Processor and its sub-processors use infrastructure providers that maintain valid ISO 27001 certification and/or SOC 2 attestation reports. Reports are available upon request under NDA. |
Data Minimisation | Data that is no longer necessary is initially locked and then securely deleted after a controlled delay to mitigate accidental deletion. |
Data Quality | Data accuracy is the responsibility of the Controller. The Processor provides tools for validation and reporting but does not alter data quality. |
Limited Data Retention | A formal retention policy defines the storage duration for each data type. Deleted data is purged from active systems and removed from backups after expiry. |
Accountability | All personnel with access to sensitive data receive annual training and are bound by internal security policies, with disciplinary measures for non-compliance. |
Data Portability and Erasure | The Services include built-in tools enabling the Controller to export or permanently delete data. |
Onward Transfers and Assistance to Controller / Exporter | Personal Data is only transferred to third parties with valid agreements in place. Transfers outside the EEA are protected by appropriate safeguards, including SCCs where applicable. |
Purpose:
This Addendum, issued by the UK Information Commissioner’s Office (ICO), supplements the EU SCCs to provide legally binding Appropriate Safeguards for Restricted Transfers of personal data under the UK GDPR and the Data Protection Act 2018, specifically when personal data is transferred outside the UK.
Role | Details |
---|---|
Exporter | The Customer named in the Agreement (details per Annex I of the Approved EU SCCs) |
Importer | CookieYes Limited, 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, UK. Company number: 13074037 |
Key Contacts | Exporter: per Annex I; Importer: Director, [email protected] |
Signature | No signature required for this Addendum |
Module | In operation | Clause 11 (Option) | Clause 9a General Authorisation | Clause 9a (Time period) | Combined Data? |
---|---|---|---|---|---|
1 | No | Not used | – | – | – |
2 | Yes | Not used | Yes | 30 days | – |
3 | Yes | Not used | Yes | 30 days | – |
4 | No | Not used | – | – | No |
Annex 1A: List of Parties (Modules 2 & 3)
Annex 1B: Description of Transfer (Modules 2 & 3)
Annex II: Technical & organisational measures for security (Module 2)
Only the Exporter may end the Addendum as per Section 19.
Both Parties agree to be bound by the Addendum’s terms, which have the same legal effect as signing the Approved EU SCCs.
Signing Annex 1A or Clause 7 of Approved EU SCCs is not mandatory for Restricted Transfers if this Addendum is entered into in another legally binding way.
Terms used have the same meaning as in the Approved EU SCCs unless otherwise specified.
Key definitions include:
Addendum: This document.
Appropriate Safeguards: Required protections under UK Data Protection Laws for Restricted Transfers.
Restricted Transfer: A data transfer covered by Chapter V of the UK GDPR.
UK Data Protection Laws: UK GDPR and Data Protection Act 2018.
In case of conflict:
The Approved Addendum overrides the Addendum EU SCCs, except where the latter provides greater protection.
UK Data Protection Laws take precedence.
This Addendum and incorporated SCCs are governed by the laws of England and Wales.
Disputes are resolved by the courts of England and Wales, unless Scotland or Northern Ireland laws/courts are expressly agreed.
References updated from “EU GDPR” to “UK Data Protection Laws”.
Geographic references changed from “EU”/“Member States” to “UK”.
Supervisory authority changed from “competent supervisory authority” to “Information Commissioner”.
Specific clauses replaced or deleted to align with UK laws.
The footnotes to the Approved EU SCCs do not form part of the Addendum, except footnotes 8 to 11.
Parties may agree to changes to governing law/jurisdiction (Clauses 17 & 18).
Format changes allowed if they don’t reduce protections.
ICO may issue revised versions reflecting law changes or error corrections.
If revisions cause substantial increased costs or risks, the Exporter can terminate the Addendum with reasonable notice.
No third-party consent required to amend the Addendum.
Any amendments must comply with Addendum terms.