Preava Data Processing Addendum

This Preava Data Processing Addendum (this “Addendum”), including its three exhibits, is entered into by and between Preava, Inc., a corporation incorporated under the laws of Delaware (“Preava”) and the client that has entered into Preava’s Online Subscription Terms  (the “Agreement”) with Preava (the “Client”) (each, a “Party” and, collectively, the “Parties”). 
This Addendum, which may be updated from time to time, forms an integral part of the Agreement and is effective upon its incorporation into the Agreement. This Addendum may be incorporated by reference in the Agreement or an executed amendment to the Agreement. By using Preava’s Services in any way, Client is agreeing to the terms of this Addendum.
NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:
 

1. Definitions

  1. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect.
  2. For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below:
    1. Agreement” means the Preava Online Subscription Terms entered into between the Parties for Preava’s provision of Services to Client;
    2. Applicable Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including laws of the European Union (or any member state thereof) and the laws of any other country, province, or state to which the Processing of the Personal Data is subject, including the laws specified in Exhibit B hereto;
    3. Client” means the party that has entered into the Agreement and this Addendum with Preava;
    4. Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
    5. Contracted Processor” means any third party appointed by or on behalf of Preava to Process Personal Data on behalf of Client in connection with the Agreement;
    6. GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC,” as may be amended from time to time;
    7. Personal Data” means any information relating to an identified or identifiable* natural person (a “Data Subject”) pertaining to the Client (and the Data Subjects, respectively) Processed by Preava on behalf of the Client pursuant to or in connection with the Agreement

      *an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
    8. Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data which Preava Processes on behalf of the Client in connection with the Agreement;
    9. Personal Data Recipient” means Preava, a Contracted Processor, or both collectively;
    10. Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller;
    11. Processing” (and any cognate terms) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
    12. Services” means the services and other activities carried out by or on behalf of Preava for the Client pursuant to the Agreement.

2. Applicability

  1. This Addendum will apply to the Processing of all Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor.

3. Processing of Personal Data

  1. This Addendum shall only apply where, and to the extent that, Preava, factually acts as a Processor. In such instances, 1) when Client acts as a Controller, Preava acts as a Processor; and 2) when Client acts as a Processor, Preava acts as a Sub-Processor. For the avoidance of doubt, both situations fall within the scope of and are covered by this Addendum.
  2. Preava shall:
    1. comply with all Applicable Laws in the Processing of Personal Data;
    2. not Process Personal Data other than on Client’s relevant documented instructions (including with regard to international transfers of Personal Data), unless such Processing is required by Applicable Laws to which the relevant Personal Data Recipient is subject, in which case Preava shall to the extent permitted by Applicable Laws, inform Client of that legal requirement before the respective act of Processing of that Personal Data;
    3. only conduct transfers of Personal Data in compliance with all applicable conditions, as laid down in Applicable Laws;
    4. promptly update, when necessary, all information, as provided in Exhibit A, attached hereto and incorporated by reference, and keep all such information complete and up to date; and
    5. immediately inform the Client in the event that, in Preava’s opinion, a Processing instruction given by the Client may infringe Applicable Laws.
  3. The Client instructs Preava (and authorizes Preava to instruct each Contracted Processor) to Process Personal Data, and in particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement and this Addendum.
  4. The Client represents and warrants that it has all necessary rights to provide the Personal Data to Preava for the purpose of Processing such data within the scope of this Addendum and the Agreement. Within the scope of the Agreement and in its use of the Services, the Client shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to Preava and the Processing of Personal Data.

4. Preava Personnel

  1. Preava shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors who may have access to Personal Data.
  2. Preava shall ensure that access to Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfil the documented Processing instructions given to Preava by the Client or to comply with Applicable Laws.
  3. Preava shall ensure that all such individuals are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.

5. Security of Processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, Preava shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, as well as assist the Client with regard to ensuring compliance with the Client’s obligations pursuant to the Applicable Laws.
  2. In assessing the appropriate level of security, Preava shall take account, in particular, of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.
  3. The Client is responsible for reviewing the information made available by Preava relating to data security and making an independent determination as to whether the Services meet the Client’s requirements and legal obligations under Applicable Laws. The Client acknowledges that the security measures are subject to technical progress and development and that Preava may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Client.
  4. Notwithstanding the above, the Client agrees that, except as provided by this Addendum, the Client is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of the Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Services.

6. Subprocessing

  1. The Client authorizes Preava to appoint (and permit each Contracted Processor appointed in accordance with this Section 6 to appoint) Contracted Processors in accordance with this Section 6 and any possible further restrictions, as set out in the Agreement, as the case may be.
  2. Preava may continue to use those Contracted Processors already engaged by Preava as of the date of this Addendum, subject to Preava meeting the obligations set out in Section 6.d. The list of Preava’s Contracted Processors as of the effective date is provided here: https://preava.com/legal/sub-processors.
  3. Preava shall provide Client prior notice of the appointment of any new Contracted Processor by updating the list of Preava Contracted Processors. If, within 14 days of posting of each such notice, the Client notifies Preava in writing of any reasonable objections to the proposed appointment, Preava shall not appoint or disclose any Personal Data to that proposed Contracted Processor until reasonable steps have been taken to address the objections raised by the Client and, in turn, the Client has been provided with a reasonable written explanation of the steps taken to account for any such objections. If the Client, nevertheless, objects to the proposed appointment, it shall be entitled to terminate the Agreement. 
  4. With respect to each Contracted Processor, Preava shall:
    1. carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Personal Data required by this Addendum, the Agreement, and Applicable Laws before the Contracted Processor first Processes Personal Data or, where applicable, in accordance with Section 6.b.; and
    2. ensure that the arrangement between Preava and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Personal Data as those set out in this Addendum, and that such terms meet the requirements of Applicable Laws.
  5. Where any Contracted Processor fails to fulfill its data protection obligations under such written contract (or in the absence thereof, as the case may be), Preava shall remain fully liable to the Client for the performance of the respective Contracted Processors’ obligations under such contract.

7. Rights of the Data Subjects

  1. Taking into account the nature of the Processing, Preava shall assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, to respond to requests to exercise rights of the Data Subjects under Applicable Laws.
  2. With regard to the rights of the Data Subjects within the scope of this Section 7, Preava shall:
    1. promptly notify Client if any Personal Data Recipient receives a request from a Data Subject under any Applicable Law with respect to Personal Data; 
    2. ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Client, or as required by Applicable Laws to which the Personal Data Recipient is subject, in which case Preava shall, to the extent permitted by Applicable Laws, inform Client of that legal requirement before the Personal Data Recipient responds to the request.

8. Personal Data Breach

  1. If Preava discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Personal Data, Preava shall notify the Client without undue delay. 
  2. Preava shall co-operate with Client and take all reasonable commercial steps to assist Client in the investigation, mitigation, and remediation of each such Personal Data Breach. Preava shall provide Client with sufficient information to assist Client, or to allow Client to assist its clients, so that each affected entity can meet its respective obligations pursuant to Applicable Laws, including any obligations to report the Personal Data Breach to the competent supervisory authorities, and/or inform the Data Subjects.
  3. Preava’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by Preava of any fault or liability with respect to the Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

  1. Preava shall provide Client with relevant information and documentation, and Preava shall assist Client in complying with its obligations, with regard to any data protection impact assessments, and prior consultations with supervisory authorities when the Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Applicable Laws but in each such case solely with regard to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient.

10. Deletion or Return of Personal Data

  1. Preava shall provide the Client with the technical means, consistent with the way the Services are provided, to request the deletion of Personal Data upon the request of the Client unless Applicable Laws require storage of any such Personal Data.
  2. Preava shall promptly, following the date of cessation of Services involving the Processing of Personal Data, at the choice of the Client delete or return all Personal Data to the Client, as well as delete existing copies, unless Applicable Laws require storage of any such Personal Data.
  3. Preava shall also cause all Contracted Processors that may have received any Personal Data to delete or return, as applicable, all such Personal Data without undue delay.

11. Audit Rights

  1. The Client may request, and Preava will provide (subject to obligations of confidentiality) information necessary to demonstrate (i) Preava’s compliance with this Addendum, and (ii) Client’s compliance with its undertakings under Applicable Laws with regard to the provision of Services. 
  2. If the Client, after having reviewed such audit report(s), still reasonably deems that it requires additional information, Preava shall further reasonably assist and make available to the Client all such additional information and/or documentation necessary to demonstrate compliance with this Addendum and/or Applicable Laws, including remote inspections of the Services, by the Client or an auditor mandated by the Client with regard to the Processing of the Personal Data by Preava.
  3. Preava shall provide the assistance described in this Section 11, insofar as in Preava’s reasonable opinion such audits, and the specific requests of the Client, do not interfere with Preava’s business operations or cause Preava to breach any legal or contractual obligation to which it is subject.
  4. The Client agrees to pay Preava, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Client exercising its rights under this Section 11 or the Standard Contractual Clauses, as set out in Exhibit B.

12. Jurisdiction Specific Terms

  1. To the extent Preava processes Personal Data originating from, or protected by, Applicable Laws in one of the jurisdictions listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this Addendum.
  2. Preava may update Exhibit B from time to time, to reflect changes in or additions to Applicable Laws to which Preava is subject. If Preava updates Exhibit B, it will provide the updated Exhibit B to the Client. If the Client does not object to the updated Exhibit B within 14 days of receipt, the Client will be deemed to have consented to the updated Exhibit B.
  3. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence.

13. No Selling of Personal Data

  1. Preava acknowledges and confirms that it does not receive any Personal Data as consideration for any services or other items that Preava provides to the Client. The Client retains all rights and interests in Personal Data. The Client agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Preava to qualify as selling Personal Data under Applicable Laws.

14.Liability and Indemnification

  1. Notwithstanding anything to the contrary in this Addendum or in the Agreement, this Addendum shall be subject to the limitations of liability and indemnification provisions included in the Agreement.

15. General Terms

  1. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing addenda entered into between Preava and the Client.
  2. All clauses of the Agreement that are not explicitly amended or supplemented by the clauses of this Addendum remain in full force and effect and shall apply, as long as this does not contradict with compulsory requirements of Applicable Laws under this Addendum.
  3. In the event of any conflict between the Agreement (including any annexes and appendices thereto) and this Addendum, the provisions of this Addendum shall control, except as where the applicable Jurisdiction Specific Terms will apply and take precedence as discussed in Section 12.c. above.
  4. Should any provision of this Addendum be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.
  5. If Preava makes a determination that it can no longer meet any of its obligations in accordance with this Addendum, it shall promptly notify the Client of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate.
  6. If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to Preava that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this Addendum.

16. Data Protection Officer

  1. The Data Protection Officer of Preava is:

VeraSafe, LLC

22 Essex Way #8203 Essex, VT 05451 USA

+1 (617) 398-7067

Email: experts@verasafe.com

 

Web: https://www.verasafe.com/about-verasafe/contact-us/ 

17. EU Representative

  1. The European Union Representative of Preava pursuant to Article 27 of the GDPR is:

VeraSafe Czech Republic s.r.o.

Klimentská 46

Prague 1, 11002

Czech Republic

 

VeraSafe Ireland Ltd

Unit 3D North Point House, 

North Point Business Park, 

New Mallow Road, Cork T23AT2P, Ireland

 

VeraSafe Netherlands BV

Keizersgracht 391 A

1016 EJ Amsterdam 

The Netherlands

 

Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

 

Exhibit A

Details of Processing

1. Further details of the Processing, in addition to the ones laid down in the Agreement and this Addendum, include:
  1. The subject matter of the Processing of Personal Data is:
    1. The subject matter of the Processing of Personal Data pertains to the provision of Services under the Agreement.
  2. The duration of the Processing of Personal Data is:
    1. The duration of the Processing of Personal Data is generally determined by the Client and is further subject to the terms of this Addendum and the Agreement, respectively, in the context of the contractual relationship between Preava and the Client.
  3. The nature and purpose of the Processing of Personal Data is:
    1. The purpose of Processing of Personal Data pertains to the provision of Services under the Agreement.
  4. The categories of Personal Data to be Processed are:
  5. Generally determined by the Client, and include those categories of Personal Data that the Client provides to Preava in conjunction with the use of the Services under the Agreement, and may include:
    • Biographical information (such as first and last name);
    • Professional information (such as role/job title and company name);
    • Contact information (such as email address, physical address, phone number);
    • Internet or similar network activity (such as browsing history, search history);
    • Other information voluntarily provided by the Data Subjects.
  6. The Special Categories of Personal Data to be Processed are (if appropriate):
    1. Not applicable, unless submitted by the Client or Data Subjects.
  7. The categories of Data Subjects to whom the Personal Data relates are:
  8. Generally determined by the Client, and include those categories of Data Subjects that the Client provides to Preava in conjunction with the use of the Services under the Agreement, and may include:
    • Any additional Data Subjects authorized by Client;
    • Client’s business partners.
    • Client’s employees or contractors;
  9. The basic Processing activities to which the Personal Data will be subject include, without limitation:
    1. Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to Client in accordance with the terms of the Agreement.
  10. Description of the technical and organizational security measures implemented by Preava:
    1. Taking into account the state of the art and the high sensitivity of the Personal Data, Preava implements and maintains appropriate technical and organizational security measures to ensure a level of security appropriate to that risk (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).
2. Countries in which the Personal Data will be processed or stored by Preava:
  1. United States; 
  2. European Economic Area;
  3. Australia.
3. The following is deemed an instruction by Client to process Personal Data: 
  1. Processing in accordance with the Agreement.
  2. Processing initiated by Data Subjects in their use of the Services.
  3. Processing to comply with other reasonable documented instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.

Exhibit B

Jurisdiction Specific Terms

1. European Economic Area
  1. "Controller to Processor Standard Contractual Clauses" (as used in this Section) means the contractual clauses adopted by Decision of the European Commission of 5 February 2010 (decision 2010/87/EU) and updated from time to time for the purpose of adducing adequate protection of Personal Data transferred from a Controller to a Processor established in a Third Country, where the legislation in such Third Country has not been deemed to provide an adequate level of data protection.
  2. European Economic Area” or “EEA” means the EU Member States, and Iceland, Liechtenstein, and Norway.
  3. Restricted Transfer of EEA Personal Data” (as used in this Section) means any transfer of Personal Data subject to the GDPR which is undergoing processing or is intended for processing after transfer to Third Country (as defined below) or an international organization Third Country(including data storage on foreign servers).
  4. Third Country” means a country outside of the EEA.
  5. With regard to any Restricted Transfer of EEA Personal Data from the Client to Preava  within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
    1. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection. 
    2. the Controller to Processor Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR).
    3. any other lawful data transfer mechanism, as laid down in chapter 5 of the GDPR, as the case may be.
  6. This Addendum hereby incorporates by reference the Controller to Processor Standard Contractual Clauses (updated from time to time if required by law or at the choice of Preava to reflect the latest version promulgated by the European Commission) provided that the content of Appendices 1 and 2 of the Standard Contractual Clauses is set forth in Exhibit A to this Addendum. For the purpose of the Controller to Processor Standard Contractual Clauses and this Section 1, the Client shall be deemed the “data exporter” and Preava the “data importer”. The Parties are deemed to have accepted, executed, and signed the Controller to Processor Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto, and including the “Illustrative Indemnification Clause” as an operative clause). 
  7. To the extent that the Controller to Processor Standard Contractual Clauses are applicable to a Restricted Transfer of EEA Personal Data, Preava shall, if necessary, implement additional safeguards to ensure an adequate level of protection, as required by Applicable Laws. 
  8. In cases where the Controller to Processor Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. 
2. California
  1. Applicable Laws” (as used in the Addendum) includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (“CCPA”) and the California Consumer Privacy Act Regulations (“CCPA Regulations”)  as may be amended from time to time.
  2. Business Purpose” (as used in this Section) shall have the same meaning as in the CCPA.
  3. Commercial Purpose” (as used in this Section) shall have the same meaning as in the CCPA.
  4. Controller” (as used in the Addendum) includes “Business” as defined under the CCPA.
  5. Data Subject” (as used in the Addendum) includes “Consumer” as defined under the CCPA. 
  6. Personal Data” (as used in the Addendum) includes “Personal Information” as defined under the CCPA. 
  7. Personal Data Breach” (as used in the Addendum) includes “Breach of the Security of the System” as defined under the CCPA.
  8. Processor” (as used in the Addendum) includes “Service Provider” as defined under the CCPA.
  9. The Client discloses Personal Data to Preava solely for: (i) valid Business Purposes; and (ii) to enable Preava to perform the Services under the Agreement.
  10. Preava shall not: (i) sell Personal Data; (ii) retain, use or disclose Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by the CCPA and the CCPA Regulations; nor (iii) retain, use, or disclose Personal Data except where permitted under the Agreement between the Client and Preava or as otherwise permitted by the CCPA and the CCPA Regulations. Preava certifies that it understands these restrictions and will comply with them.
3. Switzerland
  1. Applicable Laws” (as used in the Addendum) includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”) as may be amended from time to time.
  2. Controller” (as used in the Addendum) includes “Controller of the Data File” as defined under the FADP.
  3. Data Subject” (as used in the Addendum) includes “Data Subject” as defined under the FADP.
  4. Personal Data” (as used in the Addendum) includes “Personal Data” as defined under the FADP.
  5. Processing” (as used in the Addendum) includes “Processing” as defined under the FADP.
  6. Restricted Transfer of Swiss Personal Data” (as used in this Section) means any transfer of Personal Data (including data storage in foreign servers) subject to the FADP to a Third Country (as defined below) or an international organization.
  7. Third Country” (as used in this Section) means a country outside of the Swiss Confederation.
  8. With regard to any Restricted Transfer of Swiss Personal Data from the Client to Preava within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
    1. the inclusion of the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of the FADP. 
    2. the Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 6.2 (a) of the FADP).
    3. any other lawful transfer mechanism, as laid down in the Applicable Laws, as the case may be.
  9. This Addendum hereby incorporates by reference the Controller to Processor Standard Contractual Clauses (updated from time to time if required by law or at the choice of Preava to reflect the latest version promulgated by the European Commission) provided that the content of Appendices 1 and 2 of the Standard Contractual Clauses is set forth in Exhibit A to this Addendum. For the purpose of the Controller to Processor Standard Contractual Clauses and this Section 1, the Client shall be deemed the “data exporter” and Preava the “data importer”. The Parties are deemed to have accepted, executed, and signed the Controller to Processor Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto, and including the “Illustrative Indemnification Clause” as an operative clause). 
  10. In cases where the Controller to Processor Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control. 
  11. Where the Controller to Processor Standard Contractual Clauses apply, the Client shall inform the Federal Data Protection and Information Commissioner about the use of the Controller to Processor Standard Contractual Clauses.
4. United Kingdom
  1. Applicable Laws” (as used in the Addendum) includes the Data Protection Act 2018, and when in full force and effect, the UK GDPR. 
  2. Restricted Transfer of UK Personal Data” (as used in this Section) means any transfer of Personal Data subject to the UK GDPR which is undergoing Processing or is intended for Processing after transfer to Third Country (as defined below) or an international organization (including data storage on foreign servers).
  3. Third Country” (as used in this Section) means a country outside of the United Kingdom.
  4. UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “ on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation),” as may be amended from time to time, as adopted and forming part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdraw) Act 2018.
  5. Withdrawal Agreement” (as used in this Section) means European Union (Withdrawal) Act of 2020.
  6. With regard to any Restricted Transfer of UK Personal Data from the Client to Preava within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
    1. a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR that provides that the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection.
    2. the Controller to Processor Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the UK GDPR).
    3. any other lawful data transfer mechanism, as laid down in Chapter 5 of the UK GDPR, as the case may be.
 

Get started with Preava

Keep safe from unwanted data breaches and the loss of sensitive information. Enter your email and get started!