This Data Processing Addendum (“DPA”) is incorporated into the Call Analog Terms and Conditions of Service (the “Agreement”) between Call Analog and the undersigned customer (“Customer”) with respect to the “Services” as defined in the Agreement.
All capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to such terms in the Agreement. The following definitions and rules of interpretation below apply to this DPA:
“Adequate” in relation to the level of protection given to Personal Data in countries outside the European Economic Area (“EEA”) or United Kingdom means a decision made by the European Commission under Article 25(6) of Directive 95/46/EC (as amended or replaced from time to time) or Information Commissioner’s Office finding that the relevant third country provides an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.
“Applicable Data Protection Law(s)” refers to all laws and regulations applicable in relation to the processing of Personal Data under the Agreement.
“Controller”, “Processor”, “Data Subject”, and “Processing” (and “Process”) have the meanings given in accordance with Applicable Data Protection Law.
“Customer Account Data” means (a) Personal Data that relates to Customer’s relationship with Call Analog including the names, phone numbers, and/or contact information of individuals authorized by Customer to access Customer’s Call Analog account and/or use the Services and billing information; and (b) Personal Data processed by Call Analog for the purposes of storing, transmitting, or exchanging Customer Content, sending goods, and to provide the Services that may include shipping address data used to trace and identify the source and destination of a communication, such as individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration, and type of communication and/or data provided by the channels used by the Customer to communicate with their customers.
“Customer Content” means Personal Data exchanged by use of the Services such as text, call recording, message bodies, conversation transcriptions, voicemail recordings, voicemail transcription, video recording, video files, images, and sound.
“Employees” with respect to any entity refers to such entity’s employees and contractors.
“Personal Data” or “personal data” means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Security Incident” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed.
“Sensitive Personal Data” means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or any other data that falls within the definition of “special categories of data” under Applicable Data Protection Law.
“Standard Contractual Clauses” or “SCC” means (a) for the transfer of data from the EEA outside the EEA to a non-adequate country, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in the decision (EU) 2021/914 of 4 June 2021 (“EEA SCCs”); (b) for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner Version B1.0 in force 21 March 2022 ("UK International Data Transfer Addendum").
“Sub-processor” means any processor engaged by Call Analog for the purposes of the provision of the Services under the Agreement.
2.1 Customer Content
The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor, and Call Analog acts as a processor (where Customer is a controller) or sub-processor (where Customer is a processor); and an independent data controller (and the Customer is a controller) for the purpose of improving and enhancing the Services.
2.2 Customer Account Data
The parties acknowledge that with regard to the processing of Customer Account Data, Customer is a controller, and Call Analog is an independent controller, not a joint controller with Customer.
3.1 Purpose Limitation
Call Analog shall process Customer Content as a data processor (a) for the performance of the Services in accordance with Customer’s instructions as set forth in the Agreement and this DPA and in accordance with Applicable Data Protection Law, (b) as otherwise necessary to provide the Services (which may include responding to support requests and prevention and resolution of security, fraud, and technical issues, the latter may include engaging and providing access to Customer Content to telecommunication carriers to diagnose and solve the issue), (c) as initiated through the use of the Service, and (d) as further instructed by the Customer in writing. Call Analog shall process Customer Content as a data controller to improve and enhance the Services. Call Analog will process Customer Account Data as a data controller in accordance with Applicable Data Protection Law, the Privacy Policy, and the Agreement for the purposes detailed in Schedule 1 of this DPA.
3.2 Customer Instructions
Customer will ensure that its instructions comply with Applicable Data Protection Laws and that Call Analog’s processing of the Customer Content in accordance with Customer’s instructions will not cause Call Analog to violate Applicable Data Protection Laws. Call Analog will notify Customer to the extent permitted by law if it becomes aware or reasonably believes that Customer’s data processing instructions would violate Applicable Data Protection Law.
3.3 Customer Compliance
Customer shall ensure that (a) it has and will continue to comply with Applicable Data Protection Law in its use of the Services; (b) its customers and end users are provided adequate notice of Call Analog’s processing activities for which Call Analog acts as a controller to fulfill the requirements of Applicable Data Protection Laws; (c) it has and will continue to have the right to transfer or provide access to its customers’ and end users’ Personal Data (including as applicable Sensitive Personal Data) to Call Analog for processing in accordance with the terms of the Agreement and this DPA; and (d) appropriate technical and organizational measures and suitable safeguards are in place before transmitting or processing Sensitive Personal Data and/or before permitting Customer’s end users to transmit or process any Sensitive Personal Data via the Services.
3.4 Processing Information
Schedule 1 of this DPA details the duration of processing, the nature and purpose of processing, the type of Personal Data, and the categories of data subjects processed by Call Analog.
4.1 Sub-processors List and Engagement
Customer acknowledges that Call Analog engages Sub-processors in connection with the provision of the Services and Customer provides general consent for Call Analog to appoint Sub-processors subject to this clause 4. The engagement by Call Analog of any such Sub-processor shall be on written terms which impose upon the Sub-processor data protection obligations to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures. Call Analog’s up-to-date sub-processors list is set forth at www.Call Analog.com/legal/subprocessors (the “Sub-processors List”).
4.2 General Consent for Call Analog Sub-processors
Customer grants a general authorization to Call Analog to appoint other entities of Call Analog as Sub-processors, conditional on the requirements detailed in Section 4.1.
4.3 Notification Mechanism
When a Sub-processor is replaced or a new one appointed, the Sub-Processors List may be modified pursuant to a notification mechanism (“Notification Mechanism”). In the event Customer subscribes, Call Analog will provide notification of any new or replacement Sub-processor.
4.4 Objection to New Sub-processors
If Customer objects to Call Analog’s appointment or replacement of a Sub-processor based on reasonable grounds relating to data protection, it shall notify Call Analog in writing within 10 days of receipt of notice. In such event, Call Analog will use reasonable efforts to provide the Services to Customer in accordance with the Agreement without using the Sub-processor.
4.5 Sub-Processor Liability
Call Analog shall be liable for its Sub-processors’ processing of Customer Content to the same extent that Call Analog would be liable if performing the processing activities of each Sub-processor directly under the terms of this DPA.
Customer acknowledges that Call Analog may use telecommunication providers in the provision of the Services. Customer further acknowledges that in order to send communications for the provision of the Services, Call Analog may need to transmit Customer’s communications through existing telecommunications networks and suppliers via companies bound to comply with applicable telecommunications and privacy laws but who may not all have direct contracts with Call Analog and/or Customer. Customer further acknowledges that Call Analog may use payment gateways in the provision of Services via companies bound to comply with data protection laws but who may not have direct contracts with Call Analog. Customer hereby instructs Call Analog to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Services, and acknowledges and agrees that telecommunications networks and payment gateway suppliers are not considered Sub-processors under either the DPA or the Agreement.
4.7 Call Quality
When Customer reports potential issues with the quality of the Services, the Customer instructs Call Analog to engage its relevant telecommunication suppliers for assistance, including by providing them with access to communications data (for example, CDRs or call recordings), which may contain personal data for the purpose of diagnosing and resolving the reported issues.
5.1 Call Analog Data Transfer
To the extent that any Personal Data is transferred from the European Economic Area, the United Kingdom, and/or Switzerland (either directly or via onward transfer) to any country that, according to the European Commission or the competent authority for the UK and Switzerland, does not provide an adequate level of protection for personal data, the parties agree that the Standard Contractual Clauses incorporated by reference to this DPA will apply in respect of the processing of such Personal Data. The Standard Contractual Clauses and this Clause 5 will not apply to Personal Data that is not transferred either directly or via onward transfer outside the EEA, the United Kingdom, and/or Switzerland. In relation to the Standard Contractual Clauses, Call Analog will comply with the obligations of the 'data importer' in the Standard Contractual Clauses, and the Customer will comply with the obligations of the 'data exporter.' Appendices of the EEA SCCs shall be deemed completed as set forth in Schedule 2 of this DPA in relation to the transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to the transfer of personal data outside the United Kingdom shall be deemed completed as set forth in Schedule 3.
5.2 In the event of any conflict or inconsistency between the EU Standard Contractual Clauses (Schedule 2) or UK International Data Transfer Addendum (Schedule 3) and the terms of this DPA, the EU Standard Contractual Clauses or UK International Data Transfer Addendum (Schedule 3) as applicable shall prevail.
5.3 Request for Personal Data
5.3.1 If Call Analog receives a civil or criminal subpoena, search warrant, or other official and written request that is legally binding (“Request”) by a public authority that is not from an EEA country, the UK, or a country considered Adequate (“Requesting Party”) for disclosure of Customer’s personal data, Call Analog may respond to such Requesting Party with respect to any Request that Call Analog reasonably deems to be valid and appropriate in scope. Otherwise, Call Analog may, insofar as legally permissible, redirect the Requesting Party to request that Personal Data directly from Customer instead.
5.3.2 In the event that the information is provided, Call Analog will (a) ensure that the disclosed Personal Data is the minimum required to satisfy the Request, and (b) take all commercially reasonable steps to ensure that such Customer information is afforded confidential treatment by the authorities.
5.4 Sub-processors Data Transfer
If in the performance of the Services, Call Analog permits processing of any Personal Data by a Sub-processor outside the EEA, except if in an Adequate country, without prejudice to Section 4, Call Analog shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place such as:
5.4.1 Standard Contractual Clauses;
5.4.2 affirmative representation or covenant regarding compliance with applicable law; or
5.4.3 the existence of any other specifically approved safeguard for data transfers as recognized under Applicable Data Protection Law and/or a European Commission or Information Commissioner’s Office finding of adequacy.
5.5 Processing in the United States
Customer acknowledges that as of the date hereof, Call Analog’s primary processing facilities are in the United States of America.
6.1 Security Measures
Call Analog has implemented and will maintain appropriate administrative, technical, and organizational measures to protect Personal Data from a Security Incident, having regard to the state of technological development and the cost of implementing such measures as well as the nature, scope, context, and purposes of processing and the likelihood and severity of harm to the interests of data subjects that may be expected to result from any such Security Incident.
6.2 Employee Access
Call Analog shall ensure that only such of its employees who may be required by it to provide the Services to Customer or assist Call Analog in meeting its obligations under this DPA shall have access to Personal Data. Call Analog will ensure that the employees accessing Customer Content are under confidentiality obligations to protect such personal information.
7.1 Security Incident Involving Personal Data
Upon confirming a Security Incident involving personal data for which Call Analog acts as a data processor, Call Analog will:
7.1.1 To the extent permitted by applicable law, notify Customer without undue delay. Such notice shall be delivered in accordance with Section 13 of this DPA;
7.1.2 To the extent such Security Incident is caused by Call Analog’s violation of its obligations under this DPA, take such reasonable remedial steps to address such Security Incident and prevent any further incidents; and
7.1.3 Promptly provide the Customer with all relevant information in its possession as reasonably required by Applicable Data Protection Law to comply with any reporting obligations of a relevant regulatory authority concerning such Security Incident.
7.2 Notification to the Supervisory Authority
If Customer determines that a Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, Customer will, to the extent commercially feasible, notify Call Analog before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication) and supply Call Analog with copies of any written documentation to be filed with the supervisory authority and of any notification Customer proposes to make (whether to any supervisory authority, data subjects, the public, or portions of the public) which directly or indirectly references Call Analog, its security measures, and/or role in the Security Incident, whether or not by name. Subject to Customer’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, Customer will consult with Call Analog in good faith and take account of any clarifications or corrections Call Analog reasonably requests to such notifications and which are consistent with Applicable Data Protection Law. In the event that impacted data subjects are required to be notified of the Security Incident, Customer will provide reasonable assistance to Call Analog to effectuate appropriate notice to such impacted data subjects.
8.1 Demonstrated Compliance
Upon Customer’s written request no more than once annually and subject to adequate confidentiality provisions, Call Analog shall, in accordance with Applicable Data Protection Laws, make available to Customer such reasonable information in Call Analog’s possession or control to demonstrate Call Analog’s compliance with its obligations as a data processor of Customer Content to satisfy Customer’s audit rights granted by Applicable Data Protection Law (including where applicable the Standard Contractual Clauses).
9.1 Deletion of Personal Data
In respect of the Customer Content that Call Analog processes as a data processor pursuant to the Agreement, Call Analog shall cease to process such personal data and will promptly arrange for its deletion on expiry or termination of the Agreement unless otherwise agreed by the parties in writing, in which case Call Analog shall hold Customer Content in accordance with the data retention term agreed by the parties. Notwithstanding anything to the contrary in this Section 9, Call Analog may retain Customer Content or any portion of it if required by applicable law, in which case Call Analog shall comply with Applicable Data Protection Law regarding the deletion and retention of Personal Data.
10.1 Call Analog shall provide reasonable assistance to Customer (taking into account the nature of processing and the information available to Call Analog and at Customer's expense) with respect to data protection impact assessments or consultations with supervisory authorities that may be required in accordance with Applicable Data Protection Law.
11.1 Self-service Features
As part of certain Services, Call Analog may, but is not obligated to, provide Customer with self-service features to delete, retrieve, or restrict use of Customer Content, which the Customer may use to assist in its compliance with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects.
11.2 Additional Assistance
In addition, upon written request, Call Analog will provide reasonable additional and timely assistance in relation to Customer Content at Customer’s expense to assist Customer in complying with its data protection obligations to respond to requests for exercising the rights of data subject under Applicable Data Protection Law.
12.1 Liability
This DPA is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect, including any limitations on liability contained therein, which shall apply to this DPA as if fully set forth herein. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
12.2 Penalties
Notwithstanding anything to the contrary in this DPA or in the Agreement, neither party will be responsible for any fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
13.1 All notices given by Call Analog to Customer under or in connection with this DPA shall be validly served by email. Where Customer has subscribed to the Notification Mechanism, Customer shall receive notifications pursuant to Clause 4.3 of this DPA. All other notices given by Call Analog to Customer under or in connection with this DPA shall be sent to Customer’s email address associated to their Call Analog account; and any notice given by Customer to Call Analog shall be sent to enquiry@Call Analog.com.
14.1 Customer further agrees to indemnify and hold harmless Call Analog for any data minimization or other record retention rules violations related to Customer's retention of data under the General Data Protection Regulation ("GDPR") or any other comparable legislation.
15.1 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the law and the jurisdiction of the country or territory which governs the Agreement except as otherwise specified in this DPA, including its Schedules, or required by Applicable Data Protection Law.
15.2 Jurisdiction Specific Terms
To the extent Call Analog processes Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 4, then the terms specified in Schedule 4 (“Jurisdiction Specific Terms”) apply, and in case of any conflict between the Jurisdiction Specific Terms and any term of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
15.3 Updates
Call Analog may update the terms of this DPA from time to time where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order, or guidance issued by a regulator or agency; (b) do not have a material adverse impact on Customer’s rights under the DPA; or (c) are required as a result of new products or services or material changes to any of the existing Services.
Details of Processing
1. Nature and Purpose of Processing
1.1 Customer Content
Call Analog will process Customer Content in accordance with Section 3.1 of this DPA.
1.2 Customer Account Data
Call Analog will process Customer Account Data as a controller to perform the functions as a communications service provider, which may include but are not limited to:
(a) managing the relationship with the Customer;
(b) carrying out Call Analog’s business operations such as accounting, tax, billing, audit, and compliance;
(c) investigating security issues, fraud, unauthorized or unlawful use of the service, and other misuses;
(d) improving the Services; and
(e) as required by applicable law, rule, or regulation, including but not limited to Applicable Data Protection Law.
2. Duration of Processing
2.1 Call Analog Acting as Processor for Customer Content
Call Analog will process Customer Content for the duration outlined in Section 9 of this DPA.
2.2 Call Analog Acting as Controller
Call Analog will process personal data as a controller for as long as needed to provide the Services. Upon termination of the Agreement, Call Analog may retain personal data
(a) for the purposes outlined in Section 1.2 of this Schedule 1; or
(b) as required by law. Call Analog will promptly delete or anonymize such personal data when Call Analog no longer requires it for the herein mentioned purposes.
3. Types of Personal Data
Call Analog processes personal data contained in Customer Content and Customer Account Data as defined in Section 1 of this DPA.
4. Categories of Data Subjects
4.1 Customer Content
Customer Content may concern the following categories of data subjects:
4.2 Customer Account Data
Customer Account Data may concern the following categories of data subjects:
Standard Contractual Clauses Decision (EU) 2021/914
Terms applicable to the EEA SCCs:
(i) Clause 7 - the optional docking clause will not apply.
(ii) Clause 9 - Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Sub-processors) of this DPA.
(iii) Clause 11 (a) - the optional language will not apply.
(iv) Clause 17 - Option 1 will apply and the Clauses will be governed by the law of Ireland.
(v) Clause 18 - disputes will be resolved before the courts of Ireland.
(vi) Module One (Controller to Controller) of the EEA SCCs applies where Customer is a controller and Call Analog is an independent controller.
(vii) Module Two (Controller to Processor) of the EEA SCCs applies where Customer is a controller and Call Analog is a processor.
(viii) Module Three (Processor to Processor) of the EEA SCCs applies where Customer is a processor and Call Analog is a processor.
A. List of Parties
Data exporter(s):
Name: The company defined as Customer who is a party to the Agreement.
Address: The address of the Customer as provided in the Agreement.
Contact details: Customer’s email address associated with their Call Analog account.
Activities relevant to the data transferred under these Clauses: purchase of Call Analog Services.
Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.
Role: The Data Exporter’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.
Data importer(s):
Name: Call Analog
Address: Call Analog’s address specified in the Agreement.
Contact details: enquiry@Call Analog.com
Activities relevant to the data transferred under these Clauses: Provision of the Services, which includes but is not limited to communications services that enable communications features and capabilities to be embedded into web, desktop, and mobile software applications.
Signature and date: By entering into the Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.
Role: The Data Importer’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.
B. Description of Transfer
Categories of data subjects whose personal data is transferred: As described in Section 4 of Schedule 1 (Details of Processing) of this DPA.
Categories of personal data transferred: Call Analog processes personal data contained in Customer Content and Customer Account Data as defined in Section 1 (Definitions) of this DPA.
Sensitive data: N/A
The frequency of the transfer: The data is transferred on a continuous basis.
Nature of the processing: As per Section 1 of Schedule 1 (Details of Processing) of this DPA.
Purpose(s) of the data transfer and further processing: Call Analog processes personal data for the purposes described in Section 1 of Schedule 1 (Details of Processing) of this DPA.
The period for which the personal data will be retained: Call Analog retains data for the duration described in Section 2 of Schedule 1 (Details of Processing) of this DPA.
For transfers to (sub-) processors, the subject matter, nature, and duration of the processing is set forth in the Sub-processors List (refer to Section 4.1 of this DPA).
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies: The Irish supervisory authority is the competent supervisory authority.Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Description of the technical and organizational security measures implemented by the data importer are as set forth in Section 6.1 of this DPA. The data importer may update its security document from time to time, provided that there is no material degradation to the security and/or privacy of the services.
Module Two: Transfer Controller to Processor
As per the Sub-Processors List (in Section 4.1 of this DPA).
UK International Data Transfer Addendum
Standard Data Protection International Data Transfer Addendum to the EU Commission
Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018
VERSION B1.0 in force 21 March 2022
Table 1: Parties
Start date: As set forth in the order or Agreement that incorporates these Standard Contractual Clauses by reference or as set forth in the DPA, whichever is later
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
Parties' details |
Full legal name: The company defined as Customer who is party to the Agreement. Trading name (if different): Main address (if a company registered address): The address of the Customer as provided in the Agreement. Official registration number (if any) (company number or similar identifier): As provided in the Agreement. |
Full legal name: Call Analog Trading name (if different): Main address (if a company registered address): The Call Analog address specified in the Agreement. Official registration number (if any) (company number or similar identifier): |
Key Contact |
Full Name (optional): Job Title: Contact details including email: Customer’s email address associated to their Call Analog account |
Full Name (optional): Job Title: Contact details including email: enquiry@Call Analog.com |
Signature (if required for the purpose of Section 2) |
By entering into the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum |
By entering into the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum |
Table 2: Selected SCCs Modules and Selected Clauses
Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: As provided in Table 1 above
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorization or General Authorization) | Clause 9a (Time period) |
|---|---|---|---|---|---|
| 1 | Yes | Does Not Apply | Optional language does not apply | ||
| 2 | Yes | Does Not Apply | Optional language does not apply | Option 2 applies - general authorization | As set forth in Section 4 of the DPA |
| 3 | Yes | Does Not Apply | Optional language does not apply | Option 2 applies - general authorization | As set forth in Section 4 of the DPA |
Table 3: Appendix Information
Appendix Information means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties (as set forth in Annex I.A of Schedule 2 of this DPA).
Annex 1B: Description of Transfer (as set forth in Annex I.B of Schedule 2 of this DPA).
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data (as set forth in Annex II of Schedule 2 of this DPA).
Annex III: List of Sub-processors (Modules 2 and 3 only, as set forth in Annex II of Schedule 2 of this DPA).
Table 4: Ending this Addendum when the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19: Importer & Exporter
PART 2: Mandatory Clauses
Mandatory Clauses:
Part 2: Mandatory Clauses of the Approved Addendum being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 as it is revised under Section 18 of those Mandatory Clauses.
Jurisdiction Specific Terms