Customer Data Processing Addendum

Effective date: September 15, 2023

This Bristol Global Mobility Data Processing Addendum (this “Addendum”) is entered into by and between Bristol Global Mobility, LLC, including on behalf of its subsidiaries Bristol Global Mobility Limited, Bristol Global Mobility (Asia) Pte (Singapore), and Bristol Global Mobility Limited (Canada) (collectively, “Bristol Global Mobility”) and the party with whom Bristol Global Mobility has executed the services agreement (the “Services Agreement”) (“You” or the “Customer”) (each a “Party”, and collectively the “Parties”) on the effective date of the Services Agreement or the applicable Bristol Global Mobility Data Processing Addendum Accession Agreement (the “Effective Date”).

RECITALS

WHEREAS, the Parties have entered into the Services Agreement involving the Processing (as defined below) of Shared Personal Data (as defined below) of Data Subjects (as defined below) that the Parties now desire to amend as provided herein;

WHEREAS, in the course of performance of the Services Agreement, Bristol Global Mobility transfers, transmits, and otherwise Processes certain Personal Data of Data Subjects;

WHEREAS, in connection with receiving services under the Services Agreement and operations thereunder, the Customer transfers, transmits, and otherwise Processes certain Personal Data of Data Subjects;

WHEREAS, each of the Parties requires the other Party to take all necessary measures to handle any information that may be regulated by the Applicable Data Protection Laws and regulations in compliance with such laws; and

WHEREAS, the Parties enter into this Addendum with the intent to comply with the principles and standards for data protection as required by Applicable Data Protection Laws and regulations, with respect to the Processing of Shared Personal Data under the Services Agreement.

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties hereby agree as follows:

  1. Definitions. For the purposes of this Addendum, the following capitalized terms shall have the meanings ascribed to them as set forth below wherever they appear within the provisions of this Addendum:
    1. “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Shared Personal Data identified in Exhibit B to this Addendum as may be amended, modified, or supplemented from time to time as applicable;
    2. “Data Protection Regulator” means any governmental data protection regulator(s) with valid jurisdiction over the transfer, transmission, or Processing of Personal Data pursuant to this Addendum;
    3. “Data Subject Rights” means the rights granted to Data Subjects by Applicable Data Protection Laws;
    4. “Restricted Transfer” means any transfer of Personal Data that would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Laws) in the absence of a valid data transfer mechanism, as set out in Section 10 below;
    5. “Shared Personal Data” means any Personal Data Processed by Bristol Global Mobility, Customer, or a Data Processor, exchanged pursuant to or in connection with the Services Agreement;
    6. “Standard Contractual Clauses” are the model clauses for Restricted Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted Transfers; and
    7. Capitalized terms which are used but not defined herein shall have the meanings given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect. The terms “Data Controller” or “Controller”, “Data Subject”, “Data Processor” or “Joint Controller”, “Processor”, “Recipient”, “Personal Data”, “Personal Data Breach”, “Processing” and “Sub-Processor” shall have the same meaning as in Applicable Data Protection Laws, and their cognate terms shall be construed accordingly. For the purposes of this Addendum, Data Controller or Data Controllers, Processor or Processors, data importer, and data exporter also refers specifically to a Party or the Parties to this Addendum.

TERMS

  1. Duration. The terms of this Addendum shall take effect on the Effective Date and continue for the duration the Shared Personal Data is Processed pursuant to the Services Agreement.
  2. Scope. This Addendum applies to the Processing of Shared Personal Data under the Services Agreement.
  3. Controllership. Bristol Global Mobility and Customer each act as an independent Controller of the Shared Personal Data Processed pursuant to the Services Agreement. For the avoidance of doubt, the Parties are not Joint Controllers of the Shared Personal Data.
  4. Controllership Representations and Warranties. Each Party represents, warrants, and covenants that:
    1. all Shared Personal Data has been and will be collected, transferred, and otherwise Processed in compliance with the Applicable Data Protection Laws; and
    2. it will independently determine its obligations under the Applicable Data Protection Laws.
  5. Processing of Personal Data. Processing of Shared Personal Data by each of the Parties within the scope of this Addendum is subject to the following:
    1. Processing of Shared Personal Data is limited to Processing necessary for the provision of the Services (as defined under Exhibit A).
    2. Each Party shall ensure that the Processing of the Shared Personal Data for the purposes set out in the Services Agreement is performed only on lawful grounds of any Applicable Data Protection Laws.
    3. Each Party must ensure that persons it authorizes to Process the Shared Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  6. Security Measures. Both Parties will implement appropriate technical and organizational security measures to ensure and to be able to demonstrate that Processing is performed in accordance with Applicable Data Protection Laws. Such measures shall be reviewed and updated where necessary. A description of the security measures adopted by Bristol Global Mobility is set out in Section 1.9 of Exhibit A.
  7. Requests to Exercise Data Subject Rights. Each Party will be responsible for responding to requests it receives for the exercise of Data Subject Rights regarding the Shared Personal Data Processed by that Party. The Parties agree to provide prompt and reasonable assistance to each other, upon the request of the other Party, to enable them to comply with Data Subject requests, as contemplated by this Section 8.
  8. Personal Data Breach Notifications. Each Party shall provide notification of a Personal Data Breach relating to the Shared Personal Data to the applicable Data Protection Regulator and the affected Data Subject(s), as required by Applicable Data Protection Laws, and provide all legally required assistance to the other Party if applicable.
  9. Restricted Transfers.

    1. Restricted Transfers of Shared Personal Data within the scope of this Addendum shall be conducted in accordance with the applicable terms and requirements set out in this Addendum, jurisdiction specific terms applicable to the Shared Personal Data set out in Exhibit B, and Applicable Data Protection Laws. Each Party will, in instances where it acts as a “data exporter” of the Shared Personal Data, upon request, inform the other Party, in that other Party’s capacity as a “data importer”, of all Applicable Data Protection Laws governing the receipt of Shared Personal Data from the data exporter, including citations to and the text of such laws.
    2. With regard to any Restricted Transfer from one Party to the other Party within the scope of this Addendum, the following data transfer mechanisms shall apply, in the following order of precedence:
      (i) A valid adequacy decision adopted by the relevant authority under the Applicable Data Protection Laws that provides that the third country, a territory, or one or more specified sectors within that third country, or the international organization in question to which Shared Personal Data is to be transferred ensures an adequate level of data protection.
      (ii) A valid certification held by the receiving Party under Applicable Data Protection Laws, such as the Data Privacy Framework, held by the receiving Party, or any replacement framework as may be applicable, only to the extent that such certification constitutes an “appropriate safeguard” under Applicable Data Protection Laws, as the case may be; or
      (iii) The Standard Contractual Clauses, as may be updated or modified from time to time, as well as any exhibits or additional terms that may be necessary to provide additional safeguards to the Shared Personal Data; or
      (iv) Any other lawful data transfer mechanism as agreed between the Parties.
    3. Where the Standard Contractual Clauses are used as the data transfer mechanism, this Addendum hereby incorporates the text of the applicable Standard Contractual Clauses by reference. The parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexes thereto). For the purposes of clarity, as used in this Addendum and the Standard Contractual Clauses, a Party is a "data importer" where that party is the receiving party and a "data exporter" where it is the sending party, as applicable. Furthermore, with regards to any one particular transfer operation, a Party may only be either a "data exporter" or a "data importer". In consideration of the fact that both Parties may send or receive Shared Personal Data to and from the other, each Party is deemed to have entered into the Standard Contractual Clauses twice, as outlined above - once as a "data exporter" with the other Party being a "data importer", and once with such roles reversed.
    4. Additional required information for the completion of the Standard Contractual Clauses is contained in the Exhibits to this Addendum.
  10. Liability. Without prejudice to any form of direct liability of a Party to Data Subjects, each Party shall be liable to the other non-defaulting Party for damages the defaulting Party has caused to the non-defaulting Party by any breach of its obligations pursuant to this Addendum.
  11. Contact Points for Notices and Data Protection Inquiries.

    1. Bristol Global Mobility:

      Data Protection Officer
      VeraSafe, LLC
      100 M Street S.E., Suite 600
      Washington, D.C. 20003
      USA
      +1 (617) 398-7067
      experts@verasafe.com
      https://www.verasafe.com/about-verasafe/contact-us/

       

      Representative in the EU:
      VeraSafe Ireland Limited
      Unit 3D
      North Point House
      North Point Business Park
      New Mallow Road
      Cork T23AT2P
      Ireland
      +1 (617) 398-7067
      https://www.verasafe.com/about-verasafe/contact-us/

      Representative in the UK:
      VeraSafe United Kingdom Limited
      VeraSafe United Kingdom Ltd.
      37 Albert Embankment, London SE1 7TL, United Kingdom
      https://verasafe.com/public-resources/contact-data-protection-representative

    2. Customer:

      The Customer shall provide, without undue delay, by way of sending an email to authorizations@bristolglobal.com and privacy@bristolglobal.com, the following contact information for data protection inquiries:

      • E-mail address;

      • Name;

      • Title;

      • Identity and contact details of the data protection representative in the EU (if applicable) and in the UK (if applicable);

      • Identity and contact details of the data protection officer; and

      • Data protection registration information (if applicable).

    3. The Parties shall use the contact point indicated in this Section 12 for all matters related to this Addendum and the Standard Contractual Clauses (where applicable). Each Party shall promptly update, when necessary, all such information, and keep all such information complete and up to date.

  12. Accountability. If either Party determines that it can no longer meet its obligations to provide the level of protection as required by this Addendum or as required by the Data Privacy Framework (where applicable), it shall: (i) promptly notify the other Party of that determination; and (ii) either cease the Processing or take other reasonable and appropriate steps to remediate the situation. Consumer has the right, with respect to the Shared Personal Data, to take reasonable and appropriate steps to ensure that Bristol Global Mobility uses the Shared Personal Data in a manner consistent with Consumer’s obligations under Applicable Data Protection Laws.

  13. Representations and Warranties of the Customer Regarding Local Laws. The Customer represents and warrants that it has no reason to believe, at the time of entering into this Addendum, in the existence of any local laws, including Applicable Data Protection Laws, that would have a substantial adverse effect on the guarantees provided for under this Addendum or Applicable Data Protection Laws, and it will inform Bristol Global Mobility if it becomes aware of any such laws.

     

  14. Resolution of Disputes with Data Subjects or Data Protection Regulators

    1. In the event of a dispute or claim brought by a Data Subject or a Data Protection Regulator concerning the Processing of the Shared Personal Data against either or both of the Parties, the Parties will promptly inform each other about any such disputes or claims and will cooperate with a view to settling them amicably and in a timely fashion.
    2. The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the applicable Data Protection Regulator. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings developed for data protection disputes.
    3. Each Party shall abide by a decision of a competent court of the applicable data exporter’s country of establishment or of the applicable Data Protection Regulator which is final and against which no further appeal is possible.

  15. Addendum and the Exhibits.

    1. This Addendum includes the following exhibits:
      1. Exhibit A (Details of Processing of Shared Personal Data).
      2. Exhibit B (Jurisdiction Specific Terms); and
      3. Exhibit C (Supplementary Terms to the Standard Contractual Clauses).
    2. Bristol Global Mobility reserves the right to update the exhibits mentioned in Section 16(a) from time to time by posting updated terms to the page where the exhibits and this Addendum are posted. In particular, Bristol Global Mobility may update:
      1. Exhibit A to reflect changes to the details of Processing of Shared Personal Data resulting from changes to the Services or to provide additional information required to conclude the Standard Contractual Clauses.
      2. Exhibit B to reflect changes in or additions to Applicable Data Protection Laws to which the Processing of Shared Personal Data may be subject, including the requirements to carry out Restricted Transfers.
      3. Exhibit C to reflect changes to the supplementary measures required to conduct Restricted Transfers.
    3. Conflicts between the Addendum and the exhibits. In case of any conflict or ambiguity between the terms in Exhibit B and any other terms of this Addendum, the applicable terms in Exhibit B will prevail.
  16. No Further Amendment. Except as expressly provided in this Addendum, the Parties intend no amendment or modification of the Services Agreement or in any other document signed or otherwise entered into by the Parties.

     

  17. Primary Agreement. The terms of the Services Agreement, together with any other addendum or supplemental agreement executed prior to this Addendum, are preserved and remain in full force and effect. To the extent that any terms of this Addendum conflict with any terms contained within the Services Agreement, the terms of this Addendum shall control with respect to the subject matter described herein.

     

  18. Confidentiality. This Addendum is confidential information. Each Party agrees:

    1. not to disclose this Addendum to any third party except (1) to legal counsel or privacy consultants who have executed a nondisclosure agreement or who are under a statutory obligation of confidentiality; (2) as permitted or reasonably anticipated by this Addendum; or (3) as required by Applicable Data Protection Laws or the Data Privacy Frameworks (each, a “Permitted Disclosure”); and
    2. to exercise at least the same degree of care that each Party generally uses to protect its own information of similar nature, to protect this Addendum from any possession, use, or disclosure that is not a Permitted Disclosure, but in no case less than a reasonable degree of care.

EXHIBIT A

Details of Processing of Shared Personal Data

Further details of the Processing, in addition to the ones laid down in the Services Agreement and the Addendum, include:

1.1  Role of the Parties is:

  • Bristol Global Mobility: Independent Controller.
  • Customer: Independent Controller.

1.2  The activities of each Party relevant to the Processing of Shared Personal Data are:

  • Bristol Global Mobility: Relocation management activities (the “Services”).
  • Customer: Human resources activities.

1.3  The subject matter of the Processing of Shared Personal Data is:

The subject matter of Bristol Global Mobility’s Processing of Shared Personal Data pertains to the provision of the Services to Data Subjects.

1.4  The duration of the Processing of Shared Personal Data is:

The duration of the Processing of Shared Personal Data by Bristol Global Mobility is generally determined by the Party providing the Shared Personal Data and is further subject to the terms of this Addendum and the Services Agreement, respectively, in the context of the contractual relationship between the Parties. The duration of the Processing is limited to the time period necessary for provision of Services.

1.5  The nature and purpose of the Processing of Shared Personal Data is:

The purpose of Bristol Global Mobility’s Processing of Shared Personal Data pertains to the provision of the Services under the Services Agreement, namely facilitating the use of the Services. The nature of the Processing may vary based on the Services and includes collection, storage, disclosure, making available, retention, deletion.

1.6  Depending on the Services chosen by Customer, the types of Shared Personal Data to be Processed by Bristol Global Mobility may include:

Relocating employees, their spouse, or dependents (as applicable):

  • Biographical information, such as first and last name, age.
  • Contact information, such as contact phone number, email address, work, home or temporary physical address.
  • Professional information, such as employer company and employee identifiers.
  • Compensation data, such as what benefits or package the Customer has offered the relocating employee to relocate.
  • National identifiers, such as national ID, social insurance number, passport numbers.
  • Financial data, such as bank account details.
  • Information contained on photo page of passport.
  • Citizenship and residency status.
  • Marital status.
  • Travel information, such as departure and destination location, address, and dates.
  • Education data, such as formal qualifications.
  • Any other Personal Data submitted to Bristol Global Mobility regarding the relocating employee, their spouse, and dependants.

Sensitive category data:

These categories of data are not specifically requested or collected by Bristol Global Mobility unless it is necessary for the Services:

  • Sexual orientation, if this is inferred from the gender or name of spouse if data subject is married and such data is disclosed to Bristol Global Mobility.
  • Membership in a trade union, if this is contained in the relocating employee’s records.
  • Information about health care or health benefits provided to relocating employees or their family by the Customer.
  • In certain countries or states, citizenship and residency status are also considered sensitive or special category data.
  • In certain countries or states, the Personal Data of children is also considered sensitive or special category data.

Delegates or individual representatives of the Customer:

  • Biographical information.
  • Contact information.
  • Professional information.

1.7  Depending on the Services chosen by Customer, the categories of Data Subjects to whom the Shared Personal Data that will be processed by Bristol Global Mobility relates may include:

  • Relocating employees
  • Spouse and dependents of relocating employees
  • Individual representatives of the Customer

1.8  The recipients that the Shared Personal Data may be transferred to by Bristol Global Mobility include:

  • The business service providers appointed by or on behalf of Bristol Global Mobility to Process the Shared Personal Data in connection with the Services and are Bristol Global Mobility’s Processors.
  • The suppliers engaged by Bristol Global Mobility to provide the Services and who may be independent Controllers, Joint Controllers, or Processors.

The subject matter, nature and duration of the Processing by the Processors shall be determined by the applicable agreement executed between Bristol Global Mobility and the applicable third-party recipient.

1.9  Description of the technical and organizational security measures implemented by Bristol Global Mobility:

  • Written policies and procedures requiring Bristol Global Mobility employees to maintain the privacy, security, and confidentiality of Shared Personal Data.
  • Contractual requirements for Bristol Global Mobility vendors (including Processors and suppliers) that may receive Shared Personal Data to uphold baseline security and confidentiality measures.
  • Network and database activities are logged and actively monitored for potential security events including intrusion.
  • Bristol Global Mobility-authored applications and IT systems are regularly scanned/monitored for vulnerabilities.
  • Regular vulnerability and penetration testing is performed on the applicable IT systems and applications.
  • Bristol Global Mobility restricts physical and logical access to IT systems, accounts, voicemail, and other applicable documents or systems that process Shared Personal Data to those officially authorized persons with an identified need for such access.
  • External points of connectivity in the Bristol Global Mobility network architecture are protected by firewall(s).
  • All information within the systems and applications is encrypted in transit and at rest using at least Advanced Encryption Standard (AES) 256-level encryption.
  • Encryption of email messages containing sensitive information through the Barracuda encryption service.
  • Known exploitable vulnerabilities in Bristol Global Mobility-authored applications and IT systems are patched expeditiously.
  • All devices that may process Shared Personal Data are outfitted with protective software, must use a VPN, and implement security measures such as automatic lock time and disk encryption.

1.10  Further Processing:

The Party receiving Shared Personal Data is allowed to carry out further Processing on Shared Personal Data provided that it does so in compliance with Applicable Data Protection Laws.

1.11  The frequency of the transfer (e.g., whether the Shared Personal Data is transferred on a once-off or continuous basis):

The frequency of the transfer of Shared Personal Data is determined by the Parties.

Shared Personal Data may be transferred each time it is required for the provision of the Services.

1.12  Maximum data retention periods, if applicable:

The retention period of Shared Personal Data is generally determined by the Parties and is subject to the term of this Addendum and the Services Agreement, respectively, in the context of the contractual relationship between the Parties.

1.13  The basic Processing activities to which the Shared Personal Data will be subject include, without limitation:

Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction for the purpose of providing the Services to Bristol Global Mobility in accordance with the terms of the Services Agreement.

1.14  Activities relevant to the transfer of Shared Personal Data:

For data importer, Processing activities in receiving or rendering (as applicable) the Services.

For data exporter, Processing activities in receiving or rendering (as applicable) the Services.

1.14  The identity and contact information of the Data Protection Officer of Bristol Global Mobility is:

As set forth in Section 12 of the Addendum.

1.15  The identity and contact information of the EU and UK representatives of Bristol Global Mobility are:

As set forth in Section 12 of the Addendum.

1.16  The identity and contact information of the Data Protection Officer of Customer is:

As set forth in Section 12 of the Addendum.

1.17  The identity and contact information of the EU and UK representatives of Customer are:

As set forth in Section 12 of the Addendum.

 

EXHIBIT B

Jurisdiction Specific Terms

  1. European Economic Area
    1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of EEA Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.
    2. Definitions.
      1. “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
      2. “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Shared Personal Data.
      3. “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      4. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.
    3. Restricted Transfers.
      1. With regard to any Restricted Transfer subject to EEA Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:
        1. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR;
        2. the EU 2021 Standard Contractual Clauses and any other Standard Contractual Clauses which may be adopted from time to time; or
        3. any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws.
        4. EU 2021 Standard Contractual Clauses.
      2. When the EU 2021 Standard Contractual Clauses apply to Restricted Transfers of Shared Personal Data of EEA Data Subjects in accordance with the terms of Section 10(b) of the Addendum, module 1 of the EU 2021 Standard Contractual Clauses (Controller to Controller) shall be the applicable model clauses for the transfer.
      3. The Parties agree to the following choices under module 1 to the EU 2021 Standard Contractual Clauses:
        1. Clause 7: The Parties choose to include the optional docking clause.
        2. Clause 11(a): The Parties agree not to provide the right to lodge a complaint with an independent dispute resolution body.
        3. Clause 13(a) and Annex I.C: The competent supervisory authority shall be the competent supervisory authority in the jurisdiction where the data exporter is established. If the data exporter is not located in the EEA, the competent supervisory authority shall be the competent supervisory authority in the jurisdiction where the data exporter's data protection representative in the EEA under Article 27 of the GDPR is established. If the data exporter is not established in an EEA country and its activities related to the Processing of Shared Personal Data are subject to the GDPR by virtue of application of Article 3(2) of the GDPR, and the data exporter does not have a data protection representative under Article 27 of the GDPR, the data exporter chooses the Data Protection Commission (Ireland) as its competent supervisory authority for the purposes of Clause 13 and Annex I.C.
        4. Clause 17: The EU 2021 Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
        5. Clause 18: The Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
        6. Annex 1(A): The content of Annex 1(a) is set forth in Section 12 of this Addendum, and Exhibit A.
        7. Annex 1(B): The content of Annex 1(B) is set forth in Exhibit A.
        8. Annex II: The content of Annex II is set forth in Exhibit A.
      4. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.
      5. The additional safeguards identified in Exhibit C supplement the EU 2021 Standard Contractual Clauses.
  2. Switzerland
    1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Swiss Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.
    2. Definitions.
      1. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
      2. “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”), as may be amended from time to time.
    3. Restricted Transfers.
      1. With regard to any Restricted Transfer subject to Swiss Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence: (a) a valid adequacy decision adopted by the FDPIC on the basis of Article 6 of the FADP; (b) the appropriate Standard Contractual Clauses adopted by the FDPIC from time to time; or (c) any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
    4. EU 2021 Standard Contractual Clauses.
      1. When the EU 2021 Standard Contractual Clauses apply to Restricted Transfers of Shared Personal Data of Swiss Data Subjects in accordance with the terms of Section 10(b) of the Addendum, module 1 of the EU 2021 Standard Contractual Clauses (Controller to Controller) shall be the applicable model clauses for the transfer.
      2. The Parties agree to the following choices under module 1 of the EU 2021 Standard Contractual Clauses:
        1. Clause 7: The Parties choose to include the optional docking clause.
        2. Clause 11(a): The Parties agree not to provide the right to lodge a complaint with an independent dispute resolution body.
        3. Clause 13(a) and Annex 1(C): The competent authority shall be the Swiss Federal Data Protection and Information Commissioner, insofar as the data transfer constitutes a Restricted Transfer of Shared Personal Data of Swiss Data Subjects.
        4. Clause 17: The EU 2021 Standard Contractual Clauses shall be governed by the laws of the Swiss Confederation.
        5. Clause 18: With respect to Clause 18, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts as an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.
        6. Annex 1(A): The content of Annex 1(a) is set forth in Section 12 of this Addendum, and Exhibit A.
        7. Annex 1(B): The content of Annex 1(B) is set forth in Exhibit A.
        8. Annex II: The content of Annex II is set forth in Section 1.9 of Exhibit A.
      3. The term “member state” included in the EU 2021 Standard Contractual Clauses must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU 2021 Standard Contractual Clauses.
      4. The Parties acknowledge that the EU 2021 Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.
      5. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.
      6. The additional safeguards identified in Exhibit C supplement the EU 2021 Standard Contractual Clauses.

  3. United Kingdom
    1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of UK Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.
    2.  Definitions.
      1. “UK Data Protection Laws” includes the Data Protection Act 2018 and the UK GDPR.
      2. “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
      3. “UK ICO” means the UK Information Commissioner’s Office.
      4. “UK IDTA” means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
    3. Restricted Transfers.
      1. With regard to any Restricted Transfer subject to UK Data Protection Laws regarding Shared Personal Data of UK Data Subjects within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
        1. A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR.
        2. The UK IDTA.
        3. Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
          1. The UK IDTA:
            1. This Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.
            2. For the purposes of Part 1 (Tables):

              Table 1: The information required by Table 1 appears within the Addendum and Services Agreement.

              Table 2:
              1. The UK IDTA shall be governed by the laws of England and Wales.
              2. The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.
              3. The Parties’ controllership roles are set out in Section 1.1 of Exhibit A.
              4. The Parties’ data transfer roles are set out in Section 10 of the Addendum.
              5. The UK GDPR applies to the data importer’s Processing of the Shared Personal Data to the extent that the data importer is Bristol Global Mobility Limited. If the UK GDPR applies to the Customer, the Customer must communicate this fact to Bristol Global Mobility in writing.
              6. The linked agreements are set out on the first page of the Addendum and include the Services Agreement, the Addendum, and Bristol Global Mobility Data Processing Addendum Accession Agreement (where applicable).
              7. The data importer shall Process the Shared Personal Data for the time period set out in Exhibit A. The Parties agree that neither Party may terminate the UK IDTA before the end of such time period.
              8. The data importer may transfer the Shared Personal Data to another organization or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data) of the UK IDTA, and there are no specific restrictions.
              9. Each Party must review this UK IDTA at regular intervals to ensure that this UK IDTA remains accurate and up to date and continues to provide appropriate safeguards to the Shared Personal Data. Each Party will carry out these reviews as frequently as each two (2) years.

              Table 3: The content of Table 3 is set forth in Exhibit A and may be updated if the information is updated in the linked agreements.

              Table 4: The content of Table 4 is set forth in Exhibit A and may be updated if the information is updated in the linked agreements.
            3. Part 2 (Extra Protection Clauses) of the UK IDTA is set out in Exhibit C which terms supplement the UK IDTA.
            4. Part 3 (Commercial Clauses) of the UK IDTA is set out in the Services Agreement.
            5. In cases where the UK IDTA applies and there is a conflict between the terms of this Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.

  4. United States of America
    1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of United States Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.
    2.  Definitions.
      1. “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data, as may be amended from time to time. Such laws include, without limitation:
        1. the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.), and the California Consumer Privacy Act Regulations, together with all implementing regulations;
        2. the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations;
        3. the Connecticut Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015;
        4. the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and
        5. the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.
          1. “Personal Data Breach” (as used in the Addendum) includes “Breach of Security” and “Breach of the Security of the System” as defined under applicable United States Data Protection Laws.
          2. The terms “Business”, “Sell”, “Share” and “Third Party” used in this Section shall have the meanings assigned to them in United States Data Protection Laws.
        6. Processing of Shared Personal Data.
          1. Bristol Global Mobility is a Business or Third Party (as applicable) in relation to Shared Personal Data.
          2. Where Bristol Global Mobility is a Third Party, Customer discloses Shared Personal Data to Bristol Global Mobility solely to enable Bristol Global Mobility to perform the Services.
          3. Bristol Global Mobility will not Sell or Share Shared Personal Data.

EXHIBIT C

Supplementary Terms to the Standard Contractual Clauses

By this Exhibit C (this “Exhibit”), the Parties provide additional safeguards and redress to the Data Subjects whose Shared Personal Data is transferred pursuant to the EU 2021 Standard Contractual Clauses. This Exhibit supplements and is made part of, but is not in variation or modification of, the EU 2021 Standard Contractual Clauses that may be applicable to a Restricted Transfer.

  1. Definitions
    1. For the purpose of interpreting this Exhibit, the following terms shall have the meanings set out below:
      1. “EO 12333” means U.S. Executive Order 12333.
      2. “FISA” means the U.S. Foreign Intelligence Surveillance Act.
      3. “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
  2. Applicability of Surveillance Laws to Data Importer
    1. U.S. surveillance laws:
      1. Data Importer represents and warrants that, as of the Effective Date it has not received any national security orders of the type described in paragraphs 150-202 of the Schrems II judgment.
      2. Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
        1. No court has found Data Importer to be an entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication Data Importer” within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) a member of any of the categories of entities described within that definition.
        2. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.
      3. EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.

3.  Backdoors

  1. Data Importer certifies that:
    1. It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s systems or Shared Personal Data subject to the Standard Contractual Clauses;
    2. It has not purposefully created or changed its business processes in a manner that facilitates governmental access to Shared Personal Data or systems; and
    3. National law or government policy does not require Data Importer to create or maintain back doors or to facilitate governmental access to Shared Personal Data or systems.
  2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

4.  Information about Legal Prohibitions

  1. Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Exhibit. Data Importer may choose the means to provide this information.

5.  Additional Measures to Prevent Authorities from Accessing Shared Personal Data

  1. Notwithstanding the application of the security measures set forth in the Addendum, Data Importer will implement internal policies establishing that:
    1. Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Shared Personal Data;
    2. Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid;
    3. If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and
    4. If Data Importer receives a request from third parties to cooperate on a voluntary basis, Shared Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.

6.  Termination

This Exhibit shall automatically terminate with respect to the Shared Personal Data transferred in reliance of the EU 2021 Standard Contractual Clauses if the European Commission or a competent supervisory authority approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the EU 2021 Standard Contractual Clauses (and, if such mechanism applies only to some of the data transfers, this Exhibit will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Exhibit.