1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Company Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.1.2 “Personal Information” means any information defined as “personal information” or “personal data” under Data Protection Laws including data (i) relating to an identified or identifiable natural person; or (ii) that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be:
​

1.1.2.1 processed at any time by Vendor in anticipation of, in connection with or incidental to the performance of the Services under the Principal Agreement and this DPA; or
​

1.1.2.2 derived by Vendor from such information.

1.1.3 “Company Personal Data” means any Personal Data Processed by Vendor on behalf of a Company pursuant to or in connection with the Principal Agreement and according to Company instructions.

1.1.4 “Data Protection Laws” means EU, UK and Non-EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

1.1.5 “EEA” means the European Economic Area.

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

1.1.7 “UK Data Protection Laws” means (a) the UK Data Protection Act 2018 incorporating the GDPR (as may be amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); (b) the GDPR, read in conjunction with and subject to any Member State law that provides for specifications or restrictions of its rules; and (c) any other applicable UK or EU data protection or privacy law to the extent that such law applies to a Company, Vendor Affiliate or Vendor, in each case as amended, replaced or superseded from time to time.

1.1.8 “Non-EU Data Protection Laws” means the “Non-EU Applicable Laws” as described above by the respective governmental institutions.

1.1.9 “GDPR” means EU General Data Protection Regulation 2016/679.

1.1.10 “Restricted Transfer” means:
​

1.1.10.1 a transfer of Company Personal Data from Company to Vendor; or
​

1.1.10.2 an onward transfer of Company Personal Data from Vendor to a Subprocessor, or between two establishments of Vendor and Subprocessor,
in each case, where such transfer would be prohibited by Data Protection Laws defined above (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Schedule 1 below or, on a case by case basis, such other lawful transfer mechanism referred to in Article 46 of the GDPR or derogation referred to in Article 49 of the GDPR as may apply.

1.1.11 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Company pursuant to the Principal Agreement.

1.1.12 “Standard Contractual Clauses” means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e, which clauses are incorporated herein by this reference.

1.1.13 “Subprocessor” means any person (including any third party, but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Personal Data on behalf of Company in connection with the Principal Agreement.

1.1.14 “Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

1.2. The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2.1. Vendor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not Process Company Personal Data other than on Company’s documented instructions unless Processing is required by Applicable Laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before the relevant Processing of that Personal Data.

2.1.3 maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Company or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Vendor to process or disclose Personal Information, the Vendor must first inform the Company of the legal requirement and give the Company an opportunity to object or challenge the requirement, unless the law prohibits such notice.

2.1.4 reasonably assist the Company with meeting the Company’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Vendor’s processing and the information available to the Vendor.

2.1.5 promptly notify the Company of any changes to Privacy and Data Protection Requirements that may adversely affect the Vendor’s performance of the Master Agreement.

2.1.6 if additional Processing (including Transfer) requirements are necessary for any specific jurisdiction in order for the Processing by Vendor or its Authorized Subprocessors to be compliant with Applicable Law, Vendor and Company shall negotiate in good faith to amend this Agreement to include such requirements and implement these provisions accordingly.

2.2. Company:

2.2.1 instructs Vendor (and authorizes Vendor to instruct each Subprocessor) to:

2.2.1.1 Process Company Personal Data; and

2.2.1.2 in particular, transfer Company Personal Data to any country or territory, provided it is to a country that provides an adequate level of protection as determined by the standard defined by applicable data protection laws or safeguards are in place to provide an adequate level of protection such as standard contractual clauses approved by the relevant Government or Commissioned bodies or the transfer is otherwise permitted under Data Protection Law,
to the extent and in such a manner as is reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and

2.2.2 warrants and represents that it is and, unless it provides written notice to the Vendor to the contrary, will remain duly and effectively authorized to give the instruction set out in section 2.2.1 on behalf of each relevant Company Affiliate.

2.2.3 retains control of the Company Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Vendor.

Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Vendor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Vendor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement appropriate physical, technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5.1 Company authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this Addendum and add new Subprocessors, subject to in each case as soon as practicable meeting the obligations set out in section 5.3 and 5.4.

5.3 Vendor shall ensure that each Subprocessor performs the obligations under the applicable sections of this DPA, as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Vendor.

5.4 Before replacing or adding a new Subprocessor, Vendor shall give Company reasonable notice of such replacement or addition, giving Company an opportunity to object.

6.1. Taking into account the nature of the Processing, Vendor shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Companys’ obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2. Vendor shall:

6.2.1 promptly notify Company if Vendor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 ensure that Vendor does not respond to that request except on the documented instructions of Company or the relevant Company Affiliate or as required by Applicable Laws to which Vendor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Vendor responds to the request.

6.3. Company shall:

6.3.1 Promptly notify Vendor if Customer receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;

6.3.2 Assist Vendor as necessary to fulfil Data Subject requests.

7.1 Vendor shall notify Company without undue delay upon Vendor or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Vendor shall co-operate with Company and Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7.3 Company shall co-operate with Vendor and take such reasonable commercial steps as are directed by Vendor to assist in the investigation, mitigation, and remediation of each such Personal Data Breach as necessary.

7.4 The Vendor can claim compensation for support services that are not included in the service description or are not attributable to misconduct on the part of the contractor. If necessary, Vendor will submit a separate offer to the Company for approval. Vendor will charge the following fees:

7.4.1 $187.50 plus tax per hour. On Saturdays a surcharge of 50%, on Sundays and holidays a surcharge of 100% will be charged.

7.4.2 The client must reimburse Vendor separately for the following expenses: Travel costs ($0.70 / mile plus tax), travel time ($95.00 / hour plus tax), hotel costs, expenses according to the law and, if applicable, other costs according to expenditure and as proof.

7.4.3 Each invoice is due for payment within ten working days without deduction.

Vendor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required of any Company by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, Vendor.

9.1 Subject to sections 9.2 and 9.3, Vendor shall promptly after the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data unless otherwise required by applicable Data Protection Laws or other regulations.

9.2 Subject to section 9.3, Company may in its absolute discretion by written notice to Vendor within 30 days of the Cessation Date require Vendor to (a) return a complete copy of all Company Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Vendor; and (b) delete and procure the deletion of all other copies of Company Personal Data Processed by Vendor. Vendor shall comply with any such written request within 30 days of the Cessation Date unless otherwise required by applicable Data Protection Laws or other regulations.

9.3 Vendor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Vendor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

9.4 Vendor shall, if requested in writing by Company, provide written certification to Company that it has fully complied with this section 9 within 30 days of the Cessation Date.

10.1 Within thirty (30) days of Company’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, Vendor shall make available to Company (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate Vendor’s compliance with the obligations set forth in this Addendum.

10.2 The Vendor may assert a claim for remuneration in order to enable the client to carry out audits or inspections. If necessary, Vendor will submit a separate offer to the Company for approval. Vendor will charge the following fees:

10.2.1 $187.50 plus tax per hour. On Saturdays a surcharge of 50%, on Sundays and holidays a surcharge of 100% will be charged.
​

10.2.2 The client must reimburse Vendor separately for the following expenses: Travel costs ($0.70 / mile plus tax), travel time ($95.00 / hour plus tax), hotel costs, expenses according to the law and, if applicable, other costs according to expenditure and as proof.
​

10.2.3 Each invoice is due for payment within ten working days without deduction.

11.1 Subject to section 11.3, Company (as “data exporter”) and Vendor, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Company to Vendor.

11.2 The Standard Contractual Clauses shall come into effect under section 11.1 on the later of:

11.2.1 the data exporter becoming a party to them;
11.2.2 the data importer becoming a party to them; and

11.2.3 commencement of the relevant Restricted Transfer.

11.3 Section 11.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.

Governing law and jurisdiction

12.1 Without prejudice to Clause 17 of the Standard Contractual Clauses:

12.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
​

12.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

Order of precedence

12.2 Nothing in this Addendum reduces Vendor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Vendor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

12.3 Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

Changes in Data Protection Laws, etc.

12.4 Company may:

12.4.1 by at least 60 (sixty) calendar days’ written notice to Vendor from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 11.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
​

12.4.2 propose any other variations to this Addendum which Company reasonably considers to be necessary to address the requirements of any Data Protection Law.

12.5 If Company gives notice under section 12.4.1:

12.5.1 Vendor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.3; and
​

12.5.2 Company shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Vendor to protect the Vendor against additional risks associated with the variations made under section 12.4.1 or

12.5.1.

12.6 If Company gives notice under section 12.4.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Company’s notice as soon as is reasonably practicable.

12.7 Neither Company nor Vendor shall require the consent or approval of any Company Affiliate to amend this Addendum pursuant to this section 12.5 or otherwise.

Severance

12.8 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

This Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date of execution of the Principal Agreement.

1.1 To the extent legally required, the signatories to the Agreement are deemed to have signed the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e (the “2021 Standard Contractual Clauses”), which form part of this DPA and will be deemed completed as follows:

1.1.1 Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Company to Vendor and Module 4 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Vendor to Company;
​

1.1.2 Clause 7 of Modules 2 and 4 (the optional docking clause) is not included;
​

1.1.3 Under Clause 9 of Module 2 (Use of sub-processors). the parties select Option 2 (general authorization). The contents of Annex III (the list of sub-processors already authorized by Company) are attached hereto as Schedule 3 to this DPA;
​

1.1.4 Under Clause 11 of Modules 2 and 4 (Redress). the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
​

1.1.5 Under Clause 17 of Modules 2 and 4 (Governing law). the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the Federal Republic of Germany;
​

1.1.6 Under Clause 18 of Modules 2 and 4 (Choice of forum and jurisdiction). the parties select the courts of the Federal Republic of Germany.

This Annex forms part of the Standard Contractual Clauses

Entering into this Addendum

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.

Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.

Appendix: As set out in Table ‎3.

Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.

Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18.

Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

ICO: The Information Commissioner.

Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.

UK: The United Kingdom of Great Britain and Northern Ireland.

UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

UK GDPR: As defined in section 3 of the Data Protection Act 2018.

4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:

a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

18. From time to time, the ICO may issue a revised Approved Addendum which:

a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

a its direct costs of performing its obligations under the Addendum; and/or
b its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.