NAUTILUS DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the agreement from which it was linked (“Agreement”) between Customer and Nautilus (in each case, as defined in the Agreement). In the event of a conflict between the terms of this DPA and the Agreement with respect to the subject matter of this DPA, the terms of this DPA will control.

1.0       DEFINITIONS

Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

1.1 “Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including the GDPR and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the EEA and all other data protection laws of the EEA, the UK Data Protection Act 2018 and the UK General Data Protection Regulation, and the Swiss data protection laws, each as applicable, and as may be amended or replaced from time to time. “Covered Data” means Personal Data that is: (a) provided by or on behalf of Controller to Processor in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Processor, or its agents or subcontractors, for purposes of providing the Services, in each case as further described in Schedule 1.

1.2    “Data Subject” means a natural person whose Personal Data is Processed.

1.3    “Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

1.4    “EEA” means the European Economic Area including the European Union (“EU”).

1.5    “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3 of the UK Data Protection Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.

1.6    “Member State” means a member state of the EEA, being a member state of the EU, Iceland, Norway, or Liechtenstein.

1.7    “Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.

1.8    “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.

1.9    “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Covered Data.

1.10  “Services” means the services to be provided by Processor pursuant to the Agreement.

1.11  “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to the EU Commission Implementing Decision (EU) 2021/914 of June 4, 2021, as amended or replaced from time to time.

1.12  “Sub-processor” means an entity appointed by Processor to Process Covered Data on its behalf.

1.13  “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 25 September 2020 and its ordinances, and any new or revised version of these laws that may enter into force from time to time.

1.14  “UK” means the United Kingdom.

1.15  “US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

2.0       INTERACTION WITH THE AGREEMENT

2.1    This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

3.0       ROLE OF THE PARTIES

The Parties acknowledge and agree that:

(a)       for the purposes of the GDPR, Processor acts as “processor” or “sub-processor” (as each term is defined in the GDPR) in the performance of its obligations under the Agreement and this DPA. Processor’s function as processor or sub-processor will be determined by the function of the Controller:

(i)       Where Controller acts as a “controller” (as defined in the GDPR), Processor acts as a processor;

(ii)       Where Controller acts as a processor on behalf of another controller, Processor acts as a sub-processor.

(b)       for the purposes of the GDPR, Processor may Process Covered Data relating to the operation, support, or use of Services for its own business purposes, such as user account registration and account management, data analysis, billing, and compliance with applicable law. Processor acts as “controller” (as defined in the GDPR) for such Processing and will Process such data in accordance with Applicable Data Protection Laws.

(c)       for the purposes of the US Data Protection Laws, Processor will act as a “service provider” or “processor” (each as defined in US Data Protection Laws), as applicable, in its performance of its obligations under the Agreement and this DPA.

4.0       DETAILS OF DATA PROCESSING

4.1    The details of the Processing of Personal Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.

Processor will only Process Covered Data on behalf of and under the documented instructions of Controller and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall constitute Controller’s instructions for the Processing of Covered Data. Controller may reasonably issue additional written instructions in accordance with this DPA as necessary to comply with Applicable Data Protection Laws. Processor may charge a reasonable fee to comply with any additional instructions.

4.2    Unless prohibited by applicable law, Processor will notify Controller if Processor is subject to a legal obligation that requires Processor to Process Covered Data in contravention of Controller’s documented instructions.

5.0       CONFIDENTIALITY AND DISCLOSURE

5.1    Processor will ensure that all personnel authorized to Process Covered Data are subject to an obligation at least as protective of the Covered Data as the terms of this DPA and the Agreement, including of confidentiality.

6.0       SUB-PROCESSORS

6.1    Processor may Process Covered Data anywhere that Processor or its Sub-processors maintain facilities, subject to the remainder of this clause 6.

6.2    Controller grants Processor the general authorization to engage Sub-processors, subject to clause 6.3, as well as Processor’s current Sub-processors.

6.3    Processor will enter into a written agreement with each Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Processor’s obligations under this DPA.

6.4    Processor will provide Controller with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to Process Covered Data. Controller may object to Processor’s use of a new Sub-processor (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing Processor with written notice of the objection within ten (10) days after Processor has provided notice to Controller of such proposed change (an “Objection”). If Controller does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Controller objects to Processor’s use of a new Sub-processor, Controller and Processor will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, either Party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party. During any such Objection period, Processor may suspend the affected portion of the Services.

7.0       DATA SUBJECT RIGHTS REQUESTS

7.1    As between the Parties, Controller will have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Covered Data under Applicable Data Protection Laws (each, a “Data Subject Request”).

7.2    Processor will forward to Controller any Data Subject Request received by Processor or any Sub-processor and may advise the individual to submit their request directly to Controller.

7.3    Taking into account the nature of the Processing, and the information available to Processor, Processor will provide Controller with reasonable assistance, including, as appropriate, by implementing technical and organizational measures, as necessary for Controller to fulfil its own obligation under Applicable Data Protection Laws to exercise Data Subject Requests.

8.0       SECURITY

8.1    Processor will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to it. When assessing the appropriate level of security, account will be taken in particular of the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

8.2    Processor will implement and maintain as a minimum standard the measures set out in Schedule 2. Controller acknowledges that the security measures in Schedule 2 are appropriate in relation to the risks associated with Controller’s intended Processing and will notify Processor prior to any intended Processing for which Processor’s security measures may not be appropriate.

9.0       INFORMATION AND AUDITS

9.1    Upon Controller’s reasonable request, Processor will provide Controller with information necessary to demonstrate compliance with the obligations as set forth in this DPA.

9.2    Upon Controller’s reasonable request, Processor must allow for and contribute to audits, including inspections. Controller will have the right to audit Processor’s compliance with this DPA. The Parties agree that all such audits will be conducted:

(a)     upon reasonable written notice to Processor;

(b)    only once per year; and

(c)     only during Processor’s normal business hours.

9.3    To conduct such audits, Controller may engage a third-party auditor subject to such auditor complying with the requirements under clause 9.1 and provided that such auditor is suitably qualified and independent.

9.4    To request an audit, Controller must submit a detailed proposed audit plan to Processor at least two weeks in advance of the proposed audit date. Processor will review the proposed audit plan and work cooperatively with Controller to agree on a final audit plan. All such audits must be conducted subject to the agreed final audit plan and Processor’s health and safety or other relevant policies.

9.5    Controller will promptly notify Processor of any non-compliance discovered during an audit.

9.6    Controller will bear the costs for any audit initiated by Controller, unless the audit reveals material non-compliance with the requirements of this DPA.

9.7    Upon request, Processor may, in its discretion, provide data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company. If the requested audit scope is addressed in such a certification produced by a qualified third-party auditor within twelve (12) months of Controller’s audit request and Processor confirms there are no known material changes in the controls audited, Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

9.8    Processor will inform Controller if Processor believes that Controller’s instruction under this Section 9 infringes Applicable Data Protection Laws. Processor may suspend the audit or inspection or withhold requested information until Controller has modified or confirmed the lawfulness of the instructions in writing.

9.9    Taking into account the nature of the Processing, and the information available to Processor, Processor will assist Controller, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Controller’s own obligations under Applicable Data Protection Laws to conduct data protection impact assessments, and prior consultations with supervisory authorities.

10.0     SECURITY INCIDENTS

Processor will notify Controller without undue delay after becoming aware of a Security Incident, and reasonably cooperate in any obligation of Controller under Applicable Data Protection Laws to make required notifications, such as to Data Subjects or supervisory authorities. Processor’s notification of or response to a Security Incident under this clause 10 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Security Incident.

11.0     DELETION AND RETURN

Processor will, within ninety (90) days of the date of termination or expiry of the Agreement (a) if requested to do so by Controller within that period, return a copy of all Covered Data or provide a self-service functionality allowing Controller to do the same; and (b) delete all other copies of Covered Data Processed by Processor.

12.0     CONTRACT PERIOD

This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Processor’s deletion of all Covered Data as described in this DPA.

13.0     STANDARD CONTRACTUAL CLAUSES

13.1  The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to the transfer of any Covered Data from Controller to Processor, and form part of this DPA, to the extent that:

(a)     the GDPR or Swiss Data Protection Law applies to the Controller when making that transfer; or

(b)     the Applicable Data Protection Laws that apply to the Controller when making that transfer (the “Exporter Data Protection Laws”) prohibit the transfer of Covered Data to the Processor under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:

(i)     the relevant authority with jurisdiction over the Controller’s transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or

(ii)     such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or

(iii)     established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or

(c)     the transfer is an “onward transfer” (as defined in the applicable module of the SCCs).

13.2  The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.

14.0     DEIDENTIFIED DATA

If Processor receives Deidentified Data from or on behalf of Controller, then Processor will:

(a)        take reasonable measures to ensure the information cannot be associated with a Data Subject.

(b)       publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.

(c)        contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.

SCHEDULE 1
DETAILS OF PROCESSING

A.       List of Parties

| | Data exporter | Data importer |
|---|---|---|
| Name | Controller (as defined above) | Nautilus (as defined above) |
| Address | As set forth in the Agreement | See signature page above. |
| Contact person’s name, position and contact details | As set forth in the Agreement | General Counsel, legal@nautilus.bio |
| Activities relevant to the data transferred under these Clauses | The receipt of the Services under the Agreement. | The performance of the Services under the Agreement. |
| Signature and date | As set forth in the Agreement | As set forth in the Agreement |
| Role (controller/ processor) | controller | processor or controller |

B.       Description of Processing

1.       Categories of Data Subjects

The categories of Data Subjects whose Personal Data are Processed: Employees of Controller, as well as Controller’s customers and their employees, as well as the individual recipients of marketing communications and other individuals being targets of other marketing activities of Controller or its customers.

2.       Categories of Personal Data

The Processed categories of Personal Data are:  name, phone number, email address, time zone, address data, and name of employer.

3.       Special categories of Personal Data (if applicable)

The Processed Personal Data includes the following special categories of data: Not applicable

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: Not applicable

4.       Frequency of the Processing

The Processing is performed from time to time.

5.       Subject matter and nature of the Processing

The subject matter and nature of the Processing is: The personal data will be processed and transferred as described in the Agreement.

6.       Purpose(s) of the data transfer and further Processing

The purpose/s of the data transfer and further Processing is: The personal data will be transferred and further processed as described in the Agreement.

7.       Retention Period

The period during which the Personal Data will be Processed, or, if that is not possible, the criteria used to determine that period:  Personal data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Applicable Data Protection Laws.

8.       Sub-processor (if applicable)

For Processing by sub-processors, specify subject matter, nature, and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

C.       Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority of Ireland.

SCHEDULE 2
TECHNICAL AND ORGANIZATIONAL MEASURES

Processor has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  1. Organizational management and staff responsible for the development, implementation, and maintenance of Processor’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Processor’s organization, monitoring and maintaining compliance with Processor’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Utilization of commercially available and industry standard encryption technologies for Covered Data that is:

    (a) being transmitted by Processor over public networks (i.e., the Internet) or when transmitted wirelessly; or

    (b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, back-up tapes).

  4. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Processor’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Processor’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
  7. Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Processor’s technology and information assets.
  8. Incident / problem management procedures designed to allow Processor to investigate, respond to, mitigate, and notify of events related to Processor’s technology and information assets.
  9. Network security controls that provide for the use of firewall systems, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  10. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

SCHEDULE 3
STANDARD CONTRACTUAL CLAUSES

  1. EU SCCS

With respect to any transfers referred to in clause 13, and for which the Standard Contractual Clauses are specifically applicable pursuant thereto, the Standard Contractual Clauses shall be completed as follows:

1.1       Module Two will apply in the case of the Processing under clause 3(a)(i) of the DPA, Module Three will apply in the case of Processing under clause 3(a)(iii) of the DPA and Module One will apply in the case of Processing under clause 3(b) of the DPA.

1.2       Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

1.3       Clause 9(a) option 2 (General written authorization) shall apply, and the time period to be specified is determined in clause 6.4 of the DPA.

1.4       The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

1.5       With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be the law of the Republic of Ireland.

1.6       In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.

1.7       For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.

1.8       For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures.

  2. UK ADDENDUM

2.1       This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from Controller (as data exporter) to Processor (as data importer), to the extent that:

(a)       the UK Data Protection Laws apply to Controller when making that transfer; or

(b)       the transfer is an “onward transfer” as defined in the Approved Addendum.

2.2       As used in this paragraph 2:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.

“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

2.3       The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.

2.4       The Approved Addendum shall be deemed completed as follows:

(a)       in Table 2, the “Approved EU SCCs” shall refer to the SCCs as they are incorporated into this Agreement in accordance with clause 13 and this Schedule 3;

(b)       in Table 1 of the Approved Addendum, the “Exporter” is Controller and the “Importer” is Processor, their details are set forth in this DPA, and the Agreement;

(c)       in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” shall refer to the information set out in Schedule 1 and Schedule 2 respectively.

(d)       for the purposes of Table 4 of the Approved Addendum, Processor (as “Importer”) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and

(e)       Section 16 of the Approved Addendum does not apply.

  3. SWISS ADDENDUM

3.1       This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.

3.2       Interpretation of this Addendum

(a)       Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

“Addendum” means this addendum to the Clauses;

“Clauses” means the Standard Contractual Clauses as incorporated into this DPA in accordance with clause 13 and as further specified in this Schedule 3; and

“FDPIC” means the Federal Data Protection and Information Commissioner.

(b)       This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties’ obligation to provide appropriate safeguards as required by the GDPR and/or the Swiss Data Protection Laws, as the case may be.

(c)       This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

(d)       Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.

(e)       In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:

(i)       for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and

(ii)       to provide appropriate safeguards for the transfers in accordance with the Swiss Data Protection Laws, as the case may be.

3.3       Hierarchy

In the event of a contradiction between the Clauses and the provisions of related agreements between the Parties, the Clauses shall prevail. In the event of a conflict or inconsistency between this Addendum and the provisions of other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

3.4       Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws

To the extent that the data exporter’s Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” (as defined in the Clauses, as amended by the remainder of this paragraph 3.3(a)) the following amendments are made to the Clauses:

(a)       References to the “Clauses” or the “SCCs” mean this Swiss Addendum as it amends the SCCs.

(b)       Clause 6 Description of the transfer(s) is replaced with:

“The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer.”

(c)       References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

(d)       References to Regulation (EU) 2018/1725 are removed.

(e)       References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.

(f)       Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the FDPIC;

(g)       Clause 17 is replaced to state:

“These Clauses are governed by the laws of Switzerland”.

(h)       Clause 18 is replaced to state:

“Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

3.5       Supplementary provisions for transfers of Personal Data subject to both the GDPR and Swiss Data Protection Laws

(a)       To the extent that the data exporter’s Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” under both the Clauses and the Clauses as amended by paragraph 3.3(c) of this Addendum:

(i)       for the purposes of Clause 13(a) and Part C of Annex I:

(A)       the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer, or such transfer is an “onward transfer” as defined in the Clauses (as amended by paragraph 3.3 of this Addendum); and

(B)       subject to the provisions of paragraph 2 of this Schedule 3 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter’s processing, or such transfer is an “onward transfer” as defined in the Clauses.

(b)       the terms “European Union”, “Union”, “EU”, and “EU Member State” shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland to bring a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses; and

4.       Transfers under the laws of other jurisdictions

4.1       With respect to any transfers of Personal Data referred to in clause 1(b) (each a “Global Transfer”), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.

4.2       For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:

(a)       for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter’s Processing when making that transfer; and

(b)       to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.

4.3       The amendments referred to in paragraph 2 include (without limitation) the following:

(a)       references to the “GDPR” and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;

(b)       references to the “Union”, “EU” and “EU Member State” are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the “Exporter Jurisdiction”);

(c)       the “competent supervisory authority” shall be the applicable supervisory authority in the Exporter Jurisdiction; and

(d)       Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.

4.4       Where, at any time during the Processor’s Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under the Exporter Data Protection Laws with respect to transfers of Covered Data by Controller to Processor, the Parties shall promptly enter into a supplementary agreement that:

(a)       incorporates any standard data protection clauses or another transfer mechanism formally adopted by the relevant authority in the Exporter Jurisdiction;

(b)       incorporates the details of Processing set out in Schedule 1;

(c)       shall, with respect to the transfer of Personal Data subject to the Exporter Data Protection Laws, take precedence over this DPA in the event of any conflict.

4.5       Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into in accordance with paragraph 4 with the relevant national authority.