Terms & Policies

UK GDPR Data Processing Addendum

Nitro Pro

Download a copy

THIS DATA PROCESSING ADDENDUM APPLIES IF YOU HAVE SIGNED UP FOR NITRO SERVICES AS A BUSINESS CUSTOMER UNDER THE NITRO TERMS OF SERVICE AND THE UK GDPR APPLIES TO THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE AGREEMENT. IN CASE YOU SIGNED UP AS AN INDIVIDUAL, PLEASE VISIT NITRO’S PRIVACY POLICY FOR MORE INFORMATION ON HOW NITRO PROCESSES YOUR PERSONAL DATA.

1. Scope; Roles of the Parties

Nitro will receive and process Personal Data for the benefit and on behalf of the Customer when providing the Service, according to the instructions and purpose defined by the Customer in the Data Processing Details. By means of this Data Processing Addendum, Parties wish to lay down their specific agreements in respect to processing Personal Data within the framework of the Agreement.

By default, Nitro shall act as a Processor and the Customer shall act as a Controller in respect of the Services provided by Nitro to the Customer pursuant to the Nitro Terms of Service. This Data Processing Addendum supersedes and replaces all previous agreements made (if any) in respect of processing Personal Data and data protection between the Parties related to the Services offered by Nitro.

This Data Processing Addendum supplements and forms part of the Terms of Service, and together the Terms of Service and this Data Processing Addendum constitute a single legal agreement between the Parties. In case of discrepancies or contradictions between this Data Processing Addendum and the Terms of Service, the Data Processing Addendum will prevail.

2. Definitions

“Annex” means any annex to the present Data Processing Addendum;

“Controller” refers to the Customer as identified in the Terms of Service and the applicable Order Form;

“Data Processing Details” means Annex 1 to the present Data Processing Addendum which includes more details on the Customer’s instructions on the processing of Personal Data such as the purpose, object and nature of processing and the kind of Personal Data being processed;

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“Personal Data” means personal data as defined under UK GDPR that Nitro processes for the benefit and on behalf of the Customer when providing the Services according to the instructions and purpose defined by the Customer in the Data Processing Details;

“Processor” refers to Nitro Software Inc., supplier of the Services to the Customer and as identified in the Terms of Service;

“Sub-processor List” refers to the list of Sub-processors as made available online by Nitro that includes the Sub-processors engaged by Nitro for the provisioning of the Services and the fulfillment of Nitro’s obligation under the Agreement in general. Nitro may update the Sub-processor List from time to time as per the process set out in this Data Processing Addendum;

“Sub-processor” means any third party processor engaged by Nitro for the processing of Personal Data related to the provisioning of the Services to the Customer;

“UK GDPR” means the EU GDPR as transposed into UK domestic law by virtue of section 3 of the European Union Withdrawal Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended);

“UK Personal Data” means Personal Data to which the UK GDPR is applicable;

“UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under Section 119A(1) of the Data Protection Act 2018, in the form and manner set out in Annex 2 to this Data Processing Addendum.

All other terms and definitions written with capital letters and which are not defined expressly in this Data Processing Addendum, are defined as set out in the applicable data protection legislation or Nitro’s Terms of Service.

3. Object of this Data Processing Addendum

3.1 This Data Processing Addendum determines the conditions of the processing by Nitro of Personal Data communicated by or at the initiative of the Customer in the context of the Agreement. The nature and purpose of the processing, a list and the kind of Personal Data as well as the categories of the Data Subjects are listed in the Data Processing Details (Annex 1).  

3.2 The processing will exclusively take place for the benefit of the Customer and for the purpose as defined by the Customer in the Data Processing Details. Nitro shall immediately inform the Customer if, in its opinion, an instruction infringes applicable data protection legislation. Nitro will only process the Personal Data according to the documented instructions of the Customer and will not use these Personal Data for its own purpose, unless as explicitly permitted in the Terms of Service. If Nitro is legally obliged to proceed with any processing of Personal Data, Nitro will, unless this would violate applicable mandatory rules, inform the Customer of such obligation.  

4. Term

4.1 This Data Processing Addendum is applicable to all processing of Personal Data executed in the context of the provisioning of the Services to the Customer by Nitro and applies as long as Nitro processes Personal Data on behalf of the Customer in the context of the Agreement. This Data Processing Addendum supplements the Nitro Terms of Service and is meant to ensure the Parties’ compliance with the requirements imposed by the applicable data protection laws and regulations for Customer´s use of the Services. 

4.2 This Data Processing Addendum ends automatically upon termination of the Agreement (or at the moment the processing by Nitro is terminated). The provisions of this Data Processing Addendum that are either expressly or implicitly (given their nature) intended to have effect after termination of the Data Processing Addendum shall survive the end of the Agreement with regard to the Personal Data communicated by or at the initiative of the Customer in the context of the Agreement.  

5. Technical and Organizational Measures

5.1 Nitro offers adequate guarantees with regard to the implementation of appropriate technical and organizational measures (“TOMs”) to ensure secure processing of Personal data and so the protection of the Data Subject's rights is guaranteed. The TOMs implemented by Nitro are as set out in the Data Processing Details. The TOMs may be updated by Nitro from time to time, however Nitro will ensure not to downgrade the overall security it has implemented at the moment of the Data Processing Addendum’s execution. The Customer acknowledges the TOMs to be adequate for the processing of its Personal Data at the moment of signing or accepting this Data Processing Addendum.   

5.2 Nitro shall take all appropriate technical and organizational measures as referred to in article 32 UK GDPR to ensure an adequate level of security appropriate to the risk. 

5.3 If the Customer provides sensitive Personal Data as referred to in articles 9 and 10 UK GDPR to Nitro in the context of the Agreement, the Customer will notify Nitro thereof in writing via privacy@gonitro.com

5.4 In case the Customer is requesting specific technical and organizational measures to be implemented by Nitro (which Nitro has not implemented by default), the Customer will reimburse Nitro for implementing such additional measures according to Section 14 “Costs” of this Data Processing Addendum. 

5.5 Adherence by Nitro to an approved code of conduct as referred to in article 40 UK GDPR, or an approved certification mechanism as referred to in article 42 UK GDPR may be used as an element of proof of sufficient guarantees as referred to in UK GDPR. 

6. Retention

6.1 Nitro will not keep Personal Data any longer than required for processing of such Personal Data in the context of the Agreement. The Customer will not instruct Nitro to store any Personal Data longer than necessary. The applicable retention period (as defined by the Customer) is set out in the Data Processing Details. 

6.2 At the choice of the Customer, Nitro shall delete or return all Personal Data to the Customer after the end of the provisioning of Services and shall delete existing copies unless applicable law requires storage of the Personal Data. The Customer acknowledges the Services might include download functionalities at the disposal of the Customer to enable Customer to download its data. To the extent such functionalities are available, the Customer shall use such functionalities to extract or delete its data. 

7. Confidentiality

7.1 Parties have agreed on a confidentiality clause in the Terms of Service which applies to the processing of Personal Data in the context of the Agreement.  

7.2 Nitro acknowledges and agrees that only those employees, contractors or agents of Nitro who are involved in the processing of Personal Data may be informed about the Personal Data and only to the extent as reasonably necessary for the performance of the Agreement. Nitro ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality. 

8. Data Subject Rights

8.1 Taking into account the nature of the processing, Nitro shall use all reasonable efforts, by taking appropriate technical and organizational measures, to assist the Customer in the fulfillment of its obligation to respond to requests from Data Subjects. 

8.2 For all assistance performed by Nitro in the context of the treatment of such requests from Data Subjects, the Customer will reimburse Nitro in accordance with Section 14 “Costs” of this Data Processing Addendum. Such reimbursement by the Customer shall not apply (i) in case the Data Subject is invoking its rights because of a Personal Data Breach proven attributable to Nitro or (ii) in case such assistance by Nitro does not exceed four (4) hours of work during the term of the Agreement. 

9. Duty to Notify

9.1 Upon becoming aware of a Personal Data Breach, Nitro shall notify the Customer thereof without undue delay by contacting the contact person indicated in the Agreement or the relevant Order Form (or alternatively via the Customer’s Notification Email Address or (if applicable) any other e-mail address the Customer has shared in the admin portal as privacy contact). Nitro’s contact person for any data protection related matters can be contacted per email: privacy@gonitro.com

9.2 At the request of the Customer, Nitro will inform the Customer of any new developments with regard to any Personal Data Breach and of the measures taken to limit its consequences and to prevent the repetition of such Personal Data Breach. It is the responsibility of the Customer to report any Personal Data Breach to the Supervisory Authority or the Data Subject(s), as required.  

10. Sub-Processing

10.1 The Customer expressly authorizes Nitro to engage Sub-processors for the processing of Personal Data for the performance of the Agreement and to facilitate the provisioning of the Services in general. To this extent, the Customer grants a general written authorization to Nitro to decide with which Sub-processor(s) Nitro cooperates for the fulfilment of its obligations under the Agreement. Nitro publishes a Sub-processor List referring to the Sub-processors engaged by Nitro.  

10.2 Nitro will inform the Customer of any intended changes concerning the addition or replacement of Sub-processors by contacting the contact person indicated in the Agreement or the relevant Order Form (or via the Customer’s Notification Email Address or (if applicable) any other e-mail address the Customer has shared in the admin portal as privacy contact). The Customer will have the right to object to the addition or replacement by addressing Nitro in writing. Parties will in such case discuss the addition, replacement or alternative in good faith and as soon as reasonably possible after the Customer's written notice of objection. 

10.3 Where Nitro engages a Sub-processor for carrying out specific processing activities, the same or similar data protection obligations as set out in this Data Processing Addendum shall be imposed on that Sub-processor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organizational measures (and complying with the relevant technical and organizational measures). Where a Sub-processor fails to fulfil its data protection obligations, Nitro shall remain fully liable to the Customer for the performance of such Sub-processor’s obligation.  

11. International Data Transfers

11.1 The Customer acknowledges that Nitro is established in the United States of America, and thereby authorizes international transfers of personal data for the purposes of providing the Services. Such international data transfer is considered an instruction of the Customer. 

11.2 If, at any time during the term of this Data Processing Addendum, (i) Nitro is certified under the UK Extension to the EU-U.S. Data Privacy Framework (also known as the UK-U.S. ‘data bridge’) (“Framework”); and (ii) that Framework constitutes a valid adequacy decision for the purposes of article 45 UK GDPR, then the Parties acknowledge that no appropriate safeguards are required in respect of transfers between Customer and Nitro.  

11.3 Where the conditions set out in Section 11.2 do not apply, the Parties enter into the UK Standard Contractual Clauses in the form and manner set out in Annex 2 to this Data Processing Addendum, such UK Standard Contractual Clauses being incorporated into and forming part of this Data Processing Addendum.   

11.4 The Customer acknowledges that Sub-processors authorized under clause 10 may also process Personal Data in third countries. The Customer permits such transfers, subject to Nitro taking all steps necessary to ensure such transfers comply with the provisions of Chapter V of the UK GDPR and other applicable data protection laws.  

11.5 In case the transfer of Personal Data to a third country or an international organization is mandatory under applicable law to which Nitro is subject, Nitro shall be allowed to perform such transfer and shall inform the Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest. 

12. Data Protection Impact Assessment and Prior Consultation

12.1 If the Customer performs a Data Protection Impact Assessment (“DPIA”) (article 35 UK GDPR) or prior consultation (article 36 UK GDPR) linked to the processing of Personal Data in the context of the performance of the Agreement, Nitro shall reasonably assist the Customer by providing assistance upon the Customer’s written request. The Customer will reimburse Nitro for assistance provided according to Section 14 “Costs” of this Data Processing Addendum. Such reimbursement of costs shall not apply in case (i) the assistance requested from Nitro is less than four (4) working hours during the term of the Agreement, or (ii) the DPIA or prior consultation is triggered by a Personal Data Breach proven attributable to Nitro. 

13. Audit Right

13.1 The Customer has the right to perform audits regarding the compliance by Nitro with its obligations under this Data Processing Addendum and the applicable data protection legislation. Nitro shall use its reasonable efforts to cooperate with such audits and to make available all information necessary to prove its compliance with its obligation. The Customer shall notify Nitro of such audit at least one (1) month prior to the date on which the audit will be performed, by given written notice to Nitro via privacy@gonitro.com.  

13.2 In case an audit is being performed, all parties involved shall first sign a specific non-disclosure agreement issued by Nitro with respect to such audit and the audit results before the start of the audit. Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to third parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify its compliance with this Data Processing Addendum and the applicable laws and regulations in respect of data protection. The Customer has the option to perform the audit itself or to assign an independent auditor, however such independent auditor must duly sign the non-disclosure agreement referred to in this Section. 

13.3 Both Parties and where applicable their representatives, shall reasonably cooperate, upon request, with the Supervisory Authority in the performance of its tasks.  

13.4 The Customer will reimburse Nitro for the assistance provided by Nitro in relation to audit(s) in accordance with Section 14 “Costs” of this Data Processing Addendum. It being understood, such reimbursement shall not apply in case (i) the audit is a result of a Personal Data Breach proven attributable to Nitro or, (ii) in case Nitro’s assistance does not exceed four (4) working hours during the term of the Agreement. 

14. Costs

14.1 The assistance to be performed under this Data Processing Addendum for which Nitro may charge the Customer, will be charged on the basis of the hours worked and the applicable standard hourly rates of Nitro (USD 295/hour taxes excluded). Nitro will invoice these amounts on a monthly basis but also has the right to request an upfront retainer fee.  

14.2 The payment by the Customer to Nitro for the assistance and professional services provided by Nitro under this Data Processing Addendum will take place in accordance with the provisions in the Terms of Service.  

15. Liability

15.1 Subject to the maximum extent permitted under applicable law, the provisions of the Terms of Service concerning limitation of liability also apply to this Data Processing Addendum and the damages arising out of it. 

16. Miscellaneous

16.1 The provisions of the Terms of Service concerning changes, entire agreement, severability, applicable law and competent courts are applicable to this Data Processing Addendum. In case of discrepancies or contradictions between this Data Processing Addendum and the UK Standard Contractual Clauses, if applicable, the UK Standard Contractual Clauses will prevail. 

Annex 1 - Data Processing Details

A. LIST OF PARTIES

1. DATA EXPORTER(S)
Name: Customer, as identified in the Agreement and relevant Order Form.

Address: The address of the data exporter is set out in the Agreement and relevant Order Form.

Contact person’s name, position and contact details: The contact details of the contact person for the data exporter are set. out in the Agreement, the relevant Order Form (and if applicable the Customer’s admin portal).

Activities relevant to the data transferred: The activities that are relevant to the data transferred under these UK Standard Contractual Clauses are described below in Section B “Description of processing/transfer”.

Signature and date: By signing or accepting the relevant Order Form, the data exporter will be deemed to have signed this Annex I.

Role (controller/processor): Controller

2. DATA IMPORTER(S)
Name: Nitro Software Inc.

Address: 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States.

Contact person’s name, position and contact details: privacy@gonitro.com, 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States.

Activities relevant to the data transferred: The activities that are relevant to the data transferred under these UK Standard Contractual Clauses are described below in Section B “Description of processing/transfer”.

Signature and date: By signing or accepting the relevant Order Form, the data importer will be deemed to have signed this Annex I.

Role (controller/processor): Processor

B. DESCRIPTION OF PROCESSING/TRANSFER

1. SUBJECT MATTER OF THE PROCESSING OF THE PERSONAL DATA 

The subject matter is determined by the Customer as set out in the Agreement and relevant Order Form.

2. THE NATURE AND PURPOSE OF THE PROCESSING OF PERSONAL DATA  

The nature and purpose of processing is determined by the Customer as set out in the Agreement and relevant Order Form.

By default, such processing shall have as purpose to make available the Services including all its features and functionalities to the Customer and its Users and more in general to permit Nitro to fulfil its contractual obligations under the Agreement. Such purpose can be making available the Cloud Services (for example but without limitation making available the customer cloud portal, electronic signing services, analytics services etc.) as well as the provisioning of Support.

The nature of processing shall, among other instructions given by the Customer in the Agreement and relevant Order Form, include the processing, collection, storage, communication and transfer of Personal Data.

3. PERSONAL DATA PROCESSED 

Depending on the functionalities used within the Services (e.g. admin portal, electronic signing services, analytics services etc.) and the content of the Customer Data uploaded by the Customer and its Users into the Services, Nitro processes different kinds of Personal Data.

In general, the Personal Data processed by Nitro includes without limitation:

  • Identification details (for example User- and usage details) 
  • Document data (for example Personal Data included in PDF documents processed) 

A detailed overview of the kind of Personal Data being processed when using the Services is available via Nitro’s Trust Center: Processing of Personal Data

4. SENSITIVE DATA 
The data exporter might include sensitive Personal Data in the personal data in accordance with Section 5.3 of this Data Processing Addendum. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: reference is made to the TOMs as listed or referenced in the Data Processing Details below.

5. CATEGORY OF DATA SUBJECTS 

The following categories Data Subjects are by default in scope:

  • All Users having access to the Services (which includes admin users, general users or invited users such as signatories). 
  • All Data Subjects included in the Customer Data uploaded into the Services by the Customer or its Users.  

The Customer confirms those Data Subjects will by default be considered one of the following categories:

  • Customer’s staff 
  • Customer’s customers  
  • Customer’s prospects 
  • Customer’s suppliers 

6. SUB-PROCESSORS 

Nitro engages Sub-processors for ensuring all functionalities are available within the Services. Which Sub-processors are applicable depends on the Services use and the functionalities and set-up requested by the Customer. A detailed listing of the Sub-processors engaged by Nitro (including the procedure we apply when engaging new Sub-processors) is available via our Trust Center: Sub-Processors and Subcontractors

7. TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs) 

Nitro implements appropriate technical and organizational measures to ensure adequate security when using the Services. We are continuously updating such measures. A detailed overview of the measures taken is available via our Trust Center on our Security section: Information Security and in our Information Security Policy. Our Trust Center also lists the certifications Nitro holds in the Compliance section: Compliance.

8. RETENTION PERIOD 

Nitro will not store Personal Data any longer than necessary for the provisioning of the Services. Depending on the Services and the functionalities you are using as a Customer, the applicable retention period(s) might differ. Each Customer can request Nitro to configure specific retention periods on their environment (as far as this is technically feasible).

In case no specific retention periods were configured, Personal Data will by default be stored by Nitro until deletion by the Customer or until termination of the Agreement between Nitro and the Customer (plus maximum 30 days), whichever of both situations comes first. A detailed overview of the retention periods is available via our Trust Center: Processing of Personal Data

9. FREQUENCY OF INTERNATIONAL TRANSFERS 

On an ongoing basis, as necessary to provide the Services to the Customer.

Annex 2 - UK Standard Contractual Clauses

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start dateThe date of the Data Processing Addendum
The Parties

Exporter (who sends the Restricted Transfer)

Customer

Importer (who receives the Restricted Transfer)

Nitro

Parties' details

Full legal name: Customer, as identified in the Agreement and relevant Order Form.

Trading name (if different):

Main address (if a company registered address): The address of the data exporter is set out in the Agreement and relevant Order Form.

Official registration number (if any) (company number or similar identifier): As identified in the Agreement and relevant Order Form, or otherwise N/A

Full legal name: Nitro Software Inc.

Trading name (if different):

Main address (if a company registered address): 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States.

Official registration number (if any) (company number or similar identifier): N/A

Key contact

Full Name (optional): The full name of the contact person for the data exporter is set out in the Agreement and relevant Order Form.

Job Title: The job title of the contact person for the data exporter is set out in the Agreement and relevant Order Form.

Contact details including email: The contact details of the contact person for the data exporter are set out in the Agreement and relevant Order Form.

privacy@gonitro.com

Nitro Software Inc.
447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States.

Signature (if required for the purposes of Section 2)Not required – this Annex 2 forms part of and is incorporated into the Data Processing Addendum.Not required – this Annex 2 forms part of and is incorporated into the Data Processing Addendum.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

26. Date:
27. Reference (if any):
28. Other identifier (if any):
29. Or

the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

ModuleModule in operationClause 7 (Docking Clause)Clause 11 (Option)Clause 9a (Prior Authorisation of General Authorisation)Clause 9a (Time Period)Is personal data received from the Importer combined with personal data collected by the Exporter?
1
2

X

N/A

N/A

General Authorisation

30 days

No

3
4

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Table 1 above.
Annex 1B: Description of Transfer: See Annex 1 to this Data Processing Addendum.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See clause 5 to this Data Processing Addendum.
Annex III: List of Sub processors (Modules 2 and 3 only): See clause 10.1 to this Data Processing Addendum.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19:
Importer
Exporter
neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum. 
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs. 

Interpretation of this Addendum

3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings: 

AddendumThis International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs Appendix Information

The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.

As set out in Table 3.

Appropriate SafeguardsThe standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved AddendumThe template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCsThe Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICOThe Information Commissioner.
Restricted TransferA transfer which is covered by Chapter V of the UK GDPR.
UKThe United Kingdom of Great Britain and Northern Ireland.
UK Data Protection LawsAll laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPRAs defined in section 3 of the Data Protection Act 2018.

4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.  
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place. 
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies. 
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.  
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.  

Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail. 
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum. 
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs. 

Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that: 

  1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;  
  2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and 
  3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties. 

13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply. 
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made. 
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:  

  1. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs; 
  2. In Clause 2, delete the words: 
    “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
  3. Clause 6 (Description of the transfer(s)) is replaced with: 
    “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
  4. Clause 8.7(i) of Module 1 is replaced with: 
    “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
  5. Clause 8.8(i) of Modules 2 and 3 is replaced with: 
    “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
  6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws; 
  7. References to Regulation (EU) 2018/1725 are removed; 
  8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”; 
  9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”; 
  10. Clause 13(a) and Part C of Annex I are not used;  
  11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”; 
  12. In Clause 16(e), subsection (i) is replaced with: 
    “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
  13. Clause 17 is replaced with: 
    “These Clauses are governed by the laws of England and Wales.”;
  14. Clause 18 is replaced with: 
    “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
  15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.  

Amendments to this Addendum

  1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland. 
  2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards. 
  3. From time to time, the ICO may issue a revised Approved Addendum which:  
    1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or 
    2. reflects changes to UK Data Protection Laws; 
  4. The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
  5. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:  
    1. its direct costs of performing its obligations under the Addendum; and/or  
    2. its risk under the Addendum,  

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  1. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms. 

Download a copy