Unless specifically agreed otherwise, these terms shall apply to the processing of personal data between Menwell Ltd and any of its suppliers.
The terms below shall form part of any supply agreement.
1. Introduction
1. This Data Processing Agreement (the “Data Processing Agreement”) sets out certain data protection obligations we expect our vendors and other Suppliers (collectively, “Suppliers”) to meet in connection with their provision of products and services to us.
This Data Processing Agreement is supplemental to and forms part of any agreement we have with our Suppliers into which this Data Processing Agreement has been incorporated (the “Agreement”).
2. Different sections of this Data Processing Agreement shall apply depending on our relationship with Supplier. Each section states when it will apply.
2. Definitions
1. This section applies to all Suppliers.
2. For purposes of this Data Processing Agreement, the following terms have the following meanings:
a. “Controller” means a person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
b. “Customer”, “we”, “us” and “our” means: (i) Menwell Ltd; and (ii) any affiliate or subsidiary that controls, is controlled by or is under common control with the Menwell Ltd;
c. “Data Protection Law” means any domestic, foreign, international, multinational or other jurisdiction, law, statute, treaty, rule, regulation, ordinance, code, and guidance issued by regulatory authorities competent to interpret or enforce the same, relating to processing personal data, privacy, data protection (the protection of Personal Data), or cybersecurity, as may be amended from time to time;
d. “Data Subject” means the individual to whom Personal Data relates;
e. “Data Subject Request” means a request by a Data Subject for information, access, rectification, erasure, restriction, portability, objection, do-not-sell, deletion, or any other similar request;
f. “Description of Processing” means the description of Personal Data Processed by Supplier under the Agreement;
g. “EEA” means the European Economic Area;
h. “EEA Data Transfer” means a transfer of Personal Data (a) that is subject to the GDPR; (b) to a recipient in a country or territory outside of the EEA; and (c) which is not subject to an adequacy decision by the EU Commission;
i. “EEA Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021 C(2021) 3972, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en;
j. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation);
k. “Data Security Obligations” means any applicable information security obligations which are attached to or otherwise form a part of the Agreement;
l. “Other Data Transfer” means a transfer of Personal Data: (i) that is subject to the laws of a country which restricts the transfer of Personal Data to another country not deemed adequate to receive such Personal Data (a “Restricting Country”); and (ii) which is not an EEA Data Transfer or UK Data Transfer;
m. “Personal Data” means any data relating to an identified or identifiable natural person, including any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Data Protection Laws, limited to that Personal Data which Supplier Processes in connection with the Agreement;
n. “Process” or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, including the collection, recording, organisation, structuring, storage, adaption or alteration, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
o. “Processor” means a person or entity which Processes Personal Data on behalf of the Controller;
p. “Security Incident” shall mean:
(i) any serious interruption of Supplier’s Processing operations;
(ii) any unauthorised acquisition, loss, access, use or misuse, loss of access to, or loss of use of Personal Data (including loss of any storage medium on which Personal Data is stored); or
(iii) any breach of security leading to the accidental or unlawful destruction, loss, alteration, use or misuse, unauthorised disclosure of, or access to, Personal Data;
q. “Sensitive Personal Data” shall mean Personal Data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; sex life or sexual orientation; the Processing of genetic data, or of biometric data for the purpose of uniquely identifying a Data Subject; Personal Data relating to criminal convictions and offences or related security measures; government-issued identification numbers; account credentials; financial account numbers including payment card numbers; precise geolocation data; contents of communications not directed to Supplier or Customer; and such subsets of Personal Data that are deemed “sensitive” or require enhanced protections under applicable Data Protection Laws;
r. “Services” has the meaning provided in the Agreement or, if not defined by the Agreement, means the products or services rendered by Supplier to us pursuant to the Agreement;
s. “Sub-Processor” means a person or entity which Processes Personal Data on behalf of a Processor;
t. “Training Data” means data used to train or otherwise improve or enhance the capabilities of any AI;
u. “UK Data Transfer” means a transfer of Personal Data that is subject to the UK GDPR to a country or territory outside of the UK which has not been deemed adequate by the UK’s Secretary of State;
v. “UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018; and
w. “UK SCC Addendum” means the template addendum issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
3. Terms for All Suppliers
1. This section applies to all Suppliers.
2. Compliance with law. Supplier shall comply with all applicable Data Protection Laws and provide privacy protections appropriate to address its obligations thereunder. Supplier shall notify Customer immediately at DPO@Manual.co if it determines that it can no longer meet its obligations under Data Protection Law. Customer shall have the right to take appropriate steps to eliminate and remediate any unauthorised Processing of Personal Data by Supplier.
3. Security. Supplier shall implement and maintain technical and organisational measures appropriate and adequate to protect Personal Data. Supplier’s security measures shall be designed to: (i) ensure the confidentiality, availability, and integrity of Personal Data; (ii) protect against any anticipated threats or hazards to the security or integrity of Personal Data; and (iii) protect against unauthorised Processing.
4. Third party communications. In the event that Supplier receives any communications from an individual, regulator, governmental body or other third party relating to:
a. Supplier’s Processing of Personal Data in connection with the Agreement; or
b. Customer’s Processing of Personal Data,
Supplier shall (unless prohibited by law) promptly notify Customer (at DPO@Manual.co) giving full details of such communication and shall provide all cooperation reasonably requested by Customer to respond to such communication. Supplier shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so.
5. Response to requests and incidents. Supplier will not, without obtaining prior written approval from Customer, name Customer (including any subsidiary or affiliate of Customer) in any: (i) response to a Data Subject; (ii) public disclosure pertaining to Processing; (iii) notice of a Security Incident; or (iv) disclosure to a data protection authority or other legal body relating to Processing.
6. Term and survival.
a. The provisions of this Data Processing Agreement will end when Supplier ceases to Process Personal Data in connection with the Agreement.
b. Notwithstanding anything to the contrary in this Section 3 (Terms for all Suppliers), Sections 3.4, 3.5, 3.8 and Section 7 shall survive termination or expiry of the Agreement and this Data Processing Agreement.
7. Translations. In the event of a conflict between the English language version of this Data Processing Agreement and a version in any other language, the English language version shall prevail.
8. No limitation of liability. For the avoidance of doubt, the liabilities of the parties under this Data Processing Agreement shall not be subject to any limitations or exclusions of liability contained in the Agreement.
9. No partnership. Nothing in this Data Processing Agreement shall be deemed to create an employment, joint venture, or partnership relationship between the parties, and neither party is authorized to, nor shall, act toward any third party, individual, entity, or the public in any manner that would indicate any such relationship to the other.
4. Terms for Processors
1. This section applies to the extent:
a. Supplier Processes any Personal Data as a Processor on behalf of Customer; or
b. the Agreement expressly states that this section applies.
2. Instructions. Supplier shall only Process Personal Data in accordance with the documented instructions of Customer (unless otherwise required to Process such Personal Data in accordance with a legal requirement to which Supplier is subject, in which case Supplier shall inform Customer of the legal requirement before commencing such Processing, unless the legal requirement prohibits informing Customer). Customer’s documented instructions are to Process Personal Data: (i) as necessary for Supplier to deliver Services and perform any other obligations under the Agreement; and (ii) as otherwise directed by Customer in writing from time to time. Supplier shall immediately inform Customer if, in Supplier's opinion, a direction or instruction from Customer infringes applicable Data Protection Law.
3. Description of Processing. A description of the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects is set out in the Description of Processing.
4. Use restriction. Supplier shall not:
(i) sell Personal Data or otherwise disclose it in exchange for monetary or other valuable consideration;
(ii) Process Personal Data for any purpose other than the specific purpose of performing the Services or pursuant to the directions of Customer;
(iii) Process Personal Data outside of the direct business relationship between Supplier and Customer; or
(iv) combine the Personal Data with personal information received from or on behalf of other persons or collected from consumers.
Supplier certifies that it understands and will comply with the restrictions of this section.
5. Data Subject requests. Supplier shall promptly inform Customer of any Data Subject Requests or communication from or on behalf of Data Subjects relating to the Personal Data it Processes in connection with the Services, without responding to the Data Subject except to acknowledge receipt of the Data Subject Request or communication (unless otherwise required by Data Protection Law or instructed by Customer).
Supplier shall assist Customer as necessary to allow it to respond to Data Subject Requests, including by provision of appropriate technical and organizational measures, and any necessary product features and functionality.
Supplier shall provide such assistance promptly, and in any event within five (5) days of the Data Subject Request or Customer’s request for assistance.
In appropriate cases, and upon Customer’s reasonable request, Supplier shall assist Customer to inform individuals about the Processing of Personal Data, including by providing or directing applicable Data Subjects to a privacy policy or notice that complies with Data Protection Laws.
Supplier shall maintain, and provide Customer with reasonable access to, complete and accurate records of Data Subject Requests with respect to which Supplier assists.
6. Personnel confidentiality. Supplier shall ensure that all of its personnel are subject to confidentiality obligations that apply to Personal Data.
7. Security. Supplier will implement and maintain those information security procedures and practices set out in the Data Security Obligations.
8. Audit and assistance. Notwithstanding any audit provisions in the Data Security Obligations, Supplier shall:
a. provide to Customer such information and assistance as may be reasonably required to confirm Supplier’s compliance with this Data Processing Agreement, including assistance completing data protection impact assessments and consulting with data protection authorities. Supplier shall further provide such assistance as is reasonably necessary for Customer to comply with Data Protection Law; and
b. at the direction of Customer, submit its data protection program and the facilities that Process Personal Data for audit as to their compliance with this Data Processing Agreement and/or applicable Data Protection Laws.
The audit may be carried out by Customer, or a delegate appointed on its behalf, provided that the delegate agrees to a confidentiality agreement acceptable to Supplier.
Customer will give reasonable advance notice and will conduct any such audit during regular business hours without unreasonably disrupting Supplier's operations.
9. Security Incidents. Supplier will promptly, and in no case later than forty-eight (48) hours after becoming aware, inform Customer via email to DPO@Manual.co in the event of any actual or reasonably suspected Security Incident.
Supplier will provide all information and assistance reasonably required by Customer to investigate, mitigate, and respond to a Security Incident, including, at a minimum, any information or assistance required by applicable Data Protection Law or necessary for Customer to provide any notifications of the Security Incident.
Supplier agrees to consult with Customer before making any public statements or notification to a data protection authority or Data Subject in relation to a Security Incident.
Supplier shall be responsible for, and shall pay to Customer on demand, all costs, liabilities, losses, damages and expenses (including attorney’s fees) incurred by Customer arising out of or in connection with a Security Incident impacting Personal Data Processed by Supplier, its affiliates, assignees, or Sub-Processors.
10. Sub-Processing. Supplier may engage or otherwise permit a Sub-Processor to Process Personal Data on its behalf, provided that Supplier:
a. has entered into a written obligation with each Sub-Processor that imposes obligations no less protective than those included in the provisions of this Data Processing Agreement that apply to Supplier;
b. performs appropriate due diligence to ensure each Sub-Processor can perform as necessary for Supplier to meet its obligations under the provisions of this Data Processing Agreement that apply to Supplier;
c. notifies Customer in advance and in writing of any new Sub-Processor that Supplier proposes to engage.
Customer will have thirty (30) days from receiving such notice to object to Supplier’s engagement of the new Sub-Processor. If Customer does not object within this period, Supplier may permit the Sub-Processor to Process Personal Data. If Customer objects to the use of a Sub-Processor, then Supplier will promptly address Customer’s objections within ten (10) days of receipt. If Supplier cannot resolve Customer’s objection to Customer’s satisfaction within this ten (10) day period, then Customer will have the option to immediately terminate the Agreement without penalty at any time upon providing written notice to Supplier. Supplier will not allow the new Sub-Processor to Process Personal Data during: (i) the thirty (30) days after providing notification of its intent to use a new Sub-Processor; or (ii) any period where Customer’s objection to use of a Sub-Processor has not been resolved to Customer’s satisfaction; and
d. remains fully liable for all Processing of Personal Data performed by each Sub-Processor.
11. Disposal or return. Upon termination or expiration of the Agreement or as otherwise instructed by Customer, Supplier shall in accordance with Customer’s instructions: (i) return to Customer a complete copy of the Personal Data it Processed in connection with the Agreement, in a form and format reasonably agreed upon by the parties; and (ii) securely dispose of the Personal Data (including all copies) in its possession or control that it Processed in connection with the Agreement.
5. Terms for Controllers
1. This section applies to the extent:
a. Supplier independently determines the purposes and means of Processing any Personal Data it Processes in connection with the Agreement; or
b. the Agreement expressly states that this section applies.
2. Notice and transparency. Supplier shall have in place and maintain a clear and conspicuously available privacy policy that informs Data Subjects (whose Personal Data Supplier Processes in connection with the Agreement) about how Supplier Processes their Personal Data and which complies with all applicable laws.
3. Security Incidents. Supplier shall promptly notify the relevant Customer of any actual or reasonably suspected Security Incident impacting Personal Data Processed in connection with the Agreement, and promptly provide Customer with information on the nature of the Security Incident, the Personal Data affected, and Supplier’s response to and mitigation of the Security Incident.
4. Confidentiality. Supplier shall ensure that all of its personnel are subject to confidentiality obligations that apply to Personal Data.
6. Cross-Border Transfers
1. This section applies to Suppliers when an EEA Data Transfer, a UK Data Transfer or an Other Data Transfer occurs.
2. Data transfers (Processors). This paragraph applies when Section 4 (Terms for Processors) applies.
a. EEA Data Transfers. If and to the extent that Personal Data Processed by Supplier is subject to an EEA Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as follows:
i. Application. Supplier shall act as the data importer and Customer shall act as the data exporter;
ii. Docking. For the purposes of Section I, Clause 7, the optional docking clause applies;
iii. Modules. MODULE TWO (transfer controller to processor) applies;
iv. Instructions. For the purposes of Section II, Clause 8.1 (Module Two), the instructions to the data importer shall be instructions to Process Personal Data as necessary to perform the Services and/or supply the products provided by Supplier and as may be specified in accordance with the Agreement;
v. Sub-Processors. For the purposes of Section II, Clause 9 (Module Two), Option 2 applies (and the time period for the data importer to inform the data exporter of any intended changes shall be thirty (30) days in advance);
vi. Redress. For purposes of Section II, Clause 11, the optional language does not apply;
vii. Choice of law. For the purposes of Section IV, Clauses 17 and 18, to the extent permitted by applicable Data Protection Law, the parties agree that their respective obligations under the EEA Standard Contractual Clauses shall be governed by the laws of, and subject to the jurisdiction of the courts of, England and Wales;
viii. Completion of Annex I, Part A. Annex I, Part A (List of parties) is hereby deemed to be completed with: (i) the details of Customer (as data exporter); and (ii) the details of Supplier (as data importer), in each case as set out in the Agreement;
ix. Completion of Annex I, Part B. Annex I, Part B (Description of the transfer) of the EEA Standard Contractual Clauses is hereby deemed to be completed with the information provided in the Description of Processing;
x. Completion of Annex I, Part C. With respect to Annex I, Part C (Competent Supervisory Authority) of the EEA Standard Contractual Clauses, to the extent permitted by applicable Data Protection Law, the parties select the data protection authority of The Republic of Ireland;
xi. Completion of Annex II. Annex II of the EEA Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) is hereby deemed to be completed with the provisions set out in the Data Security Obligations; and
xii. Conflict of terms. In the event of any inconsistency or conflict between the EEA Standard Contractual Clauses and this section, the provisions shall be construed in the manner that affords the greatest protections to Data Subjects.
b. Interpretation of EEA Standard Contractual Clauses for Restricting Countries. If and to the extent that Customer’s disclosure of Personal Data to Supplier amounts to an Other Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as set out above in this paragraph of Section 6, save that: (i) references in the EEA Standard Contractual Clauses to “EU,” “Union,” “EU Member State,” or “Member State” shall refer instead to that Restricting Country; (ii) references to “Regulation (EU) 2016/679” or “that Regulation” shall refer instead to the Data Protection Laws of that Restricting Country and references to specific provisions or articles of the GDPR shall be replaced with the nearest equivalent provision or article of the Restricting Country’s Data Protection Law; (iii) “supervisory authority” shall refer to the data protection authority in that Restricting Country; (iv) references to the “Clauses” means this paragraph as it incorporates and modifies the Clauses.
c. UK Data Transfers. If and to the extent that Personal Data Processed by Supplier is subject to a UK Data Transfer, the UK SCC Addendum is incorporated herein by reference and shall apply as follows:
i. Completion of Table 1. Table 1 of the UK SCC Addendum is completed with the details of Customer (as data exporter) and the details of Supplier (as data importer), as provided in the Agreement. The “start date” is the start date, effective date, or equivalent date of the Agreement. The “key contact” for Customer is “DPO” or that individual’s delegate who can be contacted at dpo@Manual.co and the “key contact” for Supplier will be communicated to Customer from time to time, including the contact’s specific job title and email address.
ii. Completion of Tables 2 and 3. Table 2 of the UK SCC Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.” For the purposes of Table 2 and Table 3 of the UK SCC Addendum, the “Approved EU SCCs” are completed as set out above in this paragraph of Section 6.
iii. Completion of Table 4. Table 4 of the UK SCC Addendum is completed by selecting “neither party.”
iv. Conflict of terms. In the event of any inconsistency or conflict between the UK SCC Addendum and this Data Processing Agreement, the UK SCC Addendum shall prevail.
3. Data Transfers (Controllers). This paragraph applies when Section 5 (Terms for Controllers) applies.
a. EEA Data Transfers. If and to the extent that Personal Data Processed by Supplier is subject to an EEA Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as follows:
i. Application. Supplier shall act as the data importer and Customer shall act as the data exporter;
ii. Docking. For the purposes of Section I, Clause 7, the optional docking clause applies;
iii. Modules. MODULE ONE (transfer controller to controller) applies;
iv. Redress. For purposes of Section II, Clause 11, the optional language does not apply;
v. Choice of law. For the purposes of Section IV, Clauses 17 and 18, to the extent permitted by applicable Data Protection Law, the parties agree that their respective obligations under the EEA Standard Contractual Clauses shall be governed by the law(s) of and subject to the jurisdiction of the courts of The Republic of Ireland;
vi. Completion of Annex I, Part A. Annex I, Part A (List of parties) is hereby deemed to be completed with: (i) the details of Customer (as data exporter); and (ii) the details of Supplier (as data importer), in each case as set out in the Agreement;
vii. Completion of Annex I, Part B. Annex I, Part B (Description of the transfer) of the EEA Standard Contractual Clauses is hereby deemed to be completed with the information provided in the Description of Processing;
viii. Completion of Annex I, Part C. With respect to Annex I, Part C (Competent Supervisory Authority) of the EEA Standard Contractual Clauses, to the extent permitted by applicable Data Protection Law, the parties select the data protection authority of The Republic of Ireland;
ix. Completion of Annex II. Annex II of the EEA Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) is hereby deemed to be completed with the provisions set out in the Data Security Obligations; and
x. Conflict of terms. In the event of any inconsistency or conflict between the EEA Standard Contractual Clauses and this section, the provisions shall be construed in the manner that affords the greatest protections to Data Subjects.
b. Interpretation of EEA Standard Contractual Clauses for Restricting Countries. If and to the extent that Customer’s disclosure of Personal Data to Supplier amounts to an Other Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as set out above in this paragraph of Section 6, save that: (i) references in the EEA Standard Contractual Clauses to “EU,” “Union,” “EU Member State,” or “Member State” shall refer instead to that Restricting Country; (ii) references to “Regulation (EU) 2016/679” or “that Regulation” shall refer instead to the Data Protection Laws of that Restricting Country and references to specific provisions or articles of GDPR shall be replaced with the equivalent provision or article of the Restricting Country’s Data Protection Law; (iii) “supervisory authority” shall refer to the data protection authority in that Restricting Country; (iv) references to the “Clauses” means this section as it incorporates and modifies the Clauses.
c. UK Data Transfers. If and to the extent that Personal Data Processed by Supplier is subject to a UK Data Transfer, the UK SCC Addendum is incorporated herein by reference and shall apply as follows:
i. Completion of Table 1. Table 1 of the UK SCC Addendum is completed with the details of Customer (as data exporter) and the details of Supplier (as data importer), as provided in the Agreement. The “start date” is the start date, effective date, or equivalent date of the Agreement. The “key contact” for Customer is “DPO” or that individual’s delegate who can be contacted at DPO@Manual.co and the “key contact” for Supplier will be communicated to Customer from time to time, including the contact’s specific job title and email address.
ii. Completion of Tables 2 and 3. Table 2 of the UK SCC Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.” For the purposes of Table 2 and Table 3 of the UK SCC Addendum, the “Approved EU SCCs” are completed as set out above in this paragraph of Section 6.
iii. Completion of Table 4. Table 4 of the UK SCC Addendum is completed by selecting “neither party.”
iv. Conflict of terms. In the event of any inconsistency or conflict between the UK SCC Addendum and this Data Processing Agreement, the UK SCC Addendum shall prevail.
4. Additional cross-border transfer provisions. This paragraph applies if and to the extent Personal Data Processed by Supplier is subject to an EEA Data Transfer, UK Data Transfer or Other Data Transfer.
Supplementary measures
a. The parties acknowledge and agree that the judgment of the Court of Justice of the European Union in Case C-311/18 clarifies that supplementary measures may be necessary to ensure that Personal Data which has been subject to an EEA Data Transfer or UK Data Transfer is afforded an essentially equivalent level of protection to the protection it receives when Processed in its territory of origin (in addition to the safeguards contained in the EEA Standard Contractual Clauses). Accordingly, the parties have agreed the measures set out in the following Sections 6.4(b) to (g) as supplementary measures to help ensure such essential equivalence.
b. If Supplier becomes aware of a request or demand from a law enforcement, regulatory, judicial or governmental authority (an “Authority”) to obtain access to or a copy of some or all Personal Data Processed in connection with the Agreement, whether on a voluntary or mandatory basis, Supplier shall:
i. immediately notify Customer of such Authority’s request;
ii. where Section 4 (Terms for Processors) applies, inform the Authority that Supplier is a Processor of Personal Data and that Customer has not authorised it to disclose such Personal Data to the Authority;
iii. inform the Authority that any and all requests or demands for access to such Personal Data should be notified to or served upon Customer (as the Controller) in writing; and
iv. subject to Section 6.4(c), not provide the Authority with access to such Personal Data unless and until authorised in writing by Customer.
c. Notwithstanding Section 6.4(b)(iv), Supplier may, without Customer’s prior written authorisation, disclose to an Authority Personal Data following receipt of a request or demand from such Authority, provided that (unless prohibited by law):
i. Supplier has given Customer reasonable prior notice of such request or demand to give Customer a reasonable opportunity to object or to seek a protective order or other appropriate remedy;
ii. Supplier reasonably cooperates with Customer, at Customer’s cost and expense, so that Customer may object to or seek a protective order or other appropriate remedy; and
iii. Supplier in any event discloses only that portion of Personal Data that it is legally required to disclose.
d. If Supplier makes a disclosure of Personal Data to an Authority, Supplier shall only disclose such Personal Data to the extent Supplier is legally required to do so and only in accordance with applicable lawful process.
e. Supplier shall not knowingly disclose Personal Data in a bulk or indiscriminate manner that goes beyond what is necessary and proportionate in a democratic society.
f. Supplier shall have in place, maintain, and comply with a written policy governing requests for Personal Data from Authorities which at minimum prohibits:
i. bulk or indiscriminate disclosure of Personal Data relating to Data Subjects in Europe; and
ii. disclosure of Personal Data relating to Data Subjects in Europe to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Data.
g. Supplier shall have in place and maintain, in accordance with good industry practice, measures to protect Personal Data from interception (including in transit from Customer to Supplier and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept data and encryption of data whilst in transit to deny attackers the ability to read data.
Additional data transfer provisions
h. Supplier agrees to cooperate in good faith to execute additional documents and apply additional protections, or to restrict Processing to certain territories, as Customer may deem necessary to conduct EEA Data Transfers, UK Data Transfers or Other Data Transfers (as applicable).
i. If Supplier will at any time Process Personal Data originating in any country which restricts the transfer of the Personal Data to another jurisdiction not deemed adequate to receive such Personal Data, then Supplier will, on Customer’s instructions:
i. take all necessary actions and execute such agreements as may be necessary under applicable Data Protection Law in such country to legitimize any Processing; and
ii. ensure an adequate level of protection for Customer’s Personal Data.
j. In the event that any competent data protection authority holds that a data transfer mechanism relied on by the parties is invalid, or any competent data protection authority or applicable law requires transfers of Personal Data to be suspended or restricted to a specific jurisdiction, then Customer may, at its discretion, require Supplier to cease Processing Personal Data and Supplier will co-operate with Customer in good faith to facilitate use of an alternative data transfer mechanism, execute additional documents, apply additional protections, or restrict Processing to certain jurisdictions.
7. Indemnity
1. This section applies to all Suppliers.
2. In addition to any indemnity obligations of Supplier set out in the Agreement, Supplier shall defend, indemnify and hold harmless Customer against any and all third party claims, actions, costs, liabilities, losses, damages and expenses (including attorney’s fees) incurred by Customer which arise out of or in connection with: (i) a Security Incident; or (ii) a violation of this Data Processing Agreement by Supplier or Supplier’s affiliates, Sub-Processors (including Sub-Processors appointed by Supplier’s affiliates) and assignees, including without limitation a claim or action by a data protection authority or Data Subject.
8. Artificial Intelligence
1. This section applies to the extent Supplier:
a. provides Customer with, or access to, AI under the Agreement; or
b. uses AI to provide Services under the Agreement in whole or in part.
2. Supplier shall provide such information as is reasonably requested by Customer relating to Supplier’s use of AI in connection with the performance of Supplier’s obligations under the Agreement, including as required by Customer to perform data protection impact assessments and AI bias assessments.
3. Supplier represents and warrants that: (i) all Training Data for any AI provided to Customer in connection with the Agreement or used by Supplier in performance of Supplier’s obligations under the Agreement: (A) was obtained fully in compliance with applicable law and without violation of any third parties’ rights; and (B) did not and does not contain any Personal Data; (ii) Supplier shall not use (or facilitate or permit third parties to use) any Personal Data obtained in connection with the Agreement to train, improve, enhance or prompt AI Outputs from any AI; and (iii) Supplier does not conduct, or facilitate Customer to conduct, any Automated Decision Making in performance of its obligations under the Agreement.