Restricted Transfers

The parties agree that the EU SCCs shall apply to Restricted Transfers from the EEA. The EU SCCs shall be deemed entered into (and incorporated into this DPA by reference) and completed as follows:

1. Module Two (Controller to Processor) shall apply where the Customer is a Controller of Customer Data and we are processing Customer Data.
2. Module Three (Processor to Processor) shall apply where we are a Processor of the Customer Data and we use a Sub-processor to process the Customer Data.
3. In Clause 7 of the EU SCCs, the optional docking clause will not apply;
4. In Clause 9 of the EU SCCs Option 2 applies, and the time period for giving notice of Sub-processor changes shall be 30 days;
5. In Clause 11 of the EU SCCs, the optional language shall not apply;
6. In Clause 17 of the EU SCCs, Option 1 applies and the EU SCCs shall be governed by Irish law;
7. In Clause 18(b) of the EU SCCs, disputes shall be resolved by the courts of Ireland;
8. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA;
9. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 of this DPA;

The Parties agree that the EU SCCs as amended above in clauses (i) to (xi), shall be adjusted as set out below where the FDPA applies to any Restricted Transfer:

1. The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) shall be the sole Supervisory Authority for Restricted Transfers exclusively subject to the FDPA;
2. Restricted Transfers subject to both the FDPA and the EU GDPR, shall be dealt with by the EU Supervisory Authority named in Schedule 1 of this DPA;
3. The term ’member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18I of the EU SCCs;
4. Where Restricted Transfers are exclusively subject to the FDPA, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA;
5. Where Restricted Transfers are subject to both the FDPA and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA insofar as the Restricted Transfers are subject to the FDPA;
6. The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the revised FDPA.

The parties agree that the UK SCCs shall apply to Restricted Transfers from the UK and the UK SCCs shall be deemed entered into (and incorporated into this DPA by reference), completed as follows:

1. Appendix 1 of the UK SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and
2. Appendix 2 of the UK SCCs shall be deemed completed with the information set out in Schedule 2 of this DPA.