Last Updated January 14, 2025
This Data Processing Addendum (this “Addendum”) is incorporated into and forms part of the sales agreement (the “Agreement”) between Datacor Inc. or its applicable Affiliate (collectively, “Datacor”) and Customer. Capitalized terms used in this Addendum but not defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, all provisions of the Agreement shall remain in full force and effect. This Addendum shall only apply to the extent required by Data Protection Laws (defined below) regarding the relevant Customer Personal Data (defined below).
Definitions
“Affiliate” means an entity that directly or indirectly controls, is controlled by, is under common control with, Customer or Datacor, respectively, where control is defined as the power to direct or cause the direction of the subject entity.
“Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means Personal Data Processed by Datacor on behalf of Customer to perform its obligations under the Agreement.
“Data Protection Laws” means the European Data Protection Laws and United States Data Protection Laws.
“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
“European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other applicable law or regulation related to the protection of Customer Personal Data in the European Economic Area, United Kingdom, or Switzerland.
“Personal Data” means information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws. “Process(es)(ed)(ing)” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
“Processor” means an entity that Processes Personal Data on behalf of a Controller.
“Security Incident” means a breach of Datacor’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Datacor’s possession, custody, or control. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
“Service” means the services and/or products that Datacor has agreed to provide to Customer under the Agreement.
“Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by the European Commission’s implementing decision (C(2021)3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 or the European Parliament and of the Council (available at: https://eur- lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en ), as supplemented or modified by Appendix 3.
“Subprocessor” means any Processor appointed by Datacor to Process Customer Personal Data on behalf of Customer under the Agreement.
“Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
“United States Data Protection Laws” means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, when effective, and its implementing regulations, as may be amended during the Subscription Term(s) of the Agreement (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act, when effective, together with any amendments thereto and any implementing regulations, as may be enacted during the Subscription Term(s) of the Agreement (collectively, “VCPDA”); (c) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring, when effective, together with any amendments thereto and any implementing regulations, as may be enacted during the Subscription Term(s) of the Agreement (collectively, “CTDPA”); (d) the Colorado Privacy Act, when effective, together with any amendments thereto and any implementing regulations, as may be enacted during the Subscription Term(s) of the Agreement (collectively, “CPA”); (e) the Utah Consumer Privacy Act, when effective, together with any amendments thereto and any implementing regulations, as may be enacted during the Subscription Term(s) of the Agreement (collectively, “UCPA”); and (f) any other applicable law or regulation related to the protection of Customer Personal Data in the United States .
2. Processing of Customer Personal Data.2.1 Roles of the Parties; Compliance. The Parties acknowledge and agree that, as between the Parties, with respect to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and Datacor is a Processor. In some circumstances, the Parties acknowledge that Customer may be acting as a Processor to a third-party Controller in respect of Customer Personal Data, in which case Datacor will remain a Processor with respect to the Customer. Each Party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2 Customer’s Instructions and Obligations. Datacor will Process Customer Personal Data in accordance with Customer’s documented instructions unless otherwise required by applicable law, in which case Datacor will inform Customer of such Processing unless notification is prohibited by applicable law. Customer hereby instructs Datacor to Process Customer Personal Data: (a) to provide the Service to Customer; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Service. Datacor will notify Customer if, in its opinion, an instruction of Customer infringes upon Data Protection Laws and will be under no obligation to follow such instruction. Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Datacor’s Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Datacor to permit the Processing of such Customer Personal Data by Company for the purposes of performing Company’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Datacor of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact Datacor’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.
2.3 Details of Processing. The Parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1.
2.4 Processing Subject to the CCPA. As used in this Section, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. Datacor will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and Datacor; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from Datacor’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. Datacor hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The Parties acknowledge that the Personal Information disclosed by Customer to Datacor is provided to Datacor only for the limited and specified purposes set forth in the Agreement and this Addendum. Datacor will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Datacor will notify Customer if Datacor makes a determination that Datacor can no longer meet its obligations under the CCPA. If Datacor notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Datacor or other steps mutually agreed between the Parties in writing.
3. Confidentiality. Datacor shall take reasonable steps to ensure that Datacor personnel who Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Customer Personal Data.
4. Security.
4.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Datacor shall implement reasonable and appropriate technical and organizational measures designed to ensure the confidentiality, integrity, and accessibility of Personal Data at a level of security appropriate to the risk (the “Security Measures”).
4.2 Security Incidents. After becoming aware of a confirmed Security Incident, Datacor will (a) notify Customer of the Security Incident without undue delay and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Datacor will take reasonable steps to provide Customer with information available to Datacor that Customer may reasonably require to comply with its obligations under Data Protection Laws. Datacor’s notification of or response to a Security Incident under this “Security Incidents” Subsection will not be construed as an acknowledgement by Datacor of any fault or liability with respect to the Security Incident.
4.3 Customer’s Responsibilities. Customer agrees that, without limitation of Datacor’s obligations under the “Security” Section of this Addendum, Customer is solely responsible for its use of the Service, including: (a) making appropriate use of the Service to ensure a level of technical and organizational security measures appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Service, where applicable. Without limiting Datacor’s obligations hereunder, Customer is responsible for reviewing the information made available by Datacor relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
5. Subprocessing. Subject to the requirements of this Section, Customer generally authorizes Datacor to engage Subprocessors that Datacor considers reasonably appropriate for the Processing of Customer Personal Data under this Addendum. A list of Datacor’s Subprocessors, including their functions and locations, is available on request and may be updated by Datacor from time to time in accordance with this Section. Datacor will notify Customer of the addition or replacement of any Subprocessor at least ten (10) days prior to such engagement. Customer may object to such changes on reasonable data protection grounds by providing Datacor written notice of such objection within the aforementioned ten (10) days period. Upon receiving such an objection, where practicable and at Datacor’s sole discretion Datacor will use commercially reasonable efforts to: (a) seek an alternative Subprocessor; (b) work with Customer in good faith to make available a commercially reasonable change in the provision of the Service which avoids the use of that proposed Subprocessor; or (c) take corrective steps requested by Customer in its objection and proceed to use the new Subprocessor. If Datacor informs Customer that such change or corrective steps cannot be made, Customer may, as its sole and exclusive remedy available under this Section, terminate the relevant portion of the Agreement involving the relevant aspect of the Service that requires the use of the proposed Subprocessor by providing written notice to Datacor. When engaging any Subprocessor, Datacor will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those imposed upon Datacor by this Addendum. Datacor shall be liable for the acts and omissions of the Subprocessor to the extent Datacor would be liable under the Agreement and this Addendum.
6. Data Subject Rights. Datacor will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Service, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as is possible and to the extent necessary, for Customer to fulfill its obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. Datacor reserves the right to charge Customer on a time and materials basis in the event that Datacor considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming. If Datacor receives a request from a Data Subject under any Data Protection Laws with respect to Customer Personal Data, Datacor will advise the Data Subject to submit the request to Customer and/or forward such request to Customer, and Customer will be responsible for responding to any such request.
7. Assessments And Prior Consultations. In the event that Data Protection Laws require Customer to conduct a data protection impact assessment, transfer impact assessment, prior consultation with a Supervisory Authority, or other similar assessment in connection with Datacor’s Processing of Customer Personal Data, following written request from Customer, Datacor shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, taking into account the nature of Datacor’s Processing of Customer Personal Data and the information available to Datacor. Datacor reserves the right to charge Customer on a time and materials basis in the event that Datacor considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
8. Relevant Records and Audit Rights.
8.1 Review of Information and Records. Upon Customer’s reasonable written request, Datacor will make available to Customer all information in Datacor’s possession reasonably necessary to demonstrate Datacor’s compliance with Datacor’s obligations set out in this Addendum. Such information will be made available to Customer no more than once per calendar year and shall be subject to the confidentiality obligations of the Agreement and/or a mutually agreed upon non-disclosure agreement.
8.2 Audits. To the extent required by law, Datacor will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Customer or an auditor mandated by Customer (“Mandated Auditor”), provided that (a) Customer provides Datacor with at least 30 days advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Datacor; (b) Datacor approves the Mandated Auditor in writing, which such approval shall not be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Datacor’s normal business operations and information systems; (d) Customer or any Mandated Auditor complies with Datacor’s standard safety, confidentiality, and security policies or procedures in conducting any such audits and will not have access to non-Customer data; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Datacor and subject to the confidentiality obligations of the Agreement and/or a mutually-agreed upon non-disclosure agreement; (f) Customer not initiate such audit more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws; and (g) Customer shall bear all costs and expenses related to the audit.
8.3 Alternative Independent Audit. In Datacor’s sole discretion and at Datacor’s expense, in lieu of the audit procedures specified in the foregoing section, Datacor may, with Customer’s consent which shall not be unreasonably withheld, arrange for a qualified and independent auditor to conduct the required audits under applicable Data Protection Laws (“Alternative Independent Audit”).
8.4 Results of Audits. Customer will promptly notify Datacor of any non-compliance discovered during the course of an audit conducted by Customer or Mandated Auditor and provide to Datacor any reports generated in connection with any such audit, unless prohibited by Data Protection Laws. Customer will receive a copy of any Alternative Independent Audit, upon written request. Customer may only use any audit reports it receives, including from an Alternative Independent Audit, solely for the purposes of meeting Customer’s audit requirements under Data Protection Laws to confirm that Datacor’s Processing of Customer Personal Data complies with this Addendum and as soon as such purpose is completed, Customer will permanently and completely dispose of all copies of the audit report.
9. Data Transfers.9.1 Data Processing Facilities. Datacor may, subject to the Sections of this Addendum covering European Transfers and Transfers Subject to Other Jurisdictions, Process Customer Personal Data in the United States or anywhere Datacor or its Subprocessors maintains facilities. Customer is responsible for ensuring that its use of the Service complies with any cross-border data transfer restrictions of Data Protection Laws.
9.2 European Transfers. If Customer transfers Customer Personal Data to Datacor that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Datacor (as “data importer”) agree that the applicable provisions of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the Parties agree that: (a) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Addendum Effective Date; (b) the relevant selections, provisions, and modifications set forth in Appendix 2 shall apply, as applicable; and (c) if the Standard Contractual Clauses are invalidated, the Parties will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful transfer of Customer Personal Data by Datacor or its Subprocessors.
9.3 Transfers Subject to Other Jurisdictions. If Customer transfers Customer Personal Data to Datacor that is subject to Data Protection Laws other than European Data Protection Laws and which require the Parties to enter into a data transfer agreement to ensure the protection of the transferred Customer Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the Parties will negotiate in good faith such other data transfer agreement.
10. Deletion or Return of Customer Personal Data. Following termination or expiration of the Agreement or upon written request of Customer, Datacor shall, at Customer's option, delete or return Customer Personal Data and all copies to Customer, except (i) as required by applicable law, (ii) to fulfill legal obligations, (iii) to protect Datacor’s legal rights, and (iv) as stored in Datacor’s backup system. If Datacor retains Customer Personal Data for legal reasons, Datacor will notify Customer of such reasons, except when prohibited by law. Backup systems will be purged in accordance with Datacor’s standard business practices and policies. If Datacor retains Customer Personal Data beyond the termination or expiration of the Agreement, Datacor agrees that all such retained Customer Personal Data will continue to be protected in accordance with this Addendum until it is deleted or returned to Customer
11. General Provisions. This Addendum will, notwithstanding the termination or expiration of the Agreement, remain in effect until, and automatically expire upon, Datacor’s deletion or return of all Customer Personal Data. Should any provision of this Addendum be invalid or unenforceable, the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Addendum and the other provisions of the Agreement regarding the Processing of Customer Personal Data, this Addendum will govern. Unless otherwise expressly stated herein, the Parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
1. Subject matter and duration of the Processing of Customer Personal DataThe subject matter of the Processing of Customer Personal Data is Datacor’s provision of the Services. The duration of the Processing begins when Datacor receives Customer Personal Data from or on behalf of Customer and ends either (i) as is detailed in the Agreement, (ii) at a time established by Customer instructions, or (ii) as is otherwise permitted by applicable laws.
2. Nature and purpose of the Processing of Customer Personal DataThe nature and purpose of the Processing are those activities reasonably required to facilitate or support the provision of the Service as described in the Agreement and the Addendum, comply with Data Protection Laws and legal obligations, protect legal rights, and as otherwise permitted by Data Protection Laws.
3. The categories of Data Subjects to whom Customer Personal Data relatesData subjects whose Personal Data is uploaded by Customer to, or otherwise received directly or indirectly from Customer (including from a user on Customer’s behalf) by or through, the Service, or provided by Customer to Datacor to input into the Service.
4. The categories of Customer Personal Data. Customer may transfer Personal Data to Datacor the extent of which is determined and controlled by Customer in its sole discretion. Such Personal Data may include any category of Personal Data the Customer or its users may enter into the Service.
5. The sensitive data included in Customer Personal Data. The Parties do not anticipate Processing any sensitive Customer Personal Data other than email address and IP address in the performance of the Services. The restrictions or safeguards applied to such data are described in the Security Measures.
6. The frequency of Customer’s transfer of Customer Personal Data to Datacor: On a continuous basis for the Term of the Agreement.
7. The period for which Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the “Deletion or Return of Customer Personal Data” Section of this Addendum.
8. For transfers to Subprocessors, the subject matter, nature and duration of the Processing of Customer Personal Data: As set forth in the “Subprocessing” Section of this Addendum.
APPENDIX 2: STANDARD CONTRACTUAL CLAUSES
1. Application of Modules. If Customer is acting as a Controller with respect to Customer Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. If Customer is acting as a Processor to a third-party Controller with respect to Customer Personal Data, Datacor is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply.
2. Sections I-V. The Parties agree to the following selections in Sections I-IV the Standard Contractual Clauses: (a) the Parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in the “Subprocessing” Section of this Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the Parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the Parties select the courts of the Republic of Ireland.
3. Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant Supervisory Authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 6 (Transfers from the United Kingdom) or 7 (Transfers from Switzerland) of this Appendix 2. If such determination is not clear, then the competent Supervisory Authority shall be the Irish Data Protection Authority. The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in Appendix 2 of this Addendum
4. Supplemental Business-Related Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the Parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. Datacor and Customer therefore agree that the applicable provisions of the Agreement and the Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
5. Instructions. The instructions described in Clause 8.1 are set forth in the “Customer Instructions” Section of this Addendum.
6. Protection of Confidentiality. In the event a Data Subject requests a copy of the Standard Contractual Clauses or the Addendum under Clause 8.3, Customer shall make all redactions reasonably necessary to protect business secrets or other Confidential Information of Datacor.
7. Deletion or Return. Deletion or return of Customer Personal Data by Datacor under the Standard Contractual Clauses shall be governed by the “Deletion or Return of Customer Personal Data” Section of this Addendum. Certification of deletion of Customer Personal Data under Clause 8.5 or Clause 16(d) will be provided by Datacor upon the written request of Customer.
8. Onward Transfers. Datacor shall be deemed in compliance with Clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
9. Audits and Certifications. Any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with the “Relevant Records and Audit Rights” Section of this Addendum.
10. Liability. The relevant provisions of the Agreement that govern indemnification or limitation of liability shall apply to Datacor’s liability including under Clauses 12(a), 12(d), and 12(f) of the Standard Contractual Clauses.
11. Termination. The relevant provisions of the Agreement that govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.
12. Supplemental Measures. If a government or regulatory agency of a country to which Customer Personal Data has been transferred requests access to Customer Personal Data (“Request”), and unless required by a valid court order or if otherwise Datacor may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to Customer Personal Data, or where the access is requested in the event of imminent threat to lives, Datacor will:
-
- not intentionally create ‘back doors’ or similar programming that could be used to access the Customer Personal Data;
- not provide the source code or encryption keys to any government agency for the purpose of accessing the Customer Personal Data;
- upon Customer’s written request, provide reasonable available information about the requests of access to Personal Data by government agencies that Datacor has received in the six (6) months preceding to Customer’s request; and
- notify Customer of the Request to enable the Customer to take necessary actions, to communicate directly with the relevant agency and to respond to the Request. If Datacor is prohibited by law to notify the Customer of the Request, Datacor will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
13. Transfers from the United Kingdom. If Customer transfers Customer Personal Data to Datacor that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for- organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Customer’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in this Appendix 3 and the Addendum; and (d) either party may end the UK Addendum in accordance with section 19 thereof.
14. Transfers from Switzerland. If Customer transfers Customer Personal Data to Datacor that is subject to the Swiss FDPA, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FDPA applies to Customer’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FDPA on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FDPA; and (d) the Parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.