We’ve updated our Data Processing Addendum. Please review it carefully. These updated terms will not apply to existing Customers until their next subscription renewal. For those customers that have executed negotiated agreements with Crossbeam, the agreement will be amended to include these updated terms at the next renewal period.
Updated August 29, 2024
This Data Processing Addendum (“Addendum”) supplements the current version of the Master Cloud Agreement or other written or electronic terms of service or subscription agreement between Customer and Crossbeam, Inc. or the Crossbeam affiliate indicated in the applicable Agreement (collectively, “Crossbeam”), each a “Party” and collectively the “Parties.” This Addendum applies to and takes precedence over that document and any associated contractual document between the Parties, such as a master services agreement, an order form, statement of work or data protection addendum thereunder (collectively, the “Agreement”), to the extent of any conflict. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
Customer and Crossbeam agree as follows:
- Definitions.
For purposes of this Addendum:- “Data Protection Laws” means all applicable laws, regulations, and other legal or governmental requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, as they may be amended or updated from time to time, including without limitation, to the extent applicable, the GDPR and the US Data Protection Laws. For the avoidance of doubt, if Crossbeam’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this Addendum.
- “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
- “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR“), and, where applicable, the “UK GDPR“, as defined in section 3 of the United Kingdom’s Data Protection Act 2018, and the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP“) and the Swiss Data Protection Ordinance of 31 August 2022 (the “Ordinance“, and collectively with the FADP, the “Swiss Data Protection Laws”).
- “Personal Data” includes data or information that is: “personal data,” “personal information,” “personally identifiable information,” and similar terms as defined under Data Protection Laws, to the extent such data or information is included within Customer Data.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Incident” means any confirmed unauthorized or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Crossbeam. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
- “Subprocessor” means any third party authorized by Crossbeam or its affiliates to Process any Personal Data.
- “US Data Protection Laws” means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including without limitation: the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, the California Privacy Rights Act amendments (the “CCPA”), the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).
- The terms “controller“, “processor“, “business” and “service provider” have the meanings given to them in the applicable Data Protection Laws.
- Scope
This Addendum applies to the Personal Data that Crossbeam receives from Customer, or otherwise Processes on Customer’s behalf, in connection with the Service provided by Crossbeam to Customer pursuant to the Agreement (“Covered Data”), except that Annex A (European Annex) to this Addendum applies only to such Processing of Personal Data governed by the GDPR and Annex B (US Annex) to this Addendum applies only to such Processing of Personal Data governed by the US Data Protection Laws. - Roles of the Parties
- The Parties acknowledge and agree that:
- save as set out in paragraph 3.1(b), Crossbeam acts as a processor or service provider in the performance of its obligations under the Agreement and this Addendum and Customer acts as a controller or business; and
- Crossbeam acts as a controller with respect to the Processing of Usage Data (as defined under the Agreement) in accordance with its Privacy Policy (which can be found at https://crossbeam.com/privacy/) for the following purposes (“Controller Purposes”):
- undertaking internal research and development to develop, test, improve and alter the functionality of the Services;
- creating anonymised datasets for training or evaluation of Services; and
- administering the Customer relationship with Crossbeam under the Agreement.
- Purposes of Processing.
- Subject Matter and Details of Processing. The Parties acknowledge and agree that (a) the subject matter of the Processing under the Agreement is Crossbeam’s provision of the Service; (b) the duration of the Processing is from Crossbeam’s receipt of Covered Data until deletion or return of all Covered Data by Crossbeam in accordance with the Agreement; (c) the nature and purpose of the Processing is to provide the Service; (d) the Data Subjects to whom the Processing of Covered Data pertains are Customer’s customers, prospective customers, end users or other individuals to whom Covered Data pertains; and (e) the categories of Covered Data are such categories as Customer Processes through the Service under the Agreement, which in no event should include Prohibited Data. The subject matter and details of Processing are further set out in Annex I of this Addendum.
- Crossbeam will Process Covered Data: (a) to fulfill its obligations to Customer under the Agreement and this Addendum, including to share data provided by Customer with Partners (as defined in the Agreement) as instructed by Customer; (b) on Customer’s behalf; (c) in compliance with Data Protection Laws; and (d) to perform its legal obligations, to respond to legally valid subpoenas or law enforcement requests, to establish, exercise, or defend legal claims in respect of the Agreement, and as otherwise necessary to protection and defend against Security Incidents and fraudulent or other harmful activity.
- If a law or legal process or order to which Crossbeam is subject requires Crossbeam to Process Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Crossbeam will inform Customer of that legal requirement before Processing, unless that law or order prohibits Crossbeam from providing such information.
- Crossbeam will immediately inform Customer if, in Crossbeam’s opinion, an instruction from Customer infringes a Data Protection Law.
- Personal Data Processing Requirements.
Customer will:
- Comply with its obligations as a controller, business or equivalent term under the Data Protection Laws, and shall:
- Provide such information to Data Subjects regarding the Processing of their Covered Data in connection with the Customer’s use of the Services as required under Data Protection Laws;
- Implement appropriate technical and organisational measures to give effect to Data Subject rights under applicable Data Protection Laws, and shall comply with requests from Data Subjects to exercise their rights under Data Protection Laws within the timeframe and subject to any exemptions prescribed in the Data Protection Laws; and
- Enter into any data sharing agreements or other contracts with all Partners required to enable Crossbeam’s sharing of Covered Data with each Partner and to comply with Customer’s obligations under Data Protection Laws.
Crossbeam will:
- Ensure that the persons it authorizes to Process the Covered Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data).
- Promptly notify Customer by email of (a) any third-party or Data Subject complaints regarding the Processing of Covered Data; or (b) any requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws; or (c) any government request for access to or information about Crossbeam’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws.
- Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Covered Data, when required by applicable Data Protection Laws.
- Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Covered Data, including complying with any obligation applicable to Crossbeam under Data Protection Laws to consult with a regulatory authority in relation to Crossbeam’s Processing or proposed Processing of Covered Data.
- Security.
- Security Measures. Crossbeam shall implement and maintain technical and organizational security measures designed to protect Covered Data from Security Incidents, taking into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data, in accordance with Crossbeam’s Security Policy which can be found here https://www.crossbeam.com/legal/security-policy/ (“Security Measures”). Crossbeam may update the Security Measures, provided, however, that such modifications shall not diminish the overall level of security.
- Security Incidents. Upon becoming aware of a confirmed Security Incident, Crossbeam shall notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Crossbeam’s legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Crossbeam recommends Customer take to address the Security Incident. Without prejudice to Crossbeam’s obligations under this Section 6, Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. Crossbeam’s notification of or response to a Security Incident under this Section 6 will not be construed as an acknowledgement by Crossbeam of any fault or liability with respect to the Security Incident.
- Subprocessors.
- Customer specifically authorizes Crossbeam to use its affiliates as Subprocessors, and generally authorizes Crossbeam to engage Subprocessors to Process Covered Data.
- Crossbeam shall enter into a written agreement with each Subprocessor, imposing data protection obligations that, in substance, are no less protective of Covered Data than those set out in this Addendum; and
- Crossbeam remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Crossbeam to breach any of its obligations under this Addendum.
- A list of Crossbeam’s Subprocessors is available at https://www.crossbeam.com/subprocessors/ or such other website as Crossbeam may designate (“Subprocessor Page”), and may be updated by Crossbeam from time to time in accordance with this Addendum.
- When any new subprocessor is engaged, Crossbeam will notify Customer of the engagement, which notice may be given by updating the Subprocessor Page. Crossbeam will give such notice at least fourteen (14) calendar days before the new Subprocessor Processes any Personal Data, except that if Crossbeam reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Personal Data or avoid material disruption to the Service, Crossbeam will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies Crossbeam in writing that Customer objects to Crossbeam’s appointment of a new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith and whether they can be resolved. If the Parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the portion of the Agreement relating to the Services affected by such change for convenience.
- Audits and Reviews of Compliance.To the extent applicable Data Protection Laws include a right for Customer to audit Crossbeam’s Processing of Covered Data, Customer will exercise such audit right, and Crossbeam will fulfill its corresponding obligations, as follows:
- Crossbeam shall make available to Customer relevant information regarding Crossbeam’s Processing of Covered Data under this Addendum in the form of Crossbeam’s most recent SOC 2 Type II certifications or similar audit reports (“Third-Party Reports”).
- Not more than once per calendar year and at Customer’s expense, Customer may audit Crossbeam’s Processing of Covered Data for compliance with its obligations under this Addendum by submitting reasonable requests for information, including security and audit questionnaires. Crossbeam will provide written responses to the extent the requested information is necessary to confirm Crossbeam’s compliance with this Addendum. However, if the requested information is addressed in a Third-Party Report issued within the 12-month period prior to Customer’s request and Crossbeam confirms there have been no material changes in the interim relevant to Customer’s request, Customer agrees to accept such Third-Party Report in lieu of a written response. Any information provided by Crossbeam under this Section 8 constitutes Crossbeam’s Confidential Information under the Agreement.
- If a third party is to conduct an audit under this Section 8, all such audits will be conducted (a) upon reasonable written notice to Crossbeam, (b) only during Crossbeam’s normal business hours; and (c) in a manner that does not materially disrupt Crossbeam’s business operations. Crossbeam may object to the auditor if the auditor is, in Crossbeam’s reasonable opinion, not independent, a competitor of Crossbeam or otherwise unqualified. Such objection by Crossbeam will require Customer to appoint another auditor. Crossbeam shall not be required to facilitate any such audit unless and until the Parties have agreed in writing the scope and timing of such audit.
- Customer will promptly notify Crossbeam of any non-compliance discovered during the course of an audit and provide Crossbeam any audit reports generated in connection with any audit under this Section 8, unless prohibited by GDPR or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and confirming that Crossbeam’s Processing of Covered Data complies with this Addendum.
- Customer shall reimburse Crossbeam for any time expended by Crossbeam or its Subprocessors in connection with any audits under this Section 8 at Crossbeam’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Crossbeam to furnish more information about Subprocessors in connection with such audits than such Subprocessors make generally available to their customers. Nothing in this Section 8 shall require Crossbeam to breach any duties of confidentiality.
- Return or Destruction of Personal Data.
Except to the extent required otherwise by Data Protection Law, Crossbeam will within sixty (60) days after written request by Customer following the termination or expiration of the Agreement, return to Customer and/or securely destroy all Covered Data. Except to the extent prohibited by Addendum, Crossbeam will inform Customer if it is not able to return or delete the Personal Data. - General.
- This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- Notwithstanding any provision to the contrary of the Agreement or this Addendum, Crossbeam may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state, or local law.
- Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.
- This Addendum will automatically terminate upon expiration or termination of the Agreement.
- European Data Protection Clauses
- Definitions; Processing of Data.
- Definitions. For purposes of this Section, the terms “controller”, “processor” and “supervisory authority” have the meanings given in GDPR; “Standard Contractual Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A to this Addendum; and “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
- Regulatory Compliance. The Parties acknowledge and agree that each party will comply with the obligations applicable to it under the GDPR with respect to the Processing of Personal Data.
- Data Transfers.
- The Standard Contractual Clauses shall, as further set out in Annex III, apply to the transfer of any Covered Data from Customer to Crossbeam, and form part of this Addendum, to the extent that:
- the EU GDPR, UK GDPR or Swiss Data Protection Laws applies to the Customer when making that transfer; or
- the Data Protection Laws that apply to the Customer when making that transfer (the “Exporter Data Protection Laws”) prohibit the transfer of Covered Data to Crossbeam under this Addendum in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
- the relevant authority with jurisdiction over the Customer’s transfer of Covered Data under this Addendum has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or
- such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
- established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
- the transfer is an “onward transfer” (as defined in the applicable module of the SCCs).
- The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.
- US Data Protection Clauses
This Section 12 solely applies to the processing of “Covered Data” subject to the US Data Protection Laws.- Crossbeam will not “sell” , “share” or Process Covered Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable US Data Protection Law), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer.
- Crossbeam will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
- Crossbeam will not retain, use, or disclose the Personal Data outside of the direct business relationship between Crossbeam and Customer.
- Crossbeam will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Customer’s express written permission.
- Crossbeam will not, except as otherwise instructed by Customer or permitted by Data Protection Laws, combine Covered Data with Personal Data that Crossbeam receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject.
- Notwithstanding anything in the Agreement or any order form entered in connection therewith, the Parties acknowledge and agree that Crossbeam’s access to Personal Data does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.
- Crossbeam certifies that it understands its obligations under this Addendum, including under this Annex B, and that it will comply with them.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
The data exporter is: each of the Customer and/or Customer affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or Customer and/or Customer Affiliates in any other country to the extent the GDPR applies.
- Contact person’s name, position and contact details: Contact details set forth on the applicable Order Form or account registration
- Activities relevant to the data transferred under these Clauses: Provision of the Subscription Services
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
- 1. Name: Crossbeam, Inc.
- Address: 30 S 15th St Ste 1550, PMB 15987, Philadelphia, Pennsylvania 19102-4826, United States
- Contact person’s name, position and contact details: … Amy Rose, General Counsel, legal@crossbeam.com
- Activities relevant to the data transferred under these Clauses: the data importer Processes Personal Data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further described in section B of this Annex and in the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Customer business contacts and customer employees
Categories of personal data transferred
- Business contact information, IP addresses and log data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Purpose(s) of the data transfer and further processing; Nature of the processing
- Personal Data is subject to the following basic Processing activities:
- use of Personal Data to set up, operate, monitor, provide and support the Services (including operational and technical support), as further described in the Agreement;
- communication to Users;
- storage of Personal Data in dedicated data centers (multi-tenant architecture);
- release, development and upload of any fixes or upgrades to the Services;
- back up and restoration of Personal Data stored in the Services;
- continuous improvement of Services features and functionalities provided as part of the Services including automation and machine learning;
- computer processing of Personal Data, including data transmission, data retrieval, data access;
- aggregating and anonymising Personal Data so that it no longer can be used to identify any natural person, business or Customer.
- network access to allow Personal Data transfer;
- monitoring, troubleshooting and administering the underlying Service infrastructure and databases;
- security monitoring, network-based intrusion detection support, penetration testing; and
- execution of instructions from Customer in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Personal Data will be retained for the length of the Agreement or in accordance with applicable Data Protection Laws.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Subprocessors shall Process Personal Data for purposes of assisting Crossbeam in providing the Services to Customer under the Agreement and shall continue to Process Personal Data for the length of the applicable Agreement governing provision of the Services or as otherwise required under applicable Data Protection laws.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
- Same as Clause 13 above, and where possible, the Irish Data Protection Authority.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES
Crossbeam’s Security Measures describe Crossbeam’s technical and organizational measures designed to secure the Personal Data Crossbeam processes.
ANNEX III – STANDARD CONTRACTUAL CLAUSE PROVISIONS
- EU SCCS
With respect to any transfers referred to in Section 10.2, the Standard Contractual Clauses shall be completed as follows:- Module One (controller to controller) of the SCCs will apply with respect to Crossbeam’s Processing of Personal Data for the Controller Purposes; otherwise, Module Two (controller to processor) of the SCCs will apply.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
- Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in clause 6.1 of the Addendum.
- The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
- With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
- In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
- For the Purpose of Annex I of the Standard Contractual Clauses, Annex I of the Addendum contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
- For the Purpose of Annex II of the Standard Contractual Clauses, Annex II of the Addendum contains the technical and organisational measures.
- UK Addendum
- This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from Customer (as data exporter) to Crossbeam (as data importer), to the extent that:
- the UK Data Protection Laws apply to Customer when making that transfer; or
- the transfer is an “onward transfer” as defined in the Approved Addendum.
- As used in this paragraph 2:“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
- “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
- The Approved Addendum will form part of this Addendum with respect to any transfers referred to in paragraph 2.1, and execution of this Addendum shall have the same effect as signing the Approved Addendum.
- The Approved Addendum shall be deemed completed as follows:
- the “Addendum EU SCCs” shall refer to the SCCs as they are incorporated into this Agreement in accordance with clause 13 and this Annex III;
- Table 1 of the Approved Addendum shall be completed with the details in paragraph A of Annex I;
- the “Appendix Information” shall refer to the information set out in Annex I and Annex II
- for the purposes of Table 4 of the Approved Addendum, Crossbeam (as data importer) may end this Addendum, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and
- Section 16 of the Approved Addendum does not apply.
- Swiss addendum
- This “Swiss Addendum” will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.
- Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:“Clauses” means the Standard Contractual Clauses as incorporated into this Addendum in accordance with clause 13 and as further specified in this Annex III; and
- “FDPIC” means the Federal Data Protection and Information Commissioner.
- This Swiss Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties’ obligations under Article 16(2)(d) of the FADP.
- This Swiss Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
- In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
- as standard data protection clauses approved, issued or recognised by the FDPIC for the purposes of Article 16(2)(d) of the FADP.
- Hierarchy
- In the event of a conflict or inconsistency between this Swiss Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Swiss Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
- Changes to the Clauses for transfers exclusively subject to Swiss Data Protection LawsTo the extent that the data exporter’s Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” (as defined in the Clauses, as amended by the remainder of this paragraph 3.4) the following amendments are made to the Clauses:
- References to the “Clauses” or the “SCCs” mean this Swiss Addendum as it amends the SCCs.
- Clause 6 Description of the transfer(s) is replaced with:“The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I of this Addendum where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer.”
- References to “Regulation (EU) 2016/679” or “that Regulation” or “”GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
- Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the FDPIC;
- Clause 17 is replaced to state:“These Clauses are governed by the laws of Switzerland”.
- Clause 18 is replaced to state:“Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
- Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws
- To the extent that the data exporter’s Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” under both the Clauses and the Clauses as amended by paragraph 3.4 of this Annex III to the Addendum:
- for the purposes of Clause 13(a) and Part C of Annex I:
- the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer, or such transfer is an “onward transfer” as defined in the Clauses (as amended by paragraph 3.3 of this Addendum; and
- subject to the provisions of paragraph 2 of this Schedule 3 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter’s processing, or such transfer is an “onward transfer” as defined in the Clauses.
- the terms “European Union”, “Union”, “EU”, and “EU Member State” shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.
- Transfers under the laws of other jurisdictions
- With respect to any transfers of Personal Data referred to in clause 13.1(b) (each a “Global Transfer“), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
- For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:
- for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter’s Processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.
- The amendments referred to in paragraph 4.2 include (without limitation) the following:
- references to the “GDPR” and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;
- reference to the “Union”, “EU” and “EU Member State” are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the “Exporter Jurisdiction”);
- the “competent supervisory authority” shall be the applicable supervisory in the Exporter Jurisdiction; and
- Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.
- Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into with the relevant national authority.