Hidden Road Vendor Personal Data Terms

The Parties:

  1. The legal entity which has entered into an agreement (“Agreement”) with the Vendor, being Hidden Road Partners UK LLP, Hidden Road Partners LP or another Hidden Road entity as applicable (“HRP”); and
  2. The legal entity which has entered into an agreement with HRP to provide services to HRP (the “Vendor”).


WHEREAS
This Personal Data Addendum (“Addendum”) is entered into by and between the Parties to ensure compliance with:

a) The EU General Data Protection Regulation 2016/679 (“EU GDPR”),

b) The EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the UK Data Protection Act 2018 (together “UK GDPR”), and

c) The Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“ADGM DPR”).

1. Definitions

a) “Data Protection Laws” means the EU GDPR, UK GDPR, and ADGM DPR (and “Data Protection Law” means any one of them).

b) “Data Importer” refers to the Vendor.

c) “Data Exporter” refers to HRP.

d) “Personal Data” refers to any information relating to an identified or identifiable natural person.

e) “Agreement” refers to the Vendor’s terms of service entered into between the Parties and any related addenda and order forms, as updated and supplemented from time to time.

f) “Restricted International Transfer” means a transfer of Personal Data in circumstances where, in the absence of appropriate safeguards being implemented in relation to the transfer, the transfer would be in breach of a Data Protection Law.

2. Scope and Purpose

a) This Addendum governs Restricted International Transfers of Personal Data to ensure that appropriate safeguards are implemented in relation to such transfers and the transfers are conducted in compliance with the Data Protection Laws mentioned above.

b) This Addendum incorporates:

(1) the Standard Contractual Clauses approved by the European Commission, as set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“SCCs”);

(2) the UK International Data Transfer Addendum to the SCCs issued by the Information Commissioner under Section 119A of the Data Protection Act 2018 (“UK Addendum”); and

(3) the addendum to the SCCs issued by the ADGM’s Commissioner of Data Protection in accordance with Section 49(2)(j) of the ADGM Data Protection Regulations 2021 on 1 November 2023 (“ADGM Addendum”).

c) To the extent there exist data transfer, data processing, data sharing or similar terms between the Parties as of the date of this Addendum (whether signed or incorporated by reference from the Vendor’s website) which are sufficient to provide appropriate safeguards in relation to a Restricted International Transfer under the EU GDPR and UK GDPR, then this Addendum shall not apply in respect of such Restricted International Transfers and this Addendum shall only apply in respect of Restricted International Transfers under the ADGM DPR.

d) The execution of the Agreement is deemed to be execution of this Addendum and by doing so the Parties agree to be legally bound by its terms.

3. Jurisdiction Specific Methods

a) Restricted International Transfers under EU GDPR

The Parties agree to comply with the SCCs to provide the necessary appropriate safeguards in respect of any Restricted International Transfers under the EU GDPR. The SCCs are hereby incorporated into this Addendum as if they were set out in this Addendum in full. The provisions of Module 1 of the SCCs (Controller-to-Controller) and Module 2 of the SCCs (Controller-to-Processor) shall apply (depending on whether the Vendor is a controller or processor of the relevant Personal Data) and the SCCs shall be deemed to be completed as follows:

  • Clause 7 (Docking clause) is included;
  • Clause 9 (Use of sub-processor) – the parties select Option 2 (General Written Authorisation) and the time period shall be 30 days;
  • Clause 11 (Redress) – the optional requirement that the data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
  • Clause 17 (Governing law) – the parties select Option 1 and the law of the Netherlands;
  • Clause 18 (Choice of forum and jurisdiction) – the parties select the Courts of the Netherlands;
  • Annexes I, II and III of the SCCs shall be deemed to be populated with the information set out in paragraph 3(d), below.


b) Restricted International Transfers under UK GDPR

The Parties agree to comply with the UK Addendum to provide the necessary appropriate safeguards in respect of any Restricted International Transfers under the UK GDPR. The UK Addendum is hereby incorporated into this Addendum as if it were set out in this Addendum in full and shall be read in conjunction with the SCCs. The UK Addendum shall be deemed to be completed with the information set out in paragraph 3(d), below.

c) Restricted International Transfers under ADGM DPR

The Parties agree to comply with the ADGM Addendum to provide the necessary appropriate safeguards in respect of any Restricted International Transfer under the ADGM DPR. The ADGM Addendum is hereby incorporated into this Addendum as if it were set out in this Addendum in full and shall be read in conjunction with the SCCs. The ADGM Addendum shall be deemed to be completed with the information set out in paragraph 3(d), below.

d) Provisions applicable to the SCCs, UK Addendum and ADGM Addendum

In respect of Part 1, Table 2 of the UK Addendum and the ADGM Addendum respectively, the version of the ‘Addendum EU SCCs’ and the ‘Approved EU SCCs’ (as applicable for the UK Addendum and ADGM Addendum, respectively) deemed to be appended, is the SCCs. In respect of Part 1, Table 1 and Table 3 of the UK Addendum and the ADGM Approved Addendum, respectively, and Annexes I, II and III of the SCCs, the Appendix Information shall be set out in the Agreement as follows:

  • Annex 1A: List of Parties:
    a. HRP is a controller and the Vendor is the processor/controller (as set out in the Agreement).
    b. The Vendor is the data importer and HRP is the data exporter.

  • Annex 1B: Description of Transfer:
    As set out in the Agreement.

  • Annex 1C: The Competent Authority shall be in the case of issues pertaining to:

  • Annex II: Technical and Organisational Measures:
    Vendor to summarize in specific non-general terms their data security measures in the Agreement.

  • Annex III: List of Processor or Sub-processors (as applicable):
    Vendor to set out their sub-processors in the Agreement.

In respect of Part 1, Table 4 of the UK Addendum and the ADGM Approved Addendum respectively, only the data exporter may end the UK Addendum and ADGM Addendum.

4. Conflict Resolution Clause

In the event of any conflict between the provisions of the Agreement and the SCCs, UK Addendum, or ADGM Addendum, the SCCs, UK Addendum, or ADGM Addendum shall prevail.

5. Jurisdiction and Governing Law

This Addendum shall be governed by the same laws as the Agreement and HRP and the Vendor agree to accept the same dispute resolution forum as provided for in the Agreement for resolving any dispute arising out of or in connection with this Addendum.

6. Data Subject Rights and Requests

The Parties shall implement procedures to:

a) Respond to data subject requests under all applicable Data Protection Laws.

b) Cooperate to ensure data subjects can exercise their rights effectively, including access, correction, erasure, and data portability.

7. Data Security Measures

The Vendor shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

8. Amendments and Updates

This Addendum may be amended from time to time to comply with applicable data protection laws.

9. Data sharing/processing agreement terms for non-Restricted Transfers

If the personal data is disclosed or otherwise made available to a Vendor located either (i) in the same jurisdiction as HRP, or (ii) in a jurisdiction that is recognised as providing an adequate level of protection for personal data by each of the UK, EU and ADGM, and the parties do not otherwise have a data processing or data sharing agreement in place, then the above terms shall apply and shall constitute the required data processing or data sharing agreement (as applicable). For the avoidance of doubt, any provisions in the above terms relating solely to cross-border transfers shall not apply in these circumstances and references to ‘transfers’ in the remaining provisions shall be interpreted to exclude such cross-border context.