WHEREAS This Personal Data Addendum (“Addendum“) is entered into by and between the Parties to ensure compliance with:
a) The EU General Data Protection Regulation (“EU GDPR”),
b) The UK Data Protection Act 2018 and UK GDPR (together “UK GDPR”), and
c) The Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“ADGM DPR”).
a) “Data Protection Laws” means the EU GDPR, UK GDPR, and ADGM DPR.
b) “Data Importer” refers to the Vendor
c) “Data Exporter” refers to HRP.
d) “Personal Data” refers to any information relating to an identified or identifiable natural person.
e) “Agreement” refers to the Vendor’s terms of service entered into between the Parties and any related addenda and order forms, as updated and supplemented from time to time.
a) This Addendum governs transfers of Personal Data to ensure that such transfers are conducted in compliance with the Data Protection Laws mentioned above. It supplements the contractual obligations under the SCCs and UK Addendum, ensuring additional safeguards where required under ADGM DPR.
b) This Addendum supplements and incorporates the Standard Contractual Clauses approved by the European Commission (“SCCs”), the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) and includes provisions to ensure compliance with the ADGM DPR where applicable.
c) To the extent there exists a data transfer, data processing, data sharing or similar terms between the Parties as of the date of this Addendum (whether signed or incorporated by reference from the Vendor’s website) which comply with the EU GDPR and UK GDPR, then Module 1 and 2 of the Addendum shall not apply and only Module 3 in respect of ADGM DPR shall apply.
d) The execution of the Agreement is deemed to be execution of this Addendum and by doing so the Parties agree to be legally bound by its terms.
a) Module 1: EU GDPR
The Parties agree to comply with the EU Standard Contractual Clauses (SCCs) as set forth in Commission Implementing Decision (EU) 2021/914. The SCCs apply to data transfers from the European Economic Area (EEA) to third countries outside the EEA.
b) Module 2: UK GDPR
The Parties agree to comply with the UK Addendum issued by the UK Information Commissioner’s Office (ICO). The UK Addendum shall be read in conjunction with the EU SCCs.
UK Addendum Details:
The information required by Part 1, Table 1 of the UK Addendum is set out in the Agreement.
In respect of Part 1, Table 2 of the UK Addendum, the version of the Approved EU SCCs which this Addendum is deemed appended to, is the version dated 4 June 2021.
In respect of Part 1, Table 3 of the UK Addendum the Appendix Information is set out in the Agreement as follows:
In respect of Part 2 UK Addendum: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
c) Module 3: ADGM DPR
The Parties agree to comply with the ADGM Data Protection Regulations 2021 (ADGM DPR), including:
i. Breach Notification: The Data Importer shall notify the Data Exporter without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting ADGM data subjects. The Data Exporter shall notify the ADGM Commissioner of Data Protection within 72 hours, where required.
ii. Data Protection Impact Assessments (DPIAs): DPIAs shall be conducted for processing activities likely to result in a high risk to the rights and freedoms of data subjects.
iii. Data Subject Rights: The Parties shall uphold data subject rights under the ADGM DPR, including rights to access, rectify, erase, restrict processing, data portability, and object to processing.
iv. Record keeping: The controller must maintain a record of processing activities under its responsibility, and the data processor must maintain its own record of all categories of processing activities carried out on behalf of the controller. The records will be live documents and regularly updated, and the format must comply with the requirements of ADGM DPR.
v. Special Category Data: the Parties acknowledge that criminal convictions and offences and related security measures are categorised as “Special Category Data” under ADGM DPR, and if there is any processing of any Special Category Data, it requires an additional condition to the lawful basis for processing, which will be Performance of a Contract. In such case, the Parties will each maintain their own appropriate policy document from the time the personal data is processed and will retain for minimum of 6 months after processing has ceased. The Parties agree to regularly review, update and make such appropriate policy document available to the ADGM Commissioner of Data Protection, if requested.
vi. Onward Transfers: The Data Importer shall not transfer personal data to any third party unless equivalent safeguards are in place as required under ADGM law.
In the event of any conflict between the provisions of this Addendum and the SCCs, UK Addendum, or ADGM Addendum, the terms offering the highest level of protection to data subjects shall prevail. Where such conflicts cannot be reconciled, the mandatory provisions of the applicable data protection law (EU GDPR, UK GDPR, or ADGM DPR) shall apply.
Disputes arising under:
In the case of overlapping jurisdictional claims, the Parties shall cooperate in good faith to determine the appropriate forum based on the specific data protection law implicated.
The Parties shall implement procedures to:
a) Respond to data subject requests under all applicable Data Protection Laws.
b) Cooperate to ensure data subjects can exercise their rights effectively, including access, correction, erasure, and data portability.
The Data Importer shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
This Addendum may be amended from time to time to comply with applicable data protection laws.
If the personal data is being transferred to a jurisdiction recognised as adequate by each of UK, EU and ADGM and the Vendor does not have any data processing or data sharing agreement in place, then the above terms shall apply save that the transfer related terms shall be disregarded and such terms shall constitute the data processing or data sharing agreement, as applicable.
