Data Processing Addendum
This Data Processing Addendum (“DPA”) governs Suzy, Inc.’s (“Suzy”) Processing of Personal Data on behalf of its clients. For purposes of this DPA, “Client” means the entity or individual that has entered into an agreement with Suzy for the provision of services (“Agreement”). This DPA applies to and forms part of the Agreement and is effective as of the effective date of the Agreement.
1.0. Definitions
1.1. For purposes of this DPA, the following terms shall have the following meanings. Any capitalized term used but not defined herein shall have the meaning set forth in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.
“Applicable Data Protection Law” means all data protection, privacy, and security laws applicable to the respective Party in its respective role in the Processing of Personal Data under the Agreement, which may include without limitation Canadian Data Protection Law, European Data Protection Law, UK Data Protection Law, or U.S. Data Protection Law.
“BCRs” means the binding corporate rules approved pursuant to Articles 47 and 63 of the GDPR.
“Business Data” means Personal Data shared between the Parties for the purposes of doing business together, including, but not limited to, the Personal Data of Client’s personnel who negotiate agreements between the parties, administer Client’s financial account with Suzy, or discuss new services for purchase from Suzy.
“Canadian Data Protection Law” means the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any update, amendment, or replacement of same.
“Client Personal Data” means Personal Data that Client controls and discloses, provides, or otherwise makes available to Suzy pursuant to the Agreement or to which access was provided to Suzy by or at the direction of Client.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as that term is defined by the CCPA.
“Data Personnel” means a Party’s personnel who have access to the other Party’s Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates, or as otherwise termed and defined by Applicable Data Protection Law.
“Data Subject Request” means any request from a Data Subject to exercise rights afforded to the Data Subject under Applicable Data Protection Law in relation to Personal Data, including, as applicable, the following: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or objection to automated individual decision making.
“EEA” means the Member States of the European Union (“EU”) and Iceland, Liechtenstein, and Norway.
“European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) as implemented by countries within the EEA; (ii) the European Union e-Privacy Directive 2002/58/EC as implemented by countries within the EEA; (iii) other EU, EEA or European single market Member State laws or regulations that are similar, equivalent to, successors to, or that are intended to or implement the laws that are identified in (i) and (ii) above, including UK Data Protection Law; and/or (iv) any update, amendment, or replacement of same.
“Instruct” or “Instruction” means a direction, either in writing (e.g., an Order), in textual form (e.g., by e-mail), or by using a software or online tool (e.g., the Platform), issued by Client to Suzy and directing Suzy to Process Client Personal Data.
“Personal Data” or “Personal Information” means any information (a) relating to Data Subjects; or (b) “personally identifiable information”, “personal information”, “personal data” or similar terms, as such terms are defined under Applicable Data Protection Law.
“Process”, “Processed”, “Processes” or “Processing” means any activity, operation, or set of operations performed upon Personal Data, individually or in sets, whether or not by automated means, such as collecting, retrieving, obtaining, holding, accessing, using, structuring, recording, organizing, storing, adapting or altering, consultation, disclosure by transmission, transferring, sharing, dissemination or otherwise making available to third parties, alignment or combination, blocking, erasing, or destruction. For the avoidance of doubt, the definition includes any activity that the Applicable Data Protection Law may otherwise include.
“Processor” means an entity that engages in the Processing of Personal Data on behalf of the Controller, including as applicable any “service provider” or “contractor” as defined by the CCPA.
“Regulator Correspondence” means any correspondence or communication received from a Supervisory Authority relating to Personal Data.
“Relevant Transfer” means any transfer of Personal Data: (a) made by a Party; (b) from the European Union, the EEA and/or their member states, the United Kingdom and/or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Law; and (c) subject to Applicable Data Protection Law.
“Respondent(s)” means independent third-party member(s) of the public that participate in Surveys. It includes:
- “Member(s)”: an individual who either registered with Suzy via its CrowdTap interface, or accepted an email invitation from CrowdTap.
- “External Audience(s)”: non-Member individuals sourced by Suzy via a third-party panel provider or exchange.
- “Client Audiences”: individuals sourced by Clients, such as Client CRMs, who respond to Survey(s) initiated using the Platform.
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored, or otherwise Processed.
“Sell” or “Sale” has the meaning ascribed in the CCPA, as does “Share”.
“Services” means the services provided pursuant to the Agreement.
“SCCs” or “Standard Contractual Clauses” means (i) where the GDPR applies, the SCCs (EU Controller-to-Controller), the SCCs (EU Controller-to-Processor), or the SCCs (EU Processor-to-Processor), as applicable; and (ii) where the UK Data Protection Law applies, the UK Addendum.
“SCCs (EU Controller-to-Controller)” means the SCCs for the transfer of Personal Data to third countries approved by the European Commission’s decision 2021/914/EC of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), Module One, in accordance with the terms of Schedule 2 (EEA Addendum).
“SCCs (EU Controller-to-Processor)” means the EU SCCs, Module Two, in accordance with the terms of Schedule 2.
“SCCs (EU Processor-to-Processor)” means the EU SCCs, Module Three, in accordance with the terms of Schedule 2.
“SCCs (EU Processor-to-Controller)” means the EU SCCs, Module Four, in accordance with the terms of Schedule 2.
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner, Version B1.0, as currently provided at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and as revised under Section 18 of the International Data Transfer Addendum, as set out in Schedule 4 to this DPA.
“Subprocessor” means any Processor engaged to assist in fulfilling the Services and/or obligations under the Agreement.
“Supervisory Authority” means an independent public authority established under, or tasked with the regulation and enforcement of, Applicable Data Protection Law, including (but not limited to) supervisory authorities established by an EU Member State pursuant to the GDPR, the UK’s Information Commissioner’s Office, or the California Privacy Protection Agency.
“Survey(s)” means research conducted in connection with the Services, including but not limited to: surveys, interviews, focus groups, and the like.
“UK Data Protection Law” means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended), together with all data protection, privacy, and security laws applicable in the United Kingdom.
“U.S. Data Protection Law” means all U.S. laws and regulations that apply to Processing of Personal Data under the Agreement, including without limitation: the Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.); the Illinois Biometric Information Protection Act (740 ILCS 14 et seq.); the Virginia Consumer Data Protection Act (Va. Code § 59.1-571 et seq.); the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as expanded by the California Privacy Rights Act (together, the “CCPA”); and the implementation regulations, amendments, or replacements of same.
2.0. Relationship of the Parties; Scope of DPA
2.1. Roles. The Parties acknowledge that the factual arrangements between them dictate the classification (e.g., Controller or Processor) of each Party under Applicable Data Protection Law. The Parties acknowledge that each Party may serve in different capacities when performing different Processing activities or when Processing different categories of Personal Data.
2.1.1. Suzy acts as an independent Controller for: (a) Member registration data and profiles; (b) Member engagement and participation data; (c) External Audience sourcing and management data; (d) platform Usage Data and performance data; and (e) Business Data. In such situations, this DPA shall not apply; Suzy acknowledges and agrees that Suzy is independently responsible for compliance and will comply with Applicable Data Protection Law with respect to obligations of Controllers.
2.1.2. Suzy acts as Processor for Client when processing: (a) Client-provided survey questions and research parameters; (b) Client Audience data uploaded by Client; (c) External Audience survey response data collected on Client’s behalf; and (d) any other Client Personal Data that Client Instructs Suzy to process on Client’s behalf. In such situations, this DPA applies.
2.1.3. For joint controller situations, if any, the parties will execute a separate joint controller agreement specifying respective responsibilities under Article 26 GDPR.
3.0. Processing Activities; Mutual Cooperation
3.1. Processing Details. The Parties acknowledge and agree that Schedule 1 (Processing Details) to this DPA is an accurate description of the intended Processing carried out under this DPA at the time of execution of this DPA. Both Parties shall be permitted to make amendments to Schedule 1 regarding the nature, duration, purpose, scope, types, and categories of Personal Data, on written notice to the other Party. For purposes of this section, notice to Suzy shall be by Instruction.
3.2. Mutual Cooperation to Prevent Re-Identification. Each Party shall take reasonable steps to maintain and use Anonymous Data or De-Identified Data (if applicable, and as defined in Applicable Data Protection Law) only in an anonymous or de-identified form and not attempt to re-identify the data.
3.3. Security Breach Notification and Cooperation. If Suzy becomes aware of a Security Breach involving Client Personal Data, Suzy will notify Client without undue delay and no later than twenty-four (24) hours after discovery of the Security Breach, providing sufficient information (to the extent such information is known or available) and cooperation to Client to enable Client to comply with its obligations under Applicable Data Protection Law. Any such notification does not constitute acceptance of liability. At Suzy’s own expense, Suzy shall take reasonable steps to: (a) remedy or mitigate the effects of the Security Breach; (b) reduce the risk to Data Subjects whose Personal Data was involved; and (c) keep Client informed of material developments in connection with the Security Breach.
4.0. Client’s Responsibilities as Controller
4.1. Client shall, in its use of the Services and provision of Instructions: (i) control Client Personal Data and Instruct in accordance with the requirements of Applicable Data Protection Law; and (ii) provide to Suzy, or Instruct Suzy to Process, the minimum amount of Personal Data necessary for the provision of the Services.
4.2. Client is responsible for its use of the Suzy Platform and its storage of any copies of Client Personal Data outside Suzy’s or Suzy’s Subprocessors’ systems, if applicable.
5.0. Suzy’s Responsibilities as Processor
5.1. Suzy will comply with the following provisions when acting as Processor for Client:
5.1.1. Instructions. Suzy shall Process Client Personal Data only on Client’s Instructions, unless, in Suzy’s opinion, such Instruction(s) conflict with or infringe Applicable Data Protection Law, in which case, Suzy shall take reasonable steps to inform Client of such conflict or infringement. Notwithstanding the foregoing, Suzy shall have no obligation to monitor or review the lawfulness of any Instruction received from Client.
5.1.2. Confidentiality. Suzy shall ensure that all Suzy Data Personnel whom Suzy authorizes to Process Client Personal Data are subject to a duty of confidentiality (whether contractual or statutory).
5.1.3. Access. Suzy will reasonably limit Client Personal Data access to only those Data Personnel who require access to fulfill the Services or for the performance of their duties. Suzy will take reasonable steps to ensure: (a) Data Personnel are informed of the confidential nature and use restrictions of Client Personal Data; (b) Data Personnel are trained on Personal Data protection under Applicable Data Protection Laws; and (c) the reliability, integrity, and trustworthiness of Data Personnel with access to Client Personal Data, including conducting background checks consistent with applicable law.
5.1.4. Security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Suzy shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Client Personal Data. Suzy shall, taking into account the nature of the Processing and the information available to Suzy, provide Client with reasonable cooperation and assistance where necessary for Client to comply with Client’s obligations pursuant to Article 32 of the GDPR or equivalent provision of Applicable Data Protection Law. Specific measures implemented by Suzy include, but are not limited to, those set forth in the Security Measures Statement as published on Suzy’s Trust Portal, accessible at www.trust.suzy.com (as may be updated by Suzy from time to time but in no event shall degrade the security of Client Personal Data) (“Security Measures”).
5.1.5. Record-keeping. Suzy shall maintain records and information required by Applicable Data Protection Law to demonstrate its compliance with this DPA during the term of this DPA and for one (1) year thereafter.
5.1.6. Assessments & Audits. As provided in the Agreement.
5.1.7. Data Subject Requests. To the extent required by Applicable Data Protection Law, Suzy will provide commercially reasonable assistance to Client in responding to Data Subject Requests and will notify Client without undue delay if Suzy receives a Data Subject Request related to Client Personal Data that Suzy Processes on behalf of Client. Due to Suzy’s direct relationship with Members, the Parties agree that Suzy will manage Data Subject Requests related to Members.
5.1.8. Regulator Correspondence. Suzy shall promptly notify Client upon receipt of any Regulator Correspondence, unless Suzy is prohibited from doing so by applicable law. Suzy will not disclose any Client Personal Data in response to such Regulator Correspondence without first consulting with and obtaining Client’s authorization, unless legally compelled to do so by final court order or equivalent legal mandate. If a law enforcement agency or Supervisory Authority sends Suzy a demand for Client Personal Data (e.g., a subpoena or court order), Suzy will attempt to redirect the law enforcement agency or Supervisory Authority to request that data directly from Client. If compelled to disclose Client Personal Data to a law enforcement agency or Supervisory Authority, Suzy will immediately notify Client of the demand to allow Client to seek a protective order or other appropriate remedy, to the extent Suzy is legally permitted to do so. Suzy will limit any disclosure to the minimum information required by the legal mandate.
5.1.9. Data Destruction. As provided in the Agreement or, if unspecified, as follows: Upon expiration or termination of this Agreement, Client shall immediately discontinue all use of the Suzy IP and shall promptly delete and destroy all copies of the Suzy IP in its possession or control and, upon request, certify such deletion and destruction in writing. Suzy shall (i) securely archive or render unreadable all Client Data and Derived Works stored on the Platform in its possession or control within six (6) months and thereafter (ii) securely purge all Client Data and Derived Works from all systems, archives, and backups within twelve (12) months, unless a longer retention period is required by applicable law. Upon Client’s written request to legal@suzy.com, Suzy will certify in writing that it has taken such measures or note the legal basis for why it is not able to do so, along with a timeline for destruction once the prolonged retention requirement ends.
5.1.10. Prohibition on Sale. To the extent required by CCPA, Suzy will not Sell or Share Client Personal Data to a third party, except to authorized Subprocessors or as Instructed.
6.0. Subprocessing
As provided in the Agreement or, if unspecified, as follows:
6.1. Authorization for Subprocessors. Client provides a general authorization for Suzy to engage the Subprocessors listed at https://suzy.com/subprocessor-list (“Subprocessor List”) in order to provide the Services, conditioned on the following:
6.1.1. Suzy will restrict the Subprocessor’s access to Client Personal Data only to what is necessary to provide the Services;
6.1.2. Suzy agrees to impose on the Subprocessor contractual data protection obligations, including appropriate technical and organizational measures, to protect Client Personal Data to the standard required by Applicable Data Protection Law and this DPA; and
6.1.3. Suzy will remain liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessors, except to the extent such breach arises out of or results from Client’s Instructions or circumstances outside of Suzy’s reasonable control.
6.2. Notification of Changes to Subprocessor List. Suzy will notify Client of any updates or changes to the Subprocessor List by sending notice to the email address submitted to the change notification list (available at https://engage.suzy.com/suzy-subprocessor). Suzy will provide notice of any update or change to the Subprocessor List as soon as reasonably practicable, but no less than thirty (30) days prior to any such update or change. Client may object to Suzy’s appointment or replacement of a Subprocessor prior to its appointment or replacement, provided such objection is in writing to legal@suzy.com and based on reasonable grounds relating to data protection, security, or regulatory compliance. If the parties cannot agree on a commercially reasonable alternative solution within thirty (30) days of Client’s objection, Client may terminate the Agreement with respect to the affected Services upon thirty (30) days’ written notice.
7.0. International Data Transfers
7.1. Depending on Instructions, the Services may involve international data transfers and/or Relevant Transfers. Where applicable, Suzy will not transfer Client Personal Data from the EEA, Switzerland, or the UK to any country or recipient not recognized as providing an adequate level of protection for Client Personal Data by the relevant Supervisory Authority unless Suzy first takes necessary measures to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include transferring such data to a recipient that:
7.1.1. is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant Supervisory Authorities or courts;
7.1.2. has achieved BCRs; or
7.1.3. has executed appropriate SCCs. Unless otherwise agreed in writing by the Parties, by executing the Agreement or an Order incorporating this DPA, Client is deemed to execute the SCCs as set out in full, which will have legally binding force on the Parties as follows:
- If Suzy Processes Client Personal Data related to EEA Data Subjects, the EEA Addendum as set out in Schedule 2 shall apply in addition to the DPA and is incorporated by reference into the SCCs;
- If Suzy Processes Client Personal Data related to Swiss Data Subjects, the Switzerland Addendum as set out in Schedule 3 shall apply in addition to the DPA and is incorporated by reference into the SCCs; and
- If Suzy Processes Client Personal Data related to UK Data Subjects, the UK Addendum as set out in Schedule 4 shall apply in addition to the DPA and is incorporated by reference into the SCCs.
7.2. If any Personal Data transfer between Client and Suzy requires separate execution of SCCs in order to comply with the Applicable Data Protection Laws, upon Client’s written request, Suzy will cooperate in good faith to do so and take all other reasonable actions required to legitimize the transfer.
7.3. Each Party will only transfer Applicable Personal Data on to another country if the transfer complies with Applicable Data Protection Law.
8.0. General Provisions
8.1. Termination. This DPA will terminate contemporaneously and automatically with the termination or expiration of the Agreement, subject to additional provisions in any Schedule attached hereto. If a change in any Applicable Data Protection Laws prevents either Party from fulfilling all or part of its obligations under this DPA, the Parties may suspend the Processing of Personal Data until that Processing complies with the new requirements.
8.2. Survival. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Client Personal Data will remain in full force and effect.
8.3. Modification. Notwithstanding anything to the contrary in the Agreement, the Parties may periodically cooperate in good faith to make modifications to this DPA as may be required to comply with Applicable Data Protection Laws.
8.4. Conflicts and Interpretation. To the extent there is a conflict between: (1) this DPA and the Agreement, with respect to the subject matter of this DPA, the DPA takes precedence; or (2) this DPA and any Schedule, the provision in the Schedule shall prevail. Notwithstanding the foregoing, this DPA is to be read and interpreted in the light of the provisions of the Applicable Data Protection Laws and must not be interpreted in a way that runs counter to the rights and obligations provided for in Applicable Data Protection Laws, or in a way that prejudices the fundamental rights or freedoms of Data Subjects.
8.5. No further amendment. All terms and conditions in the Agreement save as amended herein remain in full force and effect and are binding upon the Parties.