Über
Sprache 
Data Processing Addendum
Effective: February 20, 2026
This Data Processing Addendum („DPA„) is made available at the following URL: https://mtch.com/match-group-data-processing-addendum/ (the „DPA URL„), to be incorporated by reference into any existing, current, or future agreement(s) (the „Agreement”) made between Match Group Holdings I, LLC, with its principal place of business at 8750 N. Central Expressway, Suite 1400, Dallas, TX 75231 (“MG”) and the MG contracting party or parties under the Agreement (“Customer”), and the entity you represent („Provider„) (together, the “Parties”). Where the Agreement incorporates this DPA by reference to the DPA URL, the terms of this DPA shall apply and form an integral part of such Agreement as if set out in full therein.
BACKGROUND
Provider provides certain services in accordance with the Agreement (the “Services”). This DPA governs the processing of Personal Data by Provider, in the course of providing the Services. By referring to the DPA URL in the Agreement, the parties agree that this DPA is incorporated into the Agreement and shall be binding as of the effective date of the Agreement or, if later, the date the Provider begins processing Personal Data on behalf of Customer.
IT IS AGREED:
- Definitions. All capitalized terms used in this DPA shall have the meanings given to them below or as otherwise defined in this DPA:
“Data Protection Laws” means all laws, rules, regulations and data protection authorities’ binding decisions applicable to the processing of personal data under the Agreement, including but not limited to Regulation (EU) 2016/679 (the “GDPR„) or, where applicable the „UK GDPR“ as it forms part of the law of England and Wales, Scotland and Northern Ireland (the “UK”) by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.
„processing“ („process“, „processes“ and „processed“ shall be interpreted accordingly) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, creation, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
„Personal Data“ means any information (i) that is linked or reasonably linkable to an identified or identifiable person; or (ii) that identifies, relates to, describes, is reasonably capable of being associated , directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be:
a. processed at any time by Provider in anticipation of, in connection with or incidental to the performance of the Services under the Agreement ; or
b. derived by Provider from such information.
2. Details of Processing. Unless otherwise set forth in the Agreement, the details of processing are as set forth below:
2.1 Subject Matter, Nature and Purpose of Processing. Provider processes (including, as applicable, collects, records, organises, structures, stores, alters, retrieves, uses, discloses, combines, erases and destroys) personal data in the context of the Services provided to Customer under the Agreement. More information can be found in the Vendor Security Questionnaire
2.2 Duration of Processing. Provider processes Personal Data for the duration of the Agreement and then disposes of the Personal Data as set forth in Section 3.8 of the DPA. The Parties may identify additional protocols in the Agreement and/or in the Vendor Security Questionnaire for the secure and verifiable deletion of Personal Data.
2.3 Categories of Individuals whose Personal Data is processed. The categories of individuals whose Personal Data is processed is set out in the Agreement and/or in the Vendor Security Questionnaire.
2.4 Types of Personal Data. The types of Personal Data to be processed by Provider is set out in the Agreement and/or in the Vendor Security Questionnaire .
2.5 Subcontractors. The list of subcontractors is as set out in the Agreement and/or in the Vendor Security Questionnaire. Further, Subcontractor processes (including, as applicable, collects, records, organises, structures, stores, alters, retrieves, uses, discloses, combines, erases and destroys) personal data in the context of the Services provided to Customer under the Agreement. More information can be found in the Vendor Security Questionnaire
3. Data Protection Obligations.
3.1 Compliance with Laws. Provider shall comply with Data Protection Laws applicable to its role and scope of responsibility with respect to the processing of Personal Data.
3.2 Instructions. Provider shall process Personal Data only on behalf of Customer and in compliance with its instructions (which shall include this DPA and any further written agreement or documentation through which Customer instructs Provider to perform specific processing of Personal Data). Provider represents and warrants that it has determined it can meet its obligations under applicable Data Protection Law and this DPA and has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from Customer and its obligations under this DPA. In the event of a change in this legislation which is likely to have an adverse effect on the warranties and obligations provided under this DPA or a change in Provider’s determination that it can meet its obligations under Laws and this DPA, Provider will notify Customer of the change as soon as it becomes aware of it, in which case Customer shall be entitled to take appropriate steps to stop and remediate the unauthorized use of Personal Data, including suspending the processing of Personal Data by Provider and/or terminating all or part of the Agreement immediately, at no cost and as of right, without prejudice to Customer’s other rights and remedies.
3.3 Access and Use. Provider shall treat Personal Data as confidential information and process Personal Data only as necessary to provide the Services to Customer (which the Parties acknowledge and agree are for Customer’s business purpose, as such term is defined under Data Protection Laws). Provider shall not process Personal Data, works derived from Personal Data or anything that includes Personal Data: (i) for any other purpose other than those specified in the Agreement; (ii) for any commercial purpose other than the specific business purposes specified in the Agreement; (iii) outside of the direct business relationship between Customer and Provider, except as otherwise expressly set out in or permitted by Customer’s prior written instructions; or (iv) to combine Personal Data with any other personal data or information it collects (directly or via any third party) other than as expressly permitted by Customer under Data Protection Laws. To the extent that Provider processes any “deidentified data,” as defined by Data Protection Laws, Provider represents and warrants that it shall (a) not, nor attempt to, reidentify the deidentified data; (b) implement and maintain reasonable measures to prevent reidentification of the deidentified data; and (c) publicly commit to processing the deidentified data only as set forth in this section.
3.4 Limited Disclosure. Without limiting the generality of the foregoing, Provider shall not “sell” or “share” (as such terms are defined under Data Protection Laws) any Personal Data and the Parties acknowledge and agree that Customer does not “sell” or “share” (as such terms are defined under Data Protection Laws) Personal Data to Provider in connection with the Services rendered by Provider to Customer pursuant to the Agreement. Provider shall not transfer, disclose, or make accessible Personal Data to any third party, employees, contractors, agents or representative, except as necessary to provide the Services to Customer or with Customer’s prior written consent, and shall keep tamper-proof logs of any such transfer, disclosure or access. Provider warrants that any such employees, agents and representatives who participate in the processing of Personal Data are trained on data protection principles, obligations of Provider under this DPA and Data Protection Laws and have committed themselves to confidentiality through appropriate contractual arrangements.
3.5 Notification of Disclosure Requests / Question. Provider shall notify Customer without delay upon – and in any event no later than twenty-four (24) hours after – becoming aware of any: (i) request, order or inspection activity by a data protection authority or other competent authority relating to Personal Data; (ii) request, complaint or question received from individuals in relation to their Personal Data, such as requests for access, rectification, portability or deletion of their Personal Data; or (iii) request, order, demand, warrant or other document for the disclosure or direct access to Personal Data by a public or law enforcement authority (each of the foregoing, a “Request”). In any event, Provider shall not respond independently to any such Request unless otherwise expressly agreed in writing by Customer. Where Provider is legally prohibited from notifying Customer as laid out above, Provider shall use reasonable efforts to waive such prohibition and challenge the Request. If Provider remains compelled to disclose Personal Data without notifying Customer, Provider shall disclose only the minimum amount necessary to satisfy the Request.
3.6 Assistance to Customer. Provider shall assist Customer, through appropriate technical and organizational measures, in the fulfillment of its obligations under Data Protection Laws, including responding and acting upon requests from individuals to exercise their privacy rights under Data Protection Laws.
3.7 Notification of Data Breaches. Provider shall notify Customer without delay upon – and in any event no later than twenty-four (24) hours after – becoming aware of any breach of security leading to the accidental, unauthorized or unlawful destruction, loss, damage, alteration, disclosure of, or access to, Personal Data. Provider shall provide to Customer all information relating to such breach and provide any necessary assistance to enable Customer to remedy any such breach, including satisfying Customer’s notification obligations imposed by Data Protection Laws, and shall do so in a timely manner. In particular, and without prejudice to any other right or remedy available to Customer, following discovery of a breach, Provider shall, at its own costs and expenses, promptly take: (i) corrective action to mitigate any risks or damages involved with such breach and to protect the Personal Data from any further compromise; and (ii) any other actions that may be required by Data Protection Laws as a result of such breach, provided both (i) and (ii) are subject to Customer’s prior written approval. Provider shall promptly reimburse Customer for costs and expenses (including legal fees) incurred by Customer in connection with such breach.
3.8 Deletion. Upon the earlier of any request by Customer or immediately following expiration or termination of the Agreement, for whatever reason, Provider shall delete all Personal Data and copies thereof (or, at the choice of Customer, return all such Personal Data to Customer). Provider shall certify to Customer in writing that neither it nor any person or legal entity it gave access to Personal Data in accordance with this DPA holds or has access to any such Personal Data anymore within 15 days of such deletion. Where Data Protection Laws prevent Provider from returning or deleting all or part of the Personal Data, Provider shall (i) notify Customer of such requirement, the Personal Data it will retain and for how long, (ii) keep the Personal Data confidential, (iii) cease actively processing it, (iv) delete it as soon as legally allowed and (v) provide a written certification of the same to Customer.
3.9 Inspections. Customer is entitled to take reasonable and appropriate steps to help ensure that the Provider uses Personal Data consistent with Data Protection Laws. Provider shall make available to Customer all information necessary to demonstrate compliance with this DPA and Data Protection Laws. Further, at least once every 12 months, Customer, or an independent auditor selected by Customer bound by a duty of confidentiality or a data protection authority with jurisdiction over Customer or, where relevant, Customer’s affiliates’ activities, shall be entitled to conduct an audit of Provider’s (and/or any of its subcontractors’) data processing facilities to ensure compliance with this DPA. Such audits shall be performed during normal business hours and in a way that does not interfere with normal business activities of Provider and, where relevant, Provider’s subcontractors. In the event that such an audit reveals that Provider is not compliant with its obligations under this DPA, Provider shall promptly bring itself into compliance and pay reasonable costs associated with the audit, without prejudice to any other right or remedy available to Customer.
3.10 Subcontracting. Provider shall be allowed to engage subcontractors for carrying out specific Personal Data processing activities, subject to the following: (i) Provider shall only retain subcontractors that Provider reasonably expects to appropriately protect the privacy, confidentiality and security of Personal Data; (ii) Provider will provide Customer with notice of subcontractors in existence as of the effective date of this DPA; (iii) Provider shall provide Customer reasonable prior notice, at least 15 business days, of any intended changes concerning the addition or replacement of subcontractors, thereby giving Customer the opportunity to object to such changes; (iv) Provider shall impose on its subcontractor(s), by way of a written agreement, the same obligations as are imposed on Provider under this DPA; (v) Provider shall keep a list and a copy (in which commercial information may be removed) of all such subcontracting agreements, which shall be made available to Customer upon request and allow Customer to share the same to competent data protection authorities as necessary to comply with Data Protection Laws; and (vi) Provider shall at no charge to Customer, actively monitor, regularly audit and, where applicable, take steps to enforce compliance of subcontractors with their obligations, reporting promptly to Customer any detected or reported non-compliance and all actions taken to remedy the same. If a subcontractor fails to remedy non-compliance within a reasonable time after notice from Customer, Customer shall be entitled, without prejudice to any other right or remedy, to require Provider to cease using the corresponding subcontractor and resume the provision of that part of the Services itself as per the Agreement. In any event, Provider remains fully liable to Customer for the performance of its subcontractor’s obligations.
3.11 Cross-Border Data Transfers. Provider shall abide by any Data Protection Laws requiring that measures be taken to secure transfers of Personal Data outside the country or region the Personal Data originates from. Without limiting the generality of the foregoing, where Data Protection Laws mandate it, Provider shall not process in or transfer Personal Data to a third country that has not been deemed to offer an adequate level of data protection at the time of such transfer (‘Non-Adequate Country’) without (i) performing a data transfer impact assessment prior to the transfer to ensure its compliance with Data Protection Laws and making such assessment available to Customer upon request and (ii) relying on appropriate safeguards , and (iii) where necessary, putting in place supplementary measures to ensure an essentially equivalent level of data protection. In the event that any such adequacy, safeguard or measure is invalidated or be deemed inadequate under Data Protection Laws, Provider shall, as soon as possible, adopt an appropriate alternative transfer mechanism. In the event that Provider fails to adopt an alternative transfer mechanism within one (1) month of the invalidation, Customer may terminate the Agreement, at no cost, as of right and without prejudice to Customer’s other rights and remedies under the Agreement.
In the event of a transfer of Personal Data to Non-Adequate Countries, the Parties shall cooperate to ensure compliance with the Data Protection Laws and rely on the data transfer mechanisms laid down in Schedule 1 of this DPA.
4. Security. Provider shall implement appropriate physical, technical and organizational measures to protect Personal Data against accidental or unauthorized loss, theft, alteration, damage, destruction, disclosure, access and against all forms of unlawful processing. Such measures shall comply with requirements under Data Protection Laws and ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and/or encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) the protection against viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents, or programs, including code that is intended to or has the effect of misappropriating, commandeering, or disrupting access to or use or operation of any information, device, or system; and (v) a process for regularly testing, assessing and evaluating the effectiveness of technical, physical and organisational measures for ensuring the security of the processing. Provider certifies that: (a) it has not and will not purposefully create back doors or similar programming that could be used to access systems and/or Personal Data; (b) it has not and will not purposefully create or change its business processes in a manner that facilitates access to Personal Data or systems; and (c) Data Protection Laws or government policy do not require Provider to create or maintain back doors or to facilitate access to Personal Data or systems or for Provider to be in possession or to hand over encryption keys, if any. Provider shall in any event comply with data security documentation that Customer may provide, from time to time. Provider commits to maintaining security measures that are at least as protective as those identified during the precontractual process including, without limitation, representations made by Provider during the vendor review process (the “Vendor Security Questionnaire”).
5. Liability. Notwithstanding anything to the contrary in the Agreement, Provider’s liability for any breach of this DPA shall not be subject to the limitations of liability provisions included in the Agreement, if any.
6. Term. This DPA enters into force at the earliest of the execution of the Agreement or this DPA. It will be in force and effect until the Agreement has been terminated or expires and Provider has destroyed (or returned upon request from Customer) all Personal Data. This DPA will survive termination or expiry of the Agreement.
7. Miscellaneous.
7.1 The Parties acknowledge and agree that the activities performed by Provider under this DPA do not involve any right to specific compensation other than that compensation owed to Provider for the supply of Services in accordance with the Agreement.
7.2 This DPA sets out the entire agreement and understanding between Customer and Provider with respect to the processing of Personal Data by Provider for the purpose of providing the Services and supersedes all other agreements made between Customer and Provider on the same subject matter. In case of conflict between the Agreement, this DPA, and the EU SCCs or similar mandatory contractual clauses under Data Protection Laws (if applicable), regardless of any language to the contrary in the Agreement, the conflict will be resolved by giving precedence to the documents in the following order: (i) EU SCCs (or similar mandatory contractual clauses under Data Protection Laws); (ii) this DPA; and (iii) the Agreement. In the event of conflict, the English version of the DPA prevails over the DPA in any other language.
7.3 Except as mandated under Data Protection Laws, any dispute relating to this DPA shall be governed by and interpreted in accordance with the law of the country and subject to the jurisdiction referred to in the Agreement.
8. Certification. By signing the Agreement, Provider certifies that it understands and will comply with the requirements and restrictions set forth in this DPA.
Schedule 1: Cross-border Personal Data Processing Terms
- Cross-border Data Processing. In certain cases, and in accordance with Data Protection Laws, Customer and Provider need to enter into specific transfer mechanisms for the transfer of Personal Data to Non-Adequate Countries. The Parties agree that these transfer mechanisms, to the extent applicable, constitute valid and binding agreements between them and are modified only to the extent required and / or permitted under Data Protection Laws. Provider shall promptly comply with any request by Customer to enter into these transfer mechanisms in any alternative format that may be required by Data Protection Laws (e.g., wet-ink signature), which shall be executed in accordance with this Schedule. Those transfer mechanisms are listed below.1.1 The EU Standard Contractual Clauses
a. The EU Standard Contractual Clauses (meaning the standard contractual clauses as approved by EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as amended or supplemented from time to time) (“EU SCC”)) apply to the Processing of Personal Data subject to the GDPR, where Provider is located in or Personal Data is transferred to any Non-Adequate Country.
b. If the EU SCC are not required pursuant to the GDPR, the EU SCC shall become applicable if during the Service the country where Personal Data is transferred or Provider is located becomes a Non-Adequate Country.
c. The EU SCC are incorporated by reference, as available on the EU Commission website. The EU SCC and its Appendix are completed as below. The parties acknowledge that the applicable module of the EU SCC is the module two “Transfer Controller to Processor” where Customer is the Controller and Provider the Processor.
| Section Reference | Subject | Selection by the Parties |
| Section I, clause 7 | Docking Clause | This clause shall apply |
| Section II, Clause 9 | Approval of Subprocessors | General Written Authorization shall apply in accordance with the section 3.0 of the DPA |
| Section II, Clause 11 | Redress | The optional language shall not apply |
| Section II, Clause 13 | Supervision | All options under clause 13(a) shall apply |
| Section IV, Clause 17 | Governing law | These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland |
| Section IV, Clause 18(b) | Choice of forum and jurisdiction | The courts of Ireland are selected as the choice of forum and jurisdiction |
Appendix of the EU SCC
ANNEX I
A. List of Parties
Data exporter(s):
| Data Exporter(s)’s name and address | When the data transfer falls under the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection:
When the services provided by Provider to Customer(s) relates to the Plenty of Fish, OkCupid, Hinge, Tinder, Azar, The League, Salams and/or Affinity services: MTCH Technology Services Limited, located at 1 Hatch Street Upper, Dublin 2, D02 PY28, Ireland. When the services provided by Provider to Customer(s) relate to the Meetic services: Meetic SAS, 53 rue de Châteaudun, 75009 Paris, France. When the services provided by Provider to Customer(s) relate to the Azar service provided to UK end-users: Hyperconnect LLC, 517 YEONGDONG-DAERO GANGNAM-GU Seoul, South Korea. Additionally, where Customers’ employees’ personal data is processed as part of the Services under the Agreement, as applicable: Match Group Europe Limited located at 27 Old Gloucester Street, London, United Kingdom, WC1N 3AX
MG Spain Solutions S.L. located at C. de Espronceda, 40 Chamberí, 28003 Madrid, Spain Match.com Europe Limited, French Branch located at 53 rue de Châteaudun, 75009 Paris, France When the services provided by Provider to Customer(s) relate to Tinder the Data Exporter is Tinder LLC, 8750 North Central Expressway, Suite 1400, Dallas, TX 75231. When the services provided by Provider to Customer(s) relate to Azar the Data Exporter is Hyperconnect LLC, 20F, ASEM Tower, 517, Yeongdong-daero, Gangnam-gu, Seoul. When the services provided by Provider to Customer(s) relate to Plenty Of Fish the Data Exporter is Plentyoffish Media ULC, 1133 Melville Street, Vancouver, BC V6E 4E5. When the services provided by Provider to Customer(s) relate to Hinge the Data Exporter is Hinge, Inc.,8750 North Central Expressway, Suite 1400, Dallas, TX 75231.
|
| Contact person’s name, position and contact details | DPOVendors@match.com |
| Activities relevant to the data transferred under these Clauses | Data exporter receives Services from data importer under the Agreement. |
| Signature and date | By entering into the Agreement, Customer is entering into these Clauses, unless both Customer and Provider are located in a country considered to have an adequate level of data protection pursuant to Data Protection Laws or a decision of the responsible Supervisory Authority, in which case these Clauses are not required between Customer and Provider. |
| Role (controller/processor): | Controller |
Data Importer(s):
| Data Importer(s)’s name and address | Data Importer is the Provider with a place of business as set out in the Agreement. |
| Contact person’s name, position and contact details | As set out in the Agreement |
| Activities relevant to the data transferred under these Clauses | Data importer provides Services to data exporter pursuant to the Agreement. |
| Signature and date | By entering into the Agreement, Provider is entering into these Clauses, unless both Customer and Provider are located in a country considered to have an adequate level of data protection pursuant to Data Protection Laws or a decision of the responsible Supervisory Authority, in which case these Clauses are not required between Customer and Provider. |
| Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
As set out in Section 2 of the DPA (Details of Processing)
Categories of personal data transferred:
As set out in Section 2 of the DPA (Details of Processing)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed organization training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
No, unless specified in Section 2 of the DPA (Details of Processing). Where sensitive data are transferred, the technical and organizational measures set out in Annex II of the EU SCC and the Vendor Security Questionnaire include the applied restrictions and safeguards that fully take into consideration the nature of the sensitive data and the risks involved.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): As set out in the Agreement and/or the Vendor Security Questionnaire.
Nature of the processing:
As set out in Section 2 of the DPA (Details of Processing)
Purpose(s) of the data transfer and further processing:
The purpose(s) is to provide and secure the Services, or as otherwise set out in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The period for which the Personal Data will be retained is set out in Section 2 of the DPA (Details of Processing) and in the Vendor Security Questionnaire.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature of processing and duration of processing are set out in Section 2 of the DPA (Details of Processing) and / or in the Vendor Security Questionnaire.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE TO THREE
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority is identified in accordance with Clause 13 depending on where the data exporter is established or data subject is located as determined by the circumstances of each case.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE ONE TO THREE
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The technical and organizational measures are set out in the Vendor Security Review questionnaire, in the DPA and the Agreement.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The technical and organizational measures are as set out in the Vendor Security Review questionnaire, in the DPA and the Agreement. Further, the Services are designed to enable Customer to deal with any inquiries and requests that Customer receives from a data subject related to the processing of her/his Personal Data and the exercise of her/his rights. If Customer requires further assistance, Provider has implemented organizational measures to assist Customer and Customer may contact them via the contact details provided in the Agreement.
ANNEX III – LIST OF SUB-PROCESSORS
MODULE TWO AND THREE
This Annex III does not apply since the general authorization specified in Section 3.10 of the DPA (Subcontracting) applies. A list of the subprocessors is made available to Customer in accordance with that same section.
1.2 The UK addendum to the EU SCC
a. The Section 1.1 The EU Standard Contractual Clauses above and the United Kingdom’s International Data Transfer Addendum to the EU SCC (together, the (UK Addendum to the EU SCC)) will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation and where Provider is located in or Personal Data is transferred to Non-Adequate Countries.
b. The UK Addendum to the EU SCC is completed as below and modifies the Section 1.1.c. above.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
a. Part 1: Tables
Table 1: Parties
| Start date | Date of signature of the DPA. | |
| The Parties | Exporter(s) listed in annex I of Appendix 1 who makes a Restricted Transfer subject to the UK Data Protection Act 2018 (as revised) | Importer(s) listed in annex I of Appendix 1 who receives the Restricted Transfer subject to the UK Data Protection Act 2018 (as revised) |
| Parties’ details | Full legal name: as set forth in Annex I of the EU SCC
Main address (if a company registered address): as set forth in Annex I of the EU SCC Official registration number (if any) (company number or similar identifier): if any, as set forth in Annex I of the EU SCC |
Full legal name: as set forth in Annex I of the EU SCC
Main address (if a company registered address): as set forth in Annex I of the EU SCC Official registration number (if any) (company number or similar identifier): if any, as set forth in Annex I of the EU SCC |
| Key Contact | As set forth in Annex I of the EU SCC | As set forth in Annex I of the EU SCC |
| Signature (if required for the purposes of Section 2) | Not required | Not required |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information.
Date: Date of the signature of the Agreement. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: As set forth under “Parties’ details” above. |
| Annex 1B: Description of Transfer: As set forth in Annex I of the EU SCC |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set forth in Annex II of the EU SCC |
| Annex III: List of Sub processors (Module 2 only): As set forth in Annex III of the EU SCC |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19:
Neither Party |
b. Part 2: Mandatory Clauses
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
1.1.3 Swiss Amendments to the EU SCC
In case of a transfer of Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992; as of September 1, 2023, its totally revised version of 25 September 2020 (‘FADP’) where Provider is located in or Personal Data is transferred to Non-Adequate Countries, the EU SCC included in Section 1.1 apply, with the following amendments:
a. The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority in accordance with Clause 13 and Annex I.C of the EU SCC;
b. The governing law in accordance with Clause 17 of the EU SCC shall be Swiss law in case the data transfer is exclusively subject to the FADP;
c. The term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EU SCC; and
d. References to the GDPR in the EU SCC shall also include the reference to the equivalent provisions of the FADP (as amended or replaced).
1.1.4 Thai Amendments to the EU SCC
In case of a transfer of Customer Personal Data subject to the Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (‘PDPA’), where Provider is located in or Personal Data is transferred to Non-Adequate Countries, the EU SCC included in Section 1.1 apply, with the following amendments:
e. The Thai Personal Data Protection Committee is the competent supervisory authority in accordance with Clause 13 and Annex I.C of the EU SCC;
f. The governing law in accordance with Clause 17 of the EU SCC shall be Thailand law in case the data transfer is exclusively subject to the PDPA;
g. The term “member state” must not be interpreted in such a way as to exclude data subjects in Thailand from the possibility of suing for their rights in their place of habitual residence (Thailand) in accordance with Clause 18 of the EU SCC; and
h. References to the GDPR in the EU SCC shall also include the reference to the equivalent provisions of the PDPA (as amended or replaced).
1.1.5 Applicability of the EU SCC for other Data Protection Laws
The EU SCC apply to the processing of Personal Data subject to any other Data Protection Laws endorsing the EU SCC as a valid transfer mechanism, or allowing the use of the EU SCC to the extent not in conflict with the respective model clauses requirements, where Provider is located in or Personal Data is transferred to Non-Adequate Countries. In this case, the EU SCCs included in Section 1.1 apply, with the following amendments:
a. The supervisory authority in accordance with Clause 13 and Annex I.C of the EU SCC shall be the competent supervisory authority as stated in the applicable Data Protection Law;
b. The governing law in accordance with Clause 17 of the EU SCC shall be the law of the country of applicable Data Protection Law;
c. The choice of forum and jurisdiction in accordance with Clause 18 of the EU SCC shall be the one applicable under the law of the country of applicable Data Protection Law; and
d. Any references to the GDPR in the EU SCC shall also include the reference to the equivalent provisions of the applicable Data Protection Law.
1.2 The Serbian Law on Personal Data Protection (Serbian SCC)
a. The Serbian SCC apply to the Processing of Customer Personal Data subject to the Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018) where Provider is located in or Personal Data is transferred to Non-Adequate Countries.
b. By entering into the Agreement, Provider and Customer are entering into the Serbian SCC as adopted by the “Serbian Commissioner for Information of Public Importance and Personal Data Protection”, published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx to provide an adequate level of protection.
c. Information required to complete Appendices 1 to 8 of the Serbian SCC for the purpose of governing the transfer of Personal Data to a Non-Adequate Country can be found in the DPA.
1.3 The Turkish Law on the Protection of Personal Data (Turkish SCC)
a. The Turkish standard contractual clauses (as approved by the Turkish Personal Data Protection Board and published at https://www.kvkk.gov.tr (‘Turkish SCC’)) apply to the Processing of Customer Personal Data subject to the Law on the Protection of Personal Data no 6698 dated April 7, 2016, and its implementing regulations (‘Turkish Data Protection Law’), where Provider is located in or Personal Data is transferred to Non-Adequate Countries. The parties acknowledge that the applicable module of the Turkish SCC is the module covering the Personal Data transfer from Customer acting as the Controller to the Provider acting as the Processor.
b. For the purposes of Clauses 8 (Sub-Processors) and 10 (Redress) of the Turkish SCC, the options set forth under Section 1.1.c of Schedule 1 of the DPA , Clause 9 and Clause 11 of the EU SCC apply respectively. Information required to complete the Annexes I to II of the Turkish SCC can be found in the Appendix of the EU SCC.
1.4 The Saudi Arabia Personal Data Protection Law (SA SCC)
a. The Saudi Arabia standard contractual clauses (as approved by the Saudi Data and AI Authorityand published at https://sdaia.gov.sa/en/SDAIA/about/Pages/RegulationsAndPolicies.aspx (‘SA SCC’)) apply to the Processing of Customer Personal Data subject to the Saudi Arabia Personal Data Protection Law issued pursuant to Royal Decree No. (M/19) dated 9/2/1443 AH, as amended from time to time, and its implementing regulations (‘Saudi Arabia Data Protection Law’), where Provider is located in or Personal Data is transferred to Non-Adequate Countries. The parties acknowledge that the applicable module of the SA SCC is the module covering the Personal Data transfer from Customer acting as the Controller to the Provider acting as the Processor.
b. Information required to complete the Appendices 1 to 3 of the SA SCC can be found in the Appendix of the EU SCC.
1.5 The Brazilian General Data Protection Law (Brazilian SCC)
a. The Brazilian standard contractual clauses, as adopted by the National Data Protection Authority under Resolution n. 19/2024 and its Annex II of August 23,2024 (‘Brazilian SCC’), apply to the Processing of Customer Personal Data subject to the Brazil General Data Protection Law (Federal Law n. 13.709/2018 – Lei Geral de Proteção de Dados Pessoais (‘LGPD’)) where Provider is located in or Personal Data is transferred to Non-Adequate Countries. The parties acknowledge that Customer acts as the Controller transferring the Personal Data to Provider acting as the Processor.
b. Information required to complete Clauses 1 (Identification of the Parties) and 2 (Object) of the Brazilian SCC is provided in the Annex IA of the EU SCC. The designated contact for data subjects is the contact person specified in the Annex IA of the EU SCC. For the purposes of Clause 3 (Onward Transfers) of the Brazilian SCC, Option B applies and is completed in accordance with the details set out in Annex IB of the Appendix of the EU SCC.
c. For the purposes of Clause 4 (Responsibilities of the Parties) of the Brazilian SCC, Customer shall be the Designated Party (as defined in the Brazilian SCC) for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting).
d. Information required to complete Section 3 (Security Measures) of the Brazilian SCC is set forth in the Annex II of the Appendix of the EU SCC.