DATA PROCESSING ADDENDUM
Created: 25.09.2024

  1. How this Data Processing Addendum (DPA) Applies

1.1 This Data Processing Addendum ("DPA") forms part of PICO's Enterprise User Terms of Service (hereinafter the “Enterprise User Terms”) when an Enterprise User has entered into the Enterprise User Terms with PICO for any of the Services. Pursuant to the Terms, PICO provides the Services to the Enterprise User and processes certain personal data of the Enterprise User and its Authorised Users, as described in further detail in Schedule 1 (Processing Details).
1.2 This DPA is to ensure that PICO processes Enterprise User Controlled Data, as described in our Privacy Policy, on the Enterprise User’s documented instructions and in compliance with Applicable Data Protection Laws.
1.3 Enterprise User and PICO hereby agree to be bound by the obligations in this DPA.

  2. Definitions

2.1 All terms capitalised but not defined in this DPA have the meaning set out in the Enterprise User Terms and/or the Privacy Policy. For the purposes of this DPA, the following expressions shall have the following meanings:
(a) “Applicable Data Protection Laws” means any applicable law, rule, statute, regulation, order, standard and other similar instrument or other enactment pertaining to data protection or the processing of Enterprise User Controlled Data, in each case as amended, consolidated, re-enacted or replaced from time to time;
(b) “DPA” means this Data Processing Addendum and incorporates the terms and conditions set out in the Local Law Schedules hereto;
(c) “Enterprise User Controlled Data” means personal data shared by the Customer which PICO processes in its capacity as a processor;
(d) “Local Law Schedule(s)” means the schedules attached hereto which set forth specific local law requirements relevant to the processing of Enterprise User Controlled Data hereunder.
(e) “Services” means services provided by PICO; and
(f) “controller”, "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in Applicable Data Protection Laws.

  3. Local Law Schedules

3.1 To the extent PICO processes any Enterprise User Controlled Data which is subject to the Applicable Data Protection Laws of a jurisdiction for which there is a Local Law Schedule, the terms of that Local Law Schedule will apply to PICO’s processing of such Enterprise User Controlled Data. If there is any conflict between the terms set forth in Clauses 1 to 7 of this DPA and the terms of the relevant Local Law Schedule, the terms of the relevant Local Law Schedule shall prevail.

  4. Relationship of the Parties

4.1 The Customer (the controller) appoints PICO as a processor to process the Enterprise User Controlled Data described in Schedule 1 of this DPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Laws.

  5. Enterprise User’s Obligations

5.1 Enterprise User acknowledges and agrees that PICO collects, uses, discloses and/or processes Enterprise User Controlled Data in accordance with the Enterprise User’s documented instructions, and solely for purposes of performing the Services and PICO’s obligations except where otherwise required by law(s) that are not incompatible with the Applicable Data Protection Laws. Enterprise User remains at all times the controller of Enterprise User Controlled Data that determines the means and purposes of processing of Enterprise User Controlled Data and shall be primarily responsible for Enterprise User Controlled Data.
5.2 Enterprise User warrants that:
(a) the legislation applicable to it does not prevent PICO from fulfilling the instructions received from the Enterprise User and performing PICO’s obligations under this DPA; and
(b) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to enable the processing of the Enterprise User Controlled Data by PICO as set out in this DPA and as envisaged by the Enterprise User Terms.
5.3 Notwithstanding anything to the contrary hereunder, the Enterprise User acknowledges and agrees that it is Enterprise User’s sole and exclusive responsibility to:
(a) prior to disclosing any Enterprise User Controlled Data to PICO, inform the relevant data subjects of the purposes for which their personal data may be collected, used, disclosed and/or processed by PICO on behalf of the Enterprise User, obtain all necessary consents from the relevant data subjects for such collection, use, disclosure and/or processing of Enterprise User Controlled Data by PICO on behalf of the Enterprise User (if such consents are required under Applicable Data Protection Laws), fulfill any requirements applicable to the international transfer of Enterprise User Controlled Data (including by providing any required agreements or terms, such as any recognized standard contractual clauses, and/or related assessments to be completed for this purpose), and provide PICO with written records of the same (“Records”). For the avoidance of doubt, PICO shall be under no obligation to collect, use, disclose or process any Enterprise User Controlled Data until it is reasonably satisfied that the Enterprise User has secured the Records in relation thereto;
(b) convey the information notices as required by Applicable Data Protection Laws;
(c) make any necessary filings or reporting to the appropriate data protection authority(ies);
(d) ensure the accuracy, quality, completeness and legality of the Enterprise User Controlled Data that is disclosed to PICO by the Enterprise User;
(e) enforce and comply with any request from any data subject to exercise their rights under Applicable Data Protection Laws, including without limitation requests to access, correct, and/or erase any Enterprise User Controlled Data of such data subjects, and to promptly notify PICO of the same;
(f) promptly notify PICO if any data subject withdraws his/her consent for his/her personal data to be collected, used, processed or disclosed as contemplated under PICO’s Privacy Policy;


(h) at the request of PICO, promptly execute such documents, as PICO may reasonably require, in order to facilitate PICO’s compliance with any Applicable Data Protection Laws.
5.4 The Enterprise User acknowledges and agrees that PICO shall not be required to, and shall be entitled to refuse to collect, use, disclose and/or process any Enterprise User Controlled Data:
(a) for which there are no Records or for which PICO reasonably believes there are no Records; or
(b) in a way that does not comply with the terms hereunder or Applicable Data Protection Laws,
provided that PICO shall promptly notify the Enterprise User of such refusal in writing stating its reasons, and such refusal shall not constitute a basis for the Enterprise User to allege that PICO has repudiated this DPA, Enterprise User Terms or any agreements.

  6. PICO’s Obligations

6.1 PICO shall only process Enterprise User Controlled Data (including with regard to data transfers) in accordance with, and for the purposes documented in this DPA and any further written instructions from the Enterprise User documented and agreed by PICO as constituting further instructions.
6.2 PICO will comply with the instructions described in this DPA unless other processing of Enterprise User Controlled Data is otherwise required by Applicable Data Protection Laws to which PICO is subject; in such a case, PICO shall notify Enterprise User prior to the processing activities not in accordance with Enterprise User’s instructions provided that such notification is not prohibited based on public interests under Applicable Data Protection Laws.
6.3 PICO shall ensure that personnel authorised to process Enterprise User Controlled Data maintain the confidentiality of such Enterprise User Controlled Data.
6.4 Technical and organisational security measures. PICO shall implement appropriate technical and organisational security measures for the protection of Enterprise User Controlled Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Personal Data Breach"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
For further information, please refer to ANNEX II of Schedule 4 (as updated from time to time).
6.5 Data Subject Rights. Where applicable, PICO will provide reasonable assistance (including by appropriate technical and organisational measures) to the Customer, in a manner consistent with the functionality of the Services, to enable Enterprise User to fulfil its obligations to respond to requests for the exercise of rights by a data subject under Applicable Data Protection Laws.
6.6 Sub-processors. Enterprise User hereby authorises PICO to subcontract its processing obligations under this DPA to its affiliates, and to other third party sub-processors as listed here. PICO ensures that it has a written agreement in place with all sub-processors which imposes obligations on such sub-processors which are commensurate with PICO’s obligations under this DPA, and PICO shall remain responsible for processing by such sub-processors.
6.7 International Transfers. PICO may process Enterprise User Controlled Data in jurisdictions other than where such Enterprise User Controlled Data was collected only in accordance with this DPA and Applicable Data Protection Laws, including by entering into any additional agreements with Enterprise User (such as standard contractual clauses recognized by the relevant Applicable Data Protection Law), and/or implementing any additional measures required.
6.8 Deletion or Return of Data. PICO shall delete Enterprise User Controlled Data in accordance with the Enterprise User Terms.
6.9 Personal Data Breaches. PICO shall promptly notify Enterprise User about any Personal Data Breach relevant to Enterprise User Controlled Data. At the time of notification or as soon as possible after notification, such notice shall include relevant details of the Personal Data Breach, where possible.

  7. Indemnity

Without prejudice to the indemnity obligations already covered in the Enterprise User Terms, Enterprise User agrees to defend, indemnify and hold PICO harmless from and against any and all loss, costs, expenses (including reasonable legal fees), suits, actions, claims or proceedings arising from an actual or potential breach of this DPA by Enterprise User and/or Authorised Users, or any regulatory, private lawsuit or governmental action related to the processing conducted in relation to this DPA.

  8. Miscellaneous

8.1 This DPA shall remain in force for the duration of the Enterprise User Terms, for which this DPA forms a part thereof or for so long as PICO processes Enterprise User Controlled Data, whichever is longer.
8.2 Unless indicated otherwise, if there is any conflict between the provisions of this DPA and the remainder of the Enterprise User Terms, this DPA shall prevail to the extent of such conflict.
8.3 This DPA and any dispute or claim in connection with it shall be governed by and construed in accordance with the governing law of the Enterprise User Terms, for which this DPA forms a part thereof. The Enterprise User and PICO hereby submit to the jurisdiction of the dispute resolution venue(s) as set out in the Enterprise User Terms.

SCHEDULE 1
Processing Details
Data exporter / Sharing Party
Enterprise User, as the data exporter / sharing party, is using Services provided by PICO. These Services may include the processing of Enterprise User Controlled Data by PICO as the data importer / receiving party.
Data importer / Receiving Party
PICO is providing Services and support to Enterprise User as described in this DPA.
Processing Operations
Processing activities, nature and purpose: Personal data is processed for the purpose of providing the Services. Personal data will be collected, analysed, used, retained, deleted for the purpose of providing the Services. The processing activities are more fully described in the Privacy Policy.
Data Subjects: Individuals about whom data is provided to PICO via the Services, include the following:
Enterprise Users and/or Authorised Users
Employees of Enterprise User
Enterprise User’s prospects and Enterprise Users
Enterprise User’s vendors and suppliers
Enterprise User’s business partners
Prospects, Enterprise Users, vendors, suppliers, and business partners of Enterprise User (who are natural persons)
Other data subjects that Enterprise User and/or Authorised Users conduct business or have relationships with.
Categories of Data: Data relating to the data subjects provided to PICO by the Enterprise User in the course of PICO providing the Services as described in PICO’s Privacy Policy.
Special Categories of Data (if appropriate): No sensitive data or special categories of data are intended to be transferred, but may be contained in the Enterprise User’s contents.
Subject Matter: PICO’s provision of the Services to Enterprise User.
Duration: The term as set out in the Enterprise User Terms plus the period from expiry of the aforesaid term until deletion of personal data by PICO in accordance with the Enterprise User Terms.


SCHEDULE 2
US Local Law Schedule
In addition to clauses 1 to 7 of this DPA, Enterprise User and PICO will comply with the following terms to the extent that PICO collects, uses, retains, discloses or otherwise Processes Personal Information about an individual in the U.S. included in Enterprise User Controlled Data (“U.S. Personal Information”) when providing Services to Enterprise User. In this Schedule, the following terms shall have the following meanings:

  1. PICO’s Obligations

1.1 Compliance. PICO and Enterprise User agree that Enterprise User is Controller and PICO is Enterprise User’s Processor. PICO shall comply with Applicable Data Protection Laws in the U.S. Data Protection Laws.
1.2 Confidentiality. PICO shall ensure that its personnel who are authorized to Process U.S. Personal Information are subject to an appropriate duty of confidentiality.
1.3 Sub-Processors. Enterprise User hereby authorises PICO to subcontract its processing obligations under this DPA to its affiliates, and to other third party sub-processors as listed here. PICO ensures that it has a written agreement in place with all sub-processors which contains obligations on the sub-processors which are no less onerous on the relevant sub-processors than the obligations on PICO under this DPA. If PICO appoints any new sub-processors or intends to make any changes concerning the addition or replacement of the sub-processors, it shall provide the Enterprise User with prior notice, during which the Enterprise User can object against the appointment or replacement by terminating the DPA on written notice to PICO. If Enterprise User does not object within five (5) days of the date of the notice, PICO may proceed with the appointment or replacement of the relevant sub-processor(s).
1.4 Documentation and Audits. PICO shall make information available to the Controller upon reasonable request to demonstrate PICO’s compliance with its obligations under this DPA, including by permitting and cooperating with Controller (or an independent third party designated by controller) to conduct reasonable assessments for this purpose;
1.5 California. To the extent that PICO Processes Personal Information on behalf of Enterprise User that is subject to the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100-1798.199 (“CCPA”), PICO shall:
1.5.1 comply with the CCPA and provide the same level of privacy protection as required of Enterprise User by the CCPA;
1.5.2 Process such Personal Information only for limited and specified business purpose(s) and shall not “sell” or “share” (as defined in the CCPA) such Personal Information, nor retain, use, or disclose such Personal Information for any other purpose outside the direct business relationship with Enterprise User unless expressly permitted to do so by the CCPA;
1.5.3 enable Enterprise User to take reasonable and appropriate steps to ensure PICO Processes Personal Information in accordance with the CCPA, including by conducting audits in accordance with Clause 1.4 of this Schedule 3, and to stop and remediate any unauthorized Processing; and
1.5.4 notify Enterprise User if it makes a determination that it can no longer meet its obligations under the CCPA.

SCHEDULE 3
EU and UK Local Law Schedule
In addition to clauses 1 to 7 of this DPA, Enterprise User and PICO will comply with the following terms to the extent that PICO processes personal data in providing the Services which is subject to the EU GDPR and/or the UK GDPR.

  1. Definitions and Interpretation

(a) “Alternative Safeguards” means a solution, other than the EU Standard Contractual Clauses and/or the UK Addendum to the EU Standard Contractual Clauses (as applicable), that enables the lawful transfer of Personal Data to a country which has not been deemed adequate for the purposes of: (a) the EU GDPR by the European Commission (as updated from time to time); or (b) the UK GDPR by the UK Secretary of State (as updated from time to time);
(b) “EU GDPR” means the General Data Protection Regulation 2016/679;
(c) “ICO” means the UK Information Commissioner’s Office;
(d) “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;


(f) “EU Standard Contractual Clauses” means the standard contractual clauses (including the provisions of module two: transfer controller to processor) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 set out in the European Commission Decision of 4 June 2021 (2021/914/EU), as set out in Schedule 4; and
(g) “UK Addendum to the EU Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the ICO and laid before the UK Parliament in accordance with s119A of the UK Data Protection Act 2018 on 2 February 2022, as amended from time to time.

  2. PICO’s Obligations

2.1 Instructions. PICO shall inform the Enterprise User if it becomes aware that an instruction from the Enterprise User would infringe the Applicable Data Protection Laws (but without obligation to actively monitor the Customer’s compliance with Applicable Data Protection Law).
2.2 Confidentiality. PICO shall ensure that any persons authorised to process Enterprise User Controlled Data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.3 Data Protection Impact Assessment. If the Customer believes or becomes aware that its processing of the Enterprise User Controlled Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform PICO and PICO shall provide the Customer with reasonable assistance to enable the Customer to conduct a data protection impact assessment in accordance with Applicable Data Protection Laws.
2.4 Deletion. Upon termination of this DPA in accordance with the Enterprise User Terms, PICO shall (at the Enterprise User’s election) destroy or return to the Enterprise User all of the Enterprise User Controlled Data in its possession or control and delete existing copies unless PICO is required by any Applicable Data Protection Laws to retain some or all of the Enterprise User Controlled Data.
2.5 Audit
(a) PICO shall, upon written request from Enterprise User, permit the Enterprise User to audit PICO’s compliance with the obligations laid down in this DPA and shall make available to the Customer all information, systems and staff necessary for the Customer to conduct such audit. The Customer will not exercise its audit rights more than once in any twelve calendar month period.
(b) In the event that the information provided in accordance with paragraph 2.5(a) above is insufficient to reasonably demonstrate compliance, PICO shall permit Enterprise User upon thirty (30) days’ written notice, to procure an independent third party auditor chosen by the Enterprise User on reasonable notice to audit PICO’s compliance with PICO’s obligations under this DPA. Such audits shall (i) be at Enterprise User’s cost; (ii) be conducted between 9am-5pm on business days (excluding, for the avoidance of doubt, weekends and public holidays); (iii) not be conducted by any competitor of PICO; (iv) not interfere with PICO’s day-to-day business; and (v) shall, to the extent an inspection is required, be limited to an inspection of PICO’s processing facilities in order to review compliance with this DPA.

  3. Data Transfers

3.1 Enterprise User agrees that PICO may transfer Enterprise User Controlled Data to: (a) any country subject to an adequacy decision or adequacy regulation for the purposes of the EU GDPR and/or UK GDPR (as applicable) (an “Adequacy Decision”); and (b) any country outside the European Economic Area or the UK (as applicable) that is not subject to an Adequacy Decision (a “Restricted Transfer”), provided that such a transfer is made in compliance with Applicable Data Protection Law and pursuant to the EU Standard Contractual Clauses, the UK Addendum to the EU Standard Contractual Clauses incorporated into this DPA or Alternative Safeguards (as applicable).
3.2 Where there is a Restricted Transfer from the European Economic Area, the EU Standard Contractual Clauses as set out in Schedule 4 shall apply.


3.3 Where there is a Restricted Transfer from the UK, the UK Addendum to the EU Standard Contractual Clauses as set out in Schedule 5 shall apply.


3.4 In the event that any provision of this Agreement contradicts, directly or indirectly, the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail.

  4. Alternative Safeguards

4.1 If the parties’ compliance with EU GDPR or UK GDPR requirements relating to international transfers of Enterprise User Controlled Data is affected by circumstances outside of the parties’ control, including if the EU Standard Contractual Clauses and/or the UK Addendum to the EU Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the parties will work together in good faith to reasonably resolve any non-compliance.
4.2 If PICO is notified by any law enforcement, regulatory, judicial or governmental authority (an “Authority”) that such Authority wishes to access some or all of the Enterprise User Controlled Data, whether on a voluntary or a mandatory basis, PICO shall: (i) promptly notify Enterprise User of such Authority’s request; (ii) inform the Authority that Enterprise User has not authorised PICO to disclose that Personal Data to the Authority; (iii) inform the Authority that such requests should be made to Enterprise User in writing; and (iv) not provide the Authority with such Personal Data unless and until authorised by Enterprise User.
4.3 In the event PICO is prohibited from complying with paragraph 4.2 of this Schedule 2, PICO shall use reasonable efforts to challenge such prohibition.
4.4 If PICO makes a disclosure of Enterprise User Controlled Data to an Authority, it shall do so only to the extent required by the Authority.
4.5 Paragraphs 4.2 and 4.3 of this Schedule 2 shall not apply in the event that PICO has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, PICO shall notify Enterprise User as soon as possible following such Authority’s access and provide Enterprise User with full details of the same, unless and to the extent prohibited from doing so.

  5. Sub-Processors

5.1 In addition to clause 6.5, if PICO appoints a new sub-processor or intends to make any changes concerning the addition or replacement of the sub-processors, it shall provide the Enterprise User with 5 days’ prior notice through listing such sub-processors here, such that the Enterprise User can object on reasonable grounds to the appointment or replacement by terminating the DPA on written notice to PICO. If Enterprise User does not object within five (5) days of the date of the notice, PICO may proceed with the appointment or replacement of the relevant sub-processor(s).


SCHEDULE 4
EU Standard Contractual Clauses: Module Two: Controller to Processor Transfers
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the relevant Appendices and signing Annex I.A.
(b) Once it has completed the relevant Appendices and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the relevant Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 5 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C., shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.


SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.


SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.


APPENDIX


ANNEX I


A. LIST OF PARTIES
Data exporter(s):
Name: The entity which is the “Enterprise User” under the Enterprise User Terms.
Address: The address of the “Enterprise User” under the Enterprise User Terms.
Contact person’s name, position and contact details: The contact details for the Enterprise User’s account.
Activities relevant to the data transferred under these clauses: The activities set out in Schedule 1 to the DPA.
Signature and date: The Enterprise User as data exporter is deemed to have signed this Annex I by using the Services and transferring Enterprise User Controlled Data.
Role (controller/processor): Controller
Data importer(s):
Name: The “PICO” contracting entity as set out in the Enterprise User Terms.
Address: The address for the PICO contracting entity as set out in the Enterprise User Terms.
Contact person’s name, position and contact details: The contact details set out in the Enterprise User Terms.
Activities relevant to the data transferred under these Clauses: The activities set out in Schedule 1 to the DPA.
Signature and date: PICO as data importer is deemed to have signed this Annex I by providing the Services and receiving Enterprise User Controlled Data.
Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As set out in Schedule 1 to the DPA.

Categories of personal data transferred
As set out in Schedule 1 to the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
As set out in Schedule 1 to the DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data is transferred on a continuous basis.

Nature of the processing
As set out in Schedule 1 to the DPA.

Purpose(s) of the data transfer and further processing
As set out in Schedule 1 to the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As set out in Schedule 1 to the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing is as set out in Schedule 1 to the DPA.

C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority for the data exporter will be determined in accordance with the GDPR.

ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
PICO shall implement appropriate technical and organisational security measures for the protection of Enterprise User Controlled Data. These include:


(a) Information Security Policies
(b) Organization of Information Security
(c) Human Resource Security
(d) Asset Management
(e) Access Control
(f) Cryptography
(g) Physical and Environmental Security
(h) Operations Security
(i) Communications Security
(j) System acquisition, development and maintenance
(k) Supplier relationships
(l) Information security incident management



For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
The technical and organisational measures that the data importer will impose on sub-processors are described above. The list of sub-processors is available here.

SCHEDULE 5
UK Addendum to the EU Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
The party details set out in Annex IA of Schedule 4 shall apply and be deemed inserted into Table 1 of the UK Addendum.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, including the Appendix Information as set out in Schedule 4.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: The party details set out in Annex IA of Schedule 4 shall apply and be deemed inserted into Table 3 of the UK Addendum.

Annex 1B: Description of Transfer: The information set out in Annex IB of Schedule 4 shall apply and be deemed inserted into Table 3 of the UK Addendum.

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: The technical and organisational measures set out in Annex II of Schedule 4 shall apply and be deemed inserted into Table 3 of the UK Addendum.

Annex III: List of Sub processors (Modules 2 and 3 only): The information set out in Clause 5 of Schedule 2 shall apply and be deemed inserted into Table 3 of the UK Addendum.
Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19 of the Mandatory Clauses: Either the Importer or the Exporter.
Part 2: Mandatory Clauses

Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

SCHEDULE 6
Brazil Local Law Schedule
In addition to clauses 1 to 7 of this DPA, Enterprise User and PICO will comply with the following terms to the extent that any Enterprise User Controlled Data Processed by PICO pursuant to the Enterprise User Terms is within the jurisdictional scope of Brazil’s LGPD.

  1. DEFINITIONS AND INTERPRETATION

1.1 All terms defined in clause 2 of the DPA shall have the same meaning when used in this Brazil Local Law Schedule, except where otherwise provided below:
(A) "Controller" means a natural person or a legal entity, of public or private law, that makes decisions regarding the Processing of Personal Data;
(B) “LGPD” means Brazilian Federal Law n. 13.709/18 - Brazilian General Personal Data Protection Law ("LGPD") and its regulations;
(C) “Personal Data” means any information relating to an identified or identifiable natural person;
(D) "Processor" means a natural person or a legal entity, of public or private law, that processes personal data on behalf and according to the instructions of the controller;
(E) “Processing” (including its cognate forms) means any operation or set of operations that is performed on Personal Data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, diffusion or extraction;
(F) "Sensitive Data" has the meaning given to the term in the LGPD and includes Personal Data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person; and
(G) "Regulator" means the Brazilian National Data Protection Authority ("ANPD"), which has jurisdiction over Enterprise User's Processing of Personal Data subject to the LGPD.

  2. ROLES

2.1 The Parties acknowledge and agree that:
(A) PICO shall Process Enterprise User Controlled Data as further described in Schedule 1 (Processing Details) as a Processor, for and on behalf of the Enterprise User, for the purposes of providing the Services to Enterprise User, and
(B) Enterprise User remains at all times the Controller primarily responsible for the Personal Data.

  3. ENTERPRISE USER OBLIGATIONS

3.1 Prior to disclosing any Enterprise User Controlled Data to PICO, Enterprise User shall inform the Data Subjects, in a clear and accessible manner, about the Purposes for which their Personal Data will be Processed and shared;
3.2 Enterprise User shall determine the purposes and means of Processing Enterprise User Controlled Data, which shall be observed by PICO, by way of documented instructions indicating such purposes and means in a clear and accessible manner;
3.3 Enterprise User must:
(A) ensure that the Processing of Enterprise User Controlled Data complies with the legal requirements described in the LGPD, providing the necessary instructions so that PICO can adopt the appropriate measures for the Processing of Enterprise User Controlled Data;
(B) ensure that it has the necessary legal basis to disclose Enterprise User Controlled Data to PICO, as well as to ensure that PICO can carry out the Processing of Enterprise User Controlled Data in accordance with the terms of the DPA and the Enterprise User Terms;
(C) protect the interests of Data Subjects with due care and, in particular, ensure that Enterprise User Controlled Data is Processed in accordance with the LGPD;
(D) adopt privacy and Personal Data protection governance policies, with measures to prevent the misuse of Personal Data, contingency plans and possible penalties for violations of the legal obligations established therein, in accordance with the LGPD;
(E) appoint a responsible person to act as a communication channel in matters relating to Personal Data, especially with Enterprise User, Data Subjects and the ANPD;
(F) immediately notify PICO if any Data Subject requests the exercise of their rights and this results in the need for PICO to take any measures.
3.4 Enterprise User acknowledges and agrees that PICO shall be under no obligation to, and shall be entitled to refuse to Process any Enterprise User Controlled Data that has not been obtained in accordance with this DPA and the LGPD.
(A) PICO shall promptly notify Enterprise User of such refusal in writing stating its reasons, and such refusal shall not constitute a basis for Enterprise User to allege that PICO has breached its obligations under this DPA or the Agreements.
3.5 Enterprise User warrants that:
(A) all Enterprise User Controlled Data disclosed to PICO is accurate and complete at the time of such disclosure, and will notify PICO if the Enterprise User Controlled Data is updated and/or changed after such disclosure;
(B) it will act at all times in accordance with the LGPD; and
(C) Enterprise User will not attempt to access, upload, distribute or make available for distribution any proprietary and/or confidential data unless the Data Subject has sufficient rights and proper authorization to do so.
3.6 Enterprise User authorizes PICO to subcontract third parties to assist in the provision of the Services referred to in the DPA and the Enterprise User Terms, provided that PICO takes due care to ensure that Processing to be carried out by sub-processors is limited to the purposes authorized by the Enterprise User and that the third party guarantees minimum security conditions for the Processing of Enterprise User Controlled Data.

  4. PICO OBLIGATIONS

4.1 PICO shall make available all information necessary to demonstrate compliance with the obligations laid down in the DPA, including this Brazil Local Law Schedule, and shall allow for and contribute to audits, including inspections, conducted by Enterprise User or an auditor mandated by Enterprise User.
4.2 If PICO is to entrust all or part of the Processing of Enterprise User Controlled Data to a sub-processor, Enterprise User may make a written confirmation request to PICO concerning the status of the security control measures of the sub-processor.
4.3 At the Enterprise User's request, PICO shall cause the sub-processor to be subject to an audit of its handling of Enterprise User Controlled Data.

  5. INTERNATIONAL DATA TRANSFER

5.1 Enterprise User Controlled Data may be transferred to, and processed in, countries other than Brazil.
5.2 PICO will take appropriate safeguards to require that Enterprise User Controlled Data will remain protected in accordance with this DPA and the LGPD. These include implementing the Standard Contractual Clauses or other transfer mechanism provided by the LGPD for international transfers of Personal Data between the parties.
5.3 In respect to Personal Data transfers from Brazil, the Enterprise User and PICO shall enter into and comply with the Brazilian Standard Contractual Clauses, as set out in Annex III below.

  6. TERMINATION

6.1 This DPA will remain in force for the duration of the Enterprise User Terms or so long as PICO is Processing Enterprise User Controlled Data, whichever is later.
6.2 Should any of the clauses and conditions of this DPA be declared null and void, in whole or in part, for any legal or contractual reason, the remaining clauses shall continue in full force and effect.
6.3 Upon termination of the DPA or after the end of provision of any Services under the Enterprise User Terms, PICO shall return all relevant Enterprise User Controlled Data in its possession to the Enterprise User, delete and stop Processing all of Enterprise User Controlled Data, except if otherwise required by applicable laws.

ANNEX III
Brazilian Standard Contractual Clauses

Section I - General Information
CLAUSE 1. Identification of the Parties
1.1. By this contractual instrument, the Exporter and the Importer (hereinafter, Parties), identified below, agree to adopt the standard contractual clauses (hereinafter Clauses) approved by the National Data Protection Authority (ANPD), to govern the International Data Transfer described in Clause 2, in accordance with the provisions of Brazilian National Legislation.

Name: Enterprise User
• Qualification:
• Primary Address:
• Email Address:
• Contact for the Data Subject:
• Other Information:
(x) Exporter/Controller ( ) Exporter/Processor

Name: PICO
• Qualification:
• Primary Address:
• Email Address:
• Contact for the Data Subject:
• Other Information:
( ) Importer/Controller (x) Importer/Processor
CLAUSE 2. Object
2.1. These Clauses apply to the International Data Transfers from the Exporter to the Importer, as described below.
• Description of the international data transfer: PICO will import the end-user data provided by the Enterprise User to provide its services, as described in the Schedule 1 – processing details.
• Main purposes of the transfer: To provide the PICO services contracted by the Enterprise User, as described in the Schedule 1 – processing details.
• Categories of personal data transferred: Individuals about whom data is provided to PICO via the Services, include the following:
Enterprise Users and/or Authorised Users
Employees of Enterprise User
Enterprise User’s prospects and Enterprise Users
Enterprise User’s vendors and suppliers
Enterprise User’s business partners
Prospects, Enterprise Users, vendors, suppliers, and business partners of Enterprise User (who are natural persons)
Other data subjects that Enterprise User and/or Authorised Users conduct business or have relationships with.
• Data retention period: Upon termination of the DPA or after the end of provision of any Services under the Enterprise User Terms, PICO shall return all relevant Enterprise User Controlled Data in its possession to the Enterprise User, delete and stop Processing all of Enterprise User Controlled Data, except if otherwise required by applicable laws.
CLAUSE 3. Subsequent Transfers
3.1. The Importer may carry out a Subsequent Transfer of the Personal Data that is the subject of the International Data Transfer governed by these Clauses in the cases and under the conditions described below and provided that the provisions of Clause 18 are observed.
• Main purposes of the transfer: To provide the PICO services contracted by the Enterprise User, as described in the Schedule 1 – processing details.
• Categories of personal data transferred: Individuals about whom data is provided to PICO via the Services, include the following:
Enterprise Users and/or Authorised Users
Employees of Enterprise User
Enterprise User’s prospects and Enterprise Users
Enterprise User’s vendors and suppliers
Enterprise User’s business partners
Prospects, Enterprise Users, vendors, suppliers, and business partners of Enterprise User (who are natural persons)
Other data subjects that Enterprise User and/or Authorised Users conduct business or have relationships with.
• Data retention period: Upon termination of the DPA or after the end of provision of any Services under the Enterprise User Terms, PICO shall return all relevant Enterprise User Controlled Data in its possession to the Enterprise User, delete and stop Processing all of Enterprise User Controlled Data, except if otherwise required by applicable laws.
• Other information: n/a
CLAUSE 4. Responsibilities of the Parties
4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the following Party, as designated below, acting as Controller, shall be responsible for complying with the following obligations set out in these Clauses:
a) Responsible for publishing the document provided for in Clause 14:
(x) Exporter ( ) Importer
b) Responsible for responding to data subject requests as described in Clause 15:
(x) Exporter ( ) Importer
c) Responsible for reporting the security incident as described in Clause 16:
(x) Exporter ( ) Importer
4.2. For the purposes of these Clauses, if it is later determined that the Designated Party under item 4.1 acts as a Processor, the Controller shall remain responsible:
a) For complying with the obligations set out in Clauses 14, 15, and 16 and other provisions established in National Legislation, especially in case of omission or non-compliance by the Designated Party;
b) For complying with ANPD determinations; and
c) For ensuring the rights of the Data Subjects and compensating for any damages caused, as provided in Clause 17.

Section II - Mandatory Clauses
CLAUSE 5. Purpose
5.1. These Clauses are intended to enable the secure international flow of personal data, establishing minimum guarantees and valid conditions for carrying out International Data Transfers and ensuring the adoption of adequate safeguards for complying with the principles, rights of the Data Subject, and the data protection regime provided for in National Legislation.
CLAUSE 6. Definitions
6.1. For the purposes of these Clauses, the definitions provided in Article 5 of Law No. 13.709, of August 14, 2018, and Article 3 of the Regulation on International Data Transfers shall apply, without prejudice to other normative acts issued by the ANPD. The Parties also agree to consider the terms and their respective meanings as set out below:
a) Data Processing Agents: The controller and the processor;
b) ANPD: National Data Protection Authority;
c) Clauses: The standard contractual clauses approved by the ANPD, which comprise Sections I, II, and III;
d) Linked Contract: A contractual instrument signed between the Parties or at least one of them and a third party, including a Third Controller, which has a common purpose, linkage, or dependence on the contract governing the International Data Transfer;
e) Controller: The Party or third party ("Third Controller") responsible for making decisions regarding the processing of Personal Data;
f) Personal Data: Information related to an identified or identifiable natural person;
g) Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, membership in a trade union or religious, philosophical, or political organization, data concerning health or sexual life, genetic or biometric data, when linked to a natural person;
h) Deletion: Exclusion of data or a set of data stored in a database, regardless of the procedure used;
i) Exporter: A data processing agent, located in the national territory or in a foreign country, that transfers personal data to an Importer;
j) Importer: A data processing agent, located in a foreign country or an international organization, that receives personal data transferred by an Exporter;
k) National Legislation: The set of Brazilian constitutional, legal, and regulatory provisions on Personal Data protection, including Law No. 13.709, of August 14, 2018, the Regulation on International Data Transfers, and other normative acts issued by the ANPD;
l) Arbitration Law: Law No. 9.307, of September 23, 1996;
m) Security Measures: Technical and administrative measures adopted to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
n) Research Entity: A public administration body or entity or a private non-profit legal entity legally constituted under Brazilian law, headquartered and with jurisdiction in Brazil, whose institutional mission or statutory objective includes basic or applied research of a historical, scientific, technological, or statistical nature;
o) Processor: The Party or third party, including a Subcontractor, that processes Personal Data on behalf of the Controller;
p) Designated Party: The Party designated under Clause 4 ("Option A") to fulfill specific obligations related to transparency, data subject rights, and security incident reporting in the capacity of Controller;
q) Parties: Exporter and Importer;
r) Access Request: A request for mandatory compliance under law, regulation, or determination by a public authority to grant access to Personal Data subject to the International Data Transfer governed by these Clauses;
s) Subcontractor: A data processing agent hired by the Importer, with no link to the Exporter, to process Personal Data after an International Data Transfer;
t) Third Controller: The Controller of Personal Data who provides written instructions for the International Data Transfer between Processors governed by these Clauses, as provided in Clause 4 ("Option B");
u) Data Subject: The natural person to whom the Personal Data subject to the International Data Transfer governed by these Clauses refers;
v) Transfer: A form of processing through which a data processing agent transmits, shares, or provides access to Personal Data to another data processing agent;
w) International Data Transfer: The transfer of Personal Data to a foreign country or international organization of which the country is a member; and
x) Subsequent Transfer: The International Data Transfer, originating from an Importer, to a third party, including a Subcontractor, provided that it does not constitute an Access Request.
CLAUSE 7. Applicable Law and ANPD Oversight
7.1. The International Data Transfer subject to these Clauses is governed by National Legislation and subject to ANPD oversight, including the authority to apply preventive measures and administrative sanctions to both Parties, as applicable, as well as to limit, suspend, or prohibit international transfers resulting from these Clauses or a Linked Contract.
CLAUSE 8. Interpretation
8.1. Any application of these Clauses must occur according to the following terms:
a) These Clauses must always be interpreted in favor of the Data Subject and in accordance with the provisions of National Legislation;
b) In case of doubt about the meaning of terms in these Clauses, the meaning most aligned with National Legislation shall apply;
c) No item in these Clauses, including a Linked Contract and the provisions in Section IV, may be interpreted to limit or exclude the liability of either Party concerning obligations under National Legislation; and
d) The provisions of Sections I and II shall prevail in case of conflict of interpretation with additional Clauses and other provisions provided in Sections III and IV of this instrument or in Linked Contracts.
CLAUSE 9. Possibility of Third-Party Accession
9.1. With the mutual consent of the Parties, a data processing agent may adhere to these Clauses as an Exporter or Importer by signing a written document that will become part of this instrument.
9.2. The adhering party shall have the same rights and obligations as the original Parties, depending on the assumed position of Exporter or Importer and according to the corresponding category of data processing agent.
CLAUSE 10. General Obligations of the Parties
10.1. The Parties commit to adopting and, when necessary, demonstrating the adoption of effective measures capable of proving compliance with the provisions of these Clauses and National Legislation, including the effectiveness of these measures, especially:
a) Using Personal Data only for the specific purposes described in Clause 2, without the possibility of further processing in a manner incompatible with these purposes, and in any case, subject to the limitations, guarantees, and safeguards provided in these Clauses;
b) Ensuring the compatibility of the processing with the purposes informed to the Data Subject, according to the context of the processing;
c) Limiting the processing to the minimum necessary to achieve its purposes, including only relevant, proportional, and non-excessive data concerning the purposes of processing Personal Data;
d) Ensuring that Data Subjects are provided, as stipulated in Clause 4:
(d.1.) Clear, precise, and easily accessible information about the processing and the respective data processing agents, subject to commercial and industrial secrecy;
(d.2.) Facilitated and free access to information on the form and duration of the processing, as well as the completeness of their Personal Data; and
(d.3.) The accuracy, clarity, relevance, and updating of Personal Data, according to the need and to fulfill the purpose of its processing;
e) Adopting appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses;
f) Not processing Personal Data for discriminatory, unlawful, or abusive purposes;
g) Ensuring that anyone acting under its authority, including subcontractors or any agent collaborating with it, whether free or for a fee, processes data only in compliance with its instructions and with the provisions of these Clauses; and
h) Maintaining a record of operations involving the processing of Personal Data subject to the International Data Transfer governed by these Clauses and providing the relevant documentation to the ANPD when requested.
CLAUSE 11. Sensitive Personal Data
11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific security measures proportional to the risks of the processing activity, the specific nature of the data, and the interests, rights, and guarantees to be protected, as described in Section III.
CLAUSE 12. Personal Data of Children and Adolescents
12.1. If the International Data Transfer involves Personal Data of children and adolescents, the Parties shall apply additional safeguards, including measures to ensure that processing is conducted in their best interest, in accordance with National Legislation and relevant international law instruments.
CLAUSE 13. Lawful Use of Data
13.1. The Exporter guarantees that the Personal Data was collected, processed, and transferred to the Importer in compliance with National Legislation.
CLAUSE 14. Transparency
14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear, and precise language about the International Data Transfer, including at least the following information:
a) The form, duration, and specific purpose of the international transfer;
b) The country of destination of the transferred data;
c) The identification and contact details of the Designated Party;
d) The shared use of data by the Parties and the purpose;
e) The responsibilities of the agents carrying out the processing;
f) The rights of the Data Subject and the means for exercising them, including a simple and accessible channel provided for responding to requests and the right to file a complaint against the Controller with the ANPD; and
g) Subsequent Transfers, including the recipients and the purpose of the transfer.
14.2. The document referred to in item 14.1 may be made available on a specific page or integrated, prominently and easily accessible, into the Privacy Policy or an equivalent document.
14.3. Upon request, the Parties must provide the Data Subject with a copy of these Clauses free of charge, subject to commercial and industrial secrecy.
14.4. All information provided to data subjects under these Clauses must be written in Portuguese.
CLAUSE 15. Rights of the Data Subject
15.1. The Data Subject has the right to obtain from the Designated Party, concerning the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, in accordance with National Legislation:
a) Confirmation of the existence of processing;
b) Access to the data;
c) Correction of incomplete, inaccurate, or outdated data;
d) Anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in non-compliance with these Clauses and National Legislation;
e) Data portability to another service or product provider, upon express request, in accordance with ANPD regulations, subject to commercial and industrial secrecy;
f) Deletion of Personal Data processed with the Data Subject's consent, except in cases provided in Clause 20;
g) Information about the public and private entities with which the Parties have shared data;
h) Information about the possibility of not providing consent and the consequences of refusal;
i) Revocation of consent through a free and facilitated procedure, with the processing conducted before the deletion request being ratified;
j) Review of decisions made solely based on automated data processing that affects their interests, including decisions intended to define their personal, professional, consumer, and credit profile or aspects of their personality; and
k) Information about the criteria and procedures used for automated decision-making, subject to commercial and industrial secrecy.
15.2. The Data Subject may object to processing carried out based on one of the exceptions to consent, in case of non-compliance with these Clauses or National Legislation.
15.3. The deadline for responding to requests provided in this Clause and item 14.3 is 15 (fifteen) days from the date of the Data Subject's request, except in cases where a different deadline is established in specific ANPD regulations.
15.4. If the Data Subject's request is directed to the Party not designated as responsible for the obligations set out in this Clause or item 14.3, the Party shall:
a) Inform the Data Subject of the contact channel provided by the Designated Party; or
b) Forward the request to the Designated Party as soon as possible to enable a response within the time frame provided in item 15.3.
15.5. The Parties must immediately inform the Data Processing Agents with whom they have shared data of any correction, deletion, anonymization, or blocking of the data so that they may replicate the same procedure, except in cases where such communication is proven to be impossible or would involve disproportionate effort.
15.6. The Parties shall promote mutual assistance to fulfill Data Subject requests.
CLAUSE 16. Security Incident Reporting
16.1. The Designated Party shall notify the ANPD and the Data Subjects, within 3 (three) business days of the occurrence of a security incident that may result in significant risk or harm to the Data Subjects, in accordance with National Legislation.
16.2. The Importer must maintain a record of security incidents in compliance with National Legislation.
CLAUSE 17. Liability and Compensation for Damages
17.1. The Party that, as a result of its data processing activity, causes material, moral, individual, or collective damage in violation of these Clauses and National Legislation is obligated to compensate for the damages.
17.2. The Data Subject may seek compensation for damages caused by either Party due to the violation of these Clauses.
17.3. The defense of the interests and rights of the Data Subjects may be pursued in court, individually or collectively, in accordance with the relevant legislation on individual and collective protection instruments.
17.4. The Party acting as Processor is jointly liable for damages caused by the processing if it fails to comply with these Clauses or does not follow the lawful instructions of the Controller, except as provided in item 17.6.
17.5. Controllers directly involved in the processing that caused damage to the Data Subject are jointly liable for these damages, except as provided in item 17.6.
17.6. The Parties shall not be held liable if they can prove that:
a) They did not carry out the data processing attributed to them;
b) Although they carried out the data processing attributed to them, there was no violation of these Clauses or National Legislation; or
c) The damage resulted from the sole fault of the Data Subject or a third party that is not the recipient of a Subsequent Transfer or subcontracted by the Parties.
17.7. In accordance with National Legislation, the court may reverse the burden of proof in favor of the Data Subject when, in its judgment, the claim is plausible, the Data Subject is in a vulnerable position, or the production of evidence by the Data Subject would be excessively burdensome.
17.8. Collective actions seeking compensation for collective damages related to liability under this Clause may be brought collectively in court, in accordance with the relevant legislation.
17.9. The Party that compensates the Data Subject for damages has the right of recourse against the other responsible parties to the extent of their involvement in the harmful event.
CLAUSE 18. Safeguards for Subsequent Transfers
18.1. The Importer may only carry out Subsequent Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the cases and conditions described in Clause 3.
18.2. In any case, the Importer:
a) Must ensure that the purpose of the Subsequent Transfer is compatible with the specific purposes described in Clause 2;
b) Must ensure, through a written contractual instrument, that the safeguards provided in these Clauses are observed by the third-party recipient of the Subsequent Transfer; and
c) For the purposes of these Clauses, and regarding the transferred Personal Data, shall be considered responsible for any irregularities committed by the third-party recipient of the Subsequent Transfer.
18.3. The Subsequent Transfer may also be carried out based on another valid mechanism for International Data Transfer provided for in National Legislation, regardless of the authorization mentioned in Clause 3.
CLAUSE 19. Notification of Access Request
19.1. The Importer shall notify the Exporter and the Data Subject about an Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in cases where notification is prohibited by the law of the country where the data is processed.
19.2. The Importer shall take the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is a legal basis to question the legality of the Access Request and, if applicable, the prohibition on notification referred to in item 19.1.
19.3. To comply with ANPD and Exporter requests, the Importer must maintain a record of Access Requests, including the date, requester, purpose of the request, type of data requested, number of requests received, and legal measures taken.
CLAUSE 20. Termination of Processing and Data Deletion
20.1. The Parties must delete the Personal Data subject to the International Data Transfer governed by these Clauses after the processing is completed, within the technical limits of the activities, with retention authorized only for the following purposes:
a) Compliance with a legal or regulatory obligation by the Controller;
b) Research by a Research Entity, ensuring, whenever possible, the anonymization of Personal Data;
c) Transfer to a third party, provided that the requirements provided in these Clauses and National Legislation are respected; and
d) Exclusive use by the Controller, with access by third parties prohibited, and provided that the data is anonymized.
20.2. For the purposes of this Clause, processing shall be considered complete when:
a) The purpose provided in these Clauses has been achieved;
b) The Personal Data is no longer necessary or relevant to achieving the specific purpose provided in these Clauses;
c) The processing period has ended;
d) The Data Subject's request has been fulfilled; and
e) The ANPD determines that there has been a violation of these Clauses or National Legislation.
CLAUSE 21. Data Processing Security
21.1. The Parties must adopt security measures that ensure the protection of Personal Data subject to the International Data Transfer governed by these Clauses, even after its completion.
21.2. The Parties shall specify in Section III the Security Measures adopted, considering the nature of the processed information, the specific characteristics and purpose of the processing, the current state of technology, and the risks to the rights of the Data Subjects, especially in the case of sensitive data and data of children and adolescents.
21.3. The Parties shall make the necessary efforts to adopt periodic evaluation and review measures to maintain an appropriate level of security for the characteristics of the data processing.
CLAUSE 22. Law of the Data Recipient Country
22.1. The Importer declares that it has not identified any laws or administrative practices in the data recipient country that prevent it from complying with the obligations assumed under these Clauses.
22.2. In the event of any legal change that alters this situation, the Importer shall immediately notify the Exporter for evaluation of the contract's continuation.
CLAUSE 23. Non-Compliance with Clauses by the Importer
23.1. If the safeguards and guarantees provided in these Clauses are violated or if it becomes impossible for the Importer to comply with them, the Exporter shall be notified immediately, except as provided in item 19.1.
23.2. Upon receiving the notification referred to in item 23.1 or verifying the Importer's non-compliance with these Clauses, the Exporter shall take the necessary steps to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with National Legislation and these Clauses, which may include:
a) Suspending the International Data Transfer;
b) Requesting the return of Personal Data, its transfer to a third party, or its deletion; and
c) Terminating the contract.
CLAUSE 24. Choice of Jurisdiction and Venue
24.1. These Clauses are governed by Brazilian law, and any disputes between the Parties arising from these Clauses shall be resolved before the competent courts of Brazil, subject to the Parties' choice of forum in Section IV.
24.2. The Data Subjects may bring legal actions against the Exporter or the Importer, at their discretion, before the competent courts in Brazil, including those located in their place of residence.
24.3. By mutual agreement, the Parties may resort to arbitration to resolve disputes arising from these Clauses, provided that the arbitration takes place in Brazil and in accordance with the provisions of the Arbitration Law.

Section III - Security Measures
As detailed in Annex II of the EU Standard Contractual Clauses.