Tisento Data Processing Addendum Jurisdiction Specific Terms

These Jurisdiction Specific Terms are an integral part of the Tisento Data Processing Addendum (“Addendum”). Capitalized terms which are used but not defined in this document shall have the meaning given to those terms in the Addendum. By signing the Addendum, the Parties have agreed to comply with these Jurisdiction Specific Terms which apply to the extent that the Parties Process Tisento Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions identified herein.

1.     Bulgaria

1.1.   Wherever the Processing pursuant to the Addendum falls within the scope of Bulgaria’s Personal Data Protection Act (as amended in November 2019) (“PDPA”), or any other corresponding decrees, regulations, or guidance, the provisions of the Addendum and this Section shall apply to such Processing.

1.2.   The Parties agree and acknowledge that, when Service Provider acts as a Processor, Service Provider shall comply with Article 25a of the PDPA which requires Service Provider to:

(a)   Return to Tisento any Personal Data Processed pursuant to the Addendum within a period of one month after having become aware of any Personal Data that has been disclosed (i) without a legal basis pursuant to Article 6(1) of the GDPR, or (ii) contrary to the principles under Article 5 of the GDPR; or, if this is impossible or would involve disproportionate efforts, erase or destroy the Personal Data; and

(b)   If the Personal Data is erased or destroyed in accordance with Section 1.2(a) of these Jurisdiction Specific Terms above, document such erasure and destruction.

2.     European Economic Area

2.1.   Definitions

(a)   “EEA” (as used in this Section) means the European Economic Area, consisting of the EU Member States, Iceland, Liechtenstein, and Norway.

(b)   “EEA Data Protection Laws” (as used in this Section) means the GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Tisento Personal Data.

(c)    “EU” means the European Union.

(d)   “EU 2021 Standard Contractual Clauses” (as used in these Jurisdiction Specific Terms) means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

2.2.   With regard to any Restricted International Transfer subject to EEA Data Protection Laws from Tisento to Service Provider, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a)   A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR.

(b)   The appropriate Standard Contractual Clauses adopted by the European Commission from time to time.

(c)    Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.

2.3.   Standard Contractual Clauses:

(a)   The Addendum hereby incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary, in their entirety (including the annexures thereto).

(b)   The Parties agree that any references to sections, annexures, exhibits, modules and choices within the Standard Contractual Clauses as set out in this Section 2.3 of these Jurisdiction Specific Terms, shall be deemed to be the same as the cognate and corresponding references to sections, annexures, exhibits, modules and choices within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to the Addendum.

(c)    For the purposes of the annexures to the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:

i.         Annex I(A): The content of Annex I(A) is set forth in Part A of Exhibit A.

ii.         Annex I(B): The content of Annex I(B) is set forth in Part B of Exhibit A.

iii.         Annex I(C): The content of Annex I(C) is set forth in Section 2.3(d)iv of these Jurisdiction Specific Terms.

iv.         Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.

v.         The Parties agree to apply the following module[s]:

(A)  With respect to any Controller-to-Processor Restricted International Transfers, the Parties agree to implement Module Two of the EU 2021 Standard Contractual Clauses.

(B)   With respect to any Processor-to-Controller Restricted International Transfers of EEA Personal Data, the Parties agree to implement Module Four of the EU 2021 Standard Contractual Clauses.

(d)   The Parties further agree to the following choices under the EU 2021 Standard Contractual Clauses:

i.         Clause 7: The Parties choose not to include the optional docking clause.

ii.         Clause 9(a): The Parties choose Option 2, “General Written Authorization,” and the time period set forth in Section 6.4 of the Addendum. The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum.

iii.         Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.

iv.         Clause 13 (Annex I.C): The competent Supervisory Authority is the Data Protection Commission (Ireland).

v.         Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.

vi.         Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

2.4.   The terms contained in Exhibit B to the Addendum supplement the Standard Contractual Clauses.

2.5.   In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.

3.     Switzerland

3.1.   Definitions

(a)   “FDPIC” (as used in this Section) means the Swiss Federal Data Protection and Information Commissioner.

(b)   “Swiss Data Protection Laws” (as used in this Section) includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection.

3.2.     With regard to any Restricted International Transfer subject to Swiss Data Protection Laws from Tisento to Service Provider within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a)   The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Tisento Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Tisento Personal Data within the meaning of the FADP.

(b)   The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).

(c)    Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

3.3.     Standard Contractual Clauses:

(a)   The Addendum hereby incorporates by reference the Standard Contractual Clauses, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary, in their entirety (including the annexures thereto).

(b)   The Parties incorporate and adopt the Standard Contractual Clauses for Restricted International Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 2.3 of these Jurisdiction Specific Terms, subject to the following:

i.         Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief.

ii.         Clause 18: The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.

iii.         References to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted International Transfers subject to Swiss Data Protection Laws.

iv.         The Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.

3.4.     In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.

4.     United Kingdom

4.1.     Definitions

(a)   “UK Data Protection Laws” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).

(c)    “UK GDPR” (as used in this Section) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

(d)   “UK ICO” (as used in this Section) means the UK Information Commissioner’s Office.

(e)   “UK IDTA” (as used in this Section) means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.

4.2.     With regard to any Restricted International Transfer subject to UK Data Protection Laws from Tisento to Service Provider within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a)   A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR.

(b)   The UK IDTA.

(c)    The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Laws, and the Processing activities of the Data Importer are not subject to the UK GDPR by virtue of application of Article 3(2) of the UK GDPR), as they have been adopted for use by the relevant authorities within the United Kingdom, including the UK ICO, using the UK Transfer Addendum.

(d)   Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.

4.3.     UK IDTA:

(a)   The Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary, in its entirety.

(b)   For the purposes of the tables to the UK IDTA:

i.         Table 1: The information required by Table 1 appears within Part A of Exhibit A.

ii.         Table 2:

(A)   The UK IDTA shall be governed by the laws of England and Wales.

(B)   The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.

(C)   The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A.

(D)   The UK GDPR applies to the Data Importer’s Processing of the Personal Data.

(E)   The Addendum and the Agreement set out the instructions for Processing Personal Data.

(F)   The Data Importer will Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that the Data Exporter may terminate the UK IDTA before the end of such time.

(G)  The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of the Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement.

(H)  Each Party must review the Addendum at regular intervals, to ensure that the Addendum remains accurate and up to date and continues to provide appropriate safeguards to the Personal Data. Each Party will carry out these reviews as frequently as at least once each time there is a change to the Personal Data, purposes for Processing, Data Importer information, or risk assessment or sooner.

iii.         Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 3.3 of the Addendum.

iv.         Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A and may be updated in accordance with Section 3.3 of the Addendum.

(c)    Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout the Addendum.

(d)   The terms contained in Exhibit B to the Addendum supplement the UK IDTA.

(e)   In cases where the UK IDTA applies and there is a conflict between the terms of the Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.