Incorporation of Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
- Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Social Chat processes personal data as a processor pursuant to the terms of the Agreement, Social Chat is located in non-adequacy approved third countries, and Customer is established in the EEA.
- Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Social Chat processes personal data as a processor pursuant to the terms of the Agreement, Social Chat is located in non-adequacy approved third countries, and Customer is established in the EEA.
Standard Contractual Clause Optional Provisions
In addition to Section 1, where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
- Clause 7 (Docking Clause) is omitted;
- In Clause 9(a) (Use of sub-processors) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;
- In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
- In Clause 16(b) (Suspension of transfers) if Social Chat is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
- In Clause 17 (Governing Law) – the laws of the Republic of Ireland shall govern; and
- In Clause 18 (Choice of forum and jurisdiction) - the courts of the Republic of Ireland shall have jurisdiction.
Supplementary Terms to Standard Contractual Clauses
- Documentation and compliance. For the purposes of Clause 8.9 –the review and audit provisions in the Agreement and DPA shall apply.
Notification and Transparency.
- The Parties acknowledge and agree that Social Chat, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly.
- For purposes of Clause 8.3 – Modules 2 and 3 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Social Chat to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the data importer) have the option to be the party who makes any communication to the data subject, and Vendor shall provide the level of assistance set out in the DPA.
- Liability. For the purposes of Clause 12(a), the liability of the parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
- Signatories. Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Social Chat and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.
Swiss Law Provisions
Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
- references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
- In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
United Kingdom Law Provisions
- Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
- In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, DPA and these SCCs.
- The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.
- References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom, UK GDPR and the ICO.
In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK. Annex I
Identification of Parties
The full name, address and contact details for the data exporter and data importer are set out in the Agreement; and
- In the case of Module 2, Customer and its relevant affiliates established in the EEA are the data exporter and controller, and Loup and its relevant subprocessor affiliates located in non-adequacy approved third countries the data importer and processor;
- In the case of Module 3, Customer and its relevant affiliates established in the EEA are the data exporter and processor, and Loup and its relevant subprocessor affiliates located in non-adequacy approved third countries are the data importer and processor;
Description of Data Processing
The data processing activities carried out by Loup under the Agreement may be described as follows:
Subject Matter and Purpose
The personal data transferred will be subject to the following basic processing activities:
Loup will process Customer personal data in order to provide the services identified in the Agreement.
The personal data transferred concern the following categories of data subjects:
Customer’s employees and consultants who use Loup’s Service.
Categories of personal data
The personal data transferred concern the following categories of data:
Loup may have access to personal data of Customer’s employees and consultants who use Loup’s Service.
The types of personal data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.
Special categories of data
The personal data transferred concern the following special categories of data: