Data processing addendum.

This Data Processing Addendum (“DPA”) is incorporated into the services agreement between Deja Taylor, LLC (“DT”) and the customer (“Customer”), who have entered into a services agreement (“Agreement”). Deja Taylor and Customer are collectively referred to as the “Parties”, or individually as a “Party”.

1. Definitions

 All capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to such terms in the Agreement. The following definitions and rules of interpretation below apply to this DPA:

“Adequate” in relation to the level of protection given to Personal data in countries outside the European Economic Area (“EEA”) or United Kingdom, means a decision made by the European Commission under Article 25(6) of Directive 95/46/EC (as amended or replaced from time to time) or Information Commissioner’s Office, finding that the relevant third country provides an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. 

“Applicable Data Protection Law(s)” means all data protection laws and regulations applicable to a Party's processing of personal data under the Agreement.

“controller”, “processor”, “data subject” and “processing” (and “process”) have the meanings given in accordance with Applicable Data Protection Law.

“Deja Taylor Platform” means the Deja Taylor software-as-a-service solution that allows Customer to manage its professional consulting engagements throughout the engagement lifecycle.

“personal data” means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area or Switzerland to a country outside of the European Economic Area or Switzerland which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

“Security Incident” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to, Personal data transmitted, stored or otherwise processed.

“Sensitive personal data” means personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or any other data that falls within the definition of “special categories of data” under Applicable Data Protection Law. 

“Standard Contractual Clauses” or “SCC” means:

  1. where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EEA SCCs”); and

  2. where the UK GDPR applies, for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 (“UK International Data Transfer Addendum”). 

“Team Member(s)” means the individual(s) that are employed by Deja Taylor.

“Team Member Data” means personal data that relates to the Team Member and is provided by the Team Member to Deja Taylor:

  1. Contact information: name, addresses, e-mail addresses, phone numbers and other ways in which Deja Taylor can contact the data subject.

  2. Identity Documents: Details about the data subject that are stored in documents in different formats, or copies of them. This could include things like (without limitation) passports, driver’s licenses, photographs or birth certificates.

  3. Payroll information: personal data contained in data subject’s pay slips.

“Customer Data” means personal data that relates to Customer’s relationship with Deja Taylor including: 

  1. Communications: any communication Customer has with Deja Taylor, like names, emails and phone numbers of individuals authorized by Customer to access Customer’s Deja Taylor account and/or use the Services

  2. Information regarding the usage of the Deja Taylor Platform:  such as payment transactions and technical connection data (IP address, location, logs, etc.)

“Customer’s customer data” means personal data that relates to Customer’s relationship with its customers, such as names, phone numbers and/or contact information of individuals authorized by Customer’s customers to access its account on Customer’s platform.

2. Relationship of the Parties

  1. Team Member Data.  The Parties acknowledge and agree that, with respect to Team Member Data, the Parties are each independent data controllers.

  2. Customer Data. The Parties acknowledge and agree that, with respect to Customer Data, the Parties are each independent data controllers.

  3. Customer’s customer data. The Parties acknowledge and agree that, with respect to Customer’s customer data, Customer may act either as a data controller or a data processor and Deja Taylor is a data processor.

3. Term and Termination

  1. The term of the DPA is coterminous with the term of the Agreement.

  2. The termination of this DPA therefore depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement shall also have the effect of terminating this DPA.

  3. Furthermore, the premature termination of this DPA upon written notice to the other Party shall be permissible in the event of such other Party’s serious breach of statutory or contractual data protection provisions under the Data Protection Laws, insofar as the contracting Party in question cannot reasonably be expected to continue this DPA.

  4. The Parties acknowledge that the termination of the DPA at any time and for any reason, does not exempt them from their obligations under the Data Protection Laws relating to the collection, processing, and use of personal data.

4. Processing of Personal Data

  1. Purpose Limitation.

    1. Team Member Data. Deja Taylor will process Team Member Data as a data controller in accordance with Applicable Data Protection Laws, Deja Taylor’s Privacy Notice for Employees, Candidates and Team Members, and the Agreement for the purposes detailed in this DPA.

    2. Customer Data.  Deja Taylor will process Customer Data as a data controller in accordance with Applicable Data Protection Laws, Deja Taylor’s Website Privacy Notice, and the Agreement.

    3. Customer’s customer data. Deja Taylor shall process Customer’s customer data as a data processor (a) for the performance of the Services in accordance with Customer’s instructions as set forth in the Agreement and this DPA and in accordance with Applicable Data Protection Law, and (b) as further instructed by the Customer in writing.

  2. Third-Party Processors. Customer acknowledges and agrees that Deja Taylor, as a data controller, may engage third-party processors in connection with the provision of the Services. Deja Taylor acknowledges and agrees that Customer, as a data controller, may engage third-party processors in connection with the receipt of the Services. Both Parties shall have a written agreement with each processor and agree that any agreement with a processor shall include substantially similar data protection obligations as set out in this DPA. For the avoidance of doubt, such third-party data processors are not sub-processors. Both Parties shall be liable for the acts and omissions of its respective processors to the same extent such Party would be liable under the terms of this DPA, except as otherwise set forth in the Agreement.

  3. Customer Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Laws and that Deja Taylor’s processing of Customer’s customer data in accordance with Customer’s instructions will not cause Deja Taylor to violate Applicable Data Protection Laws. Deja Taylor will notify Customer to the extent permitted by law if it becomes aware or reasonably believes that Customer’s data processing instructions would violate Applicable Data Protection Law.

  4. Customer Compliance. Customer shall ensure that (a) it has and will continue to comply with Applicable Data Protection Laws in its use of the Services; (b) its customers and Team Members are provided adequate notice of Deja Taylor’s processing activities for which Deja Taylor acts as a controller to fulfill the requirements of Applicable Data Protection Laws; and (c) it has, and will continue to have, the right to transfer, or provide access to, its customers’ and Team Members’ personal data to Deja Taylor for processing in accordance with the terms of the Agreement and this DPA.

  5. Processing Information. Schedule 1 of this DPA details the duration of processing, the nature and purpose of processing, the type of Personal data and the categories of data subjects processed by Deja Taylor.

5. Security of Personal Data

  1. Each Party shall take suitable technical and organizational measures appropriate to the risk to ensure the protection of the security, confidentiality, and integrity of personal data it Processes under this DPA. Each Party guarantees to the other Party that it has carried out the technical and organizational measures specified in Schedule 3 to this DPA.

  2. The technical and organizational measures are subject to the current state of technology and technical progress. In this regard, a Party is permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to personal data transferred hereunder than the stipulated measures in Schedule 3.

  3. Employee Access. Deja Taylor shall ensure that only such of its employees who may be required by it to provide the Services to Customer or assist Deja Taylor in meeting its obligations under this DPA shall have access to personal data.

6. Security Incidents

  1. Upon confirming a Security Incident involving personal data for which Deja Taylor acts as a data processor, Deja Taylor will:

    1. to the extent permitted by applicable law, notify Customer without undue delay, such notice to be delivered in accordance with Section 10 of this DPA;

    2. to the extent such Security Incident is caused by Deja Taylor’s violations of its obligations under this DPA, take such reasonable remedial steps to address such Security Incident and prevent any further incidents; and

    3. promptly provide the Customer with all relevant information in its possession as reasonably required by Applicable Data Protection Law to comply with any reporting obligations of a relevant regulatory authority concerning such Security Incident.

  2. Notification to the supervisory authority.  If Customer determines that a Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, Customer will, to the extent commercially feasible, notify Deja Taylor before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication) and supply Deja Taylor with copies of any written documentation to be filed with the supervisory authority and of any notification Customer proposes to make (whether to any supervisory authority, data subjects, the public or portions of the public) which directly or indirectly references Deja Taylor, its security measures and/or role in the Security Incident, whether or not by name. Subject to Customer’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, Customer will consult with Deja Taylor in good faith and take account of any clarifications or corrections Deja Taylor reasonably requests to such notifications and which are consistent with Applicable Data Protection Law.

7. Cross-Border Data Transfers

  1. To the extent that any personal data is transferred from the European Economic Area, the United Kingdom, and/or Switzerland (either directly or via onward transfer) to any country that, according to the European Commission or the competent authority for the UK and Switzerland, does not provide an adequate level of protection for personal data, the Parties agree that the Standard Contractual Clauses, incorporated by reference to this DPA, will apply in respect of the processing of such personal data. The Standard Contractual Clauses and this Clause 7 will not apply to personal data that is not transferred, either directly or via onward transfer, outside the EEA, the United Kingdom and/or Switzerland. In relation to the Standard Contractual Clauses, Deja Taylor will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of the ‘data exporter’. Appendices of the EEA SCCs shall be deemed completed as set forth in Schedule 2 of this DPA in relation to transfer of personal data outside the EEA. The UK International Data Transfer Addendum, applicable to transfer of personal data outside the United Kingdom, shall be deemed completed as set forth in Schedule 4.

  2. In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, then the Standard Contractual Clauses shall prevail to the extent of the conflict.

  3. If the Standard Contractual Clauses are deemed invalid by a governmental entity with jurisdiction over Transferred personal data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred personal data, the Parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred personal data which is in compliance with applicable laws.

8. Liability & Penalties

  1. This DPA is without prejudice to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect, including any limitations and exclusions on liability contained therein which shall apply to this DPA as if fully set forth herein. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of personal data.

  2. Notwithstanding anything to the contrary in this DPA or in the Agreement, neither Party will be responsible for any fines issued or levied under Article 83 of the GDPR against the other Party by a regulatory authority or governmental body in connection with such other Party’s violation of the GDPR.

9. Personal Data on Expiry or Termination

  1. Deletion of Personal Data.  In respect of Customer’s customer data that Deja Taylor processes as a data processor pursuant to the Agreement, Deja Taylor shall cease to process such personal data and will promptly arrange for its deletion on expiry or termination of the Agreement.

10. Notifications

  1. All notices given by Deja Taylor to Customer under or in connection with this DPA shall be sent to Customer’s email address associated to their account on the DT Platform and any notice given by Customer to Oyster shall be sent to inquiries@dejataylor.com.

11. Final Provisions

  1. Updates. Deja Taylor may update the terms of this DPA where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order, or guidance issued by a regulator or agency; or (b) do not have a material adverse impact on Customer’s rights under the DPA. Deja Taylor shall provide thirty (30) days’ notice prior to making any material change to the provisions of this DPA. If the Customer objects, the Customer has the right to terminate the affected Services within thirty (30) days of receiving written notice of the changes.

  2. Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the law and the jurisdiction of the country or territory which governs the Agreement, except as otherwise specified in this DPA, including its Schedules, or as required by Applicable Data Protection Law. 

  3. Jurisdiction Specific Terms. To the extent Deja Taylor processes personal data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 5, then the terms specified in Schedule 5 (“Jurisdiction Specific Terms”) apply, and in case of any conflict between the Jurisdiction Specific Terms and any term of this DPA, the applicable Jurisdiction Specific Terms will take precedence.

Schedule 1: Details of Processing

  1. Nature and Purpose of Processing. The personal data transferred concern the following categories of data subjects:

    1. Team Member Data. Deja Taylor will process Team Member Data as a controller to perform the functions as a global employment platform provider that may include, but are not limited to, (a) manage the relationship with the Customer; (b) carry out Deja Taylor’s business operations, such as accounting, tax, billing, audit and compliance; (c) to investigate security issues, fraud, unauthorized or unlawful use of the Services and other misuses; (d) to improve the Services; and (e) as required by Applicable Data Protection Law. 

    2. Customer Data. Deja Taylor will process Customer Data as a controller to perform the functions as a global employment platform provider that may include, but are not limited to, (a) manage the relationship with the Customer; (b) carry out Deja Taylor’s business operations, such as accounting, tax, billing, audit and compliance; (c) to investigate security issues, fraud, unauthorized or unlawful use of the Services and other misuses; (d) to improve the Services; and (e) as required by Applicable Data Protection Law. 

    3. Customer’s customer data. Deja Taylor will process Customer’s customer data in accordance with Section 4.A.iii of this DPA.

  2. Duration of Processing

    1. Deja Taylor acting as a processor for Customer’s customer data. Deja Taylor will process Customer’s customer data for the duration outlined in Section 9 of this DPA.

    2. Deja Taylor acting as a controller. Deja Taylor will process personal data as a controller for as long as needed to provide the Services. Upon termination of the Agreement, Deja Taylor may retain personal data (a) for the purposes outlined in Section A.ii of this Schedule 1; or (b) as required by law. Deja Taylor will promptly delete or anonymize such personal data when Deja Taylor no longer requires it for the herein mentioned purposes. 

  3. Types of Personal Data

    1. Deja Taylor processes personal data contained in Team Member Data, Customer Data, and Customer’s customer data as defined in Section A of this DPA.

  4. Categories of Data Subjects

    1. Team Member Data. Team Member Data may concern the following categories of data subjects:

      1. Team Members employed by Deja Taylor to provide services to Customer

    2. Customer Data. Customer Data may concern the following categories of data subjects:

      1. Customer’s employees and agents

      2. Customer’s authorized users

    3. Customer’s customer data. Customer’s customer data may concern the following categories of data subjects:

      1. Customer’s customers and end users

Schedule 2: Standard Contractual Clauses Decision (EU) 2021/914

Terms applicable to the EEA SCCs:

  1. Clause 7 – the optional docking clause shall not apply

  2. Clause 9 – Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 of this DPA;

  3. Clause 11(a) – the optional language will not apply;

  4. Clause 17 – Option 1 will apply and the Clauses will be governed by the laws of the Republic of Ireland;

  5. Clause 18 – disputes will be resolved before the courts of the Republic of Ireland;

  1. Module One (Controller to Controller) of the EEA SCCs applies where Customer is a controller and Deja Taylor is an independent controller

  2. Module Two (Controller to Processor) of the EEA SCCs applies where Customer is a controller and Deja Taylor is a processor

  3. Module Three (Processor to Processor) of the EEA SCCs applies where Customer is a processor and Deja Taylor is a processor

SCC Annex I: Personal Data

  A. List of Parties

Controller/Data Exporter:

  Name: The company defined as “Customer Company” who is a party to the Agreement

  Address: The address of the Customer Company as detailed in the Agreement

  Contact person’s name, position and contact info: Customer Company’s email address associated with its admin account on the Deja Taylor Platform

  Activities relevant to the data transferred under the SCCs: Transfer of personal data in order for Deja Taylor to provide the Services

  Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these SCCs, including their annexes, as of the date the Parties entered into the Agreement or this DPA, whichever is later.

  Role (controller/processor): The Data Exporter’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA

Controller/Data Importer:

  Name: Deja Taylor, LLC

  Address: As detailed in the Agreement

  Contact person’s name, position and contact info: Deja Taylor’s Privacy Team, inquiries@dejataylor.com

  Activities relevant to the data transferred under the SCCs: Provision of Services under the Agreement

  Signature and date: By entering into the Agreement, Data Importer is deemed to have signed these SCCs, including their annexes, as of the date the Parties entered into the Agreement or this DPA, whichever is later.

  Role (controller/processor): The Data Importer’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA


  B. Description of Transfer

Categories of data subjects whose personal data is transferred: As described in Schedule 1 (Details of Processing) of this DPA

Categories of personal data transferred: As described in Schedule 1 (Details of Processing) of this DPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Services.

Nature of the processing: Processing of personal data to provide services pursuant to the terms of the Agreement, including workplace consulting services.

Purpose(s) of the data transfer and further processing: As described in Schedule 1 (Details of Processing) of this DPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Upon termination or expiry of the Services, Deja Taylor shall promptly delete any personal data it has processed for Customer in connection with the Services unless Deja Taylor is required to keep the data for legal and regulatory reasons.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: Not applicable

  C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 SCCs: Where the EU GDPR applies, the competent authority shall be determined in accordance with Clause 13 of the SCCs.

SCC Annex II: Technical and Organizational Measures including TOMS to Ensure the Security of the Data

Description of the technical and organizational security measures implemented by the data importer are as set forth in Schedule 3 of this DPA. The data importer may update its security document from time to time provided there is no degradation to the security and/or privacy of the Services.

Schedule 3: Technical and Organizational Security Measures

Deja Taylor’s TOMs

Organization of Information Security

Security Ownership

Deja Taylor has appointed an Information Security Officer responsible for coordinating and leading the security program. Deja Taylor’s security program is overseen by the senior leadership team.

Data Protection Ownership

Deja Taylor has appointed a Data Protection Officer responsible for coordinating and leading data protection compliance. Deja Taylor’s data protection program is overseen by the senior leadership team.

Information Security Management System (ISMS)

Deja Taylor operates an ISMS that sets out policies, procedures and continual improvements to the security program.

Security Roles and Responsibilities

Deja Taylor has a dedicated team of information security professionals. All employees and relevant contractors have confidentiality obligations within contracts of employment.

Risk Management Program

Deja Taylor takes a risk-based approach to information security, conducting risk assessments for key company assets.

Asset Management

Asset Inventory

Deja Taylor maintains an asset inventory of IT equipment and information processing systems. Use of assets is governed by Deja Taylor’s Acceptable Use Policy.

Human Resource Security

Confidentiality, Education & Awareness

Deja Taylor provides custom information security and data protection awareness training to all employees and relevant contractors on a periodic basis. 

Confidentiality clauses are included in all employee and contractor agreements.


Physical & Environmental Security

Physical Access to Facilities

Deja Taylor’s production environment is hosted in ISO 27001 and SOC 2 certified data centers, which as such have stringent controls and extremely limited access.

Physical Access to Offices

Deja Taylor has no physical offices.

Operational Security

Anti-Malware

Deja Taylor maintains anti-malware controls in place for endpoints.

Data Loss Prevention

Deja Taylor uses mechanisms to detect, control and minimize where personal data is stored.

All business and personal data is backed up.

Encryption

SSL Encryption is used throughout our application

All data is encrypted in transit 

All databases and database backups are encrypted at rest

We apply a second layer of encryption to data such as bank accounts and NI numbers

Network Security 

Access to corporate network is protected by password.

All changes to network security configuration are subject to change control procedures.

Access Control

Access Policy

Access is only provided where necessary for the role.

Principle of Least Privilege

The minimum level of privileges is provided to allow authorized personnel to carry out their duties and to avoid excessive privileges.

Identity & Access Management

Deja Taylor adopts an IAM system (OKTA) to centralize, limit and swiftly manage access for employees and contractors. 

Incident Management

Incident Detection, Reporting & Response 

Deja Taylor has a defined, repeatable way to respond to incidents according to best practice. Technical and operational measures have been put in place for timely incident detection and reporting.

Third Party Risk Management

Suppliers

Deja Taylor suppliers are reviewed by the security and legal teams, with appropriate measures such as contractual requirements and technical monitoring used.

Data Sub Processors

Deja Taylor does not have Sub-Processors.

Schedule 4: UK International Data Transfer Addendum

Standard Data Protection International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018

VERSION B1.0, in force 21 March 2022

PART 1: TABLES

Table 1: Parties

Start Date: As set forth in the Agreement that incorporates these Standard Contractual Clauses by reference or as set forth in the DPA, whichever is later.

The Parties

Exporter (who sends the Restricted Transfer):

  Full legal name: The company defined as Customer who is party to the Agreement.

  Trading name (if different):

  Main address (if a company registered address): The address of the Customer as provided in the Agreement or order form.

  Official registration number (if any) (company number or similar identifier): As provided in the Agreement or order form.

  Key Contact

    Full name (optional):

    Job Title:

    Contact details including email: Customer’s email address associated to its DT account

  Signature (if required for the purpose of Section 2): By entering into the order form or the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum

Importer (who receives the Restricted Transfer):

  Full legal name: Deja Taylor, LLC

  Trading name (if different):

  Main address (if a company registered address): The Deja Taylor entity address specified in the Agreement or order form.

  Official registration number (if any) (company number or similar identifier): As provided in the Agreement or on the order form.

  Key Contact

    Full name (optional):

    Job Title:

    Contact details including email: Oyster Privacy Team, inquiries@dejataylor.com

  Signature (if required for the purpose of Section 2): By entering into the order form or the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum


Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: as provided in Table 1 above

Module 1

  Module in Operation: Yes

  Clause 7 (Docking Clause): Does not apply

  Clause 11 (Option): Optional language does not apply

  Clause 9a (Prior Authorization or General Authorization): (left blank)

  Clause 9a (Time Period): (left blank)

Module 2

  Module in Operation: Yes

  Clause 7 (Docking Clause): Does not apply

  Clause 11 (Option): Optional language does not apply

  Clause 9a (Prior Authorization or General Authorization): Option 2 applies (general authorization)

  Clause 9a (Time Period): At least thirty days prior to such change, where commercially feasible. In any event no less than 10 days.

Module 3

  Module in Operation: Yes

  Clause 7 (Docking Clause): Does not apply

  Clause 11 (Option): Optional language does not apply

  Clause 9a (Prior Authorization or General Authorization): Option 2 applies (general authorization)

  Clause 9a (Time Period): At least thirty days prior to such change, where commercially feasible. In any event no less than 10 days.

Module 4

  (no entries)


Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: as set forth in Annex I.A of Schedule 2 of this DPA.

Annex 1B: Description of Transfer: as set forth in Annex I.B of Schedule 2 of this DPA.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: as set forth in Annex II of Schedule 2 of this DPA.

Annex III: List of Sub processors (Modules 2 and 3 only): N/A.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19:

Importer and Exporter

PART 2: MANDATORY CLAUSES

Mandatory Clauses: 

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Schedule 5: Jurisdiction-Specific Terms

Australia:

  • The definition of “Applicable Data Protection Law” includes the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

  • The definition of “sensitive data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

Brazil:

  • The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).

  • The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.

  • The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to the data subjects.

California:

  • The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).

  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

  • The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law, and references to Data Subject Rights include Consumer rights. With regard to Data Subject Requests, Deja Taylor can only verify a request from Customer and not from Customer’s end user or any third party.

  • The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.

  • The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.

  • Deja Taylor will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Deja Taylor agrees not to sell Customer’s Personal Data or Customer end users’ Personal Data; retain, use, or disclose Customer’s Personal Data for any commercial purpose other than providing the Services; or retain, use, or disclose Customer’s Personal Data outside of the scope of the Agreement. Deja Taylor understands its obligations under the Applicable Data Protection Law and will comply with them.

  • Deja Taylor certifies that its Sub-processors, if any, are Service Providers under Applicable Data Protection Law, with whom Deja Taylor has entered into a written contract that includes terms substantially similar to this DPA. Deja Taylor conducts appropriate due diligence on its Sub-processors.

  • Deja Taylor will implement and maintain the reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 5 of the DPA.

Canada:

  • The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

  • Deja Taylor’s Sub-processors, as described in Section 4 of the DPA, are third parties under Applicable Data Protection Law, with whom Deja Taylor has entered into a written contract that includes terms substantially similar to this DPA. Deja Taylor has conducted appropriate due diligence on its Sub-processors.

  • Deja Taylor will implement technical and organizational measures as set forth in Section 5 of the DPA.

European Union: 

  • The definition of “Applicable Data Protection Law” includes the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).

Israel:

  • The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL). 

  • The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law. 

  • The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law. 

  • Deja Taylor will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Deja Taylor in accordance with Section 5 of the DPA. 

  • Deja Taylor must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 5 of the DPA and complying with the terms of the Agreement. 

  • Deja Taylor must ensure that the Personal Data will not be transferred to a Sub-processor unless such Sub-processor has executed an agreement with Deja Taylor pursuant to Section 4 of this DPA.

Japan:

  • The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

  • The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Deja Taylor is responsible for the handling of Personal Data in its possession.

Singapore:

  • The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

  • Deja Taylor will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 of the DPA and complying with the terms of the Agreement.

United Kingdom:

  • The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.

  • References in this DPA to GDPR will be deemed to be references to the corresponding laws of the United Kingdom, e.g., UK GDPR and Data Protection Act 2018.