Appendix 3
Cross Border Data Transfer Solutions
1. Definitions
For the purposes of the Clauses:
1.1. “Standard Contractual Clauses” means, depending on the circumstances unique to Customer, any of the following:
1.1.1. UK Standard Contractual Clauses, or;
1.1.2. 2021 Standard Contractual Clauses
1.2. “UK Standard Contractual Clauses” means: Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”).
1.3. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
2. Cross Border Data Transfer Solutions
2.1. Order of Precedence. In the event the Services are covered by more than one Transfer Solution, the transfer of personal data will be subject to a single Transfer Solution in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.2 (UK Standard Contractual Clauses) or Section 2.3 (The 2021 Standard Contractual Clauses) of this Appendix 3; and, if neither (a) nor (b) is applicable, then (c) other data Transfer Solutions permitted under applicable Global Data Protection Legislation.
2.2. UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
2.2.1. The UK Controller to Processor SCCs will apply where Userback is processing Customer Personal Data. The illustrative indemnification clause will not apply. Appendix 1 (Subject Matter and Details of the Data Processing) of this Addendum serves as Appendix I of the UK Controller to Processor SCCs. Appendix 2 (Technical and Organizational Security Measures) of this Addendum serves as Appendix II of the UK Controller to Processor SCCs.
2.3 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
2.3.1. Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a controller of Customer Personal Data and Userback is processing Customer Personal Data.
2.3.2. Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a processor of Customer Personal Data and Userback is processing Customer Personal Data.
2.3.3. For each Module, where applicable:
(a) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
(b) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 “General Written Authorisation” will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 9 (Subprocessors) of this Addendum;
(c) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
(d) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(e) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(f) in Annex I, Part A (List of Parties) of the 2021 Standard Contractual Clauses:
(i) Data Exporter: Customer.
(ii) Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences.
(iii) Data Exporter Role: The Data Exporter’s role is set forth in Section 3.1 (Roles and Regulatory Compliance; Authorization) of this Addendum. The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer may act either as a controller or processor and Userback is a processor. Userback will process Customer Personal Data in accordance with Customer’s Instructions as set forth in Section 3.2.1.
(iv) Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
(v) Data Importer: Userback Pty Ltd.
(vi) Address: 9 Aspire Street, Rochedale, Queensland 4123, Australia
(vii) Contact details: Userback Data Security Team – [email protected]
(viii) Data Importer Role: The Data Importer’s role is set forth in Section 3.1 (Roles and Regulatory Compliance; Authorization) of this Addendum. The parties acknowledge and agree that with regard to the processing of Customer Personal Data,Customer may act either as a controller or processor and Userback is a processor. Userback will process Customer Personal Data in accordance with Customer’s Instructions as set forth in Section 3.2.1.
(ix) Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
(g) in Annex I, Part B (Description of Transfer) of the 2021 Standard Contractual Clauses:
(i) The categories of data subjects are described in the “Data Subjects” Section of Appendix 1 (Subject Matter and Details of the Data Processing) of this Addendum.
(ii) The categories of personal data transferred is described in the “Categories of Personal Data” Section of Appendix 1 (Subject Matter and Details of the Data Processing) of this Addendum.
(iii) The Sensitive Data transferred is described in the “Sensitive Data” Section of Appendix 1 (Subject Matter and Details of the Data Processing) of this Addendum.
(iv) The frequency of the transfer is on a continuous basis for the duration of the Agreement.
(v) The nature of the processing is described in the “Nature and Purpose of the Processing” Section of Appendix 1 (Subject Matter and Details of the Data Processing) of this Addendum.
(vi) The purpose of the processing is described in the “Nature and Purpose of the Processing” Section of Appendix 1 (Subject Matter and Details of the Data Processing) of this Addendum.
(vii) The period for which personal data will be retained and the criteria used to determine that period is as follows: Prior to the termination of the Agreement, Userback will process stored Customer Personal Data for the permitted purposes set forth in Section 3.1.1. (Customer’s Instructions) until Customer elects to delete such Customer Personal Data via the Services. Prior to the termination of the Agreement, Customer agrees that it is solely responsible for deleting Customer Personal Data via the Services. Upon termination of the Agreement, Userback will (i) provide Customer thirty (30) days after the effective date of termination to obtain a copy of any stored Customer Personal Data via the Services, and (ii) delete any stored Customer Personal Data within thirty (30) days upon customer request, unless alternate timeframes for retention and/or deletion are otherwise set forth in the Agreement. Any Customer Personal Data archived on Userback’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.
(viii) For transfers to Subprocessors, the subject matter, nature, and duration of the processing is set forth at https://userback.io/dpa-subprocessors.
(h) In Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
(i) Appendix 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the Standard Contractual Clauses.
2.4 Conflict. To the extent there is any direct conflict between the Standard Contractual Clauses and any other terms in this Addendum, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.