Revision Date: 31 May 2022
If this Data Processing Addendum (“Addendum”) is expressly incorporated by reference into an agreement (“Main Agreement”) between Sophos Limited, a company registered in England and Wales number 2096520, with its registered office at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP, UK (“Supplier”) and a customer of Supplier (“Customer”), this Addendum forms part of the Main Agreement and is effective between the Supplier and the Customer.
If you wish to view this Addendum in another language, visit any of the following pages: Spanish, French, Italian, Brazilian Portuguese, German, Chinese Traditional, Chinese Simplified, and Japanese.
1. PREAMBLE
1.1 The parties have entered into the Main Agreement regarding the provision by the Supplier to the Customer of certain products and/or services (collectively, “Products”).
1.2 If the Main Agreement is an MSP agreement in similar form to the MSP agreement located at https://www.sophos.com/en-us/legal/sophos-msp-partner-terms-and-conditions (“MSP Agreement”), the Customer is a managed service provider (“MSP”). If the Main Agreement is an OEM agreement under which the Customer is authorised to distribute, sublicense, or make available to third parties Supplier Products in combination with the Customer’s products as part of a bundled unit (“OEM Agreement”), the Customer is an original equipment manufacturer (“OEM”). Otherwise, the Customer is an end user (“End User”).
1.3 The provision of the Products may include the collection, processing and use of Controller Data by the Supplier for the Customer. This Addendum sets forth the obligations of the parties with respect to such data processing and supplements the terms and conditions of the Main Agreement.
1.4 The Main Agreement, this Addendum and the documents expressly referenced in the Main Agreement and this Addendum shall constitute the entire agreement between the parties in relation to personal data collected, processed and used by the Supplier on behalf of the Customer in connection with the Main Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
2. DEFINITIONS
2.1 In this Addendum, the following terms shall have the following meanings:
“Applicable Data Protection Laws” means (a) EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or "GDPR"); (b) the e-Privacy Directive (EU Directive 2002/58/EC); and (c) any and all applicable national data protection legislation, including legislation made under or pursuant to (a) or (b); in each case as may be amended or superseded from time to time.
“Beneficiary” has the meaning given to it in the MSP Agreement.
“Clauses” shall have the meaning ascribed to it in the EU SCCs.
“Controller” means either: (a) the Customer, if the Customer is an End User; (b) the Beneficiary, if the Customer is an MSP; or (c) the End Customer, if the Customer is an OEM.
“Controller Data” means any and all personal data for which the Controller is the controller under Applicable Data Protection Laws.
“End Customer” has the meaning given to it in the OEM Agreement.
"Europe" (and "European") means (a) the Member States of the European Economic Area (“EEA”), and (b) with immediate effect following the date from which European Union law no longer applies to the United Kingdom, the United Kingdom.
“EU Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by the European Commission implementing decision (EU) 2021/914 of 4 June 2021.
“EU Controller to Processor Clauses” means the Module Two Clauses to the EU SCCs.
“EU Processor to Processor Clauses” means the Module Three Clauses to the EU SCCs.
“Hosted Products” means the Products listed in Exhibit 3.
“ICO” means The Information Commissioner’s Office established in the United Kingdom.
“Personal Data Breach” means a breach of security (other than those caused by the Customer or its users) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Data processed by the Supplier under this Addendum.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the ICO as set out in Exhibit 5 attached hereto.
2.2 In this Addendum, the lower case terms "controller", "processor", "data subject", "personal data" and "processing" (and derivatives thereof) shall have the meanings given in Applicable Data Protection Laws.
3. SCOPE
3.1 The subject matter and duration of the Supplier's processing of Controller Data, including the nature and purpose of the processing, the types of Controller Data to be processed, and the categories of data subjects, shall be as described in: (a) this Addendum; (b) the Main Agreement; (c) any instructions in Exhibit 1 (Data Processing Instructions); and (d) the Customer’s instructions issued in accordance with clause 4 below.
3.2 The Customer is responsible for ensuring (a) that the Controller has a lawful basis for the processing of Controller Data that will be carried out by the Supplier on its behalf, and (b) that the Controller has obtained all necessary consents from data subjects that may be required for the processing of Controller Data by the Customer and the Supplier (including but without limitation, in relation to special categories of data); and (c) that it is otherwise compliant with, and will ensure its instructions to the Supplier for the processing of Controller Data comply in all respects with, Applicable Data Protection Laws.
3.3 The remaining provisions of this Addendum describe the parties’ respective obligations in relation to Controller Data for which either: (a) the Customer is the controller and the Supplier is the processor, if the Customer is an End User; or (b) the Customer is the processor for a third party controller, and the Supplier is the sub-processor, if the Customer is an MSP or OEM.
4. CUSTOMER INSTRUCTIONS
4.1 The Supplier shall process the Controller Data in accordance with the Customer's documented processing instructions, as exclusively set out in clause 3.1, except (a) where otherwise agreed in writing between the Supplier and the Customer; or (b) where required by law to which the Supplier is subject (in which event, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits the provision of such information).
4.2 If the Supplier becomes aware that the Customer's processing instructions infringe Applicable Data Protection Laws (without imposing any obligation on the Supplier to actively monitor the Customer's compliance), it will promptly notify the Customer of same and suspend processing of the Controller Data.
5. DUTIES OF THE SUPPLIER
5.1 All Supplier personnel who process the Controller Data shall be adequately trained with respect to their data protection, security and confidentiality obligations, and shall be subject to written obligations to maintain confidentiality.
5.2 The Supplier will, at its own cost, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to protect the Controller Data against a Personal Data Breach. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons so as to ensure a level of security that is appropriate to the risk. In particular, the measures taken by the Supplier shall include those described in Exhibit 2 of this Addendum. The Supplier may change or amend the technical and organisational measures described in Exhibit 2 without the prior written consent of the Customer provided that the Supplier maintains at least an equivalent level of protection. Upon request by the Customer, the Supplier will provide an updated description of the technical and organisational measures in the form as presented in Exhibit 2.
5.3 The Supplier shall follow the requirements specified in clause 7 below for engaging any subprocessor to process Controller Data.
5.4 The Supplier shall follow the requirements specified in clause 8 below for assisting the Customer to respond to enquiries from third parties, including any requests from data subjects to exercise their rights under Applicable Data Protection Laws.
5.5 Upon confirming the occurrence of any Personal Data Breach, the Supplier shall inform the Customer without undue delay and shall provide all such timely information and cooperation as the Customer may reasonably require in order for the Customer (and, if the Customer is an MSP or OEM, its Controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Laws. The Supplier shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Personal Data Breach and shall keep the Customer informed of all developments in connection with the Personal Data Breach.
5.6 The Supplier shall provide the Customer (or, if the Customer is an MSP or OEM, its Controller) with all such reasonable and timely assistance as the Customer (or, as applicable, the Controller) may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority. Such assistance shall be provided at the Customer's expense.
5.7 The Supplier shall delete the Controller’s Controller Data within a reasonable period of time following termination or expiry of this Addendum, in each case if and to the extent permitted by applicable European law.
5.8 The Supplier shall follow the requirements specified in clause 8 for providing to the Customer (and, if the Customer is an MSP or OEM, its Controller) such information as is necessary to demonstrate the Supplier's compliance with the obligations laid down in this Addendum.
6. AUDIT RIGHTS OF THE CUSTOMER
6.1 The Customer acknowledges that the Supplier is regularly audited against SSAE 18 SOC 2 standards by independent third party auditors. Upon request, the Supplier shall supply a copy of its SOC 2 audit report to the Customer, which report shall be subject to the confidentiality provisions of the Main Agreement as the Supplier’s confidential information. The Customer acknowledges and agrees that the third party auditor that authored such report (“Author”) does not accept any responsibility or liability to the Customer or the Customer’s auditors unless and until the Customer enters into a separate duty of care agreement with the Author. The Supplier shall also respond to any written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once per year.
7. SUBPROCESSORS
7.1 The Customer consents to the Supplier’s existing subprocessors as at the date of this Addendum, which are listed at https://www.sophos.com/en-us/legal (“Subprocessor List”). The Supplier will not subcontract the processing of any Controller Data to any additional third party subprocessor (each a “New Subprocessor”) without prior notification to the Customer. The Supplier will provide prior notice of the addition of any New Subprocessor (including general details of the processing it performs or will perform), which notice may be given by posting details of such addition to the Subprocessor List. If the Customer does not object in writing to the Supplier’s appointment of a New Subprocessor (on reasonable grounds relating to the protection of Controller Data) within 30 days of the Supplier adding that New Subprocessor to the Subprocessor List, the Customer will be deemed to have consented to that New Subprocessor. If the Customer provides such a written objection, the Supplier will notify the Customer in writing within 30 days that either: (a) the Supplier will not use the New Subprocessor to process the Controller Data; or (b) the Supplier is unable or unwilling to do so. If the notification in paragraph (b) is given, the Customer may, within 30 days of such notification, elect to terminate this Addendum and the Main Agreement as to the affected processing upon written notice to the Supplier, and the Supplier shall, for Customers located within the European Economic Area and the UK only, authorise a pro rata refund or credit of any prepaid fees for the period remaining after the termination. If no such notice of termination is provided within that timeframe, the Customer will be deemed to have consented to the New Subprocessor.
The Supplier will impose data protection terms on New Subprocessors to protect the Controller Data to the same standard as provided for by this Addendum and the Supplier will remain fully liable for any breach of this Addendum that is caused by any such subprocessor.
8. INQUIRIES OF THIRD PARTIES
8.1 The Supplier shall provide all reasonable and timely assistance to the Customer (or, if the Customer is an MSP or OEM, the Controller), at the Customer's expense, to enable the Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Controller Data. If any such request, correspondence, enquiry or complaint is made directly to the Supplier, the Supplier shall promptly inform the Customer, providing full details of the same.
9. INTERNATIONAL DATA TRANSFERS
9.1 Certain Products enable the Customer to choose whether to host the Controller Data for such Products in data centres that may be located in (a) the European Economic Area, (b) the United Kingdom, or (c) the United States of America (“Central Storage Location”). This selection takes place at the point of installation, account creation, or first use of the relevant Product. Once selected, the Central Storage Location cannot be varied at a later date.
9.2 The Customer acknowledges and agrees that, regardless of the selected Central Storage Location (if relevant), Controller Data may be exported through or to other jurisdictions (inside and/or outside of the United Kingdom and the European Economic Area): (a) to Sophos’s global team of technicians and engineers for malware, security threat, and false positive analysis, and research and development purposes, (b) in order to provide technical and customer support, account management, billing and other ancillary functions, and (c) as expressly described in the documentation referenced in clause 3.1 above.
9.3 The Supplier shall not transfer the Controller Data to (nor permit the Controller Data to be processed in or from) a country outside of Europe unless the transfer is to a country that is deemed adequate under Applicable Data Protection Laws or the Supplier takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, including, for example but without limitation, by use of the EU SCCs (as amended from time to time).
9.4 The transfer restriction described in clause 9.3 above, shall also apply to transfers of Controller Data from the European Economic Area to the United Kingdom if and when the United Kingdom ceases to be subject to European Union law.
9.5 If clause 9.3 above applies because the Supplier or a Supplier affiliate will process Controller Data in a country outside of the UK or the EEA, then (and only to the extent that no other measure recognised under Applicable Data Protection Laws for permitting such transfers of Controller Data is available, such as, without limitation, transfer to a recipient in a country that is deemed to provide adequate protection for personal data under Applicable Data Protection Laws or transfer to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Laws) the parties agree that: (a) for transfers from the EEA, the EU Controller to Processor Clauses shall apply and such EU SCCs are hereby incorporated by reference into this Addendum; and (b) for transfers from the UK, the EU Controller to Processor Clauses shall apply (and such EU SCCs are hereby incorporated by reference into this Addendum) provided that such EU Controller to Processor Clauses shall be subject to the UK Addendum set out in Exhibit 5.
9.6 If clause 9.3 above applies because the Supplier or a Supplier affiliate will process Controller Data in a country outside of the UK or the EEA, and (as contemplated under clause 3.3(b) above) the Customer is the processor for a third party controller and the Supplier is the sub-processor, then (and only to the extent that no other measure recognised under Applicable Data Protection Laws for permitting such transfers of Controller Data is available, such as, without limitation, transfer to a recipient in a country that is deemed to provide adequate protection for personal data under Applicable Data Protection Laws or transfer to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Laws) the parties agree that: (a) for transfers from the EEA, the EU Processor to Processor Clauses shall apply and such EU SCCs are hereby incorporated by reference into this Addendum; and (b) for transfers from the UK, the EU Processor to Processor Clauses shall apply (and such EU SCCs are hereby incorporated by reference into this Addendum) provided that such EU Processor to Processor Clauses shall be subject to the UK Addendum set out in Exhibit 5.
9.7 The Appendix to the EU SCCs shall be completed as set out in Exhibit 4 below.
9.8 For each Module to the EU SCCs, where applicable:
(a) the details indicated in Exhibit 4 shall be used;
(b) the optional docking clause in Clause 7 shall not apply;
(c) Option 2 under Clause 9 shall apply, and the data importer shall notify the data exporter 30 days in advance of any intended changes (via addition or replacement) to the list of sub-processors;
(d) in Clause 11, the optional language shall not apply;
(e) for the purposes of Clause 13(a):
(i) where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer will be the competent supervisory authority where the data exporter is established; and
(ii) where the data exporter is established in the UK, the ICO shall act as competent supervisory authority;
(f) for the purposes of Clause 17, the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established; and
(g) for the purposes of Clause 18(b), disputes will be resolved before the courts of the EU Member State in which the data exporter is established.
10. DURATION
10.1 This Addendum commences upon (a) execution by both parties of the Main Agreement or (b) the date on which the Main Agreement becomes effective, if later, and continues until the earlier of: (i) the expiry of the Customer’s entitlement to use and receive the Products, as noted in the Main Agreement or on any associated license entitlement; and (ii) the termination of the Main Agreement.
11. OTHER REGULATIONS
11.1 Modifications of and amendments to this Addendum must be made in writing. This also applies to changes and modifications to this clause 11.1.
11.2 In no event shall the Supplier's liability to the Customer in connection with any issue arising out of, or in connection with, this Addendum exceed the Supplier's limitations on liability set out in the Main Agreement. The Supplier's limitations on liability as set out in the Main Agreement shall apply in aggregate across both the Main Agreement and this Addendum, such that a single limitation on liability regime shall apply across both the Main Agreement and this Addendum.
11.3 This Addendum shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of laws principles. To the extent permitted by applicable law, the courts of England shall have exclusive jurisdiction to determine any dispute or claim that may arise out of, under, or in connection with this Addendum.
11.4 To the extent of any conflict between the terms of this Addendum and the terms of any EU SCCs entered into by the parties, the terms of the applicable EU SCCs (including any addendums thereto) shall take precedence.
LIST OF APPENDICES
Exhibit 1
Data Processing Instructions
This Exhibit 1 describes the processing that the Supplier will perform on behalf of the Customer.
(A) Subject matter, nature and purpose of the processing operations
The Controller Data will be subject to the following basic processing activities (please specify):
- Providing the Products purchased by the Customer under and pursuant to the Main Agreement
- Providing account management and customer technical support services
The Supplier provides Products that are designed to detect, prevent, and manage, or assist the Supplier to detect, prevent, and manage security threats within or against systems, networks, devices, files, and other data made available by the Customer. The content of any information held in these systems, networks, devices, files and other data is determined solely by the Customer and not by the Supplier.
(B) Duration of the processing operations:
The Controller Data will be processed for the following duration (please specify):
The duration specified in the Main Agreement (or for the term of the Main Agreement, if not otherwise specified).
(C) Data subjects
The Controller Data concern the following categories of data subjects (please specify):
Data subjects include the individuals about whom data is provided to the Supplier via the Products by (or at the direction of) the Customer or the Customer’s end users.
(D) Types of personal data
The Controller Data concern the following categories of data (please specify):
Data relating to individuals provided to the Supplier via the Products, by (or at the direction of) the Customer or the Customer’s end users, such as contact information.
(E) Special categories of data (if appropriate)
The Controller Data concern the following special categories of data (please specify):
Unless otherwise specified, the Supplier’s Products are not designed to process special categories of data.
Exhibit 2
Technical and Organisational Measures
Certain of these measures may only be relevant or applicable to Hosted Products.
Physical Access Control.
(a) Sophos has a physical access control policy;
(b) All staff carry ID / access badges;
(c) Entrances to facilities are protected by access badges or keys;
(d) Facilities are divided into (i) public access areas (such as reception areas), (ii) general staff access areas, and (iii) restricted access areas which may only be accessed by those personnel with an express business need;
(e) Access badges and keys control access to restricted areas within each facility according to an individual’s authorised access levels;
(f) Access levels for individuals are approved by senior staff members and are verified on a quarterly basis;
(g) Reception and/or security staff are present at entrances to larger sites;
(h) Facilities are protected by alarms;
(i) Visitors are pre-registered and visitor logs are maintained.
System Access Control.
(a) Sophos has a logical access control policy;
(b) The network is protected by firewalls at each Internet connection;
(c) The internal network is segmented by firewalls based on application sensitivity;
(d) IDS and other threat detection and blocking controls run on all firewalls;
(e) Filtering of network traffic is based on rules that apply the principle of “least access”;
(f) Access rights are only granted to authorised personnel to the extent and for the duration necessary in order to perform their job roles and are reviewed quarterly;
(g) Access to all systems and applications is controlled by a secure log-on procedure;
(h) Individuals have unique user IDs and passwords for their own use;
(i) Passwords are strength tested and changes are enforced to weak passwords;
(j) Screens and sessions automatically lock after a period of inactivity;
(k) Sophos malware protection products are installed as standard;
(l) Regular vulnerability scans are conducted on IP addresses and systems;
(m) Systems are patched on a regular cycle with a prioritisation system for fast-tracking urgent patches.
Data Access Control.
(a) Sophos has a logical access control policy;
(b) Access rights are only granted to authorised personnel to the extent and for the duration necessary in order to perform their job roles and are reviewed quarterly;
(c) Access to all systems and applications is controlled by a secure log-on procedure;
(d) Individuals have unique user IDs and passwords for their own use;
(e) Passwords are strength tested and changes are enforced to weak passwords;
(f) Screens and sessions automatically lock after a period of inactivity;
(g) Laptops are encrypted using Sophos encryption products;
(h) Senders are directed to consider file encryption prior to sending any external email.
Input Control.
(a) Access to all systems and applications is controlled by a secure log-on procedure;
(b) Individuals have unique user IDs and passwords for their own use;
(c) The Sophos Central Products use transport layer encryption (TLS) to protect data in transit;
(d) Communication between the client software and the backend Sophos system is performed over HTTPS to secure the data in transit, establishing trusted communication via certificates and server validation.
Subcontractor Control.
(a) Subcontractors with access to data undertake an IT security vetting procedure prior to onboarding and as required thereafter;
(b) Contracts contain appropriate confidentiality and data protection obligations based on the subcontractor’s duties.
Availability Control.
(a) Sophos protects its premises from fire, flood and other environmental hazards;
(b) Back-up generators are available to maintain power supplies in the event of power outages;
(c) Data centres and server rooms use climate controls and monitoring;
(d) The Sophos Central system is load balanced and has failover between three sites, each running two instances of the software, any one of which is capable of providing the full service.
Segregation Control.
(a) Sophos maintains and applies a quality control process for the deployment of new customer products;
(b) Testing and production environments are separate;
(c) New software, systems and developments are tested prior to release to the production environment.
Organisational Control.
(a) Sophos has a dedicated IT security team;
(b) The Risk and Compliance team manage internal risk reporting and controls, which include reporting on key risks to management;
(c) An incident response process identifies and remedies risks and vulnerabilities on a timely basis;
(d) Each new employee undertakes data protection and IT security training;
(e) The IT Security department conducts quarterly security awareness campaigns.
Exhibit 3
Hosted Products
(a) Sophos Central
(b) Sophos Cloud Optix
(c) Central Device Encryption
(d) Central Endpoint Protection
(e) Central Endpoint Intercept X
(f) Central Endpoint Intercept X Advanced
(g) Central Mobile Advanced
(h) Central Mobile Standard
(i) Central Phish Threat
(j) Central Intercept X Advanced for Server
(k) Central Server Protection
(l) Central Mobile Security
(m) Central Web Gateway Advanced
(n) Central Web Gateway Standard
(o) Central Email Standard
(p) Central Email Advanced
(q) Central Wireless Standard
(r) Any other Sophos product that is administered and operated via Sophos Central
Exhibit 4
Reference data for Appendix of the EU Standard Contractual Clauses
Module that will apply:
MODULE TWO: Transfer controller to processor
ANNEX 1
A. LIST OF PARTIES
1. Data exporter(s): [Identity and contact details of the data exporter(s), including any contact person with responsibility for data protection]
Customer Name: As provided to Supplier under the Main Agreement
Address: As provided to Supplier under the Main Agreement
Contact email: As provided to Supplier under the Main Agreement
Contact person’s name/position: As provided to Supplier under the Main Agreement
Activities relevant to the data transferred under these Clauses: As set out in clause 3 of the Addendum above
Role (controller/processor): Controller
2. Data importer(s): [Identity and contact details of the data importer(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Sophos Limited (for and on behalf of its EU and Swiss subsidiaries)
Address: The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Other information needed to identify the organisation: Registration number 2096520
Contact person’s name, position and contact details: Privacy Counsel
Activities relevant to the data transferred under these Clauses: As set out in clause 3 of the Addendum above
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
As set out in section C, Exhibit 1 to the Addendum
Categories of personal data transferred:
As set out in section D, Exhibit 1 to the Addendum.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
As set out in section E, Exhibit 1 to the Addendum.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
As set out in section A, Exhibit 1 to the Addendum.
Purpose(s) of the data transfer and further processing
As set out in section A, Exhibit 1 to the Addendum.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the contracting period.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As set out in clause 3 to the Addendum above.
C. COMPETENT SUPERVISORY AUTHORITY
As set out in clause 9.8 to the Addendum above.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA[1]
The measures are set out in Exhibit 2 to the Addendum above.
ANNEX III – LIST OF SUB-PROCESSORS[2]
Not required as Clause 9(a), Option 1 has not been selected.
[1] Annex II must be completed for all modules except MODULE FOUR.
[2] Annex III applies only to MODULE TWO (Transfer controller to processor) and MODULE THREE (Transfer processor to processor) where Clause 9(a), Option 1 has been selected.
Exhibit 5
UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | As set out in clause 10.1 of the Addendum above.
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)
Parties’ details | As set out in Exhibit 4 above. | Full legal name: Sophos Limited (for and on behalf of its EU and Swiss subsidiaries)
Key Contact | As set out in Exhibit 4 above. | Full Name (optional): Privacy Counsel
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
2 | ☒ | Not Applicable | Not Applicable | Option 2 | 30 days | Yes ☒
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: |
Annex 1B: Description of Transfer: |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: |
Annex III: List of Sub processors (Modules 2 and 3 only): |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes |
Which Parties may end this Addendum as set out in Section 19: |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum |
This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs |
The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information |
As set out in Table 3. |
Appropriate Safeguards |
The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum |
The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs |
The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO |
The Information Commissioner. |
Restricted Transfer |
A transfer which is covered by Chapter V of the UK GDPR. |
UK |
The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws |
All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR |
As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses:
Mandatory Clauses |
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
Archived Versions