Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Torq Master Service Agreement available at https://torq.io/legal/msa/ (“Agreement”) between you, the Customer (as defined in the Agreement (collectively, “You”, “Your”, “Customer”, or “Data Controller”) and Torq Technologies Ltd. (“Torq”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”), and reflects the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) by Torq on behalf of Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
This Agreement does not have to be signed in order to be binding. You indicate your agreement to this Agreement by signing into our Services or executing an Order Form.
By accessing or using the Services on behalf of your employer or other organization on behalf of whom you are acting; (a) you declare that you are over the age of 18 years old; (b) you declare that you have the right to bind your employer or entity to the terms of this DPA, and that you and your employer or organization agree to be bound by the terms of this DPA; (d) all references to “Customer”, “you” or “your” in this Agreement refer to your employer or entity. IF YOU OR YOUR EMPLOYER OR ENTITY DOES NOT AGREE TO BE BOUND BY THIS DPA, OR YOU DO NOT HAVE AUTHORITY TO BIND YOUR EMPLOYER OR OTHER ENTITY, PLEASE DO NOT PROVIDE ANY PERSONAL DATA TO US.
1. INTERPRETATION AND DEFINITIONS
1.1. Interpretation. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.2. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations; and (b) is permitted to use the Services pursuant to the Agreement between Customer and Torq, but has not signed its own agreement with Torq and is not a “Customer” as defined under the Agreement.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq, and its implementing regulations, as may be amended from time to time, including by the California Privacy Rights Act of 2020.
“Data Controller“, “Member State“, “Data Processor“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA. For the purposes of clarity, to the extent that the CCPA applies, the term “Controller” as used in this DPA shall also mean “Business”, and “Processor” shall also mean “Service Provider”, and “Data Subject” shall also mean “Consumer”. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.
“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their Member States, the United Kingdom, Switzerland, Canada, Israel and the United States of America, including without limitation the GDPR, the UK GDPR and CCPA.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by Torq solely on behalf of Customer under this DPA and the Agreement. For the avoidance of doubt, Customer’s business contact information is not by itself deemed to be Personal Data subject to this DPA.
“Security Documentation” means Torq’s security documentation applicable to the Services purchased by Customer, as updated by Torq from time to time, as made available at Torq’s Trust Centre and/or Customer may request by sending an email to [email protected].
“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws and Regulations, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offences; (d) Personal Data relating to children; and/or I account passwords in unhashed form.
“Standard Contractual Clauses” or “SCCs” means: (a) in respect of transfers of Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors and between processors and processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I, II and V thereto (”EU SCCs”); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0), as incorporated into the EU SCCs through Annex III thereto (“UK Addendum”).
“Sub-processor” means any third party that is engaged by a Processor to carry out specific Processing activities of Personal Data.
“UK GDPR” means the Data Protection Act 2018, as updated, amended, replaced or superseded from time to time by the ICO, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
“US Laws” means, as applicable, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, and any other applicable data protection federal and/or state law.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. The Parties acknowledge and agree that with regards to the Processing of Personal Data: (a) Customer is the Data Controller and/or Data Processor, and (b) Torq is the Data Processor and/or Data Sub-processor.
2.2. Customer’s Obligations. Customer shall comply with Data Protection Laws and Regulations, the Agreement and this DPA when acting as a Data Controller or Data Processor, including without limitation when providing instructions to Torq for the Processing of Personal Data. Customer shall have sole responsibility for the means by which Customer acquires Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) as required under Data Protection Laws and Regulations, and shall have any and all required legal bases in order to collect, Process and transfer to Torq the Personal Data, and to authorize the Processing by Torq of the Personal Data under this DPA.
2.3. Torq’s Processing of Personal Data. Torq shall Process Personal Data: (a) in accordance with the Agreement, this DPA, and applicable Data Protection Laws and Regulations; (b) in connection with its provision of the Services; (c) in accordance with Customer’s documented instructions as necessary for the performance of the Services, the Agreement and this DPA; (d) as required by any applicable law to which Torq and its Affiliates are subject, in which case, Torq shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. If Torq is unable to comply with the DPA or applicable Data Protection Laws and Regulations, Torq agrees to immediately provide written notification to Customer of such inability to comply therewith.
2.4. Details of Processing. Details relating to the duration, nature and purposes of the Processing, as well as the types of Personal Data categories of Data Subjects Processed under this DPA, are further specified in Appendix 1 (Details of the Processing). The Parties agree that Appendix 1 hereto shall satisfy any requirement under applicable Data Protection Laws and Regulations to provide details regarding the nature of the Processing activities related to Customer’s Personal Data.
2.5. Sensitive Data. The Parties agree that the Services are not intended for the Processing of Sensitive Data, and that if Customer wishes to use the Services to Process Sensitive Data, it must first obtain Torq’s explicit prior written consent and enter into any additional agreements as may be required by Torq.
2.6. Customer Instructions. To the extent that Torq, in Torq’s reasonable opinion, cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer and/or its authorized users relating to Processing of Personal Data or where Torq considers such a request to be unlawful, Torq shall inform Customer, providing relevant details of the problem, and Torq may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data). If the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Torq all the amounts owed to Torq or due before the date of termination. Customer shall have no further claims against Torq (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below). Torq shall not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Torq, to the extent that such is a result of Customer’s instructions.
3. RIGHTS OF DATA SUBJECTS
If Torq receives a request from a Data Subject to exercise any of its rights under Data Protection Laws and Regulations, including right of access, rectification, restriction of Processing, erasure, data portability, objection to the Processing, the right not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or to not be discriminated against (“Data Subject Request”), Torq shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Torq shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Torq’s provision of such assistance.
4. TORQ PERSONNEL
Torq shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a “need-to-know” basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality.
5. SUB-PROCESSORS
5.1. Appointment of Sub-processors. Customer acknowledges and agrees that: (a) Torq’s Affiliates may be engaged as Sub-processors; and (b) Torq and Torq’s Affiliates may each engage third party Sub-processors in connection with the provision of the Services.
5.2. Current Sub-processors. Torq’s current list of Sub-processors is available here (“Sub-processor List”) and is hereby approved by Customer.
5.3. New Sub-processors. Torq shall provide notification to Customer of any new Sub-processor(s) Torq wishes to engage. Customer may reasonably object to Torq’s use of a new Sub-processor for reasons related to the protection of Personal Data intended to be Processed by such Sub-processor by notifying Torq promptly in writing within thirty (30) days after receipt of Torq’s notice. Failure to object to such new Sub-processor within the aforementioned timeframe shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor in accordance with the above, Torq shall use reasonable efforts to amend the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Torq is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Torq without the use of the objected-to new Sub-processor by providing written notice to Torq provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Torq. Until a decision is made regarding the new Sub-processor, Torq may temporarily suspend the Processing of the affected Personal Data. Customer shall have no further claims against Torq due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.4. Agreements with Sub-processors. Torq or any Torq Affiliate has entered into a written agreement with each existing Sub-processor, and shall enter into a written agreement with each new Sub-processor, containing the same or materially similar data protection obligations as set out in this DPA, in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfil its data protection obligations concerning its Processing of Personal Data, Torq shall remain responsible to Customer for the performance of the Sub-processor’s obligations.
6. SECURITY
6.1. Controls for the Protection of Personal Data. Taking into account the state of the art, Torq shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR and applicable Data Protection Laws and Regulations for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which is hereby approved by Customer. Upon the Customer’s request, Torq shall use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Torq.
6.2. Third-Party Certifications and Audits. At Customer’s expense, Torq shall allow for and contribute to audits, including inspections of Torq, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Torq) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, personal data that does not belong to Customer.
7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
To the extent required under applicable Data Protection Laws and Regulations, Torq shall notify Customer without undue delay after becoming aware of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Torq on behalf of the Customer (a “Personal Data Incident”). Torq shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Torq deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Torq’s reasonable control. The remediation obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Customer shall be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
8. RETURN AND DELETION OF PERSONAL DATA
Subject to the Agreement and Torq’s data retention policies, Torq shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Torq may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Torq’s customers.
9. AUTHORIZED AFFILIATES
9.1. Contractual Relationship. The Parties acknowledge and agree that, by entering into this DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Torq. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
9.2. Communication. Customer shall remain responsible for coordinating all communication with Torq under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
10. TRANSFERS OF DATA
10.1. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”) and the United Kingdom to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States the European Commission or the UK supervisory authority (“Adequacy Decisions”), without any further safeguard being necessary.
10.2. To the extent that there is Processing of Personal Data which includes transfers from the EEA or the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the below terms shall apply, as applicable:
10.2.1. With respect to transfers from the EEA to other countries which have not been subject to a relevant Adequacy Decision, Customer as a Data Exporter (as defined in the EU SCCs) and Torq on behalf of itself and each Torq Affiliate (as applicable) as a Data Importer (as defined in the EU SCCs) hereby enter into the EU SCCs set out in Appendix 2. To the extent that there is any conflict or inconsistency between the terms of the EU SCCs and the terms of this DPA, the terms of the EU SCCs shall take precedence.
10.2.2. With respect to transfers from the UK to other countries which have not been subject to a relevant Adequacy Decision, Customer as a Data Exporter (as defined in the UK SCCs) and Torq on behalf of itself and each Torq Affiliate (as applicable) as a Data Importer (as defined in the UK SCCs), hereby enter into the UK SCCs set out in Appendix 2. To the extent that there is any conflict or inconsistency between the terms of the UK SCCs and the terms of this DPA, the terms of the UK SCCs shall take precedence.
11. TERMINATION
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Any sections which by their nature, are intended to survive termination of this DPA, shall survive termination hereof. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
12. PRIVACY UNDER US LAWS
To the extent that the Personal Data is subject to US Laws, Torq shall not Sell or Share (as such terms are defined under Data Protection Laws and Regulations) Customer’s Personal Data without Customer’s prior written authorization. Torq acknowledges that when processing Personal Data in the provision of the Services, Customer is not selling or sharing Personal Data to Torq. Torq agrees not to retain, use or disclose Personal Data: (a) for any purpose other than the Business Purpose (as defined below); (b) for no other commercial or Business Purpose; or (c) outside the direct business relationship between Torq and Customer. Notwithstanding the foregoing, Torq may use, disclose, or retain Personal Data to: (a) transfer the Personal Data to other Sub-processors in order to provide the Services to Customer; (b) to comply with, or as allowed by, applicable US laws; (c) to defend legal claims or comply with a law enforcement investigation; (d) for internal use by Torq to build or improve the quality of its services and/or for any other purpose permitted under applicable US Laws; (e) to detect data security incidents, or protect against fraudulent or illegal activity; and (f) collect and analyze anonymous information. Torq shall use commercially reasonable efforts to comply with its obligations under the applicable US Laws. If Torq becomes aware of any material applicable requirement (to Torq as a service provider) under any applicable US Law that Torq cannot comply with, Torq shall use commercially reasonable efforts to notify Customer. Upon written Customer’s notice, Torq shall use commercial reasonable and appropriate steps to stop and remediate Torq’s alleged unauthorized use of Personal Data; provided that Customer must explain and demonstrate in the written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons. Torq shall use commercially reasonable efforts to enable Customer to comply with consumer requests made pursuant to applicable US Laws. Notwithstanding anything to the contrary, Customer shall be fully and solely responsible for complying with its own requirements under the applicable US Laws. “Business Purpose” means the Processing activities that Torq shall perform to provide Services (as described in the Agreement), this DPA and any other instruction from Customer, as otherwise permitted by applicable law, including the CCPA and other applicable US Laws, or as otherwise necessary to provide the Services to Customer.
13. RELATIONSHIP WITH AGREEMENT
In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail with regards to the subject matter herein.
14. AMENDMENTS
This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
APPENDIX 1 – DETAILS OF THE PROCESSING
1. Subject Matter. Torq will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
2. Nature and Purpose of Processing
(a) Providing the Service(s) to Customer.
(b) Setting up profile(s) for users authorized by Customer.
(c) Performing the Agreement, this DPA and/or other agreements executed by the Parties.
(d) Complying with Customer’s instructions, where such instructions are consistent with the terms of the Agreement.
(e) Providing support services, as agreed in the Agreement.
(f) Complying with applicable laws and regulations.
(g) All tasks related with any of the above.
3. Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Torq will Process Personal Data for the duration of the provision of the Services, unless otherwise agreed upon in writing.
4. Type of Personal Data. Customer may submit Personal Data to the Services, the extent of which is determined by Customer in its sole discretion.
5. Categories of Data Subjects. The categories of data subjects relating to the Personal Data that will be processed by Torq are dependent on Customer, and may include, but are not limited to, any of the following categories:
(a) Users authorized by Customer to use the Services
(b) Customer’s employees, agents, advisors and freelancers (who are natural persons)
(c) Customer’s customers, prospects, business partners and vendors, and any of their respective employees (who are natural persons)
(d) Any other third party individual with respect to whom Customer provides Personal Data in its use of the Services.
APPENDIX 2 – STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses (“EU SCCs”) as follows:
(a) The EU SCCs (Controller-to-Processor and Processor-to-Processor), as applicable, will apply, with respect to restricted transfers between Customer and Torq that are subject to the GDPR.
(b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Torq (as Data Importer), the following shall apply: (i) Clause 7 of the EU SCCs shall be applicable; (ii) in Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Sub-Processors) shall apply; (iii) Clause 11 of the EU SCCs shall be not applicable; (iv) in Clause 13: the relevant option applicable to Customer, as informed by Customer to Torq; (v) in Clause 17, option 1 shall apply, and the Parties agree that the EU SCCs shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
(c) Annex I.A (List of Parties): With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Torq as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Torq as a data processor (sub-processor). Data Exporter and Data Importer contact details (name, address and contact details) shall be as detailed in the Order Form. Activities relevant to the data transferred under these clauses shall be as specified in Section 2.3 and Appendix 1 of the DPA. Signature and Date: By signing the Order Form and accessing and using Services, each Party is deemed to have agreed to these EU SCCs, including their Annexes.
(d) Annex I.B (Description of Transfer) shall be completed as described in Appendix 1 (Details of the Processing) of this DPA.
(e) Annex I.C (Competent Supervisory Authority) shall be the Irish supervisory authority.
(f) Annex II (Technical and organisational measures including technical and organisational measures to ensure the security of the data) shall be completed as described in the Security Documentation.
(g) Annex III (List of Sub-processors) shall be completed as detailed in the Sub-Processor List.
UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
(a) The UK Standard Contractual Clauses (Controller-to-Processor and Processor to Processor), as applicable, will apply with respect to restricted transfers between Customer and Torq that are subject to the GDPR.
(b) Table 1 shall be as set out in Annex I.A of the EU SCCs (List of Parties).
(c) Table 2: The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Torq (as Data Importer), the following shall apply: (i) Clause 7 of the EU SCCs shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Sub-Processors) shall apply; (iii) Clause 11 of the EU SCCs shall be not applicable; (iv) In Clause 17, option 1 shall apply, and the Parties agree that the SCCs shall be governed by the laws of England and Wales; and (v) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
(d) Table 3:
(i) Annex I.A (List of Parties): With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Torq as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Torq as a data processor (sub-processor). Data Exporter and Data Importer contact details (name, address and contact details) shall be as detailed in the Order Form. Activities relevant to the data transferred under these clauses shall be as specified in Section 2.3 and Appendix 1 of the DPA. Signature and Date: By signing the Order Form and accessing and using Services, each Party is deemed to have agreed to these UK SCCs, including their Annexes.
(ii) Annex I.B of the UK SCCs shall be completed as described in Appendix 1 (Details of the Processing) of this DPA.
(iii) Annex I.C of the UK SCCs shall be completed as follows: The competent supervisory authority is the ICO supervisory authority.
(iv) Annex II of the UK SCCs shall be completed as described in the Security Documentation.
(v) Annex III of the UK SSCs shall be completed as detailed in the Sub-Processor List.
Last update: July 18, 2024