Demand Partner DP Addendum
Last Updated: 01/03/2023
This Demand Partner DPA Addendum (hereinafter the “DPA“) is entered into by and between ExplorAds, a Cypriot company located at 2 Filiou Zannetou St. 3021 Limassol Cyprus (hereinafter “ExplorAds”) and you (hereinafter the “Demand Partner” or “You”), supplements and forms part of the Agreement or any other written or electronic agreement referencing to this DPA between ExplorAds and Advertiser/DSP to reflect the parties’ agreement with regard to the processing of personal data. ExplorAds and Demand Partner have entered into a master agreement, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Agreement”), under which Demand Partner may purchase digital advertising inventory via ExplorAds’s RTB services and platform(s) (collectively: the “ExplorAds Services”).
This DPA is effective as of the date of the Agreement entered into (hereinafter the “Effective Date”). Capitalized terms used in this DPA shall have the meanings given to them in the main body of the Agreement unless otherwise defined in this DPA.
ExplorAds is a provider of a technology market place platform, which engages in the provision of auction of purchases of digital advertising inventory (including via its platform vendors and sub-Processors). Demand Partner is an advertiser, agency, demand-side platform or an ad network which uses ExplorAds’s Services to engage in the buying of digital advertising inventory. The parties have entered into this DPA to ensure that in sharing such personal data pursuant to the Agreement, they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.
IT IS AGREED:
1. Definitions
“Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
“Processor” means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the Controller;
“Sub-processor” means any person appointed by or on behalf of ExplorAds to process the Personal Data on behalf of ExplorAds in connection with the Agreement;
“CPRA” mean the California Privacy Rights Act of 2020, Cal. Civ. Code §§ 1798.100 et. Seq;
“Demand Partners” means Explorads’ media buying clients, including but not limited to advertisers, demand side platforms, ad exchanges, agencies and ad networks;
“European Data Protection Law” means as applicable to a party in its Processing of Data: (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts the GDPR and e-Privacy Directive in domestic law or that relates to data and privacy and is enacted as a consequence of the United Kingdom leaving the European Union; in each case, as may be amended, superseded or replaced from time to time;
“European Economic Area” means, for the purposes of this DPA, the European union (EU), the United Kingdom, Iceland, Lichtenstein, Norway and Switzerland;
“Government Authority Request” means any subpoena, warrant or other judicial, regulatory, governmental or administrative order, proceeding, demand or request (whether formal or informal) by a government or quasi-governmental or other regulatory authority (including law enforcement or intelligence agencies) seeking or requiring access to or disclosure of Personal Data.
“Industry Rules” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols;
“Personal Data” means any information which are related to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable European Data Protection Law;
“Privacy Requirements” means: (i) European Data Protection Law, as applicable to Publisher, ExplorAds, its Demand Partners, and their respective processing of Data under this DPA; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the IAB Transparency and Consent Framework (TCF) (in each case, as amended, superseded or replaced);
“Publisher Assets” means the websites, mobile applications and/or other digital media properties owned or operated by the Publisher (including via its vendors and sub-processors) and accessible through the ExplorAds platform or via which the Personal Data used in connection with the Services;
“ExplorAds Privacy Policy” means the privacy policy available at: Privacy Statement – ExplorAds as updated or amended from time to time);
“Standard Contractual Clauses” means: the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
“Sell,” “Selling,” “Sale,” or “Sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data for monetary or other valuable consideration.
“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
The terms “Commission“, “Member State“, “Personal Data Breach“, “Supervisory Authority“, “Data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law.
2. Scope of processing
The parties agree that unless otherwise agreed between the parties, based on the Agreement ExplorAds will submit to Demand Partner the ExplorAds Platform Services and/or Demand Partner may otherwise collect or receive certain data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such data (as described in the Agreement) may contain Personal Data, as more particularly described in Annex A.
The parties also agree that at the moment of the registration and/or signing of the Agreement Demand Partner may provide data (including Personal Data) about or related to its personnel as more particularly described in Annex B of this DPA.
3. Relationship of the parties
a. Demand Partner agrees that it shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or any other third party using the Services only process and collect the Data solely for the purposes expressly permitted under the Agreement and this DPA (the “Purposes“) and in a manner that complies with this DPA, the Applicable Privacy Laws, the Agreement and where applicable, the Industry Rules.
b. The parties acknowledge that Demand Partner is a controller of the Data and that ExplorAds will process the Data as a data processor, and strictly for the designated Purposes. In no event will the parties process the Data jointly as joint controllers. The parties also acknowledge that only for the Purposes of the processing of the Demand Partner’s Personnel Data, ExplorAds will be considered as the Controller. ExplorAds hereby agrees that it will process and collect the Demand Partner’s Personnel Data only in a manner that complies with the Purposes. The parties hereby agree that for the Purposes of the processing of the Demand Partner’s Personnel Data, the legal basis will be the Agreement between the parties and Explorads legitimate interests. The Demand Partner acknowledges that ExplorAds provides a marketplace Platform and that any Personal Data transferred to Demand Partner through the Platform(s) is transferred by Explorads from the Publishers using its Platform(s) and such Publishers shall be responsible to comply with their own responsibilities as the Controllers of such Personal Data and subject to their privacy policy.
c. Compliance with Applicable Privacy Law: Each party shall be individually and separately responsible for complying with the obligations that apply directly to it under Applicable Privacy Law as per the designated roles. Without limitation to the foregoing, each party shall maintain a publicly accessible privacy policy on its website(s) that satisfies the requirements of Applicable Privacy Law.
d. Consent Signals: Demand Partner shall and shall ensure that the Demand Third Parties honor all “consent”, “no consent” “opt-in” and “opt-out” signals received from ExplorAds (or any of its publisher clients or other sub-processors like IAb enabled by ExplorAds through the Services) in compliance with Applicable Privacy Law and where applicable, the Industry Rules.
e. Deletion: Demand Partner will not, and will not permit any third party, to retain the Personal Data for longer than the period during which the Demand Partner has a lawful basis to retain the Data for the designated Purposes and in compliance with the Applicable Privacy Law. Promptly upon the expiration or earlier termination of the Agreement, or such earlier time as ExplorAds requests, in the event that ExplorAds cannot deleted the Personal Data by itself, Demand Partner shall securely destroy each and every original and copy in every media of all Personal Data related to DPA in Demand Partner’s or its Sub-Processors’ possession, custody or control. Upon as ExplorAds’s request, Demand Partner shall provide to as ExplorAds a completed Officer’s Certificate certifying that such action occurred. In the event applicable law does not permit Demand Partner to comply with the destruction of the Personal Data, Demand Partner warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after the end of the provision of the Services relating to the Processing under the Agreement and this DPA.
Demand Partner shall not share, transfer, disclose, Sell, make available or otherwise provide access to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless ExplorAds has authorized Demand Partner to do so in writing.
4. Personal Data Breach
Demand Partner shall notify ExplorAds in writing without undue delay upon Demand Partner or any its sub-contractors becoming aware of a Security Incident or a Personal Data Breach affecting Personal Data, providing ExplorAds with sufficient information to inform its sub-processors or any other third party; Demand Partner shall be responsible to inform the Data Subjects of the Personal Data Breach as required under the Applicable Privacy Law. Such notification shall as a minimum:
(i) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned, effect on the Parties, if known, of the Security Incident;
(ii) communicate the name and contact details of the Demand Partner’s data protection officer or other relevant contact from whom more information may be obtained;
Demand Partner shall co-operate with ExplorAds, shall cooperate fully with ExplorAds in all reasonable and lawful efforts to prevent, assess and take such reasonable commercial steps as are directed by ExplorAds to assist in the investigation, mitigation and remediation of each such Personal Data Breach and, where required by Applicable Privacy Law, to notify the Security Incident to the competent supervisory authority. Demand Partner shall be responsible for the costs and expenses associated with the performance of its obligations described in this paragraph. The content of any filings, communications, notices, press releases or reports related to any Security Incident related to this DPA and Agreement must be approved by ExplorAds prior to any publication or communication thereof, unless prohibited by applicable law.
In the event of a Security Incident involving Personal Data in Demand Partner’s possession, custody or control or for which Demand Partner is otherwise responsible, Demand Partner shall reimburse ExplorAds for all commercially reasonable direct notification related costs incurred by ExplorAds arising out of or in connection with any such Security Incident, subject to the limitation of liability in the Agreement.
Demand Partner shall supervise its employees, and shall employ required efforts to review its agents, consultants and Sub-Processors to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. Demand Partner shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum to relevant employees who have access to the Personal Data.
5. Sub-Processors
ExplorAds’s current list of Sub-processors is included in Annex D (“Sub-processor List”) and is hereby approved by the Demand Partner.
Where ExplorAds engages a Sub-processor for carrying out specific Processing activities, the same or materially similar data protection obligations as set out in this DPA will be imposed on such new Sub-processor by way of a contract, or other undertaking.
Where Demand Partner provides access to Personal Data to a third party on its behalf, Demand Partner shall enter into a written agreement with each Sub-Processor that imposes substantially the same obligations on the Sub-Processor as those imposed on Service Provider under this DPA. Where the Sub-Processor fails to fulfil its obligations, Demand Partner shall remain fully liable to ExplorAds for the performance of such Sub-Processor’s obligations.
6. Assistance and Right to Monitor
- Demand Partner shall make available to ExplorAds available information necessary to demonstrate its compliance with the obligations under this Addendum. Demand Partner shall cooperate fully with any such inspection. Demand Partner shall deal promptly and appropriately with any inquiries from ExplorAds relating to this Addendum.
- Upon request, Demand Partner will provide reasonable cooperation to ExplorAds, in connection with (i) any privacy or information security assessment that may be requested by ExplorAds or that may be required under Applicable Privacy Law, including Privacy Laws concerning cross-border data transfer or disclosure of Personal Data, and (ii) any consultation of a privacy regulatory authority in relation to such assessment.
- Where Demand Partner receives a Government Authority Request concerning Personal Data subject to this DPA (or any portion thereof), Demand Partner shall:
- Follow its documented procedure, outlined under this DPA;
- To the fullest extent permitted by law, immediately and in advance of providing any response or making any disclosure, notify ExplorAds, in writing of such Government Authority Request so that ExplorAds may, or require Demand Partner to, contest or seek to narrow such disclosure or seek a protective order or other appropriate remedy. Where permitted by law, Demand Partner shall seek to redirect the Government Authority (or other third party) to request the Personal Data directly from ExplorAds;
- Reject such Government Authority Request unless required by applicable law to comply;
- To the fullest extent permitted by law, fully cooperate with and take all required steps to assist ExplorAds to contest or seek to narrow such Government Authority Request, obtain a protective order or seek another remedy at ExplorAds’s discretion. Where ExplorAds seeks to contest a Government Authority Request or narrow the scope of such a request, Demand Partner shall, to the fullest extent permitted by law, allow ExplorAds to conduct all negotiations and proceedings on its behalf and provide ExplorAds with such reasonable assistance as is required by ExplorAds;
- Where any attempt to contest, or to seek to narrow such Government Authority Request, or obtain a protective order or seek another remedy is not successful so that some or all of the Personal Data is required to be disclosed, Demand Partner shall take all necessary steps to furnish only the minimum amount of Personal Data legally required to be disclosed, including by removing any information prior to disclosure or access that would allow an individual to be directly identified from the information disclosed or to which access is provided, taking into account ExplorAds’s requests.
7. Standard Contractual Clauses
(a) ExplorAds agrees to abide by and process Data in accordance with the SCCs, whichever apply as set forth in this Section 5(a). The parties agree that the Applicable SCCs are hereby incorporated into and form an integral part of this DPA. The terms of the SCC will apply where and to the extent (i) the applicable transfer of Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for Personal Data (as described in applicable European Data Protection Law); or (ii) ExplorAds and the applicable transfer of Personal Data is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data.
(b) For the purposes of the SCC the parties agree, (i) ExplorAds shall be deemed the “data exporter” and Demand Partner shall be deemed the “data importer”; (ii) Annex A of this DPA shall replace Appendix 1 of the Standard Contractual Clauses; and (iii) Annex B of this DPA shall replace Appendix 2 of the Standard Contractual Clauses; (iv) Module 4 (Transfer processor to controller) will apply to the processing of the Personal Data submitted based on the Agreement (Annex A 1); Module 1 (Transfer Controller to Controller) will apply to the processing of the Demand Partner’s Personnel Data (Annex A 2) to ExplorAds; (v) in Clause 7, the optional docking clause will apply; (vi) in Clause 17, Option 1 will apply, and the SCCs will be governed by laws of Cyprus; (vii) in Clause 18(b), disputes shall be resolved by the applicable courts located in Cyprus; (viii) Annex A to this DPA shall replace Annex I of the SCCs; and (ix) Annex B to this DPA shall replace Annex II of the SCCs. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs (as applicable). Accordingly, if and to the extent the SCCs conflict with any provision of the Agreement, including this DPA, the SCCs (as applicable) shall prevail to the extent of such conflict (see Annex E).
8. California region
The following additional terms shall apply with respect to data subjects who are California residents:
For the purpose of this section, the definitions of: “Controller” includes “Business”; “Processor” includes “Service Provider”, or “Contractor” or “Third Party”, “Sub–Processor” includes “Sub–Provider”; “Data Subject” includes “Consumer”; “Personal Data” includes “Personal Information”, “Purpose” includes “Business Purpose”; in each case as defined under CPRA.
- For this “California” section shall include processing Personal Data for the Purposes described in this DPA and in accordance with the applicable ExplorAds’s documented lawful instructions as (a) set forth in this DPA, and (b) as necessary to comply with applicable Data Protection Law, (c) as otherwise agreed in writing, or (d) as otherwise may be permitted for “Service Providers” as defined under the CPRA.
- Notwithstanding any use restriction contained elsewhere in this DPA, ExplorAds shall process Personal Data only to perform the Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. company may de-identify or aggregate Consumer Data as part of performing the Services specified in this DPA and the Agreement.
- Demand Partner shall not sell or share the Personal Data provided to it be ExplorAds to any third party.
9. General Terms applicable to all Personal Data
(a) Subcontracting: The Demand Partner may enlist the help of third parties to handle Personal Data as outlined in this DPA, as long as they agree in writing to follow the Demand Partner’s instructions, implement security measures that are at least as protective as those outlined in Annex C, and ensure compliance with relevant privacy laws and this DPA.
(b) Security: The Demand Partner shall develop, maintain and implement a comprehensive written information security program that complies with Applicable Privacy Laws and must implement security measures that are at least as protective as those outlined in Annex C to protect data, including Personal Data from security incidents. These measures must comply with relevant Applicable Privacy Law.
(c) International Transfers: If European data protection laws apply to the data, the Demand Partner must not process or allow the data to be processed outside of Europe unless necessary measures are taken to ensure compliance with these laws and this DPA, as outlined by ExplorAds.
(d) Transfer Arrangements: If ExplorAds adopts a different method for transferring data, it will take precedence over any methods outlined in this DPA. These methods must comply with relevant privacy laws in the country where data processing takes place. The Demand Partner must take any necessary actions to implement these methods.
(e) Cooperation and Data Subject Rights: Both parties must inform each other of any requests from data subjects to exercise their rights under relevant privacy laws and cooperate to respond to these requests and fulfill their legal obligations.
(f) Change in Law: If there are changes to relevant privacy laws or directives from regulatory authorities that affect this DPA or data processing, ExplorAds may amend this DPA as needed to maintain compliance.
(g) Survival: This DPA will continue to be in effect after the Agreement is terminated or expires, as long as data processing complies with the DPA and relevant privacy laws.
(h) Miscellaneous: This DPA will be governed by and interpreted in accordance with the governing law and jurisdiction provisions outlined in the Agreement.
Annex A
List of parties
Processor / Data Exporter
| Name: | ExplorAds LTD |
| Address: | 2 Filiou Zannetou St. 3021 Limassol Cyprus |
| Contact person’s name, email, and position: | Eran Cohen, DPO, contact@explorads.com |
| Activities relevant to personal data transfers: | See Annex B |
| Signature and date: | |
| Role: | Processor |
Controller / Data Importer
| Name: | Demand Partner |
| Address: | See Agreement |
| Contact person’s name, email, and position: | See Agreement |
| Activities relevant to Personal Data transfers: | Annex B |
| Signature and date: | See Agreement |
| Role: | Controller or Processor |
Annex A (2)
List of parties
Controller / Data Importer
| Name: | ExplorAds LTD |
| Address: | 2 Filiou Zannetou St. 3021 Limassol Cyprus |
| Contact person’s name, email, and position: | Eran Cohen, DPO, privacy@explorads.com |
| Activities relevant to personal data transfers: | See Annex B |
| Signature and date: | |
| Role: | Controller |
Controller / Data Exporter
| Name: | See Agreement |
| Address: | See Agreement |
| Contact person’s name, email, and position: | See Agreement |
| Activities relevant to personal data transfers: | Annex B |
| Signature and date: | See Agreement |
| Role: | Controller |
Annex B
Description of transfer
Defined terms are as set out in the Demand Partner Data Processing Addendum agreed between the parties
Categories of Data Subjects whose Personal Data is transferred:
§ End users, submitted to Demand Partner via the ExplorAds Services
§ Demand Partner’s Personnel
Categories of Personal Data transferred:
End users:
§ Identifiers: Identifier for Advertising (IFA; IDFA; GAID); User ID; Buyer ID; Device ID, IP address
§ Demographic information: location, year of birth, gender
Demand Partner’s Personnel:
§ Contact details (first name, last name, email, country (region), address, telephone and Skype)
Recipients: sub-contractors, supervisory authority
Sensitive data transferred (if applicable): None.
Frequency of the transfer:
End Users – Continuous
Demand Partner’s Personnel – Only at the moment of registration and when required to update the information.
Nature of the Processing: Personal data transferred will be processed in accordance with the Agreement (including this DPA) and ExplorAds Services and may be subject to the following processing activities:
1. Storage and other processing necessary to provide ExplorAds Services to the Demand Partner
2. Disclosures in accordance with the Agreement and/or as required by applicable laws
Purpose(s) of the data transfer and further processing:
End Users: solely for the Purposes expressly permitted under the Agreement and this DPA, for the provision of the ExplorAds Services
Demand Partner’s Personnel: For business relationship and account management purposes.
Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Data Importer will not, and will not permit any third party, to retain the Data for longer than the period during which the Data Importer has a lawful basis to retain the Data for the Prescribed Purposes and in compliance with the European Data Protection Law.
Contact points for data protection enquiries:
Data Exporter: See Annex A
Data Importer: See Annex A/Agreement
Competent Supervisory Authority
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises, and for Data protected by the Cypriot DPA, Commissioner for personal data protection.
Annex C
Technical and organizational security measures
The technical and organizational security measures implemented by Demand Partner to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:
| Type of measure | Terms |
| Measures for ensuring confidentiality | Demand Partner has implemented measures to ensure the integrity, availability and security of personal information, including vulnerability scans. |
| Measures for ensuring ongoing availability and adaptability of services | Demand Partner maintains personal data availability and resilience through a variety of technical, physical, and administrative measures. Examples of these measures include: secured and monitored operational sites; processes and policies for topics such as incident response and review, and vendor review |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Further measures include regular backups and disaster recovery plans |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures in order to ensure the security of the processing | At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices |
| Measures for user identification and authorization | Demand Partner has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request. Demand Partner has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”. |
| Measures for the protection of Data during storage | As per the Agreement, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope and cannot be directly identified with a natural person by Demand Partner. Data is only stored for as long as necessary for legitimate business purposes. |
| Measures for ensuring physical security of locations at which personal data are processed | Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement. Demand Partner provides personnel who access personal data with appropriate information security and data protection training. |
| Measures for certification/assurance of processes and products | Demand Partner participates in industry certification and self-regulatory programs such as IAB TCF 2.0 |
| Measures for ensuring accountability | Demand Partner has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes at least a personal data breach policy and appointment of a data protection officer (DPO). The foregoing measures are regularly reviewed (at least once a year) and updated to ensure alignment with applicable law and industry standards. |
| Measures for allowing data portability and ensuring erasure | Demand Partner has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. |
Annex D
Sub-processors List
| Entity Name | Sub-Processing Activities | Entity Country |
| AdKernel | Process of data | US |
| Amazon Web Services (AWS) | data center services | US |
| MySQL | Database services | DE |
| MongoDB | Database services | DE |
| DynamoDB | Database services | DE |
Annex E
Standard Contractual Clauses
1. Preamble: According to the GDPR, Standard Contractual Clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU or the EEA to Third Countries. This includes model contract clauses, so-called Standard Contractual Clauses (SCC) that have been pre-approved by the European Commission.
On 4 June 2021, the European Commission issued modernized Standard Contractual Clauses under the GDPR for Data Transfers from Controllers or Processors in the EU/EEA (or otherwise subject to the GDPR) to Controllers or Processors established outside the EU/EEA (and not subject to the GDPR).
These modernized SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46., and are available here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.
The Parties herein agree to be bound by Standard Contractual Clauses (SCC)]:
- MODULE ONE: Transfer Controller to Controller
- MODULE FOUR: Transfer Processor to Controller
When applicable, Client shall ensure to have an approved and completed SCC in place with authorized Sub-Processors, as per Module 1& 4 – transfers Processor to Controlleror transfers Controller to Controller.
The parties shall complete, attach and sign the applicable Module of the SCC and send to the following to: contact@explorads.com.