Data Processing Agreement

Last modified: 30 November 2022

Table of Contents

  • AlphaSights Data Processing Agreement
  • Schedule A – Description of the Transfer
  • Schedule B – Technical and organisational measure to ensure the security of Personal Data
  • Schedule C – Client-Confidential Expert Engagement Records specific terms and amendments

This Data Processing Agreement, including its Schedules, (the “DPA”), as amended by AlphaSights from time to time, is incorporated by reference into the Access Terms (scheduled to and forming part of the Access Plan) or other written agreement for access to any AlphaSights Client-Facing Domain between AlphaSights Ltd (“AlphaSights”) and You (each being a “Party” and together the “Parties”), each referred to generically in this DPA as the “Access Terms”.

Collectively: (i) the DPA; (ii) the Access Plan; (iii) the Access Terms; and (iv) any signed written agreement for additional access to any AlphaSights Client-Facing Domain, are referred to in this DPA as the “Agreement”. In the event of any conflict or inconsistency between any of the terms of the Agreement, and always subject to Clause 12.3 of the DPA, the provisions of the following documents (in order of precedence) shall prevail: (a) this DPA; (b) the Access Plan; (c) any signed written agreement for additional access to any AlphaSights Client-Facing Domain and (d) the Access Terms. Except as specifically amended in this DPA, the Access Terms remain unchanged and in full force and effect, including any provisions regarding either Party’s liability.

Now, therefore, the Parties agree as follows:

1. Purpose

1.1 This DPA governs the processing and sharing of Personal Data that either Party provides to the other Party in connection with You accessing any AlphaSights Client-Facing Domain and completing Transactions. Terms specific to AlphaSights’ provision of Client-Confidential Expert Engagement Records are provided at Schedule C.

1.2 Except as set out in Schedule C with regards to Client-Confidential Expert Engagement Records, the Parties acknowledge and agree that each Party will be acting as an independent Controller of the Personal Data and will be subject to and responsible for complying with the obligations imposed on a Controller under all applicable Data Protection Laws. Affiliates are also covered by this DPA to the extent such Affiliates qualify as Data Controllers (or equivalent term under applicable Data Protection Laws).

2. Definitions

2.1 Capitalised terms used in this DPA will have the meanings given to them below. To the extent that a capitalised term in this DPA is not defined below, it is defined in the Agreement:

“Adequate Country” means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data.

“Affiliate” means, with respect to either Party, another Entity controlling, controlled by, or under common control with, such Party. The term “control” for the purposes of this definition means possession of the power, directly or indirectly, whether by contract or ownership, to direct or cause the direction of the management and affairs of such Entity, including business and investment decisions.

“AlphaSights Client-Facing Domain” means any domain, website, webpage and online platform, including the Platform, made available to, or accessible by You.

“Client-Confidential Expert Engagement Record” means any Expert Engagement Record of an Expert engagement completed by You or by a third party acting on Your behalf, or output solicited from, submitted by or derived from Expert(s) or engagements with Expert(s) by You, at Your request and for Your account.

“Controller”, “data subject”, “process/processing”, “personal data breach”, “Processor” and “Supervisory Authority” have the same meanings as in the GDPR.

“Entity” means any individual, sole proprietorship, general partnership, limited partnership, limited liability partnership, joint venture, trust, unincorporated association, corporation, limited company, unlimited company, other entity or governmental entity (including any instrumentality, division, agency or department thereof).

“Expert” means an individual natural person whose information and data relating to career history and fields of expertise, legal name, contact details or other Personal Data, is recorded on the Platform or any AlphaSights Client-Facing Domain, or otherwise made accessible to You.

“Expert Engagement Record” means transcripts of engagements with Expert(s) completed on or through the Platform, and any other output, including, but not limited to, work product, survey responses, industry overviews, reports, company primers, interaction summaries and synthesised insights, solicited from, submitted by or derived from Expert(s) or engagements with Expert(s).

“EU SCCs” mean the Standard Contractual Clauses, approved by the European Commission Decision C (2010) 593 of 4 June 2021 (as amended from time to time).

“Data Protection Laws” means all applicable laws, regulations and court orders which apply to the processing of Personal Data, including, but not limited to, in the European Economic Area (EEA), Switzerland, the United Kingdom (UK), the United States of America (USA). This includes the European Union Regulation (EU) 2016/679 (the “GDPR”), the UK GDPR, Data Protection Act 2018, the Privacy Act 1998, the California Consumer Privacy Act of 2018 (the “CCPA”) and the California Privacy Rights Act of 2020 (the “CPRA”) and any similar or equivalent applicable laws under any jurisdiction regarding the processing of Personal Data of the Parties, each as amended from time to time.

“EEA Personal Data” means Personal Data to which the Data Protection Laws of the European Union (EU), or a member state of the EU or EEA, applied prior to its processing by the recipient Party.

“Personal Data” means any personally identifiable information belonging to an identifiable natural person, including but not limited to, an identifier such as a name, an identification number, location data, an online identifier, or factors specific to the physical, economic, cultural or social identity of that natural person, received under or in connection with the Agreement and for the avoidance of doubt includes the term personal data as defined in the GDPR.

“Platform” means the online platform and its domains, incorporating proprietary technology, database and functionality owned, developed, maintained and/or operated by AlphaSights, on or through which Experts can be requested or engaged.

“Representative” means any director, officer, partner, managing member, equity holder or employee acting for or on behalf of a Party.

“Swiss Personal Data” means Personal Data to which the Data Protection Laws of Switzerland applied prior to Its processing by the recipient Party.

“Third Country” means (respectively to the circumstances of the transfer) a country outside the UK, the EEA or an Adequate Country.

“Transaction” means each and every instance You complete an Expert engagement, or access Client-Confidential Expert Engagement Records or Platform Content, on or through any AlphaSights Client-Facing Domain.

“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, as amended from time to time.

“UK Personal Data” means Personal Data to which the Data Protection Laws of the UK applied prior to its processing by the recipient Party.

3. Mutual obligations

3.1 The Parties agree that they will:

(a) only process Personal Data in accordance with and for the purposes specified in the Agreement (unless legally required to do otherwise). For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA, which shall apply as Annex I to Module 1 the EU SCCs and Annex 1B to the UK Addendum;

(b) each establish, maintain and use administrative, physical and technical safeguards to prevent the accidental or unlawful destruction, loss, alteration, unauthorised access, use, storage or disclosure of Personal Data, including the security measures set forth in Schedule B to this DPA, which shall apply as Annex II to Module 1 of the EU SCCs and Annex II to the UK Addendum, and

(c) without undue delay, provide the other Party with reasonable assistance with: (i) responses to data subjects’ requests to exercise their rights under Data Protection Laws; and (ii) engagement with supervisory authorities; and

(d) without undue delay, notify the other Party of a Personal Data breach after becoming aware of such breach.

4. International Personal Data transfers

4.1 Where a Party processes Personal Data in a Third Country outside the UK, the EEA or an Adequate Country the Parties agree that:

(a) any transfer of EEA Personal Data or Swiss Personal Data to a Third Country shall be governed by Module 1 of the EU SCCs, which are incorporated into this DPA by reference;

(b) the Party processing the Personal Data in the Third Country will act as the data importer and the Party transferring the Personal Data to the data importer will act as the data exporter;

(c) in respect of any Swiss Personal Data, the EU SCCs will be modified to refer to Swiss Data Protection Laws and must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;

(d) any transfer of UK Personal Data to a Third Country shall be governed by the EU SCCs (as implemented in this Clause 4) incorporating the amendments set out in the UK Addendum, which is incorporated into this DPA by reference; and

(e) Schedule A to this DPA shall apply as Annex I to Module 1 of the EU SCCs and Annex 1B to the UK Addendum and Schedule B to this DPA shall apply as Annex II to Module 1 of the EU SCCs and Annex II to the UK Addendum.

4.2 The Parties agree that the following terms apply with regards to the EU SCCs:

(a) the optional docking clause under Clause 7 of the EU SCCs shall not apply, and the option under Clause 11 of the EU SCCs shall not apply;

(b) the Data Protection Commission of Ireland shall be the competent Supervisory Authority pursuant to Clause 13 of the EU SCCs;

(c) the SCCs shall be governed by the law of Ireland, which allows for third-party beneficiary rights pursuant to Clause 17 of the EU SCCs; and

(d) any dispute arising from the SCCs shall be resolved by the courts of Ireland pursuant to Clause 18 of the EU SCCs.

4.3 If the EU SCCs and, if applicable, UK Addendum are insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

4.4 Subject to the terms of the EU SCCs and, if applicable, UK Addendum, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

(a) challenge the request and notify the data exporter about it; and

(b) only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

5. Third Party Data Processors

The Parties acknowledge that in order to fulfil their obligations under the Agreement, either Party may be required to transfer the Personal Data to, and otherwise interact with, third party data processors. The Parties agree that to the extent they transfer Personal Data to a third party data processor, they are responsible for entering into a separate contractual arrangement with such third-party data processor binding them to comply with obligations in accordance with Data Protection Laws.

6. Controller to Processor Scenarios

To the extent that You access a Client-Confidential Expert Engagement Record, the Parties agree that You will be Controller and AlphaSights will be Processor and that the terms and conditions set out in Schedule C to this DPA will amend this DPA with respect only to the accessing of a Client-Confidential Expert Engagement Record. For the avoidance of doubt, if You access a Client-Confidential Expert Engagement Record, the amendments set out in Schedule C apply only with respect to such access and the DPA will apply unamended with respect to any other Transaction, and references to ‘Personal Data’ in Schedule C shall be construed accordingly.

7. Term

This DPA shall remain in effect for as long as either Party processes the Personal Data for the purposes specified in the Agreement. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement and/or this DPA in order to protect the Personal Data will remain in full force and effect.

8. Notices

All notices given under this DPA will be given in writing and delivered to the address of the relevant Party stated in the Agreement. Notices may be delivered by hand, by first class mail or by email. Notices will be deemed delivered by hand, when delivered; if by mail, two working days after sending; if by email, the next working day after sending.

9. Third Parties

Subject to the application of the EU SCCs and UK Addendum where applicable, the Parties confirm their intent not to confer any rights on any third parties by virtue of this DPA and, accordingly, the Contracts (Rights of Third Parties) Act 1999 will not apply, except that each Party recognises and agrees that its Affiliates are third-party beneficiaries under this DPA.

10. Entire Agreement

This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the Parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.

11. Waiver

If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.

12. Amendments

AlphaSights may update this DPA where such update:

12.1 is required to comply with applicable Data Protection Laws or a regulation, court order or guidance issued by a governmental regulator or agency; or
is commercially reasonable; and

(a) does not result in a material reduction in the technical and organisational measures necessary to ensure the security of the Personal Data; and

(b) does not expand the scope of or remove any restrictions on either Party’s processing of the Personal Data, unless such expansion or removal is required in accordance with Clause 12.1 above; and

(c) does not otherwise have a material adverse impact on either Party’s rights under the DPA.

12.3 Nothing in this DPA is intended to modify or contradict the EU SCCs or UK Addendum or prejudice the fundamental rights or freedoms of data subjects under applicable Data Protection Laws.

13. Governing law and jurisdiction
This DPA is governed by English law and the Parties hereby submit to the exclusive jurisdiction of the English courts.

 

 

Schedule A – Description of the Transfer

A.1 Controller to Controller transfers

1. Categories of data subjects whose Personal Data is transferred in connection with the Agreement

The Personal Data transferred concern the following categories of data subjects. Each category includes current, past and prospective data subjects. Where any of the following is itself a business or organisation, it includes their staff (e.g. employees, contractors, volunteers, agents, temporary and casual workers):

1.1. AlphaSights and its Affiliates;

1.2. Experts;

1.3. Clients and its Affiliates;

1.4. the Parties’ suppliers;

1.5. the Parties’ shareholders;

1.6. the Parties’ advisers, consultants and other professional advisers; and

1.7. any other natural person whose Personal Data is provided to AlphaSights by You in connection with a Transaction.

2. Nature and purpose of the transfer of the Personal Data

The transfer of Personal Data is made for the following purposes:

2.1. From You (as exporter) to AlphaSights (as importer):

(a) in connection with Your access to any AlphaSights Client-Facing Domain in accordance with the Agreement, including:

i. the sharing of identity data, contact data, the Scope and Transaction data with AlphaSights for and during access to any AlphaSights Client-Facing Domain (such categories of Personal Data being explained in Clause 3 below);

ii. the sharing of Personal Data to enable AlphaSights to determine whether to accept You as a Client; and

iii. the keeping of Personal Data to maintain Your account and profile with AlphaSights, records of Transactions and other general information management;

(b) to otherwise fulfil the Parties’ (and, if applicable, its Affiliate’s) obligations under the Agreement with the data exporter; or

(c)to comply with applicable law.

2.2. From AlphaSights (as exporter) to You (as importer):

(a) in connection with Your access to any AlphaSights Client-Facing Domain in accordance with the Agreement, including:

i. providing and maintaining Your access to any AlphaSights Client-Facing Domain by, for example, sharing contact data, identity data, Transaction Data and Transaction Profile data (such categories of Personal Data being explained in Clause 3 below);

ii. deciding whether to accept AlphaSights as a vendor; and

iii. keeping records of your Account with AlphaSights, Transactions and other general information management in accordance with the Agreement;

(b) to otherwise fulfil the Parties’ (and, if applicable, its Affiliate’s) obligations under the Agreement with the data exporter; or

(c) to comply with applicable law.

3. Categories of Personal Data transferred

3.1 The data transferred is the Personal Data provided by the Parties in connection with Your access to any AlphaSights Client-Facing Domain under the Agreement. Such Personal Data may include:

(a) identity data, including first name, maiden name, last name, username or similar identifier, title, gender and other diversity or demographic data;

(b) contact data, including address(es), email address(es) and telephone number(s);

(c) Transaction data, including: (i) any Personal Data contained within an Expert Engagement Record accessed by You; (ii) any Personal Data in the Scope; and (iii) any Personal Data exchanged between You or an Expert with AlphaSights before, during and after a Transaction, including any correspondence or Personal Data related to a Transaction (e.g. parties entering and exiting AlphaSights’ conference bridge, duration and time of interactions) and any Expert feedback or feedback from You;

(d) Transaction Profile data, including an Expert’s professional background, language spoken, location, relevant qualifications, career history and any additional information provided;

(e) marketing and communications data, including Your preferences in receiving marketing from AlphaSights and third parties and Your communication preferences;

(f) any other information volunteered by the data subject.

(g) technical data, including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices You or Experts use to access any AlphaSights Client-Facing Domain; and

(h) usage data, including information about how you access and use any AlphaSights Client-Facing Domain.

3.2 The Personal Data transferred do not concern any categories of sensitive data.

4. Duration of processing

The Parties will process the Personal Data for the duration required under the Agreement. You may continue to process the Personal Data to the extent necessary to comply with Your legal and regulatory obligations, always subject to the requirements in the Access Terms. AlphaSights may continue to process the Personal Data as necessary for its legitimate interests.

 

A.2 Processor to Controller transfers (for the purposes of Schedule C only)

1. Categories of data subjects whose Personal Data is transferred in connection with Your access to a Client-Confidential Expert Engagement Record

The Personal Data transferred concerns the following categories of data subjects. Each category includes current, past and prospective data subjects. Where any of the following is itself a business or organisation, it includes their staff (e.g. employees, contractors, volunteers, agents, temporary and casual workers):

1.1. You or your Affiliates;

1.2. Any of Your advisers, consultants and other professional advisers who participate in a Client-Confidential Expert Engagement Record in accordance with the Agreement; and

1.3. Any other natural person whose Personal Data is provided to AlphaSights by You in connection with a Client-Confidential Expert Engagement Record.

The transfer of Personal Data from You (as exporter) to AlphaSights (as importer) is made for the following purposes:

1.4. in connection with Your access to a Client-Confidential Expert Engagement Record in accordance with the Agreement, including:

(a) the sharing of identity data, contact data, the Scope and Transaction data with AlphaSights for and during access to any AlphaSights Client-Facing Domain (such categories of Personal Data being explained in Clause 3 below); and

(b) the keeping of Personal Data to maintain Your account and profile with AlphaSights, records of Transactions and other general information management;

1.5. to otherwise fulfil the Parties’ (and, if applicable, its Affiliate’s) obligations under the Agreement with the data exporter; or

1.6. to comply with applicable law.

2. Categories of Personal Data transferred

2.1. The data transferred is the Personal Data provided by the data exporter (You) to the data importer (AlphaSights) in connection with Your access to a Client-Confidential Expert Engagement Record under the Agreement. Such Personal Data may include:

(a) identity data, including first name, maiden name, last name, username or similar identifier, title, gender and other diversity or demographic data;

(b) contact data, including address(es), email address(es) and telephone number(s);

(c) Transaction data, including: (i) any Personal Data contained within a Client-Confidential Expert Engagement Record accessed by You; (ii) any Personal Data in the Scope; and (iii) any Personal Data exchanged between You or an Expert with AlphaSights before, during and after a Transaction, including any correspondence or Personal Data related to a Transaction and any Expert feedback or feedback from You;

(d) Transaction Profile data, including an Expert’s professional background, language spoken, location, relevant qualifications, career history and any additional information provided;

(e) any other information volunteered by the data subject;

(f) technical data, including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices You or Experts use to access a AlphaSights Client-Facing Domain with respect to a Client-Confidential Engagement Record; and

(g) usage data, including information about how you access and use any AlphaSights Client-Facing Domain with respect to a Client-Confidential Engagement Record.

2.2. The Personal Data transferred do not concern any categories of sensitive data.

3. Duration of processing

The Parties will process the Personal Data for the duration required under the Agreement. You may continue to process the Personal Data to the extent necessary to comply with Your legal and regulatory obligations, always subject to the requirements in the Access Terms. AlphaSights may continue to process the Personal Data as necessary for its legitimate interests.

Schedule B – Technical and organisational measures to ensure the security of Personal Data

1.1. As data importers the Parties agree to use reasonable endeavours to implement a combination of the following technical and organisational measures to ensure an appropriate level of security of the Personal Data, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

(a) Firewalls to protect internet connection as a first line of defence against an intrusion from the internet;

(b) Appropriate secure settings for all devices and software processing the Personal Data;

(c) Control over who has access to the Personal Data and any AlphaSights Client-Facing Domain;

(d) Encryption of the Personal Data;

(e) Protections from viruses and other malware;

(f) Keeping software and devices up to date to fix bugs and security vulnerabilities;

(g) Ensuring physical security of locations at which the Personal Data are processed;

(h) Regular backups of data to ensure it can be quickly restored in the event of disaster or ransomware infection; and

(i) Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing.

Schedule C – Client-Confidential Expert Engagement Records specific terms and amendments

The following terms and conditions amend the DPA with respect only to Client-Confidential Expert Engagement Records received by You from AlphaSights. For the avoidance of doubt, if You receive a Client-Confidential Expert Engagement Record, the amendments set out in this Schedule C apply only with respect to such Client-Confidential Expert Engagement Record and the DPA will apply unamended with respect to any other Transaction.

1.1. The following clause is added to the DPA as a new Clause 1.3:

“The Parties acknowledge and agree that with respect to the provision of Client-Confidential Expert Engagement Records, You will act as Controller and AlphaSights will act as Processor in respect of the processing of any Personal Data under or in connection with the Agreement.”

1.2. Clause 3 is replaced in its entirety with the following clause:

“3.1 You (as Controller) instruct AlphaSights (as Processor) to process the Personal Data in accordance with this DPA and are responsible for providing all notices and obtaining all consents, licences and legal bases required to allow AlphaSights to process the Personal Data.

3.2 AlphaSights will:

(a) only process the Personal Data in accordance with and for the purposes specified in the Agreement (unless legally required to do otherwise in which case AlphaSights will notify You unless prohibited by law from doing so). For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to Schedule C of this DPA are described in Schedule A to this DPA, which shall apply as Annex I to Module 2 of the EU SCCs and Appendix 1 to the UK Addendum;

(b) not sell, retain or use any Personal Data for any purpose other than as permitted by the Agreement;

(c) inform You immediately if (in AlphaSights’ opinion) any instructions infringe Data Protection Laws;

(d) establish, maintain and use administrative, physical and technical safeguards to prevent the accidental or unlawful destruction, loss, alteration, unauthorised access, use, storage or disclosure of the Personal Data, including the security measures set forth in Schedule B to this DPA, which shall apply as Annex II to Module 2 of the EU SCCs and Annex II to the UK Addendum; and

(e) without undue delay, notify You of a Personal Data breach after becoming aware of a personal data breach;

(f) ensure that anyone authorised to process the Personal Data is committed to confidentiality obligations;

(g) without undue delay, at a cost to be determined between the Parties, provide You with reasonable assistance with:

i. data protection impact assessments;

ii. responses to data subject’s requests to exercise their rights under Data Protection Laws; and

iii. engagement with supervisory authorities;

(h) if requested, provide You with information reasonably necessary (as determined in AlphaSights’ sole discretion) to demonstrate AlphaSights’ compliance with its obligations under Data Protection Laws and this DPA;

(i) upon request, AlphaSights will provide to You an opinion report applicable to the Client-Confidential Expert Engagement Records provided by an accredited, third-party audit firm. If the Report does not provide, in Your reasonable judgement, sufficient information to confirm AlphaSights’ compliance with the terms of this DPA, then You or an accredited third-party audit firm agreed by both Parties may audit AlphaSights’ compliance with the terms of this DPA during regular business hours, with reasonable advance notice to AlphaSights and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time AlphaSights expends for any such audit. Before commencement of any such audit, the Parties shall mutually agree upon the scope, timing and duration of the audit. You may not audit AlphaSights more than once annually; and

(j) return the Personal Data upon Your written request or delete the Personal Data when no longer required under the Agreement, unless retention is required for legal or internal compliance purposes.

3.3. The Parties warrant that they and any Representatives, agents and/or subcontractors will comply with their respective obligations under all applicable Data Protection Laws regarding the processing of all the Personal Data for the term of this DPA.”

1.3. The following clause is added to the DPA as a new Clause 3A. “Sub-processing”

“3A.1 Pursuant to the Access Terms, You authorise AlphaSights to engage other processors (referred to in this section as sub-processors) when processing the Personal Data for the purposes of providing outsource support services for the provision of Client-Confidential Expert Engagement Records, including, translation services or transcription services, and any other business needs that may arise from time to time, on the basis that these sub-processers keep any information they receive confidential.

3A.2 AlphaSights will:

(a) require its sub-processors to comply with materially similar terms as AlphaSights’ obligations under this DPA;

(b) ensure appropriate safeguards are in place before internationally transferring the Personal Data to its sub-processor; and

(c) be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA.

3A.3 AlphaSights may appoint new sub-processors, provided that if AlphaSights wishes to make any changes to the criteria for choosing a sub-processor You will be notified in writing 30 days before the new sub-processor is granted access to the Personal Data and may reasonably object in writing. If the Parties cannot agree on a solution within a reasonable time, either Party may terminate the DPA in respect of the provision of Client-Confidential Expert Engagement Records.”

1.4. Clause 4.1 is replaced in its entirety with the following clause:
“Where AlphaSights processes the Personal Data in a Third Country outside the UK, the EEA or an Adequate Country the Parties agree that:

(a) any transfer of EEA Personal Data or Swiss Personal Data to a Third Country shall be governed by Module 2 of the EU SCCs, which are incorporated into this DPA by reference;

(b) the Party processing the Personal Data in the Third Country will act as the data importer and the Party transferring the Personal Data to the data importer will act as the data exporter;

(c) in respect of any Swiss Personal Data, the EU SCCs will be modified to refer to Swiss Data Protection Laws and must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;

(d) any transfer of UK Personal Data to a Third Country shall be governed by the EU SCCs (as implemented in this Clause 4) incorporating the amendments set out in the UK Addendum, which is incorporated into this DPA by reference; and

(e) Schedule A to this DPA shall apply as Annex I to Module 2 of the EU SCCs and Annex 1B to the UK Addendum and Schedule B to this DPA shall apply as Annex II to Module 2 of the EU SCCs and Annex II of the UK Addendum.”

1.5. The following clause is added to the DPA as a new Clause 4.2A:

“4.2A The Parties agree that for the purposes of Module 2 of the EU SCCs, Clause 9 Option 2 is selected (General Written Authorisation) and the Parties agree that the time period for submitting requests for authorisation shall be 30 days in accordance with Clause 3A of this DPA.”