Data Processing Agreement

This Data Processing Addendum ("DPA") forms part of the General Terms and Conditions ("Terms and Conditions") between CargoRadar ("we", "us", or "our") and its customers ("Customer", “Client”). Customer has engaged us to provide goods, services, or other deliverables (the “Services”) as outlined in CargoRadar’s respective Terms and Conditions. In connection with the provisions of the Services, CargoRadar may have access to, store, monitor or process data, which may include personal data.

By using the Services and accepting the Terms and Conditions, the Customer agrees to the terms of this DPA.

1. Definitions

●       “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the EU GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), each as amended or replaced from time to time;

●       “EEA” means the European Economic Area, which includes the 27 member states of the European Union (EU) as well as three of the four member states of the European Free Trade Association (EFTA) - specifically, Iceland, Liechtenstein, and Norway.

●       "Data Protection Laws" for the purposes of Processing Personal Data relating to Data Subjects who are: (i) located in; or (ii) citizens of, the European Union or the European Economic Area, means any laws in force from time to time relating to data protection, including, but not limited to the EU GDPR,  the United Kingdom’s Data Protection Act 2018, the Swiss Federal Act on Data Protection and any national implementing laws, any regulations and legislations which amends, re-enacts or replaces the GDPR and any amendment thereto;

●        "Customer Personal Data" means the Personal Data described under Schedule 1 to this DPA;

●       "Personal Data", “Data Subject”, “Personal Data Breach”, “Processing”, “Controller”, “Processor” shall have the meaning given to them in the GDPR and under other Data Protection Laws, or where not specifically defined, the same meaning as analogous terms under Data Protection Laws.

●       “Customer Personal Data” means any Personal Data disclosed by, made available by, or collected on behalf of Customer to CargoRadar as part of Services.

●       "Sub-processor" Any third party appointed by or on behalf of CargoRadar to process Personal Data in connection with the Services.

●       "EU SSCs " means the Standard Contractual Clauses attached as Schedule 2, approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.

●       “UK IDTA” means the United Kingdom (UK) International Data Transfer Addendum to the EU SCCs, approved and updated by the Information Commissioner Office from time to time, which shall apply solely in respect of the transfer of Personal Data from the UK to third countries that have been declared “adequate” by the UK Secretary of State.

2. Data Processing

2.1 Scope and Role: where CargoRadar processes Client Personal Data as a Processor, CargoRadar shall process such data as required to perform the Services, in accordance with the nature and purpose of the processing set out in Schedule 1. 

2.2 Customer Instructions: CargoRadar will process Personal Data only in accordance with the documented instructions of the Customer. CargoRadar will accept instructions solely from the Customer, unless otherwise agreed in writing by the parties, and in accordance with the nature and purpose of the processing set out in Schedule 1. If applicable laws preclude CargoRadar from complying with Customer’s instructions, CargoRadar will inform Customer of its inability to comply with the instructions, to the extent permitted by law.

3. Confidentiality

3.1 Confidentiality Obligations: CargoRadar will ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security Measures

4.1 Technical and Organizational Measures: CargoRadar will implement appropriate technical and organizational measures specified in Schedule 2 to ensure a level of security appropriate to the risk, to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

5. Cross-Border Transfers of Personal Data

5.1. EEA country to non-EEA country personal data transfers: The parties hereby agree that, where Customer is a Controller and CargoRadar is a Processor, Module Two (Controller to Processor Module) of the Standard Contractual Clauses and all other sections of the Standard Contractual Clauses having general application (hereinafter, “C-to-P SCCs”) shall apply to the transfer of Customer Personal Data originating from the EU, UK, and Switzerland to CargoRadar in the United States. The parties further agree to comply with the C-to-P SCCs, which are hereby attached to this DPA at Schedule 2.

5.2. UK personal data transfers: The parties agree that the UK Addendum to the Standard Contractual Clauses, as set out in Schedule 3 hereto (“UK Addendum”), shall govern the transfer of Personal Data originating from the UK. By entering into this DPA, the parties agree to be bound by the UK Addendum.

5.3. Swiss personal data transfers: The parties agree that the following provisions of the Swiss Federal Act on Data Protection shall apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the C-to-P SCCs or the P-to-P SCCs, as applicable; (ii) the parties agree to abide by the EU GDPR standard in relation to all Processing of Customer Personal Data governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the C-to-P SCCs and the P-to-P SCCs will not be interpreted to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the C-to-P SCCs and the P-to-P SCCs; and (iv) references to the ‘GDPR’ in the C-to-P SCCs and the P-to-P SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.

6. Sub-processing

6.1 Sub-processor Authorization: Customer provides a general authorization to CargoRadar to engage Sub-processors. A list of Sub-processors can be provided upon request.

6.2 Sub-processor Obligations: CargoRadar will ensure that each Sub-processor is bound by data protection obligations compatible with those of CargoRadar under this DPA, including providing sufficient guarantees to implement appropriate technical and organizational measures.

7. Data Subject Rights

7.1 Assistance: CargoRadar shall, upon request by the Client and at the Client’s expense, and taking into account the nature of the processing, assist the Client by appropriate technical and organizational measures, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Laws.

8. Data Breach Notification

8.1 Notification Obligations: CargoRadar will notify Customer without undue delay after becoming aware of a Personal Data Breach. Such notification will include details sufficient to enable the Customer to comply with its obligations under Data Protection Laws.

9. Data Protection Impact Assessment and Prior Consultation

9.1 Assistance: CargoRadar will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with supervisory authorities, which the Customer reasonably considers to be required by Data Protection Laws.

10. Deletion or Return of Personal Data

10.1 Deletion or Return: Upon termination or expiry of the Agreement, CargoRadar will, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies unless applicable law requires storage of the Personal Data.

11. Audit Rights

11.1 Audit Requests: Subject to reasonable advance written notice and limited to no more than once per calendar year, CargoRadar shall, at the Customer’s request and expense, provide the Customer with access to any CargoRadar premises, facilities, or equipment used to process relevant Customer Personal Data. This access is granted to enable the Customer to reasonably assess CargoRadar's compliance with its obligations under this Agreement, provided that the auditor is not a direct competitor of CargoRadar.

12. Liability

12.1. Liability for Breach: Each party shall be liable for any direct damages caused by its breach of this DPA. Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including, but not limited to, loss of profits, revenue, data, or use, incurred by the other party in connection with this DPA, even if advised of the possibility of such damages.

12.2. Indemnification: Customer agrees to indemnify, defend, and hold harmless Cargoradar, its affiliates, officers, directors, employees, and agents from and against any claims, damages, liabilities, costs, and expenses (including reasonable attorney's fees) arising out of or related to any breach by Customer of its obligations under this DPA, including but not limited to Customer's breach of applicable data protection laws.

12.3. Joint and Several Liability: If either party is held liable for a violation of this DPA involving both parties, each party shall be liable for that part of the damages corresponding to its respective responsibility for the harm caused by the violation.

12.4. Mitigation: Each party agrees to use reasonable efforts to mitigate any damage, loss, and expenses that it may incur as a result of a breach by the other party of this DPA.

12.5. Force Majeure: Neither party shall be liable for any failure or delay in the performance of its obligations under this DPA if such failure or delay is caused by events beyond its reasonable control, including, but not limited to, acts of God, war, terrorism, strikes, or other labor disputes, riots, natural disasters, or governmental actions.

12.7. Severability: If any provision of this liability clause is found to be unenforceable or invalid, such unenforceability or invalidity shall not render this clause unenforceable or invalid as a whole, and such provision shall be changed and interpreted so as to best accomplish the objectives of such unenforceable or invalid provision within the limits of applicable law.

13. Governing Law

13.1 Governing Law: This DPA shall be governed by, and construed in accordance with, the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Republic of Bulgaria.

By using the Services and accepting the Agreement, the Customer acknowledges and agrees to the terms of this DPA.

Schedule 1

This Schedule also serves as Annex I and Annex II to the Transfer Clauses.

1. List of Parties

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name:

The entity identified as “Customer” in the DPA.

Address:

Customer’s account owner address and email address as communicated by Customer to CargoRadar.

Contact person’s name, position and contact details:

Customer’s account owner address and email address as communicated by Customer to CargoRadar.

Activities relevant to the data transferred under these Clauses:

The processing activities defined in this Schedule 1 to the DPA and in the Terms and Conditions.

Role (controller/processor):

Controller (under the C2P SCCs) or Processor (under the P2P SCCs)

 

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

Name:

The entity identified as “CargoRadar” in the DPA.

Address:

41 Nedelcho Bonev blvd., 3rd floor

1528 Sofia, Bulgaria

Contact person’s name, position and contact details:

Name: Dimitar Parvanov
Title: CTO
Email: privacy@cargoradar.eu

Activities relevant to the data transferred under these Clauses:

The processing activities defined in this Schedule 1 to the DPA and in the Agreement.

Role (controller/processor):

Processor (under the C2P SCCs) or sub-Processor (under the P2P SCCs)

2. Description of Transfer

2.1. Categories of Data Subjects: Customer’s Personal Data.

2.2. Types of Personal Data: Information associated with the Customer’s vehicle and the use thereof, which is transmitted to or through the CargoRadar Services, as described in the Privacy Policy.

2.3.      Special Categories of Personal Data (if applicable): Not applicable

2.4. Subject-Matter and Nature of the Processing: The subject-matter of Processing of Customer Personal Data by CargoRadar is the provision of the Services to the Customer. Customer Personal Data will be subject to those Processing activities which CargoRadar needs to perform in order to provide the Services pursuant to the Terms and Conditions.

2.5. Purpose of the Processing: Customer Personal Data will be Processed by CargoRadar for purposes of providing the Services set out in the Terms and Conditions and CargoRadar’s Privacy Policy.

2.6. Retention: The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The duration specified in Section 10 of the DPA.

2.7. Duration of the Processing: Customer Personal Data will be Processed for the duration of the relationship between CargoRadar and its Customer, subject to Section 10 of the DPA.

3. Sub-processors


A list of CargoRadar’s sub-Processors and the nature of the Processing activities can be received upon request.

4. Supervisory Authority

The competent supervisory authority will be the Republic of Bulgaria authority.

 Schedule 2

Technical and Organizational Measures

In accordance with Article 32 of the EU General Data Protection Regulation (“GDPR”)

The following Technical and Organizational Security Measures (TOMs) implemented by CargoRadar apply to facilities, systems, and assets only that are used to process personal data, and which are owned by or under the control of CargoRadar, respectively.

PHYSICAL

  1. Physical Security

a. CargoRadar shall implement:

i. A building access control system for the Site.

ii. A building alarm system for the Site.

iii. Appropriate CCTV for the Site.

  1. Employee, Visitor, and Trusted Agent Access

a. In areas where Services are being provided, CargoRadar shall:

i. Restrict access to authorized persons only.

ii. Utilize identification and authentication controls to authorize and validate the access.

iii. Securely maintain an audit trail of all access, including times of entry and departure.

iv. Securely manage visitors:

1.     grant access only for specific authorized purposes;

2.     record the date and time of entry; and

3.     ensure that all visitors are escorted and supervised at all times.

TECHNICAL

  1. System Administration

a. Where systems allow, all privileged accounts shall be uniquely identifiable, and each user shall be accountable and responsible for any action taken under that user’s own user ID and password.

b. Where systems allow, system accounts or built-in application accounts shall not be used to provide generic or unauthorized access.

c. All access to Information Systems shall be authenticated. This includes console access, individual accounts, administrative accounts, and any automated relationships with other systems.

  1. Password Controls

a. Passwords shall be protected at all times, including appropriate encryption.

b. All passwords shall be promptly changed if they are suspected of being compromised or known to have been disclosed to unauthorized parties; users shall be able to change their own passwords.

c. Where systems allow, passwords shall be uniquely identifiable and each user shall be accountable and responsible for any action taken under that user’s own user ID and password. Users shall not share or divulge their password to anyone.

d. On rare occasions where the requirement of hardcoded usernames and passwords is necessary and where systems allow, the system will be configured with a service account with the lowest set of privileges possible.

e. Where systems allow, password complexity should never be less than three out of four character classes and shall have character class choices such as upper case letters, lower case letters, numeric digits, or special characters. Where possible, an increased password length will be used to increase entropy probabilities.

  1. Segregation Control

a. Where the customer solution utilizes a shared environment, appropriate security controls will be deployed to ensure appropriate customer segregation.

  1. Perimeter Defense

a. Firewalls and intrusion detection systems are in place to monitor and resist malicious activity.

  1. Operating System Security Controls

a. Anti-Virus Configuration

i. Anti-virus software can be supplied as a service and configured upon the customer’s express consent. Where this service is provided, it will be configured to run real-time and to download automatic updates no less than once per week.

b. Patch Management

i. Where possible, patch management systems are in place to deploy critical security patches to CargoRadar managed devices. For customer-facing services, patches will not be deployed without a customer request to do so.

  1. System and Device Hardening

a. Where possible, all operating systems and devices will be hardened to remove any weak protocols and services that are not required.

  1. Vulnerability Discovery

a. Where possible, regular system vulnerability scanning will be carried out with the express permission of the customer to identify any technical issues that may need to be resolved.

PROCESS

  1. System Administration

a. Privileged account requests shall be subject to proper justification, provisioning, and an approvals process, and assigned to named individuals.

b. CargoRadar Service Provider personnel privileges shall be reviewed to ensure they have the appropriate privileges to undertake their duties.

c. Starters and leavers process is in place to remove accounts that are no longer required.

  1. Information Security and Data Privacy Training

a. CargoRadar’s staff receives regular (at least annually) Information Security and Data Privacy trainings.

  1. Access Controls to Data

a. CargoRadar shall follow Customer instructions with regards to the movement of data. All requests to move customer data shall be made in writing to the CargoRadar Service Provider.

  1. Destruction of Media

a. All hard drives shall follow CargoRadar’s processes and procedures for their erasure or destruction prior to disposal of the system.

  1. Disclosure Control

a. CargoRadar shall not:

i. Allow copying of customer hosting environments other than for backup or forensic purposes.

ii. Allow the removal of Customer Personal data from the premises unless at the specific request of the customer.

  1. Supplier Management

a. Any suppliers or contractors with direct access to the platform or system data must have appropriate contractual obligations applied to maintain the confidentiality of data and comply with applicable CargoRadar security policy controls.

b. CargoRadar shall use reasonable endeavors to impose obligations in relation to the Processing of the Customer Personal Data that are equivalent to those imposed on CargoRadar.

c. The subcontracted service provider shall employ appropriate operational and technological processes and procedures to keep Personal Data safe from unauthorized access, loss, destruction, theft, or disclosure.

CUSTOMER RESPONSIBILITIES IN RELATION TO DATA CONFIDENTIALITY AND ENCRYPTION

  1. CargoRadar recommends that the Customer further protects the confidentiality of the Customer’s data with additional cryptographic controls. Such controls would include encrypting data at rest through application and database level encryption. In addition, the application controls should ensure that all access to sensitive data is tightly controlled through strong access control mechanisms and all such access is thoroughly audited.
  2. Cryptographic keys for the protection of data by the customer as recommended above are also the responsibility of the customer. The Customer should design their key management system taking into account the same issues about protecting data at rest.

Schedule 3

 

1.1           The terms below shall have the following meanings ascribed to them for the purposes of Schedule 3.

"Data Exporter" means Customer when exporting Personal Data to CargoRadar in circumstances where the Personal Data are transferred from one country to another directly or by onward transfer; and

"Data Importer" means CargoRadar when importing Personal Data from Customer in circumstances where the Personal Data are transferred from one country to another directly or by onward transfer.

I.                 European Economic Area

A.               The terms below shall have the following meanings ascribed to them for the purposes of this Section I:

1.         "C-to-P Transfer Clauses" means Module Two (Controller-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.         "P-to-P Transfer Clauses" means Module Three (Processor-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

3.         "Europe" means the European Economic Area.

4.         "European Data Protection Laws" means any applicable laws of Europe that relate to the Processing of Client Personal Data under the Terms.

5.         "Transfer Clauses" means the C-to-P Transfer Clauses or the P-to-P Transfer Clauses, as the case may be.

B.               When Data Exporter transfers Client Personal Data subject to European Data Protection Laws, either directly or via onward transfer, to Data Importer located in a country that does not ensure an adequate level of protection within the meaning of European Data Protection Laws, the Parties agree to Process the transferred Client Personal Data in accordance with the Transfer Clauses as follows:

1.1.1      if the Data Exporter acts as a Controller of that Personal Data and the Data Importer acts as a Processor of that data, the Parties shall comply with the terms of the C-to-P Transfer Clauses; and

1.1.2      if the Data Exporter acts as a Processor of that Personal Data, the Parties shall comply with the terms of the P-to-P Transfer Clauses.

C.               For the purposes of C-to-P Transfer Clauses the following additional provisions shall apply:

1.1.1      the names and addresses of those Data Exporter(s) and Data Importer(s) shall be considered to be incorporated into the C-to-P Transfer Clauses;

1.1.2      The Parties’ signature to this DPA shall be considered as signature to the C-to-P Transfer Clauses;

1.1.3      Clause 7 (Docking Clause) shall apply;

1.1.4      Option 2 under paragraph (a) of Clause 9 (Use of sub-processors) shall apply and “[Specify time period]” be replaced with "thirty (30) business days";

1.1.5      The option under Clause 11 (Redress) shall not apply;

1.1.6      For the purposes of paragraph (a) of Clause 13 (Supervision), the Data Exporter shall be considered as established in an EU Member State;

1.1.7      The governing law for the purposes of Clause 17 (Governing law) shall be the law of [The Republic of Bulgaria]

1.1.8      The courts under Clause 18 (Choice of forum and jurisdiction) shall be the courts of  [The Republic of Bulgaria];

1.1.9      The contents of Schedule 1 shall form Annex I.A to the C-to-P Transfer Clauses (List of Parties);

1.1.10   The contents of Schedule 1 shall form Annex I.B to the C-to-P Transfer Clauses (Description of Transfer);

1.1.11   The Bulgarian supervisory authority shall act as competent supervisory authority for the purposes of Annex I.C of the C-to-P Transfer Clauses (Competent Supervisory Authority); and

1.1.12   The contents of Schedule 2 shall form Annex II of the C-to-P Transfer Clauses (Technical and organisational measures including technical and organisational measures to ensure the security of the data).

D.               For the purposes of P-to-P Transfer Clauses the following additional provisions shall apply:

1.1.1      the names and addresses of those Data Exporter(s) and Data Importer(s) shall be considered to be incorporated into the P-to-P Transfer Clauses;

1.1.2      The Parties’ signature to this Agreement shall be considered as signature to the P-to-P Transfer Clauses;

1.1.3      Clause 7 (Docking Clause) shall apply;

1.1.4      Option 2 under paragraph (a) of Clause 9 (Use of sub-processors) shall apply and “[Specify time period]” be replaced with "thirty (30) business days";

1.1.5      The option under Clause 11 (Redress) shall not apply;

1.1.6      For the purposes of paragraph (a) of Clause 13 (Supervision), the Data Exporter shall be considered as established in an EU Member State;

1.1.7      The governing law for the purposes of Clause 17 (Governing law) shall be the law of [The Republic of Bulgaria];

1.1.8      The courts under Clause 18 (Choice of forum and jurisdiction) shall be the courts of [The Republic of Bulgaria];

1.1.9      The contents of Schedule 1 shall form Annex I.A to the P-to-P Transfer Clauses (List of Parties);

1.1.10   The contents of Schedule 1 shall form Annex I.B to the P-to-P Transfer Clauses (Description of Transfer);

1.1.11   The Bulgarian supervisory authority shall act as competent supervisory authority for the purposes of Annex I.C of the P-to-P Transfer Clauses (Competent Supervisory Authority); and

1.1.12   The contents of Schedule 2 shall form Annex II of the P-to-P Transfer Clauses (Technical and organisational measures including technical and organisational measures to ensure the security of the data).

II.               Switzerland

A.               For the purposes of this Section II, the term "Swiss Data Protection Laws" means Switzerland’s Federal Act on Data Protection of June 19, 1992, the Ordinance to the Federal Act on Data Protection, and the Ordinance on Data Protection Certification, and all Swiss laws relating to the Processing, privacy, protection, or use of Personal Data.

B.               When Data Exporter transfers Personal Data subject to Swiss Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of Swiss Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with Section 0 of this Schedule 3, as supplemented by Clause C of this Section II.

C.               The following additional provisions shall apply so that the Transfer Clauses are suitable for providing an adequate level of protection for such transfer under Swiss Data Protection Laws:

(a)            “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(b)            “Revised FADP” means the revised version of the Federal Act of Data Protection (“FADP”) of 25 September 2020, which is scheduled to come into force on 1 January 2023.

(c)            The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).

(d)            The Transfer Clauses also protect the data of legal entities until the entry into force of the Revised FADP.

(e)            The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

III.             United Kingdom

A.               The terms below shall have the following meanings ascribed to them for the purposes of this Section III:

(a)            "UK" means the United Kingdom.

(b)            "UK Data Protection Laws" means the UK GDPR, Data Protection Act of 2018, and all UK laws relating to the Processing, privacy, protection, or use of Personal Data.

(c)            "UK GDPR" means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

B.               When Data Exporter transfers Personal Data subject to UK Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of UK Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with Section I of this Schedule 3 as supplemented by Clause C of this Section III.

C.               The following additional provisions shall apply so that the Transfer Clauses are suitable for providing an adequate level of protection for such transfer under UK Data Protection Laws:

(a)            Where a data exporter is located in the UK, this UK Addendum to the Transfer Clauses shall apply.

(b)            Where this UK Addendum uses terms that are defined in the Annex those terms shall have the same meaning as in the Annex. In addition, the following terms have the following meanings:

(i)              This “UK Addendum” means this Addendum to the Transfer Clauses.

(ii)             The “Annex” means the Transfer Clauses.

(c)            This UK Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 UK GDPR.

(d)            This UK Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

(e)            Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this UK Addendum has been entered into.

(f)              In the event of a conflict or inconsistency between this UK Addendum and the provisions of the Transfer Clauses or other related agreements between the Parties, existing at the time this UK Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects shall prevail.

(g)            This UK Addendum incorporates the Transfer Clauses which are deemed to be amended to the extent necessary so they operate:

(i)              for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and

(ii)             to provide appropriate safeguards for the transfers in accordance with Articles 46 of the UK GDPR.

(h)            The amendments required by Clause (g) above, include (without limitation):

(i)              References to the “Transfer Clauses” means this UK Addendum as it incorporates the Transfer Clauses.

(ii)             Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”

(iii)           References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.

(iv)           References to Regulation (EU) 2018/1725 are removed.

(v)            References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”.

(vi)           Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner.

(vii)         Clause 17 is replaced to state “These Transfer Clauses are governed by the laws of England and Wales.”

(viii)        Clause 18 is replaced to state: “Any dispute arising from these Transfer Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

(ix)           The footnotes to the Transfer Clauses do not form part of the UK Addendum.

(i)              The parties may agree to change Clause 17 and/or 18 of the Transfer Clauses to refer to the laws and/or courts of Scotland or Northern Ireland.

(j)              The parties may amend this UK Addendum provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Transfer Clauses and making changes to them in accordance with Clause (g) above.

Data Processing Agreement

This Data Processing Addendum ("DPA") forms part of the General Terms and Conditions ("Terms and Conditions") between CargoRadar ("we", "us", or "our") and its customers ("Customer", “Client”). Customer has engaged us to provide goods, services, or other deliverables (the “Services”) as outlined in CargoRadar’s respective Terms and Conditions. In connection with the provisions of the Services, CargoRadar may have access to, store, monitor or process data, which may include personal data.

By using the Services and accepting the Terms and Conditions, the Customer agrees to the terms of this DPA.

1. Definitions

●       “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the EU GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), each as amended or replaced from time to time;

●       “EEA” means the European Economic Area, which includes the 27 member states of the European Union (EU) as well as three of the four member states of the European Free Trade Association (EFTA) - specifically, Iceland, Liechtenstein, and Norway.

●       "Data Protection Laws" for the purposes of Processing Personal Data relating to Data Subjects who are: (i) located in; or (ii) citizens of, the European Union or the European Economic Area, means any laws in force from time to time relating to data protection, including, but not limited to the EU GDPR,  the United Kingdom’s Data Protection Act 2018, the Swiss Federal Act on Data Protection and any national implementing laws, any regulations and legislations which amends, re-enacts or replaces the GDPR and any amendment thereto;

●        "Customer Personal Data" means the Personal Data described under Schedule 1 to this DPA;

●       "Personal Data", “Data Subject”, “Personal Data Breach”, “Processing”, “Controller”, “Processor” shall have the meaning given to them in the GDPR and under other Data Protection Laws, or where not specifically defined, the same meaning as analogous terms under Data Protection Laws.

●       “Customer Personal Data” means any Personal Data disclosed by, made available by, or collected on behalf of Customer to CargoRadar as part of Services.

●       "Sub-processor" Any third party appointed by or on behalf of CargoRadar to process Personal Data in connection with the Services.

●       "EU SSCs " means the Standard Contractual Clauses attached as Schedule 2, approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.

●       “UK IDTA” means the United Kingdom (UK) International Data Transfer Addendum to the EU SCCs, approved and updated by the Information Commissioner Office from time to time, which shall apply solely in respect of the transfer of Personal Data from the UK to third countries that have been declared “adequate” by the UK Secretary of State.

2. Data Processing

2.1 Scope and Role: where CargoRadar processes Client Personal Data as a Processor, CargoRadar shall process such data as required to perform the Services, in accordance with the nature and purpose of the processing set out in Schedule 1. 

2.2 Customer Instructions: CargoRadar will process Personal Data only in accordance with the documented instructions of the Customer. CargoRadar will accept instructions solely from the Customer, unless otherwise agreed in writing by the parties, and in accordance with the nature and purpose of the processing set out in Schedule 1. If applicable laws preclude CargoRadar from complying with Customer’s instructions, CargoRadar will inform Customer of its inability to comply with the instructions, to the extent permitted by law.

3. Confidentiality

3.1 Confidentiality Obligations: CargoRadar will ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security Measures

4.1 Technical and Organizational Measures: CargoRadar will implement appropriate technical and organizational measures specified in Schedule 2 to ensure a level of security appropriate to the risk, to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

5. Cross-Border Transfers of Personal Data

5.1. EEA country to non-EEA country personal data transfers: The parties hereby agree that, where Customer is a Controller and CargoRadar is a Processor, Module Two (Controller to Processor Module) of the Standard Contractual Clauses and all other sections of the Standard Contractual Clauses having general application (hereinafter, “C-to-P SCCs”) shall apply to the transfer of Customer Personal Data originating from the EU, UK, and Switzerland to CargoRadar in the United States. The parties further agree to comply with the C-to-P SCCs, which are hereby attached to this DPA at Schedule 2.

5.2. UK personal data transfers: The parties agree that the UK Addendum to the Standard Contractual Clauses, as set out in Schedule 3 hereto (“UK Addendum”), shall govern the transfer of Personal Data originating from the UK. By entering into this DPA, the parties agree to be bound by the UK Addendum.

5.3. Swiss personal data transfers: The parties agree that the following provisions of the Swiss Federal Act on Data Protection shall apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the C-to-P SCCs or the P-to-P SCCs, as applicable; (ii) the parties agree to abide by the EU GDPR standard in relation to all Processing of Customer Personal Data governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the C-to-P SCCs and the P-to-P SCCs will not be interpreted to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the C-to-P SCCs and the P-to-P SCCs; and (iv) references to the ‘GDPR’ in the C-to-P SCCs and the P-to-P SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.

6. Sub-processing

6.1 Sub-processor Authorization: Customer provides a general authorization to CargoRadar to engage Sub-processors. A list of Sub-processors can be provided upon request.

6.2 Sub-processor Obligations: CargoRadar will ensure that each Sub-processor is bound by data protection obligations compatible with those of CargoRadar under this DPA, including providing sufficient guarantees to implement appropriate technical and organizational measures.

7. Data Subject Rights

7.1 Assistance: CargoRadar shall, upon request by the Client and at the Client’s expense, and taking into account the nature of the processing, assist the Client by appropriate technical and organizational measures, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Laws.

8. Data Breach Notification

8.1 Notification Obligations: CargoRadar will notify Customer without undue delay after becoming aware of a Personal Data Breach. Such notification will include details sufficient to enable the Customer to comply with its obligations under Data Protection Laws.

9. Data Protection Impact Assessment and Prior Consultation

9.1 Assistance: CargoRadar will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with supervisory authorities, which the Customer reasonably considers to be required by Data Protection Laws.

10. Deletion or Return of Personal Data

10.1 Deletion or Return: Upon termination or expiry of the Agreement, CargoRadar will, at the choice of the Customer, delete or return all Personal Data to the Customer, and delete existing copies unless applicable law requires storage of the Personal Data.

11. Audit Rights

11.1 Audit Requests: Subject to reasonable advance written notice and limited to no more than once per calendar year, CargoRadar shall, at the Customer’s request and expense, provide the Customer with access to any CargoRadar premises, facilities, or equipment used to process relevant Customer Personal Data. This access is granted to enable the Customer to reasonably assess CargoRadar's compliance with its obligations under this Agreement, provided that the auditor is not a direct competitor of CargoRadar.

12. Liability

12.1. Liability for Breach: Each party shall be liable for any direct damages caused by its breach of this DPA. Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including, but not limited to, loss of profits, revenue, data, or use, incurred by the other party in connection with this DPA, even if advised of the possibility of such damages.

12.2. Indemnification: Customer agrees to indemnify, defend, and hold harmless Cargoradar, its affiliates, officers, directors, employees, and agents from and against any claims, damages, liabilities, costs, and expenses (including reasonable attorney's fees) arising out of or related to any breach by Customer of its obligations under this DPA, including but not limited to Customer's breach of applicable data protection laws.

12.3. Joint and Several Liability: If either party is held liable for a violation of this DPA involving both parties, each party shall be liable for that part of the damages corresponding to its respective responsibility for the harm caused by the violation.

12.4. Mitigation: Each party agrees to use reasonable efforts to mitigate any damage, loss, and expenses that it may incur as a result of a breach by the other party of this DPA.

12.5. Force Majeure: Neither party shall be liable for any failure or delay in the performance of its obligations under this DPA if such failure or delay is caused by events beyond its reasonable control, including, but not limited to, acts of God, war, terrorism, strikes, or other labor disputes, riots, natural disasters, or governmental actions.

12.7. Severability: If any provision of this liability clause is found to be unenforceable or invalid, such unenforceability or invalidity shall not render this clause unenforceable or invalid as a whole, and such provision shall be changed and interpreted so as to best accomplish the objectives of such unenforceable or invalid provision within the limits of applicable law.

13. Governing Law

13.1 Governing Law: This DPA shall be governed by, and construed in accordance with, the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Republic of Bulgaria.

By using the Services and accepting the Agreement, the Customer acknowledges and agrees to the terms of this DPA.

Schedule 1

This Schedule also serves as Annex I and Annex II to the Transfer Clauses.

1. List of Parties

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name:

The entity identified as “Customer” in the DPA.

Address:

Customer’s account owner address and email address as communicated by Customer to CargoRadar.

Contact person’s name, position and contact details:

Customer’s account owner address and email address as communicated by Customer to CargoRadar.

Activities relevant to the data transferred under these Clauses:

The processing activities defined in this Schedule 1 to the DPA and in the Terms and Conditions.

Role (controller/processor):

Controller (under the C2P SCCs) or Processor (under the P2P SCCs)

 

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

Name:

The entity identified as “CargoRadar” in the DPA.

Address:

41 Nedelcho Bonev blvd., 3rd floor

1528 Sofia, Bulgaria

Contact person’s name, position and contact details:

Name: Dimitar Parvanov
Title: CTO
Email: privacy@cargoradar.eu

Activities relevant to the data transferred under these Clauses:

The processing activities defined in this Schedule 1 to the DPA and in the Agreement.

Role (controller/processor):

Processor (under the C2P SCCs) or sub-Processor (under the P2P SCCs)

2. Description of Transfer

2.1. Categories of Data Subjects: Customer’s Personal Data.

2.2. Types of Personal Data: Information associated with the Customer’s vehicle and the use thereof, which is transmitted to or through the CargoRadar Services, as described in the Privacy Policy.

2.3.      Special Categories of Personal Data (if applicable): Not applicable

2.4. Subject-Matter and Nature of the Processing: The subject-matter of Processing of Customer Personal Data by CargoRadar is the provision of the Services to the Customer. Customer Personal Data will be subject to those Processing activities which CargoRadar needs to perform in order to provide the Services pursuant to the Terms and Conditions.

2.5. Purpose of the Processing: Customer Personal Data will be Processed by CargoRadar for purposes of providing the Services set out in the Terms and Conditions and CargoRadar’s Privacy Policy.

2.6. Retention: The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The duration specified in Section 10 of the DPA.

2.7. Duration of the Processing: Customer Personal Data will be Processed for the duration of the relationship between CargoRadar and its Customer, subject to Section 10 of the DPA.

3. Sub-processors


A list of CargoRadar’s sub-Processors and the nature of the Processing activities can be received upon request.

4. Supervisory Authority

The competent supervisory authority will be the Republic of Bulgaria authority.

 Schedule 2

Technical and Organizational Measures

In accordance with Article 32 of the EU General Data Protection Regulation (“GDPR”)

The following Technical and Organizational Security Measures (TOMs) implemented by CargoRadar apply to facilities, systems, and assets only that are used to process personal data, and which are owned by or under the control of CargoRadar, respectively.

PHYSICAL

  1. Physical Security

a. CargoRadar shall implement:

i. A building access control system for the Site.

ii. A building alarm system for the Site.

iii. Appropriate CCTV for the Site.

  1. Employee, Visitor, and Trusted Agent Access

a. In areas where Services are being provided, CargoRadar shall:

i. Restrict access to authorized persons only.

ii. Utilize identification and authentication controls to authorize and validate the access.

iii. Securely maintain an audit trail of all access, including times of entry and departure.

iv. Securely manage visitors:

1.     grant access only for specific authorized purposes;

2.     record the date and time of entry; and

3.     ensure that all visitors are escorted and supervised at all times.

TECHNICAL

  1. System Administration

a. Where systems allow, all privileged accounts shall be uniquely identifiable, and each user shall be accountable and responsible for any action taken under that user’s own user ID and password.

b. Where systems allow, system accounts or built-in application accounts shall not be used to provide generic or unauthorized access.

c. All access to Information Systems shall be authenticated. This includes console access, individual accounts, administrative accounts, and any automated relationships with other systems.

  1. Password Controls

a. Passwords shall be protected at all times, including appropriate encryption.

b. All passwords shall be promptly changed if they are suspected of being compromised or known to have been disclosed to unauthorized parties; users shall be able to change their own passwords.

c. Where systems allow, passwords shall be uniquely identifiable and each user shall be accountable and responsible for any action taken under that user’s own user ID and password. Users shall not share or divulge their password to anyone.

d. On rare occasions where the requirement of hardcoded usernames and passwords is necessary and where systems allow, the system will be configured with a service account with the lowest set of privileges possible.

e. Where systems allow, password complexity should never be less than three out of four character classes and shall have character class choices such as upper case letters, lower case letters, numeric digits, or special characters. Where possible, an increased password length will be used to increase entropy probabilities.

  1. Segregation Control

a. Where the customer solution utilizes a shared environment, appropriate security controls will be deployed to ensure appropriate customer segregation.

  1. Perimeter Defense

a. Firewalls and intrusion detection systems are in place to monitor and resist malicious activity.

  1. Operating System Security Controls

a. Anti-Virus Configuration

i. Anti-virus software can be supplied as a service and configured upon the customer’s express consent. Where this service is provided, it will be configured to run real-time and to download automatic updates no less than once per week.

b. Patch Management

i. Where possible, patch management systems are in place to deploy critical security patches to CargoRadar managed devices. For customer-facing services, patches will not be deployed without a customer request to do so.

  1. System and Device Hardening

a. Where possible, all operating systems and devices will be hardened to remove any weak protocols and services that are not required.

  1. Vulnerability Discovery

a. Where possible, regular system vulnerability scanning will be carried out with the express permission of the customer to identify any technical issues that may need to be resolved.

PROCESS

  1. System Administration

a. Privileged account requests shall be subject to proper justification, provisioning, and an approvals process, and assigned to named individuals.

b. CargoRadar Service Provider personnel privileges shall be reviewed to ensure they have the appropriate privileges to undertake their duties.

c. Starters and leavers process is in place to remove accounts that are no longer required.

  1. Information Security and Data Privacy Training

a. CargoRadar’s staff receives regular (at least annually) Information Security and Data Privacy trainings.

  1. Access Controls to Data

a. CargoRadar shall follow Customer instructions with regards to the movement of data. All requests to move customer data shall be made in writing to the CargoRadar Service Provider.

  1. Destruction of Media

a. All hard drives shall follow CargoRadar’s processes and procedures for their erasure or destruction prior to disposal of the system.

  1. Disclosure Control

a. CargoRadar shall not:

i. Allow copying of customer hosting environments other than for backup or forensic purposes.

ii. Allow the removal of Customer Personal data from the premises unless at the specific request of the customer.

  1. Supplier Management

a. Any suppliers or contractors with direct access to the platform or system data must have appropriate contractual obligations applied to maintain the confidentiality of data and comply with applicable CargoRadar security policy controls.

b. CargoRadar shall use reasonable endeavors to impose obligations in relation to the Processing of the Customer Personal Data that are equivalent to those imposed on CargoRadar.

c. The subcontracted service provider shall employ appropriate operational and technological processes and procedures to keep Personal Data safe from unauthorized access, loss, destruction, theft, or disclosure.

CUSTOMER RESPONSIBILITIES IN RELATION TO DATA CONFIDENTIALITY AND ENCRYPTION

  1. CargoRadar recommends that the Customer further protects the confidentiality of the Customer’s data with additional cryptographic controls. Such controls would include encrypting data at rest through application and database level encryption. In addition, the application controls should ensure that all access to sensitive data is tightly controlled through strong access control mechanisms and all such access is thoroughly audited.
  2. Cryptographic keys for the protection of data by the customer as recommended above are also the responsibility of the customer. The Customer should design their key management system taking into account the same issues about protecting data at rest.

Schedule 3

 

1.1           The terms below shall have the following meanings ascribed to them for the purposes of Schedule 3.

"Data Exporter" means Customer when exporting Personal Data to CargoRadar in circumstances where the Personal Data are transferred from one country to another directly or by onward transfer; and

"Data Importer" means CargoRadar when importing Personal Data from Customer in circumstances where the Personal Data are transferred from one country to another directly or by onward transfer.

I.                 European Economic Area

A.               The terms below shall have the following meanings ascribed to them for the purposes of this Section I:

1.         "C-to-P Transfer Clauses" means Module Two (Controller-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.         "P-to-P Transfer Clauses" means Module Three (Processor-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

3.         "Europe" means the European Economic Area.

4.         "European Data Protection Laws" means any applicable laws of Europe that relate to the Processing of Client Personal Data under the Terms.

5.         "Transfer Clauses" means the C-to-P Transfer Clauses or the P-to-P Transfer Clauses, as the case may be.

B.               When Data Exporter transfers Client Personal Data subject to European Data Protection Laws, either directly or via onward transfer, to Data Importer located in a country that does not ensure an adequate level of protection within the meaning of European Data Protection Laws, the Parties agree to Process the transferred Client Personal Data in accordance with the Transfer Clauses as follows:

1.1.1      if the Data Exporter acts as a Controller of that Personal Data and the Data Importer acts as a Processor of that data, the Parties shall comply with the terms of the C-to-P Transfer Clauses; and

1.1.2      if the Data Exporter acts as a Processor of that Personal Data, the Parties shall comply with the terms of the P-to-P Transfer Clauses.

C.               For the purposes of C-to-P Transfer Clauses the following additional provisions shall apply:

1.1.1      the names and addresses of those Data Exporter(s) and Data Importer(s) shall be considered to be incorporated into the C-to-P Transfer Clauses;

1.1.2      The Parties’ signature to this DPA shall be considered as signature to the C-to-P Transfer Clauses;

1.1.3      Clause 7 (Docking Clause) shall apply;

1.1.4      Option 2 under paragraph (a) of Clause 9 (Use of sub-processors) shall apply and “[Specify time period]” be replaced with "thirty (30) business days";

1.1.5      The option under Clause 11 (Redress) shall not apply;

1.1.6      For the purposes of paragraph (a) of Clause 13 (Supervision), the Data Exporter shall be considered as established in an EU Member State;

1.1.7      The governing law for the purposes of Clause 17 (Governing law) shall be the law of [The Republic of Bulgaria]

1.1.8      The courts under Clause 18 (Choice of forum and jurisdiction) shall be the courts of  [The Republic of Bulgaria];

1.1.9      The contents of Schedule 1 shall form Annex I.A to the C-to-P Transfer Clauses (List of Parties);

1.1.10   The contents of Schedule 1 shall form Annex I.B to the C-to-P Transfer Clauses (Description of Transfer);

1.1.11   The Bulgarian supervisory authority shall act as competent supervisory authority for the purposes of Annex I.C of the C-to-P Transfer Clauses (Competent Supervisory Authority); and

1.1.12   The contents of Schedule 2 shall form Annex II of the C-to-P Transfer Clauses (Technical and organisational measures including technical and organisational measures to ensure the security of the data).

D.               For the purposes of P-to-P Transfer Clauses the following additional provisions shall apply:

1.1.1      the names and addresses of those Data Exporter(s) and Data Importer(s) shall be considered to be incorporated into the P-to-P Transfer Clauses;

1.1.2      The Parties’ signature to this Agreement shall be considered as signature to the P-to-P Transfer Clauses;

1.1.3      Clause 7 (Docking Clause) shall apply;

1.1.4      Option 2 under paragraph (a) of Clause 9 (Use of sub-processors) shall apply and “[Specify time period]” be replaced with "thirty (30) business days";

1.1.5      The option under Clause 11 (Redress) shall not apply;

1.1.6      For the purposes of paragraph (a) of Clause 13 (Supervision), the Data Exporter shall be considered as established in an EU Member State;

1.1.7      The governing law for the purposes of Clause 17 (Governing law) shall be the law of [The Republic of Bulgaria];

1.1.8      The courts under Clause 18 (Choice of forum and jurisdiction) shall be the courts of [The Republic of Bulgaria];

1.1.9      The contents of Schedule 1 shall form Annex I.A to the P-to-P Transfer Clauses (List of Parties);

1.1.10   The contents of Schedule 1 shall form Annex I.B to the P-to-P Transfer Clauses (Description of Transfer);

1.1.11   The Bulgarian supervisory authority shall act as competent supervisory authority for the purposes of Annex I.C of the P-to-P Transfer Clauses (Competent Supervisory Authority); and

1.1.12   The contents of Schedule 2 shall form Annex II of the P-to-P Transfer Clauses (Technical and organisational measures including technical and organisational measures to ensure the security of the data).

II.               Switzerland

A.               For the purposes of this Section II, the term "Swiss Data Protection Laws" means Switzerland’s Federal Act on Data Protection of June 19, 1992, the Ordinance to the Federal Act on Data Protection, and the Ordinance on Data Protection Certification, and all Swiss laws relating to the Processing, privacy, protection, or use of Personal Data.

B.               When Data Exporter transfers Personal Data subject to Swiss Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of Swiss Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with Section 0 of this Schedule 3, as supplemented by Clause C of this Section II.

C.               The following additional provisions shall apply so that the Transfer Clauses are suitable for providing an adequate level of protection for such transfer under Swiss Data Protection Laws:

(a)            “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(b)            “Revised FADP” means the revised version of the Federal Act of Data Protection (“FADP”) of 25 September 2020, which is scheduled to come into force on 1 January 2023.

(c)            The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).

(d)            The Transfer Clauses also protect the data of legal entities until the entry into force of the Revised FADP.

(e)            The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

III.             United Kingdom

A.               The terms below shall have the following meanings ascribed to them for the purposes of this Section III:

(a)            "UK" means the United Kingdom.

(b)            "UK Data Protection Laws" means the UK GDPR, Data Protection Act of 2018, and all UK laws relating to the Processing, privacy, protection, or use of Personal Data.

(c)            "UK GDPR" means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

B.               When Data Exporter transfers Personal Data subject to UK Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of UK Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with Section I of this Schedule 3 as supplemented by Clause C of this Section III.

C.               The following additional provisions shall apply so that the Transfer Clauses are suitable for providing an adequate level of protection for such transfer under UK Data Protection Laws:

(a)            Where a data exporter is located in the UK, this UK Addendum to the Transfer Clauses shall apply.

(b)            Where this UK Addendum uses terms that are defined in the Annex those terms shall have the same meaning as in the Annex. In addition, the following terms have the following meanings:

(i)              This “UK Addendum” means this Addendum to the Transfer Clauses.

(ii)             The “Annex” means the Transfer Clauses.

(c)            This UK Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 UK GDPR.

(d)            This UK Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

(e)            Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this UK Addendum has been entered into.

(f)              In the event of a conflict or inconsistency between this UK Addendum and the provisions of the Transfer Clauses or other related agreements between the Parties, existing at the time this UK Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects shall prevail.

(g)            This UK Addendum incorporates the Transfer Clauses which are deemed to be amended to the extent necessary so they operate:

(i)              for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and

(ii)             to provide appropriate safeguards for the transfers in accordance with Articles 46 of the UK GDPR.

(h)            The amendments required by Clause (g) above, include (without limitation):

(i)              References to the “Transfer Clauses” means this UK Addendum as it incorporates the Transfer Clauses.

(ii)             Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”

(iii)           References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.

(iv)           References to Regulation (EU) 2018/1725 are removed.

(v)            References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”.

(vi)           Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner.

(vii)         Clause 17 is replaced to state “These Transfer Clauses are governed by the laws of England and Wales.”

(viii)        Clause 18 is replaced to state: “Any dispute arising from these Transfer Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

(ix)           The footnotes to the Transfer Clauses do not form part of the UK Addendum.

(i)              The parties may agree to change Clause 17 and/or 18 of the Transfer Clauses to refer to the laws and/or courts of Scotland or Northern Ireland.

(j)              The parties may amend this UK Addendum provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Transfer Clauses and making changes to them in accordance with Clause (g) above.