1 972 913 2893
Toegevoegd aan Mijn kantoren

Data Transfer Addendum

Global Service Office Landlord & Operator Terms and Conditions: Data Transfer Addendum

This Data Transfer Addendum applies where We transfer Customer Personal Data to You in circumstances where the GDPR, UK GDPR or Switzerland’s Federal Act on Data Protection apply, and where You are not located in a country or territory that is recognised under applicable Data Protection Legislation as providing adequate protection of personal data.

The terms of this Data Transfer Addendum form part of and are incorporated into the Global Operator Standard Terms and Conditions and the Landlord Listing Terms and Conditions (Terms). Any defined terms set forth in the Terms shall apply to the interpretation of this Data Transfer Addendum.

1. Incorporation of the Standard Contractual Clauses

  • Module 1 of the Standard Contractual Clauses is incorporated by reference into the Terms and apply (where applicable) pursuant to clause 5 of the Terms and as tailored and supplemented by the provisions in this Data Transfer Addendum. The Standard Contractual Clauses apply as follows:
  • Optional Clause 7 is used. The optional second paragraph of Clause 11(a) is not used.
  • For Clause 17 Governing Law: Option 1 is selected and the governing law is that of Ireland.
  • For Clause 18 Choice of forum and jurisdiction: The courts of Ireland shall resolve any disputes arising from these Clauses.

Standard Contractual Clauses

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Data exporter
Name: Us (as defined in the Terms)
Address: Our address (as stated in the Terms)
Activities relevant to the data transferred under these Clauses: As described in Annex IB
By entering into the Terms the data exporter will be deemed to have signed this Annex I thereby agreeing to (i) these Clauses, (ii) the UK Addendum to these Clauses below and (iii) the Switzerland Addendum to these Clauses below from the date the Terms are entered into.
Role (controller/processor): Controller

Data importer(s):

Data importer
Name: You (as defined in the Terms)
Address: Your address, as made available by You to Us from time to time
Activities relevant to the data transferred under these Clauses: As described in Annex IB
By entering into the Terms the data importer will be deemed to have signed this Annex I thereby agreeing to (i) these Clauses, (ii) the UK Addendum to these Clauses below and (iii) the Switzerland Addendum to these Clauses below from the date the Terms are entered into.
Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer personnel.

Categories of personal data transferred

Name and business contact details (including email address and telephone number).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous for our provision of the Services.

Nature of the processing

Storage, analysis and use of Customer Personal Data for the Agreed Purpose (as defined in the Terms).

Purpose(s) of the data transfer and further processing

Customer Personal Data is provided by the data exporter to the data importer for the Agreed Purpose (as defined in the Terms).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with clause 5 of the Terms.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

N/A.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer shall take appropriate technical and organisational measures to ensure that the processing of Customer Personal Data complies with the requirements set out in the Data Protection Legislation, in particular the requirements of the GDPR, UK GDPR and FADP (as applicable), and that the rights of data subjects are protected. The measures must ensure a level of data security appropriate to the risks to the rights and freedoms of the data subjects. These measures include, among others, the following:

The Data Importer shall as a minimum, ensure:

  • The confidentiality of information processed.
  • The integrity of information processed.
  • The availability of information processed.
  • That the data importer complies with its legal requirements.
  • That information security and risk awareness training is provided to all data importer personnel.
  • That breaches of information security, actual or suspected, are reported to and investigated by the data importer.

Non-exhaustive examples of the measures that the data importer shall implement to ensure the above are:

  • Implementing data loss prevention measures to ensure that confidential data cannot be transported outside of the data importer’s systems.
  • Maintaining and implementing disaster recovery and backup plans.
  • Utilising appropriate network security and endpoint protection tools to ensure the integrity and security of the data importer’s network and systems.
  • Monitoring the data importer’s network and systems for unauthorised access or use.
  • Regularly patching known vulnerabilities and updating third party software.
  • Implementing access management controls.
  • Maintaining and implementing password security standards.
  • Utilising multifactor authentication for the use of the data importer’s systems and applications.
  • Utilising a VPN for secure communications.
  • Encrypting data, including encrypting all data at rest.

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (v B1.0)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

By entering into the Terms, both parties agree to the format of this Part 1: Tables set out below.

Table 1: Parties

The start date of this Addendum is the same as the start date of the Addendum EU SCCs. The parties’ details are as set out in Annex I.A of the Addendum EU SCCs above.

Table 2: Selected SCCs, Modules and Selected Clauses

The Addendum EU SCCs are the version of the Approved EU SCCs incorporated into the Terms (as tailored and supplemented by the provisions at the start of this Data Transfer Addendum) which this Addendum is appended to, including the Appendix Information (as defined below).

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in Annex I and II of the Addendum EU SCCs above.

Table 4: Ending this Addendum when the Approved Addendum Changes

Neither party may end this Addendum as set out in Section 19.

Alternative Part 2 Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Switzerland Addendum to the EU Commission Standard Contractual Clauses

This Addendum applies to and is a part of the Clauses.

The Parties agree that the following provisions shall apply with respect to data transfers that are governed by Switzerland’s Federal Act on Data Protection (“FADP”), e.g. personal data transferred by a data exporter from Switzerland to a data importer outside of Switzerland (including personal data located in Switzerland that a data exporter makes accessible to the data importer) (the “Swiss Personal Data”):

  1. Reference to the competent supervisory authority in Annex I.C under Clause 13 shall be deemed to refer to the Federal Data Protection and Information Commissioner (“FDPIC”);
  2. References to Member State(s), the EU and the EEA shall be deemed to include Switzerland;
  3. The list of data subjects and categories of data indicated in Annex I.B to the Clauses shall not be deemed to restrict the application of the Clauses to the Swiss Personal Data;
  4. References to (articles in) the EU General Data Protection Regulation 2016/679 shall be deemed to refer to (equivalent articles in) the FADP;
  5. Where the Clauses use terms that are defined in the EU General Data Protection Regulation 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP; and
  6. Until such date as the revised FADP enters into force in Switzerland (removing FADP protection for data pertaining to legal entities), the term “personal data” shall be deemed to include information relating to an identified or identifiable legal entity.