Data Processing Agreement

This Data Processing Agreement ("DPA") forms an integral part of the CreateBase Terms of Service ("Terms") between the party named as "Customer" in the Terms ("Customer" or "Controller") and The Cur8 Group Corp. d/b/a CreateBase ("CreateBase" or "Processor") and sets out the parties' respective obligations when Customer personal data is processed by CreateBase in relation to the Services performed by CreateBase on Customer's behalf pursuant to the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the Customer accepts the Terms of Service.

1. Definitions and Interpretation

1.1 Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

• "Agreement" means this Data Processing and Services Agreement and all Schedules;
• "Customer Personal Data" means any Personal Data Processed by CreateBase on behalf of Customer pursuant to or in connection with the Principal Agreement;
• "Customer Confidential Information" means all non-public, proprietary, or confidential information disclosed by Customer to The Cur8 Group Corp including but not limited to music rights data, royalty information, collaborator details, split sheet information, financial data, and strategic business information;
• "Data Protection Laws" means EU Data Protection Laws, U.S. Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country;
• "U.S. Privacy Laws" means applicable U.S. federal and state privacy laws including but not limited to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and any other applicable state privacy laws;
• "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
• "GDPR" means EU General Data Protection Regulation 2016/679;
• "Data Transfer" means: a transfer of Customer Personal Data from the Customer to CreateBase; or an onward transfer of Customer Personal Data from CreateBase to a Subprocessor, or between two establishments of CreateBase, in each case, where such transfer would be prohibited by Data Protection Laws;
• "Services" means the music rights management platform, Story-to-Splits AI processing, royalty collection and distribution, metadata registration and optimization, split sheet generation, rights administration, identity verification, and related services that CreateBase provides;
• "Deliverables" means all work products, documents, metadata configurations, rights registrations, split sheet data, royalty collection setups, and other materials created by CreateBase specifically for Customer during the performance of Services;
• "Subprocessor" means any person appointed by or on behalf of CreateBase to process Personal Data on behalf of the Customer in connection with the Agreement;
• "Music Rights Data" means all data related to musical works, sound recordings, compositions, splits, royalties, and associated rights information processed through CreateBase services.

1.2 GDPR Terms

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Confidentiality and Data Protection

2.1 Comprehensive Confidentiality

2.1.1 CreateBase acknowledges that it may receive Customer Confidential Information and Customer Personal Data in connection with the Services.

2.1.2 CreateBase shall:

• Hold all Customer Confidential Information in strict confidence;
• Use Customer Confidential Information solely for the purpose of providing the Services;
• Not disclose Customer Confidential Information to any third party without Customer's prior written consent;
• Implement and maintain appropriate safeguards to protect the confidentiality of such information.

2.1.3 The confidentiality obligations shall survive termination of this Agreement for a period of seven (7) years.

2.2 Processing Obligations

CreateBase shall:

• 2.2.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
• 2.2.2 not Process Customer Personal Data other than on the Customer's documented instructions;
• 2.2.3 ensure all employees handling Personal Data or Confidential Information are bound by legally enforceable confidentiality agreements;
• 2.2.4 provide adequate training to all employees handling Personal Data on data protection requirements and procedures;
• 2.2.5 be held liable for any processing activities conducted outside the scope of documented instructions.

2.3 Processing Instructions

The Customer instructs CreateBase to process Customer Personal Data for the following purposes:

• Story-to-Splits AI processing for rights metadata generation
• Music rights registration with PROs, MLC, and SoundExchange
• Royalty collection and distribution management
• Split sheet generation and collaborator management
• Identity verification and matching across music platforms
• Metadata optimization and cleanup services
• Rights administration and compliance monitoring
• Customer support and service delivery

3. Processor Personnel

CreateBase shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual's duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Enterprise Security Measures

4.1 Technical and Organizational Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CreateBase shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

4.2 Specific Security Measures

CreateBase implements and maintains the following enterprise-grade security measures:

• 4.2.1 Encryption: End-to-end encryption for all data in transit and at rest using industry-standard encryption protocols (minimum TLS 1.2, AES-256);
• 4.2.2 Access Controls: Multi-factor authentication and role-based access control limiting data access to authorized personnel only;
• 4.2.3 Data Minimization: Customer data is processed according to configured retention policies; sensitive financial information is processed with enhanced security controls;
• 4.2.4 Infrastructure Security: Regular security assessments, automated security updates, comprehensive incident response procedures;
• 4.2.5 Compliance Certifications: CreateBase is pursuing SOC 2 Type II and ISO 27001 certifications (pending completion);
• 4.2.6 Zero Trust Architecture: Implementation of zero trust security principles with continuous verification and least-privilege access;
• 4.2.7 Data Residency: Standard data residency in the United States with configurable controls for enterprise accounts to meet jurisdictional requirements.

4.3 Risk Assessment

In assessing the appropriate level of security, CreateBase shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. U.S. Privacy Law Compliance

5.1 U.S. Consumer Privacy Rights

CreateBase shall assist Customer in fulfilling consumer rights requests under applicable U.S. Privacy Laws, including:

• Right to know/access personal information
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt-out of sale/sharing of personal information
• Right to limit use of sensitive personal information

5.2 CCPA/CPRA Compliance

5.2.1 CreateBase warrants that it will not:

• Sell or share Customer Personal Data;
• Retain, use, or disclose Customer Personal Data for any purpose other than performing the Services;
• Use Customer Personal Data for advertising or commercial purposes outside the Services.

5.2.2 CreateBase shall provide the same level of privacy protection as required by applicable U.S. Privacy Laws.

5.3 Cross-Border Data Transfers

For transfers of personal data from the U.S. to other jurisdictions, CreateBase shall implement appropriate safeguards including standard contractual clauses or other legally recognized transfer mechanisms.

6. Intellectual Property and Deliverables Ownership

6.1 Deliverables Ownership

6.1.1 All Deliverables created specifically for Customer, including but not limited to:

• Custom metadata configurations
• Rights registration data
• Generated split sheet information
• Royalty collection setups
• Integration specifications
• Custom workflows and processes

shall be owned by Customer upon full payment of applicable fees.

6.1.2 CreateBase hereby assigns to Customer all right, title, and interest in and to such Deliverables, including all intellectual property rights therein.

6.2 CreateBase Retained Rights

6.2.1 CreateBase retains ownership of:

• Its core platform, software, and underlying technology
• General methodologies, processes, and know-how
• Aggregated and anonymized insights that cannot identify Customer
• AI models and algorithms used in service delivery

6.2.2 CreateBase may use general knowledge, skills, and experience gained from providing Services, provided such use does not violate confidentiality obligations or disclose Customer Confidential Information.

6.3 License Grant

6.3.1 Customer grants CreateBase a limited, non-exclusive license to use Customer Confidential Information solely for the purpose of providing the Services during the term of this Agreement.

6.3.2 CreateBase grants Customer a perpetual, irrevocable, royalty-free license to use Deliverables for Customer's business purposes, including the right to modify and create derivative works.

7. Subprocessing

7.1 Authorized Subprocessors

CreateBase is authorized to engage the following Subprocessors:

7.2 Subprocessor Requirements

CreateBase shall ensure that all Subprocessors:

• Are bound by data protection and confidentiality obligations substantially equivalent to those in this Agreement
• Maintain compliance with applicable Data Protection Laws
• Process Personal Data only for the specific purposes authorized by Customer
• Implement appropriate technical and organizational measures

7.3 Subprocessor Changes

CreateBase shall inform Customer of any intended changes to Subprocessors with at least 30 days' prior written notice. Customer may object to such changes within 14 days if the changes do not meet required data protection standards.

8. Data Subject Rights

8.1 Assistance to Customer

CreateBase shall assist Customer in fulfilling its obligations to respond to requests to exercise Data Subject rights under applicable Data Protection Laws, including both GDPR and U.S. Privacy Laws.

8.2 Data Subject Request Handling

CreateBase shall:

• 8.2.1 promptly notify Customer within 5 business days if it receives a request from a Data Subject;
• 8.2.2 not respond to that request except on the documented instructions of Customer or as required by applicable laws;
• 8.2.3 provide Customer with all necessary technical assistance to fulfill Data Subject requests;
• 8.2.4 maintain records of all Data Subject requests and responses for audit purposes.

9. Data Protection Impact Assessment and Prior Consultation

CreateBase shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by CreateBase, taking into account the nature of the Processing and information available to CreateBase.

10. Personal Data Breach

10.1 Breach Notification

CreateBase shall notify Customer at [CUSTOMER PRIVACY EMAIL] without undue delay and in any event within 72 hours upon becoming aware of a Personal Data Breach affecting Customer Personal Data or Confidential Information, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

10.2 Breach Response

CreateBase shall cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

10.3 Breach Documentation

CreateBase shall maintain records of Personal Data Breaches to the extent reasonably practicable, including:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects concerned (if determinable)
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for obtaining more information

11. Data Retention and Deletion

11.1 Data Deletion

CreateBase shall delete Customer Personal Data and Confidential Information within 30 days of the cessation of Services, except for:

• Data required to be retained by law (financial records - 7 years)
• Deliverables owned by Customer
• Data necessary for pipeline royalty processing (18 months maximum)
• Aggregated, anonymized data that cannot identify Customer

11.2 Specific Retention Periods

• Artist and Collaborator Data: Retained during active subscription plus 18 months for pipeline royalty processing
• Music Rights Metadata: Retained during service period unless Customer requests deletion
• Split Sheet Data: Retained per Customer configuration or deleted upon request
• AI Processing Data: Processed in real-time and not retained unless specifically configured
• Support and Communication Data: Retained for 3 years or as required by law

11.3 Certification

CreateBase shall provide written certification to Customer that it has fully complied with this section within 30 days of the service cessation date.

12. Audit Rights

12.1 Audit Access

Subject to this section 12, CreateBase shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of Customer Personal Data.

12.2 Annual Audit Rights

Customer may conduct at least one audit per year of CreateBase's data processing activities upon reasonable notice (minimum 30 days).

12.3 Audit Limitations

Information and audit rights of the Customer only arise under section 12.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

12.4 Compliance Documentation

CreateBase shall maintain and provide documentation demonstrating compliance with this Agreement and applicable Data Protection Laws, including:

• Security policies and procedures
• Employee training records
• Incident response logs
• Subprocessor compliance assessments
• Technical and organizational measures documentation

13. Data Transfer and Cross-Border Processing

13.1 International Transfers

Personal data processed under this Agreement may be transferred from Customer's jurisdiction to the United States and other jurisdictions where CreateBase or its Subprocessors operate.

13.2 Transfer Safeguards

For transfers from the EU/EEA, the Parties shall rely on EU approved standard contractual clauses as set forth in Schedule A.

13.3 Government Access Requests

CreateBase shall immediately notify Customer of any legally binding request for disclosure of Personal Data by a government authority, unless prohibited by law. CreateBase will:

• Challenge overly broad requests where legally possible
• Provide minimum necessary information
• Seek confidential treatment of disclosed information
• Notify Customer when legally permissible

14. No-Training and AI Ethics

14.1 No-Training Rights

CreateBase shall not use Customer Personal Data or Confidential Information for the purpose of training or developing its artificial intelligence models, machine learning algorithms, or similar technologies, except:

• Where explicitly authorized by Customer in writing
• For processing necessary to provide the contracted Services
• For aggregated, anonymized insights that cannot identify Customer

14.2 AI Ethics

CreateBase warrants that its AI systems are designed and operated in accordance with responsible AI principles, including:

• Fairness and non-discrimination
• Transparency in AI decision-making
• Accountability for AI-generated outputs
• Privacy by design in AI processing
• Human oversight of automated decisions

14.3 AI Processing Limitations

CreateBase's AI processing shall:

• Be limited to the specific purposes outlined in this Agreement
• Not create profiles of individuals for unauthorized purposes
• Maintain accuracy and reliability in AI-generated metadata
• Allow for human review and correction of AI outputs
• Respect intellectual property rights in training data and outputs

15. Liability and Indemnification

15.1 GDPR and Privacy Law Liability

CreateBase shall be liable for damages caused by:

• Non-compliance with applicable Data Protection Laws
• Processing Personal Data outside the scope of lawful instructions
• Failure to implement appropriate security measures
• Unauthorized disclosure of Customer Confidential Information

15.2 Confidentiality Breach

CreateBase shall indemnify Customer for damages resulting from unauthorized disclosure of Customer Confidential Information, including:

• Direct financial losses
• Regulatory fines and penalties
• Legal costs and expenses
• Reputational harm (to the extent quantifiable)

15.3 Commercial Liability

All other liability matters, including commercial liability, limitation of damages, and general indemnification, shall be governed by the Principal Agreement between the parties, except where Data Protection Laws mandate higher liability standards.

15.4 Liability Limitations

Notwithstanding any limitation of liability in the Principal Agreement, CreateBase's liability for:

• Data Protection Law violations shall not be limited
• Confidentiality breaches shall be subject to a minimum liability cap of $100,000
• Security breaches shall include costs of breach notification and remediation

16. Term and Termination

16.1 Term

This Agreement shall remain in effect for the duration of the Principal Agreement and any period during which CreateBase processes Customer Personal Data.

16.2 Termination Rights

Either party may terminate this Agreement:

• Upon termination of the Principal Agreement
• For material breach not cured within 30 days of written notice
• If required by applicable Data Protection Laws

16.3 Survival

The following provisions shall survive termination:

• Confidentiality obligations (Section 2.1)
• Deliverables ownership (Section 6)
• Data deletion obligations (Section 11)
• Liability provisions (Section 15)
• Audit rights for completed processing

17. Governing Law and Dispute Resolution

17.1 Governing Law

This Agreement shall be governed by the laws of the state of [CUSTOMER STATE]. Where Customer is located outside the United States, this Agreement shall be governed by the laws of Delaware, United States.

17.2 Dispute Resolution

Any disputes shall be resolved in accordance with the dispute resolution mechanism set forth in the Principal Agreement. For data protection-specific disputes, parties agree to:

• First attempt resolution through good faith negotiation
• Submit to mediation if negotiation fails
• Resort to binding arbitration as specified in the Principal Agreement

17.3 Regulatory Cooperation

Both parties agree to cooperate fully with data protection authorities in any investigation or proceeding related to this Agreement.

18. General Provisions

18.1 Entire Agreement

This Agreement, together with the Principal Agreement, constitutes the entire agreement between the parties regarding data processing and confidentiality.

18.2 Amendments

This Agreement may only be amended:

• In writing signed by both parties
• To comply with changes in applicable Data Protection Laws
• Through updated Terms of Service with appropriate Customer notice

18.3 Notices

All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to:

• For CreateBase: privacy@createbase.com
• For Customer: The email address associated with Customer's account

18.4 Severability

If any provision is found unenforceable, the remainder of the Agreement shall remain in full force and effect, and the parties shall work in good faith to replace the unenforceable provision with an enforceable provision that achieves the same purpose.

18.5 Force Majeure

Neither party shall be liable for any failure or delay in performance under this Agreement which is due to fire, flood, earthquake, pandemic, governmental action, war, terrorism, or other causes beyond the reasonable control of such party.

SCHEDULE A - INTERNATIONAL DATA TRANSFERS

A.1 Standard Contractual Clauses

For transfers of personal data from the European Economic Area to CreateBase in the United States, the parties shall execute the Standard Contractual Clauses as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs").

A.2 SCC Execution Process

A.2.1 The SCCs shall be executed as a separate agreement between Customer (as data exporter) and CreateBase (as data importer) prior to any transfer of EU personal data.

A.2.2 The applicable module shall be Module 2: Controller to Processor transfers.

A.2.3 The SCCs shall incorporate the data processing details, technical and organizational measures, and subprocessor information as specified in the Annexes to this DPA.

A.3 SCC Precedence

In the event of any conflict between this DPA and the executed SCCs, the SCCs shall take precedence for matters relating to international transfers of personal data from the EU.

A.4 Additional Transfer Mechanisms

CreateBase may rely on other lawful transfer mechanisms as they become available, including:

• Adequacy decisions by the European Commission
• Binding corporate rules
• Approved certification mechanisms
• Other legally recognized transfer mechanisms

A.5 Transfer Impact Assessment

Prior to executing SCCs, CreateBase and Customer may jointly conduct a transfer impact assessment to evaluate:

• Local laws that may impact the effectiveness of SCCs
• Additional safeguards that may be necessary
• Technical and organizational measures to supplement SCC protections

SCHEDULE B - STANDARD CONTRACTUAL CLAUSES (FULL TEXT)

SECTION I

Clause 1 - Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a third country.

(b) The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter 'entity/ies') transferring the personal data, as listed in Annex I.A (hereinafter each 'data exporter'), and (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each 'data importer'), have agreed to these standard contractual clauses (hereinafter: 'Clauses').

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 - Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 - Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

• Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
• Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
• Clause 9(a), (c), (d) and (e);
• Clause 12(a), (d) and (f);
• Clause 13;
• Clause 15.1(c), (d) and (e);
• Clause 16(e);
• Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 4 - Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 - Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 - Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION III - LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 8 - Data importer obligations

The data importer warrants and undertakes that:

(a) It has no reason to believe that the laws and practices in the third country of destination applicable to its processing of the personal data, including any requirements to disclose personal data or measures authorising access by public authorities, prevent it from fulfilling its obligations under these Clauses. It is aware that in case of changes in the laws of the third country of destination, it has the obligation to inform the data exporter accordingly and the data exporter may then suspend the data transfer and/or terminate the contract.

(b) It will process the personal data in accordance with the data processing principles set forth in Annex I.A. It shall in particular ensure that the personal data is processed in a manner that is adequate, relevant and not excessive in relation to the purpose(s) of processing.

(c) It will cooperate in responding to any enquiry from the data exporter that relates to the processing under these Clauses and will comply with the advice of the supervisory authority with regard to the processing of the data.

(d) At the request of the data exporter, it will make its data processing facilities available for an audit of the processing activities covered by these Clauses carried out by the data exporter or another inspection body or auditor with appropriate professional qualifications bound by a duty of confidentiality.

Clause 9 - Use of sub-processors

(a) The data importer has the data exporter's general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors, thereby giving the data exporter the opportunity to object to such changes.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the data importer is under these Clauses, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Regulation (EU) 2016/679.

Clause 10 - Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects' requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11 - Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13; (ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer shall agree that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12 - Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data importer and its sub-processor under paragraph (b).

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer's responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13 - Supervision

(a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to auditing and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION IV - FINAL PROVISIONS

Clause 14 - Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements: (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; (ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 - Obligations of the data importer in case of access by public authorities

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

Clause 16 - Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 - Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18 - Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX - SCC ANNEXES

ANNEX I

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES

Related Policies

Learn about our privacy practices, data processing, and service terms:

• Terms of Service
• Privacy Policy
• Cancellation Policy
• Account Credit Policy