International Transfers and Standard Contractual Clauses EU / UK

TRANSFERS OF PERSONAL DATA OUTSIDE THE UK / EEA

This Restricted Transfer Addendum (“RTA”) is entered into by and between:

  1. the Client (“Client” or “you”); and
  2. Cleary Gottlieb Steen & Hamilton LLP, a New York limited liability partnership; Cleary Gottlieb Steen & Hamilton LLP, an English limited liability partnership; Cleary Gottlieb Steen & Hamilton Studio Legale, an Italian partnership; CGS&H Limited Liability Company; CGSH International Legal Services, LLP— Sucursal Argentina; Cleary Gottlieb Steen & Hamilton Consultores em Direito Estrangeiro; and Cleary Gottlieb Steen & Hamilton (Hong Kong) (“Cleary”, “we” or “us”)

    (each a “Party”, and together the “Parties”).  

THE PARTIES AGREE AS FOLLOWS:

  1. This RTA supplements Cleary’s Terms and Conditions and Engagement Letters (together the “Agreement”) under which the Client instructs Cleary to provide it with services (“the Services”).
  2. It applies where there is one or more Restricted Transfers between the Parties and in such cases is intended by the Parties to comply with the International Transfer Requirements in respect of such Restricted Transfer(s).

1. DEFINITIONS AND INTERPRETATION

1.1 Unless otherwise defined in this RTA, words and expressions used in this RTA shall have the meanings given in the Agreement.

1.2 In this RTA the following words should have the following meanings:

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) C/2021/3972 (as set out in Schedule 1 of this RTA); and

“Data Protection Laws” means:

  1. the UK Data Protection Laws;
  2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”);
  3. all local laws or regulations of jurisdictions in the EEA implementing or supplementing the GDPR;
  4. codes of practice and guidance relating to Restricted Transfers that are issued by national supervisory authorities, regulators or institutions of competent jurisdictions relating to the laws and regulations referred to in (a)-(c);
  5. other data protection legislation and guidance applicable to Cleary, including as relevant the California Consumer Privacy Act (CCPA), South Korea’s Personal Information Protection Act , Brazil’s General Personal Data Protect Act (“LGPD”) and Russia’s  Federal Law on Personal Data (No. 152-FZ) (together the “Other Relevant Data Protection Laws”).

in each case as amended, superseded or replaced from time to time;

EEA” means the European Economic Area;

Effective Date” means the date upon which the Parties entered the Agreement (and in doing so this RTA)

International Transfer Requirements” means the requirements of Chapter V of the GDPR (Transfers of personal data to third countries or international organisations) and any analogous concept under the Other Relevant Data Protection Laws, as applicable;

Restricted Country” means a country, territory or jurisdiction which is not considered by the EU Commission (or in respect of personal data transfers caught by the requirements of UK Data Protection Laws, the relevant UK governmental or regulatory body as applicable), to offer an adequate level of protection in respect of the processing of personal data pursuant to Article 45(1) of the GDPR. This definition also includes any countries to which transfers of data would be restricted under the Other Relevant  Data Protection Laws, as applicable;

Restricted Transfer” means a transfer of personal data from an entity who is established in the United Kingdom and/or the European Union (as applicable) and/or whose processing of personal data under this Addendum is caught by the requirements of the GDPR, to an entity located in a Restricted Country. This definition also includes transfers of data from jurisdictions subject to the Other Relevant  Data Protection Laws to jurisdictions that would be considered Restricted Countries under those Other Relevant  Data Protection Laws, as applicable.  

“UK” means the United Kingdom;

“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018; and

UK GDPR” has the meaning given to it in the Data Protection Act 2018 (as amended from time to time).

1.3 References in this RTA to “controller”, “personal data”, “processor”, and “processing” shall have the same meaning as defined in the GDPR.

1.4 Unless the context otherwise requires, a reference to a “clause” is a reference to a clause of the main body of this RTA.

1.5 A reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Data Protection Law is that of the UK be construed as a reference to the UK GDPR and/or the equivalent Article or Chapter of the UK GDPR.

1.6 References to legislation (or specific provisions of legislation) means that legislation (or specific provision) as amended from time to time.

2. APPLICABILITY AND EFFECT OF THIS RTA

2.1 This RTA will be deemed to have taken effect on the Effective Date and will remain in effect for the duration of the Agreement.

2.2 This RTA shall be deemed incorporated into, and to form a part of, the Agreement and shall amend and/or supersede any existing clauses or schedules relating to compliance with the International Transfer Requirements. Any provision of the Agreement that does not relate to compliance with the International Transfer Requirements shall be unaffected by this RTA and shall remain in full force and effect.

2.3 In the event of any conflict or inconsistency between the Agreement, the main body of the RTA and/or the SCCs, the provisions which provide the most protection to data subjects shall prevail. In the absence of any such provision providing more protection to data subjects than any other provision, in the event of any conflict or inconsistency:

  1. between this RTA and the Agreement, this RTA shall prevail;
  2. between the SCCs and the main body of this RTA, the former shall prevail.

2.4 For the avoidance of doubt, nothing in this RTA is intended to vary, modify or contradict the provisions of the SCCs.

3. INTERNATIONAL TRANSFER REQUIREMENTS

3.1 The Agreement specifies each Party’s status as a controller and/or a processor in respect of personal data that is processed under or in connection with the Agreement.

3.2 Subject to clause 4, where there is a Restricted Transfer, the Parties agree to rely on the Standard Contractual Clauses to comply with the International Transfer Requirements and, accordingly, to the extent that such transfer is:

  1. on a controller to controller basis, Appendix 1 to Schedule 1 will apply;
  2. on a controller to processor basis Appendix 2 to Schedule 1 will apply;

3.3 Each Party agrees that by entering into this RTA, the SCCs are incorporated into this RTA and deemed executed by each of the Parties acting on their own behalf and on behalf of their affiliates (where applicable) without the need for any further signature from either Party.

3.4 The SCCs shall cease to apply to the processing of personal data if and to the extent that the relevant transfer of the personal data ceases to be a Restricted Transfer.

4. UK INTERPRETATION OF SCCS

4.1 For the purposes of any Restricted Transfer(s) that are made by a data exporter established in the UK, the SCCs shall be deemed to be amended (and/or insofar as possible will be interpreted) so that they operate to provide appropriate safeguards to the transfer(s) in accordance with Articles 46 of the UK GDPR Laws.

4.2 The amendments required by clause 4.1 include (without limitation) the following amendments to the SCCs:

  1. references to “these clauses” means a reference to the SCCs as amended by this clause 4;
  2. references to the GDPR or “that Regulation” shall be deemed references to the UK Data Protection Laws, and references to “Articles” of the GDPR shall be deemed references to corresponding provisions of the UK GDPR or sections of other UK Data Protection Laws (as applicable);
  3. a reference to a “supervisory authority” or “competent supervisory authority” shall be deemed a reference to the Information Commissioner’s Office;
  4. a reference to the “European Union”, “EU”, “Union”, “Member State” or “one of the Member States” or similar shall be deemed a reference to the United Kingdom;
  5. references to “Regulation (EU) 2018/1725)” shall be deemed replaced with the words “[intentionally omitted]”;
  6. clause 6 of the SCCs is deleted and replaced with:
  7. “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
  8. clause 13(a) of the SCCs shall be deemed to read: the “ICO shall act as competent supervisory authority” and Annex 1, Part C (Competent Supervisory Authority) shall be completed accordingly;
  9. clauses 17 and 18 of the SCCs shall not apply (clause 13 of this RTA shall instead apply); and
  10. in clause 16, a reference to “the European Commission” shall be deemed a reference to a competent authority in the UK and the words “Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred” shall be deemed replaced with the words “[intentionally omitted]”,

4.3 For the avoidance of doubt, where the relevant processing activity falls within the territorial scope of the UK GDPR and Data Protection Laws of a European Union Member State (and/or an EEA state), the relevant Restricted Transfer shall be subject to clauses 4.1 and  4.2 where it is made by a data exporter established in the UK.

4.4 Nothing in this clause 4 shall:

  1. change the legal meaning of the SCCs;
  2. prevent the data subject from lodging a complaint with the supervisory authority in the country of his/her habitual residence or place of work; or
  3. give an interpretation to the SCCs that conflicts with rights and obligations provided for in UK Data Protection Laws.

4.5 The Parties agree that this clause 4 incorporates the [draft] UK Addendum to the European Commission Standard Contractual Clauses issued by the ICO under or pursuant to section 119A(1) of the Data Protection Act 2018 and that, by entering into this RTA, the requirements of that addendum are binding on the parties in accordance with clause 12 of that addendum.

5. INVALIDITY OF THE SCCS

5.1 If any transfer mechanism relied upon by the Parties pursuant to clause 3.2 ceases to exist or is no longer considered by either Party to be a lawful method of complying with the International Transfer Requirements for any reason, the data importer shall cease (and procure that any relevant third party ceases) all substantive processing of such personal data until such time as the data importer has, in accordance with the data exporter’s instructions, entered into an alternative transfer mechanism and/or put in place such supplementary measures and/or safeguards to comply with the International Transfer Requirements.

5.2 Subject to clause 5.3, if the data exporter determines (acting reasonably) that it is not feasible to put in place such an alternative transfer mechanism and/or supplementary measures and/or safeguards to enable compliance with the International Transfer Requirements, the data exporter shall be entitled to require the data importer to:

  1. process (and/or procure that any relevant third party processes) the personal data within a jurisdiction which is not a Restricted Country; and/or
  2. delete (or procure the deletion of) and/or destroy the personal data such that it is no longer processed in the relevant Restricted Country.

5.3 Where the data exporter is unable to comply with clause 5.2 because of local laws applicable to the data importer that prohibit such compliance, the data importer warrants that it will continue to ensure compliance with this RTA and will only process the relevant personal data to the extent and for as long as required under that local law.

6. RIGHTS AND REMEDIES

6.1 The rights and remedies provided under this RTA are in addition to, and not exclusive of, any rights or remedies provided by law.

7. LIABILITY

7.1 The exclusions and limitations of liability set out in (or that otherwise apply to) the Agreement,  including in particular in clause 18, shall apply to this RTA.

8. THIRD PARTY RIGHTS

8.1 Except as otherwise expressly stated in this RTA, this RTA does not confer any rights on any person or party (other than the Parties) under the Contracts (Rights of Third Parties) Act 1999 or otherwise.

9. FURTHER ASSURANCE

9.1 Each Party shall, at the request of the other Party, execute such additional documents and perform or procure the performance of such other acts or things that may reasonably be required by the other Party in order to give full effect to this RTA.

10. ENTIRE AGREEMENT

10.1 This RTA and the documents referred to or incorporated in it constitute the entire agreement between the parties relating to the subject matter of this RTA and supersede and extinguish any prior drafts, agreements, undertakings, representations, warranties and arrangements of any nature whatever, whether or not in writing, between the parties in relation to the subject matter of this RTA.

11. SEVERANCE

11.1 If any provision of this RTA is held to be invalid or unenforceable by any judicial or other competent authority, all other provisions of this RTA will remain in full force and effect and will not in any way be impaired.

11.2 If any provision of this RTA is held to be invalid or unenforceable but would be valid or enforceable if some part of the provision were deleted, or the period of the obligation reduced in time, or the range of activities or area covered reduced in scope, the provision in question will apply with the minimum modifications necessary to make it valid and enforceable.

12. GOVERNING LAW AND JURISDICTION

12.1 This RTA and any dispute or claim arising out of or in connection with it or its subject matter, whether of a contractual or non-contractual nature, shall:

  1. where the relevant data exporter is established in a Member State of the European Union or a Restricted Country, be governed by and construed in accordance with the law of Belgium ; and/or
  2. where the relevant data exporter is established in the United Kingdom, be governed by and construed in accordance with the law of England and Wales (or the laws of the country in which the data exporter is established).

12.2 The Parties irrevocably agree that:

  1. where clause 12.1(a) applies, the courts of Belgium shall have exclusive jurisdiction to settle any dispute which may arise out of or in connection with this RTA; and/or
  2. where clause 12.1(b) applies, the courts of England and Wales (or the courts of the jurisdiction in which the relevant data exporter is established) shall have exclusive jurisdiction to settle any dispute which may arise out of or in connection with this RTA,

provided in each case that a data subject whose personal data is subject to the GDPR (or as the case may be the UK GDPR) may also bring legal proceedings before the courts of the Member State in which that data subject has their habitual residence (or as the case may be the courts of England and Wales).

Execution This RTA will be deemed to have been executed by the Parties on the Effective Date.


Appendix 1 - Controller to Controller

Appendix 2 - Controller to Processor

Annex