Tag’s Content Engine (formerly referred to as DICE) DATA PROTECTION ADDENDUM
Version: November 2025
This Data Protection Addendum (“DPA”) forms part of the Tag’s Content Engine Pilot Terms or any other agreement between Tag and Client for the purchase of Services from Tag that references this DPA (the “Agreement”). Notwithstanding the foregoing, in the event of a conflict or inconsistency between the terms of the Agreement and this DPA, this DPA shall prevail.
This DPA shall be effective from the Effective Date of the Agreement, as applicable. Except as modified below the terms of the Agreement shall remain in effect.
1. Definitions
1.1 In this DPA, defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of the Agreement. In addition, the following definitions have the meanings given below:
Adequacy Finding | refers to a legally-binding decision issued by the applicable authority allowing the transfer of Personal Data to a third country which has been considered adequate in terms of data protection safeguards under (i) an implementing act adopted in accordance with the examination procedure referred to in GDPR Article 93(2) and/or (ii) Schedule 21 of the UK Data Protection Act 2018; |
Applicable Law | means applicable laws of the United Kingdom (UK), the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states from time to time including the EU AI Act together with applicable laws in the United Kingdom from time to time; |
Appropriate Safeguards | means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws, as amended or updated from time to time; |
Data Protection Laws | means all Applicable Laws relating to the Processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including, but not limited to, the following laws to the extent applicable in the circumstances: (a) the EU GDPR; (b) the UK GDPR and the Data Protection Act 2018; (c) any other laws to which the processing or use of (d) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing; |
Data Protection Losses | means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and, (b) to the extent permitted by Applicable Law:(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (i) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (ii) the reasonable costs of compliance with investigations by a Supervisory Authority; |
Data Subject Request | means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws; |
GDPR | means the EU GDPR and UK GDPR, as applicable in the context; |
Effective Date | means the effective date in (a) Tag’s Content Engine Pilot Terms; or (b) any other agreement between Tag and Client for the purchase of Services which makes reference to this DPA; |
EU GDPR | means the General Data Protection Regulation, Regulation (EU) 2016/679 as amended, nationally implemented or supplemented from time to time; |
EU Standard Contractual Clauses or ‘EU SCCs’ | means the standard contractual clauses adopted by the European Commission decision on 4 June 2021 governing the transfers of personal data to a Third Country without an Adequacy Finding; |
Personal Data Breach | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data; |
Processing Instructions | has the meaning given to that term in paragraph 3.1.1; |
Sub-Processor | means another Processor engaged by Tag for carrying out Processing activities in respect of the Personal Data on behalf of the Client; |
Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; |
UK | means the United Kingdom; |
UK GDPR | means the EU GDPR and the Data Protection Act 2018 as both amended by the UK Data Protection Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019(2019/419), together with any laws and regulations that replaces or amends any of these from time to time; |
UK Standard Contractual Clauses or ‘UK SCCs’ | means the standard contractual clauses recognised under the UK GDPR, as a means of providing appropriate safeguards for Personal Data transferred out of the United Kingdom, as amended, replaced or supplemented from time to time. |
|
The following terms shall have the same meanings as in the Data Protection Laws, and their equivalent terms (and their derivatives) shall be construed accordingly: “controller”, “data protection officer”, “Personal Data”, “processor”, “processing”, “data subject”, “international organisation”, “Member State”, “supervisory authority”, “Third Country”, and “Union”.
2. Processor and Controller
2.1 The parties agree that, for the Personal Data, the Client shall be the Controller and Tag shall be the Processor. Nothing in the Agreement relieves the Client of any responsibilities or liabilities under any Data Protection Laws.
2.2 To the extent the Client is not sole Controller of any Personal Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Tag to process the Personal Data in accordance with the Agreement.
2.3 Tag shall process Personal Data in compliance with:
2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under the Agreement; and
2.3.2 the terms of the Agreement.
2.4 The Client shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:
2.4.1 all Data Protection Laws in connection with the Processing of Personal Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under the Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.4.2 the terms of the Agreement.
2.5 The Client warrants, represents and undertakes, that at all times:
2.5.1 all Personal Data (if processed in accordance with the Agreement) shall comply in all respects, including in terms of its collection, storage and Processing, with Data Protection Laws;
2.5.2 fair Processing and all other appropriate notices have been provided to the Data Subjects of the Personal Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all Processing activities in respect of the Personal Data which may be undertaken by Tag and its Sub-Processors in accordance with the Agreement;
2.5.3 the Personal Data is accurate and up to date;
2.5.4 it shall establish and maintain adequate security measures to safeguard the Personal Data in its possession or control from (including from unauthorised or unlawful destruction, corruption, Processing or disclosure) and maintain complete and accurate backups of all Personal Data provided to Tag (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Personal Data in the event of loss, damage or corruption of such Personal Data by Tag or any other person;
2.5.5 all instructions given by it to Tag in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.5.6 it has undertaken due diligence in relation to Tag’s Processing operations and commitments and it is satisfied (and all times it continues to use the Services remains satisfied) that:
(a) Tag’s Processing operations are suitable for the purposes for which the Client proposes to use the Services and engage Tag to process the Personal Data;
(b) the technical and organisational measures set out in the Agreement (each as updated from time to time) shall ensure a level of security appropriate to the risk with regards to the Personal Data; and
(c) Tag has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
3. Instructions and details of Processing
3.1 Insofar as Tag processes Personal Data on behalf of the Client, Tag
3.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Personal Data only on and in accordance with the Client’s documented instructions as set out in this paragraph 3.1 and paragraphs 3.2 and 3.3 as updated from time to time;
3.1.2 if Applicable Law requires it to process Personal Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before Processing the Personal Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.1.3 shall promptly inform the Client if Tag becomes aware of a Processing Instruction that, in Tag’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to paragraphs 2.4 and 2.5; and
(b) to the maximum extent permitted by Applicable Law, Tag shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any Processing in accordance with the Client’s Processing Instructions following the Client’s receipt of the information required by this paragraph 3.1.3.
3.2 The Client acknowledges and agrees that the execution of any computer command to process (including deletion of) any Personal Data made in the use of any of the Content Engine Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the Training Materials). The Client shall ensure that Authorised Users do not execute any such command unless authorised by the Client (and by all other relevant Controller(s)) and acknowledges and accepts that if any Personal Data is deleted pursuant to any such command Tag is under no obligation to seek to restore it.
3.3 Subject to the Order Form the Processing of the Personal Data by Tag under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Appendix 1.
4. Technical and Organisational Measures
4.1 Taking into account the nature of the Processing, Tag shall implement and maintain, at its cost and expense, the Technical and Organisational Measures in relation to the Processing of Personal Data . as set forth in Appendix 2 of this DPA. Vendor shall ensure that persons authorized to carry out processing have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality.
5. Using staff and other Processors
5.1 The Client grants Tag a general authorisation to appoint Sub-Processors for the Processing of Personal Data.
5.2 Tag shall:
5.2.1 prior to the relevant Sub-Processor carrying out any Processing activities in respect of the Personal Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 2 to 11 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and
5.2.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.3 Tag shall ensure that all persons authorised by it (or by any Sub-Processor) to process Personal Data are subject to a binding written contractual obligation to keep the Personal Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Tag shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).
6. Assistance with Compliance and Data Subject Rights
6.1 Tag shall assist the Client, by implementing appropriate technical and organisational measures, to comply with the Client’s obligation to respond to all Data Subject Requests it receives under Data Protection Laws. The Client shall pay Tag for all work, time, costs and expenses incurred in connection with such activity, calculated on a time and materials basis at Tag’s rates set out in Tag’s Standard Pricing Terms, a copy of which shall be available to the Client upon request.
6.2 Tag shall provide such assistance as the Client reasonably requires (taking into account the nature of Processing and the information available to Tag) to the Client in ensuring compliance with the Client’s obligations under Data Protection Laws with respect to:
6.2.1 security of Processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3 prior consultation with a Supervisory Authority regarding high risk Processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach,
provided the Client shall pay Tag for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at Tag’s rates set out in Tag’s Standard Pricing Terms.
7. International Data Transfers
7.1 The Client hereby authorises Tag to process Personal Data, including using Sub-Processors, in accordance with this Agreement, outside the country in which the Client is located by way, as necessary, of Appropriate Safeguards and in accordance with Data Protection Laws, an Adequacy Finding, and the Agreement. The provisions of the Agreement (including this Data Protection Addendum) shall constitute the Client’s instructions with respect to transfers in accordance with paragraph 3.1.1.
7.2 To the extent that, in order to enable Tag deliver the Services, any Restricted Transfer is required of Client Personal Data between the Client (acting as an ‘exporter’) and Tag (acting as an ‘importer’) or between Tag (acting as an ‘exporter’) to the Client (acting as an ‘importer’), the parties will ensure that an agreed Transfer Mechanism will govern such Restricted Transfer(s), which may include any relevant provisions of the Standard Contractual Clauses.
7.3 Restricted Transfers Subject to UK GDPR:
7.3.1 Where a Restricted Transfer set out in clause 7.2 above would result in the transfer of Client Personal Data from the United Kingdom to a Non-Adequate Recipient outside the United Kingdom, Appendix 3 will apply to such Restricted Transfers.
7.4 Restricted Transfers Subject to the EU GDPR:
7.4.1 Where a Restricted Transfer set out in clause 7.2 above would result in the transfer of Client Personal Data from the European Economic Area to a Non-Adequate Recipient outside the European Economic Area, Appendix 4 will apply to such Restricted Transfers.
7.4.2 For the purposes of any Restricted Transfers described in clause 7.4.1 above, the Client shall implement and maintain all supplementary measures to ensure compliance with the Client’s obligations as data exporter and to render the Restricted Transfer effective and compliant with the Data Protection Legislation.
7.5 The Client acknowledges that due to the nature of cloud services, the Personal Data may be Transferred to other geographical locations in connection with use of the Service further to access and/or computerised instructions initiated by Authorised Users. The Client acknowledges that Tag does not control such Processing and the Client shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Personal Data to other geographical locations if Appropriate Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.
8. Information and Audit
8.1 Tag shall maintain, in accordance with Data Protection Laws binding on Tag, written records of all categories of Processing activities carried out on behalf of the Client.
8.2 On request, Tag shall provide the Client (or an independent third party auditor reasonably acceptable to Tag) with a copy of the third-party certifications and audits to the extent made generally available to its Clients. Such information shall be confidential to Tag and shall be Tag Confidential Information as defined in the Agreement, and shall be treated in accordance with applicable terms.
8.3 In the event that the Client, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under Data Protection Laws, Tag shall, on request by the Client make available to the Client such information as is reasonably necessary to demonstrate Tag’s compliance, its obligations under this Agreement and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Client (or an independent third party auditor reasonably acceptable Tag) for this purpose, provided:
8.3.1 such audit, inspection or information request is reasonable, limited to information in Tag’s possession or control and is subject to the Client giving Tag reasonable (and in any event at least sixty (60) days) prior notice of such audit, inspection or information request;
8.3.2 the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the frequency, timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Client or third party auditor shall comply (including to protect the security and confidentiality of other Clients, to ensure Tag is not placed in breach of any other arrangement with any other Client and so as to comply with the remainder of this paragraph 8.3);
8.3.3 the Client shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of Tag;
8.3.4 the duration of any audit or inspection shall be limited to one Business Day;
8.3.5 all costs of such audit or inspection or responding to such information request shall be borne by the Client, and Tag’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Client on a time and materials basis in accordance with Tag’s Standard Pricing Terms;
8.3.6 the Client’s rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if the Client (acting reasonably) believes Tag is in breach of this Data Protection Addendum;
8.3.7 the Client shall promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to Tag;
8.3.8 the Client agrees that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits shall be Tag Confidential Information as defined in the Agreement, and shall be treated in accordance with applicable terms;
8.3.9 the Client shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of Tag while conducting any such audit or inspection; and
8.3.10 this paragraph 8.3 is subject to paragraph 8.4.
8.4 The Client acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that Tag or Client may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3. The Client’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s) and paragraphs 5.2.1 and 8.3 shall be construed accordingly. Notwithstanding this, Tag shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws and Tag’s obligations under the Agreement and the Client accepts that the provisions of this paragraph 8.4 shall satisfy Tag’s obligations in this regard. To the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this 8.4, equivalent restrictions and obligations on the Client to those in paragraphs 8.3.1 to
8.3.10 (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances.
9. Breach Notification
9.1 In respect of any Personal Data Breach involving Personal Data, Tag shall, without undue delay:
9.1.1 notify the Client of the Personal Data Breach; and
9.1.2 provide the Client with details of the Personal Data Breach under Data Protection Laws to enable the Client to make a reasonable determination with respect the Breach.
9.1.3 taking into account the nature of the processing, assist Client (at the Client’s reasonable cost) by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to the data subject request under the Data Protection Laws.
9.1.4 provide the Client with additional and supplementary details of the Personal Data Breach as they become aware of them.
10. Deletion of Personal Data and copies
10.1 Following the end of the provision of the Services (or any part) relating to the Processing of Personal Data Tag shall, at the cost and choice of the Client, dispose of Personal Data in accordance with its obligations under the Agreement unless Data Protection Laws requires the storage and/or retention of such Personal Data.
10.2 Tag shall have no liability (howsoever arising, including in negligence) for any deletion, destruction or retention (if required to do so under Data Protection Laws) of any such Personal Data undertaken in accordance with the Agreement.
APPENDIX 1
DATA PROCESSING DETAILS
Subject-matter of Processing: | The subject matter of the Processing is the Client Personal Data in accordance with the relevant Order Form and under the Agreement. |
Duration of the Processing: | The duration of the Processing is until the earlier of final termination or final expiry of the Agreement, except as otherwise expressly stated in the Agreement; |
Nature and purpose of the Processing: | Processing as reasonably required to provide the Services in accordance with the Agreement, as further initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Client, in each case in a manner consistent with the Agreement and in relation to Content Engine Service, in accordance with the nature and purpose identified in the relevant Order Form. |
Type of Personal Data: | Personal data may include: [Name, Email Address, Job Title, individual images, videos, or voice sample uploaded or generated by the Client] |
Categories of Data Subjects: | [Employees, Client’s Employees, Client’s Talent] |
Special categories of Personal Data: | [Certain voice data or facial image data] data importer will follow the safeguards set forth in Appendix 2, including access restrictions, encryption, logging, and transport security to protect it |
For transfers to (sub-) processors |
|
APPENDIX 2
TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organisational security measures implemented by the data importer
Security
Tag and its group of companies has adopted an Information Security Policy which details the technical and organisational security measures implemented by the data exporters and the data importers and accommodates the requirements of its specific Client engagements. The Information Security Policy is kept under regular review and is updated as required by technological or contractual demands. Below is a summary of the key features of the Information Security Policy as at the date of this Agreement.
1. Information Classification Scheme
An Information Classification Scheme is used to protect physical and logical assets and to ensure a consistent and appropriate method of handling, storing and protecting these assets, according to their level of sensitivity.
2. Physical Access Controls
Access to company premises is controlled and provided on an individual and accountable basis. Measures are implemented to ensure that access is only provided to individuals that have been accessed ID badges or visitor badges. Access to secured areas such as server rooms are restricted to authorised personnel only, and visitors must follow additional procedures in place for gaining access.
3. Logical Access Controls
Access to company IT systems and software applications is provided on an individual and accountable basis. Approved users are issued with unique credentials, which must not be shared with or communicated to any other person. Access rights are regularly reviewed to ensure that only those persons who require access to systems are provided with such access. Access to systems is granted according to the principle of least privilege and need to know.
4. Cryptographic Techniques
Industry standard encryption techniques must be applied to data in accordance with the Information Classification Scheme.
5. Secure Software Development
The company will ensure that applications will be developed in compliance with secure software development frameworks, tested regularly and protected against known vulnerabilities.
6. Removable Media
Write access to USB removable storage devices, removable hard disks and CD & DVD drives is disabled by default.
7. Secure Artificial Intelligence
The company will ensure that Ai technology design and implementation and the acceptable, ethical, legal and secure use of Ai technology is defined, governed and monitored. Ai risks and the expected mitigations to minimise data breaches will be reviewed and implemented.
8. Monitoring
The company will monitor the activity and use of IT systems (including internet and email) and telecommunications systems for the purposes of detecting and responding to security incidents and infringements of its policies.
9. Incident Response
The company maintains a Security Incident Management Plan that ensures a consistent and effective approach to the management of information security incidents. The plan is exercised and test at least once a year.
APPENDIX 3
UK STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of the UK GDPR for the transfer of personal data to processors established in Third Countries which do not have an Adequacy Finding.
For the purposes of this Appendix 3, references to the "data exporter" shall mean the Client and "data importer" shall mean Tag (each a "party", together the "parties").
1. Where Standard Contractual Clauses are agreed as required by the Parties for a Restricted Transfer involving any Client Personal Data or Tag-Controlled Personal Data that is subject to the UK Data Protection Law, the EEA SCCs found in Appendix 4 to this DPA
are incorporated, as amended by the Information Commissioner’s Office International Data Transfer Addendum to the EU
Commission Standard Contractual Clauses version B1.0 (the “IDTA”) is hereby incorporated into this Agreement as the Transfer Mechanism for any Restricted Transfers of Client Personal Data from the United Kingdom to a Non-Adequate Recipient, as populated by the Addendum to this Appendix 3.
Addendum to Appendix 3
Part 1: Tables
Table 1: Parties and signatures
Table 1 is populated as follows:
The details of the Exporter and the Importer are populated with the relevant details of the Client and Tag (as appropriate for the transfer) as found in the Services Agreement.
The Key Contact for Tag is the UK Data Protection Officer, contactable at global.privacy@tagworldwide.com. The Key Contact for the Client is populated with the details of the signatory to the Services Agreement.
The signatures to the Services Agreement to which this Agreement attaches constitute the signatures confirming each party agreeing to be bound by the IDTA.
Table 2: Selected SCCs, Modules and Selected Clauses
Table 2 is populated as follows:
The Approved EU SCCs, including the Appendix Information, and with only the following modules, clauses or operational provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.
The modules and operational clauses in table 2 are populated with the relevant details of Annex 3 of this Agreement.
For the purposes of Option 4, personal data received from the importer may be combined with personal data collected by the exporter.
Table 3: Appendix Information
Table 3 is populated as follows:
The list of parties is populated with the details of the parties found in the Agreement.
A description of the transfer is populated with the details of the Schedule and of Appendix 1 of this Agreement.
The technical and organisational measures is populated with the details of Appendix 2 of this Agreement.
The list of Sub-Processors is populated with the details of Appendix 1 of this Agreement.
Table 4: Ending this Addendum when the Approved Addendum Changes
Neither party may end this Addendum is set out in Section 19 of the IDTA.
APPENDIX 4
INCORPORATION OF EU STANDARD CONTRACTUAL CLAUSES
1. Where the EEA SCCs are agreed as required by the parties for a Restricted Transfer, EEA SCCs are hereby deemed accepted by
the parties and incorporated and read as follows:
EEA SCC clause reference | Interpretation – Controller – Processor Module | Interpretation – Processor – Controller Module |
Clause 7 – optional docking clause | Clause is not included | Clause is not included |
Clause 9 – use of sub-processors | OPTION 2: GENERAL WRITTENAUTHORISATION is chosen. | N/A |
Clause 11 - redress | The optional paragraph within clause 11(a) is removed. | The optional paragraph within clause 11(a) is removed. |
Clause 17 – governing law | The governing law of the applicable EU\UK Country, referenced in the contract, shall be included into Clause 17 where a Member State is required to be specified | The governing law of the applicable EU/UK Country, referenced in the contract, shall be included into Clause 17 where a Member State is required to be specified. |
18 – choice of forum and jurisdiction | As applicable - England for UK jurisdiction \ Ireland for EU jurisdiction shall be included into Clause 18 where a Member State is required to be specified | England for UK jurisdiction \ Ireland for EU jurisdictions shall be included into Clause 18 where a Member State is required to be specified |
Part A, Annex I – list of parties | For transfers from the Client to Tag, the Client identified as the data exporter and for transfers from Tag to the Client, Tag identified as the data exporter; and For transfers from the Client to Tag, Tag identified as the data importer and for transfers from Tag to the Client, the Client identified as the data importer. | For transfers from the Client to Tag, the Client identified as the data exporter and for transfers from Tag to the Client, Tag identified as the data exporter; and For transfers from the Client to Tag, Tag identified as the data importer and for transfers from Tag to the Client, the Client identified as the data importer. |
Part B, Annex I – description of transfer | Populated with the relevant details of Appendix 1 of this Agreement. | Populated with the relevant details of Appendix 1 of this Agreement |
Part C, Annex I – competent supervisory authority | For the EU, the Irish Data Protection Commission and for the UK, the Information Commissioner Office shall be included where a competent supervisory authority is required to be specified | N/A |
Annex II – technical and organisational measures | As set out in clause 6.2.1 of this Agreement | N/A |
Annex III – list of sub-processors | Populated with the details of Annex 2 of this Agreement | N/A |
2. Where the Swiss Federal Act on Data Protection of June 19, 1992, as amended or replaced (“Swiss FADP”) applies, the EEA SCCs above will apply as follows:
(a) the Swiss Data Protection and Information Commissioner is the exclusive supervisory authority.
(b) the term “member state” must not be interpreted in such a way as to exclude data subjects of Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EEA SCCs; and
(c) references to the GDPR in the EEA SCCs shall also include the reference to the equivalent provisions of the Swiss FADP.