The following terms apply when a Customer and/or GBG is subject to EU GDPR and/or the UK GDPR when transferring Customer Data or Results.

Part 1 of these terms shall apply where the GBG Entity providing the Services is identified as acting in the role of Processor in the Loqate Data Privacy Roles Table that can be found here.

Part 2 of these terms shall only apply where the relevant transfer is classed as a Restricted Transfer (as defined below). These Local Laws are supplementary to the General Terms agreed by the Parties and referenced in the Order Form and shall together with the Product Terms apply to the provision of the Service purchased by the Customer Entity from the GBG Entity. Where there is a conflict between the General Terms, the Product Terms and these Local Laws, these Local Laws shall take precedence.

DEFINITIONS

In these Local Laws, the following definitions shall apply in addition to the definitions set out in the General Terms and Product Terms unless the context expressly states otherwise:

"controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" have the meanings given in EU and UK Data Protection Laws;

“Customer” means as applicable, the Customer or a provider of services to the Customer such as an intermediary or reseller.

“Customer Data” means any data provided to GBG by the Customer for processing in accordance with the terms of an Agreement including where relevant any personal data.

"EEA" means the Member States of the European Economic Area.

“EU and UK Data Protection Laws” means (i) Regulation 2016/679 (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national law made under or pursuant to (i) or (ii); (iv) the UK GDPR as it is saved and incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (v) the Data Protection Act 2018; and (vi) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to apply in the UK under section 2 of the European Union (Withdrawal) Act 2018, in each case as may be amended or superseded from time to time.

"EU GDPR” means Regulation 2016/679 (General Data Protection Regulation)

“EU Restricted Transfer” means a transfer of personal data, to which the EU GDPR applies, from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission

“EU SCCs” means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj

“PECR” means the Privacy and Electronic Communications (EC Directive) Regulations 2003

"Restricted Transfer" means, as the context requires, either an EU Restricted Transfer, a Swiss Restricted Transfer or a UK Restricted Transfer

"Standard Contractual Clauses" or “SCCs” means, as the context requires, the EU SCCs or the UK SCCs

“Swiss Restricted Transfer” means where the Swiss Federal Act on Data Protection (FADP) applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Addendum issued by the UK’s Information Commissioner’s Office in accordance with s119A of the Data Protection Act 2018

“UK GDPR” means the EU GDPR as it is saved and incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”)

“UK Restricted Transfer” means a transfer of personal data, to which the UK GDPR applies, from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018

“UK SCCs” means the EU SCCs as amended by the UK Addendum, adopted pursuant to or permitted under Article 46 of the UK GDPR

PART 1:

1. GBG ENTITY ACTS AS PROCESSOR
   
   1.1 Where GBG is a processor for the Service the terms set out in Part 1 of these Local Laws shall apply. For ease of reference, the Customer is referred to the Loqate Data Privacy Roles Table set out on the Local Laws page at https://gbgplc.com/en/legal-and-regulatory/local-laws for confirmation of the relevant roles in which each party will be acting.
   1.2 Purpose limitation. GBG shall process the Customer Data as a processor as necessary to provide the Service to the Customer and strictly in accordance with the documented instructions of the Customer, except where otherwise required by any Applicable Data Protection Laws, in which case GBG shall inform the Customer of that legal requirement before processing (unless prohibited by that law). GBG shall immediately inform the Customer if it becomes aware that the Customer’s processing instructions infringe Applicable Data Protection Law.
   1.3 Confidentiality of processing. In addition to any other confidentiality obligations contained in the Agreement, the applicable personal data shall be subject to a strict duty of confidentiality.
   1.4 Sub-processing. The Customer consents to GBG engaging third-party sub processors to process the applicable personal data provided that: (i) GBG informs the Customer of any intended changes concerning the addition or replacement of a third-party sub-processor with access to the applicable personal data and give the Customer the opportunity to object to such changes; (ii) GBG imposes data protection terms on any sub processor it appoints that protects the applicable personal data to the same standard provided for by this Agreement; and (iii) GBG remains fully liable for any breach of this Part 1 that is caused by an act, error or omission of its third-party sub processor.
   1.5 Cooperation and data subjects’ rights. Where GBG is a processor it shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the Customer at its own expense to enable to respond to: (i) any request from a data subject to exercise any of its rights under EU and UK Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third-party in connection with the processing of the applicable personal data. In the event that any such request, correspondence, enquiry or complaint is made directly to GBG, GBG shall promptly inform the Customer providing full details of the same.
   1.6 Data Protection Impact Assessment. Where GBG is a processor, upon the Customer’s request, GBG shall provide the Customer with all such reasonable and timely assistance as the Customer may require in order to conduct a data protection impact assessment in accordance with EU and UK Data Protection Laws including, if necessary, to assist the Customer to consult with its relevant data protection authority.
   1.7 Data Breaches. Where GBG is a processor, upon becoming aware of a data breach, GBG shall inform the Customer without undue delay and shall provide all such timely information and cooperation to the Customer as may reasonably be required for the Customer to fulfil its data breach reporting obligations under EU and UK Data Protection Laws. GBG shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Data Breach and shall keep the Customer informed of all developments in connection with the data breach.
   1.8 Deletion or return of the applicable personal data. Upon termination or expiry of this Agreement, GBG shall (at the Customer’s election) destroy or return to the Customer within 30 days, any applicable Customer Data. This requirement shall not apply to the extent that GBG is required by any Applicable Data Protection Laws to retain some or all of the applicable Customer Data, in which event GBG shall isolate and protect the applicable Customer Data from any further processing except to the extent required by such law until deletion is possible.
   1.9 International transfers of Customer Data. The Customer acknowledges that GBG may process Customer Data in a territory outside of the EEA, the United Kingdom, or your local country or region. If GBG’s processing of Customer Data involves an EU or Swiss Restricted Transfer , the parties will be deemed to have entered into the EU SCCs, completed in accordance with Part 2 of these Local Laws. If GBG’s processing of Customer Data involves a UK Restricted Transfer of personal data, the parties will be deemed to have entered into the UK SCCs, completed in accordance with Part 2 of these Local Laws. Where the processing involves an onward transfer of Customer Data to a third country, GBG will take all necessary measures to ensure such onward transfers are in compliance with Applicable Data Protection Law, including but not limited to EU and UK Data Protection Laws.

PART 2: Transfers subject to appropriate safeguards

1. EU RESTRICTED TRANSFERS
   
   1.1 The Parties agree that when the transfer of Customer Data is an EU Restricted Transfer then, unless the parties rely on an alternative transfer mechanism or basis under the EU Data Protection Laws, the following Standard Contractual Clauses apply, populated as relevant in accordance with clauses 2 and 3 of this Part 2:
   
   (a) Module One (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where the Customer acts as the controller of personal data and GBG acts as a separate independent controller in relation to Customer Data;
   (b) Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where the Customer acts as the controller of personal data and GBG acts as a processor;
   (c) Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where the Customer acts as a processor of personal data and GBG acts as a sub-processor.
   1.2 If there is any conflict between the Agreement and the relevant Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

2. POPULATION OF EU SCCs
   
   2.1 Where Module 1 applies in accordance with clause 1.1(a) of this Part 2 the following shall apply:
   
   (a) in relation to an EU Restricted Transfer of Customer Data, the EU SCCs will apply completed as follows
   
   i. In clause 7, the optional docking clause will not apply;
   ii. Clause 9 is deemed inapplicable;
   iii. In clause 11, the optional language will not apply:
   iv. In Clause 13, all square brackets are removed, and all text therein is retained;
   v. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish Law;
   vi. In Clause 18(b) disputes shall be resolved before the courts of Ireland;
   vii. Annex 1, Part A: with the relevant information set out in the relevant Order Form
   viii. Annex 1, Part B with the relevant information set out in Schedule 1 to this Part 2.
   ix. Annex 1, Part C: in accordance with the criteria set out in the Clause 13(a) of the EU SCCs
   x. Annex II with the relevant information set out in Schedule 2 (Information Security Requirements) to this Part 2
   
   2.2 Where Module Two or Three applies in accordance with clauses 1.1(b) and 1.1(c) the following terms are applicable:
   
   (a) in relation to an EU Restricted Transfer of Customer Data, the EU SCCs will apply completed as follows:
   
   i. in Clause 7, the optional docking clause will not apply;
   ii. in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days
   iii. in Clause 11, the optional language will not apply;
   iv. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
   v. in Clause 18(b) disputes shall be resolved before the courts of Ireland;
   vi. Annex I, Part A: with the information set out in the relevant Order Form.
   vii. Annex I, Part B: with the relevant information set out in Schedule 1 to this Part 2;
   viii. Annex I, Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
   ix. Annex II, with the provisions of Schedule 2 (Information Security Requirements) to this Part 2.

3. UK RESTRICTED TRANSFERS
   
   (a) Where Module One of the EU SCCs applies, in relation to a UK Restricted Transfer of Customer Data, the UK SCCs will be completed as follows:
   
   i. the EU SCCs, completed as set out above at clause 2.1(a) shall apply to transfers of such Customer Data, and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such Customer Data.
   ii. in addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 3.1(a) (as applicable), in accordance with the relevant Order Form and Schedule 2 (Information Security Requirements) to this Part 2, and
   iii. table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Importer".
   
   (b) Where Module Two or Three of the EU SCCs apply, in relation to a UK Restricted Transfer of Customer Data, the UK SCCs will be completed as follows:
   
   i. the EU SCCs, completed as set out above at clause 2.2(a) of these Local Laws, shall apply to transfers of such Customer Data, and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such Customer Data or Results.
   ii. in addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 2.2(a), in accordance with the relevant Order Form and Schedule 2 (Information Security Requirements) to this Part 2, and
   iii. table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Importer".

4. SWISS DATA TRANSFERS
   
   4.1 Where there is a Swiss Restricted Transfers, the following amendments and additional provisions apply in addition to the EU SCCs:
   
   (a) The terms “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with the EU SCCs;
   (b) The EU SCCs also protect the data of legal entities until the entry into force of the revised version of the of the Swiss Federal Act on Data Protection (“FADP”) of 25 September 2020, which is scheduled to come into force in 2023 (“Revised FADP”); and
   (c) The Federal Data Protection and Information Commissioner (“FDPIC”) shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

SCHEDULE 1 to PART 2 – DESCRIPTION OF THE TRANSFER

The terms of this Schedule 1 shall apply only to the extent that the Standard Contractual Clauses are incorporated in the Agreement in accordance with clause 1 of Part 2 of these Local Laws. If so, this Schedule 1 will apply in addition to the terms of the Agreement. Any definition not provided in this Schedule 1 shall have the same meaning as set out elsewhere in the Agreement.

Description of the Transfer in relation to Customer Data and Results

The following table is only applicable where the Standard Contractual Clauses are incorporated into the Agreement in accordance with Part 2 of these Local Laws. 

SCHEDULE 2 to PART 2 – Information Security Requirements

The terms of this Schedule 2 shall apply only to the extent that the Standard Contractual Clauses are incorporated in the Agreement in accordance with Part 2 of these Local Laws.  Where applicable, both Parties shall comply with the following Information Security Requirements in addition to any security requirements that are also required under Applicable Data Protection Laws:

• Physical access control

Both Parties shall implement and maintain physical controls to prevent unauthorised access, damage and interference to data processing systems, e.g., magnetic or chip cards, keys, electric door openers, site security or security guards, alarm systems, video surveillance systems.

• System access control

Both Parties shall ensure that it reviews and maintains a formally documented access control policy for authorisation of access rights to its systems. 

• No unauthorised use of the system, e. g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data storage media.
  
  
• Data access control

Both Parties shall ensure that:

• they have appropriate restrictions in relation to access to personal data. Access to the personal data must be restricted to a need-to-know basis, and access must be revoked when appropriate.
• They subject all users to a login process to authenticate their identity to gain access to any system used by either Party.
  
  
• Segregation control

Both parties shall ensure there is separate processing of data collected for different purposes, e.g., multi-client capability, sandboxing.

• Pseudonymisation

 Where appropriate to do so both Parties shall adopt pseudonymisation measures. This means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to corresponding technical and organisational measures

• Transfer control

Both parties shall ensure that there is no unauthorised reading, copying, modifying or removal of data during electronic transmission or transport, e. g: encryption, Virtual Private Networks (VPN), electronic signature

• Availability control

Both Parties shall put in place protection against accidental or deliberate destruction or loss, e. g: back-up strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and contingency plans. 

• Both Parties shall implement processes for regularly testing, assessing, and evaluating security measures
  
  
• Information Security Management and Policy.

Both parties shall ensure that:

• The roles and responsibilities for information security management are formally identified and documented;
• There is a formal documented approach to risk management;
• It carries out regular risk assessments;
• Maintains and reviews an information security policy and communicates that to its employees/agent and/or contractors; and
• It maintains and reviews an effective privacy and security incident plan.