Europe and the United Kingdom

The following terms apply when a Customer and/or GBG is subject to EU GDPR and/or the UK GDPR when transferring Customer Data or Results and the transfer is classed as a Restricted Transfer. These Local Laws are supplementary to the General Terms agreed by the Parties and referenced in the Order Form and shall together with the Product Terms apply to the provision of the Service purchased by the Customer Entity from the GBG Entity. Where there is a conflict between the General Terms and these Local Laws, these Local Laws shall take precedence.

1. DEFINITIONS

1.1 In these Local Laws, the following definitions shall apply in addition to the definitions set out in the General Terms and Product Terms unless the context expressly states otherwise:

"controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" have the meanings given in EU and UK Data Protection Laws;

“Customer” means, as applicable, the Customer or a provider of services to the Customer, such as an intermediary or reseller.

“Customer Data” means any data provided to GBG by the Customer for processing in accordance with the terms of an Agreement, including, where relevant, any personal data.

"EEA" means the Member States of the European Economic Area.

“EU and UK Data Protection Laws” means (i) Regulation (EU) 2016/679 (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national law made under or pursuant to (i) or (ii); (iv) the UK GDPR as it is saved and incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (v) the Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to apply in the UK under section 2 of the European Union (Withdrawal) Act 2018; in each case as may be amended or superseded from time to time.

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss Federal Act on Data Protection (FADP) applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner (“Swiss Restricted Transfer”).

"Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, as may be amended or superseded from time to time.

2. RESTRICTED TRANSFERS

2.1 The Parties agree that when the transfer of Customer Data or Results (as may be applicable in the context) is a Restricted Transfer or Swiss Restricted Transfer then the following Standard Contractual Clauses apply:

2.1.1 Module One (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where the Customer acts as the controller of personal data and GBG acts as a separate independent controller in relation to Customer Data or Results (as may be applicable in the context and more particularly described in the Agreement);

2.1.2 Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where the Customer acts as the controller of personal data and GBG acts as a processor in relation to Customer Data;

2.1.3 Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where the Customer acts as a processor of personal data and GBG acts as a sub-processor in relation to Customer Data.

2.2 If there is any conflict between the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

3. POPULATION OF EU SCCs and UK SCCs

3.1 Where Module One applies in accordance with clause 2.1.1, the following shall apply:

(a) in relation to Customer Data or Results (as may be applicable in the context and more particularly described in the Agreement) that is protected by EU GDPR, the EU SCCs will apply completed as follows:

(i) in Clause 7, the optional docking clause will not apply;
(ii) in Clause 11, the optional language will not apply;
(iii) in Clause 13, all square brackets are removed, and all text therein is retained;
(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vi) Annex I, Part A: with the relevant information set out in the relevant Order Form;
(vii) Annex I, Part B: with the relevant information set out in Schedule 1;
(viii) Annex I, Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
(ix) Annex II: with the relevant information set out in Schedule 2 (Information Security Requirements).

(b) in relation to Customer Data or Results (as may be applicable in the context and more particularly described in the Agreement) that is protected by UK GDPR, the UK SCCs will be completed as follows:

(i) the EU SCCs, completed as set out above at clause 3.1(a) shall apply to transfers of such Customer Data or Results (as may be applicable in the context), and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such Customer Data or Results.
(ii) in addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 3.1(a) (as applicable), in accordance with the relevant Order Form, and table 4 in Part 1 shall be deemed completed by selecting "neither party".

3.2 Where Module Two or Module Three applies in accordance with clause 2.1.2 or 2.1.3, the following terms are applicable:

(a) in relation to Customer Data or Results (as may be applicable in the context and more particularly described in the Agreement) that is protected by EU GDPR, the EU SCCs will apply completed as follows:

(i) in Clause 7, the optional docking clause will not apply;
(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vi) Annex I, Part A: with the relevant information set out in the relevant Order Form;
(vii) Annex I, Part B: with the relevant information set out in Schedule 1, Annex A;
(viii) Annex I, Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
(ix) Annex II: with the provisions of Schedule 2 (Information Security Requirements).

(b) in relation to Customer Data or Results (as may be applicable in the context and more particularly described in the Agreement) that is protected by UK GDPR, the UK SCCs will be completed as follows:

(i) the EU SCCs, completed as set out above at clause 3.2(a) of these Local Laws, shall apply to transfers of such Customer Data, and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such Customer Data or Results.
(ii) in addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 3.2(a), in accordance with the relevant Order Form and Schedule 2 (Information Security Requirements), and table 4 in Part 1 shall be deemed completed by selecting "neither party".

4. SWISS DATA TRANSFERS

4.1 Where the EU SCCs apply to Swiss Restricted Transfers, the following amendments and additional provisions apply:

(a) The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with the EU SCCs;
(b) The EU SCCs also protect the data of legal entities until the entry into force of the revised version of the Swiss Federal Act on Data Protection (“FADP”) of 25 September 2020, which is scheduled to come into force in 2023 (“Revised FADP”); and
(c) The Federal Data Protection and Information Commissioner (“FDPIC”) shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

 

SCHEDULE 1 – DESCRIPTION OF THE TRANSFER

The terms of this Schedule 1 shall apply only to the extent that the Standard Contractual Clauses are incorporated in the Agreement in accordance with clause 2.1 of these Local Laws. If so, this Schedule 1 will apply in addition to the terms of the Agreement. Any definition not provided in this Schedule 1 shall have the same meaning as set out elsewhere in the Agreement.

Description of the Transfer in relation to Customer Data and Results

The following table is only applicable where the Standard Contractual Clauses are incorporated into the Agreement in accordance with clause 2 of these Local Laws. 

The table has two columns, Customer Data and Results. For each row below, the entry for the Customer Data column is given first, followed by the entry for the Results column.

Data Subjects
  Customer Data: The personal data transferred concern the following categories of data subjects: the Customer’s customers or end users, including employees and contractors, and the data subjects.
  Results: The personal data transferred concern the following categories of data subjects: the Customer’s customers or end users, including employees and contractors, and the data subjects.

Purposes of Transfers
  Customer Data: The transfer is made for the following purpose: in accordance with the Customer Use Case and the Agreement.
  Results: The transfer is made for the following purpose: to permit the Customer to use the Supplier Data and/or Results in accordance with their Customer Use Case and the Agreement.

Categories of Data
  Customer Data: Contact Information, Employment Information, Demographics, Financial, Location, Personal Identification, User Account Information.
  Results: Contact Information, Employment Information, Demographics, Financial, Location, Personal Identification, User Account Information.

Sensitive Data
  Customer Data: In relation to IDScan Enterprise and IDScan Core products: Biometric Data.
  Results: In relation to IDScan Enterprise and IDScan Core products: Biometric Data.

Frequency of Transfer
  Customer Data: In accordance with the Agreement.
  Results: In accordance with the Agreement.

Data Retention
  Customer Data: In accordance with the Agreement.
  Results: In accordance with the Agreement.

Data Protection Registration Information of the Customer
  Customer Data: The Customer confirms it is registered with its relevant local data protection authority.
  Results: ICO Wilmslow Registration Number Z7493460.

Contact point for GBG (data importer or data exporter as may be applicable in the context in accordance with the Agreement)
  Customer Data: dpo@gbgplc.com
  Results: dpo@gbgplc.com

Contact point for Customer (data exporter or data importer as may be applicable in the context in accordance with the Agreement)
  Customer Data: The contact as stated on the Order Form.
  Results: The contact as stated on the Order Form.



SCHEDULE 2 – INFORMATION SECURITY REQUIREMENTS

Where applicable, both Parties shall comply with the following Information Security Requirements in addition to any security requirements that are required under applicable data protection law(s):

  • Physical access control

Both Parties shall implement and maintain physical controls to prevent unauthorised access, damage and interference to data processing systems, e.g., magnetic or chip cards, keys, electric door openers, site security or security guards, alarm systems, video surveillance systems.

  • System access control

Both Parties shall ensure that they review and maintain a formally documented access control policy for the authorisation of access rights to their systems, and that there is no unauthorised use of those systems, e.g., (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data storage media.

  • Data access control

Both Parties shall ensure that:

  • they have appropriate restrictions on access to personal data. Access to personal data must be restricted on a need-to-know basis, and access must be revoked when appropriate; and
  • they subject all users to a login process to authenticate their identity before gaining access to any system used by either Party.

  • Segregation control

Both Parties shall ensure that data collected for different purposes is processed separately, e.g., multi-client capability, sandboxing.

  • Pseudonymisation

Where appropriate to do so, both Parties shall adopt pseudonymisation measures. This means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to corresponding technical and organisational measures.

  • Transfer control

Both Parties shall ensure that there is no unauthorised reading, copying, modification or removal of data during electronic transmission or transport, e.g., encryption, Virtual Private Networks (VPN), electronic signatures.

  • Availability control

Both Parties shall put in place protection against accidental or deliberate destruction or loss, e.g., back-up strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and contingency plans.

  • Testing of security measures

Both Parties shall implement processes for regularly testing, assessing and evaluating their security measures.

  • Information Security Management and Policy

Both Parties shall ensure that:

  • the roles and responsibilities for information security management are formally identified and documented;
  • there is a formal, documented approach to risk management;
  • they carry out regular risk assessments;
  • they maintain and review an information security policy and communicate it to their employees, agents and/or contractors; and
  • they maintain and review an effective privacy and security incident plan.