Standard Contractual Clause Selections and Addendum
Last Updated September 27, 2023
The following selections and addendum shall supplement and/or amend the SCCs incorporated into the Independent Controller Data Processing Addendum (Sovrn as Data Importer).
SCC Section Reference Concept Selection of the Parties
| Section Governing law IV, Clause 17 | The laws of the Republic of Ireland. | ||
| Section IV, Clause 18 (b) | Choice of forum and jurisdiction | The courts of the Republic of Ireland. | |
| Annex I.A | List of Parties – Data exporter(s) | Name: | Customer |
| Address: | As set forth in the Agreement | ||
| Contact: | As set forth in the Agreement | ||
| Activities relevant to the data transferred under these Clauses: | Receipt of the Services from Sovrn under the Agreement. | ||
| Signature and Date: | The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA. | ||
| Role (controller/processor): | controller | ||
| Annex I.A | List of Parties – Data importer(s) | Name: | Sovrn |
| Address: | 5541 Central Ave, Suite 100 Boulder, CO 80301 USA | ||
| Contact: | Dpo[at]sovrn.com | ||
| Activities relevant to the data transferred under these Clauses: | The provision of the Services to Customer under the Agreement. | ||
| Signature and Date: | The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA. | ||
| Role (controller/processor): | controller | ||
| Annex I.B | Description of the Transfer | Categories of data subjects whose personal data is transferred | End users of Customer’s digital properties. |
| Categories of personal data transferred | Categories of Personal Data transferred will depend upon the Services selected by the Customer and may include: (i) Cookies (session, persistent, LSO, other) or other online unique IDs; (ii) Interest activity, behavioral targeting, or other profiling data (including inferences); (iii) IP address; (iv) hashed email; and (v) User agent string/OS/chipset/screen. | ||
| Sensitive data transferred (if applicable) and applied restrictions or safeguards | N/A | ||
Section
Reference
| The frequency of the transfer | Continuous basis for the term of the Agreement. |
| Nature of the processing | As set forth in the Agreement. |
| Purpose(s) of the data transfer and further processing | To allow Sovrn to provide the Services under the Agreement. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Data is retained only for as long as needed to fulfill obligations defined in the Agreement, or as long as needed to support a business purpose. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | As above. |
| Annex I.C Competent Supervisory Authority | Irish Data Protection Commissioner, unless Customer notifies Sovrn of an alternative competent supervisory authority by emailing privacy[at]sovrn.com. |
Annex II Technical and Organisational Measures https://www.sovrn.com/company/security/
ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES
Sovrn and Customer agree that the SCCs shall be modified and/or supplemented as follows:
- Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCs, the Parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The Parties therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the SCCs, including without limitation the following:
- The information required to be provided to Data Subjects under Clause 8.2(a) shall be provided by Customer using the relevant information provided by Sovrn through the DPA and the SCC selections above;
- in the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each Party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other Party;
- Sovrn shall be deemed in compliance with Clause 8.7 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
- the terms of the Agreement governing indemnification and limitation of liability, including Section 12 of the DPA, shall apply to each Party’s liability under Clauses 12(a), 12(c), and 12(d);
- The termination provision(s) of the Agreement shall apply to a termination pursuant to Clause 14(f) or Clause 16; and
- Certification of deletion of Personal Data under Clause 16(d) shall be provided by Sovrn upon written request of Customer.
- Transfers from the United Kingdom. If the SCCs apply to the Transfer of Personal Data originating from the United Kingdom, this Section shall apply to and modify the SCCs to the extent that UK Data Protection Laws apply to Customer’s Processing when making that Transfer. The Parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in the selections above; and (c) Company may end the UK Addendum in accordance with Section 19 thereof.
- Transfers from Switzerland.If the SCCs apply to the Processing of Personal Data originating from Switzerland, the SCCs shall be modified as follows: (a) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c); (b) references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the Swiss FDPA; and (d) the Parties agree that the supervisory authority as indicated in Annex I.C shall be, insofar as the data transfer is governed by the Swiss FDPA, the Swiss Federal Data Protection and Information Commissioner.
