Standard Contractual Clause Selections and Addendum

Last Updated March 28, 2022

Effective March 28, 2022

The following selections and addendum shall supplement and/or amend the SCCs incorporated into the Independent Controller Data Processing Addendum.

SCCs Section Reference Concept Selection by the Parties
Section IV, Clause 17 Governing law The laws of the Republic of Ireland.
Section IV, Clause 18 (b) Choice of forum and jurisdiction The courts of the Republic of Ireland.
Annex I.A List of Parties – Data exporter(s) Name: Customer
Address: As set forth in the Agreement
Contact: As set forth in the Agreement
Activities relevant to the data transferred under these Clauses: Receipt of the Services from Sovrn under the Agreement.
Signature and Date: The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA.
Role (controller/processor): controller
Annex I.A List of Parties – Data importer(s) Name: Sovrn
Address: 5541 Central Ave
Boulder, CO 80301 USA
Contact: Dpo[at]sovrn.com
Activities relevant to the data transferred under these Clauses: The provision of the Services to Customer under the Agreement.
Signature and Date: The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA.
Role (controller/processor): controller
Annex I.B Description of the Transfer Categories of data subjects whose personal data is transferred End users of Customer’s digital properties.
Categories of personal data transferred Categories of Personal Data transferred will depend upon the Services selected by the Customer and may include: (i) Cookies (session, persistent, LSO, other) or other unique IDs; (ii) Interest activity, behavioral targeting, or other profiling data; (iii) IP address; (iv) hashed email; and (v) User agent string/OS/chipset/screen.
Sensitive data transferred (if applicable) and applied restrictions or safeguards N/A
The frequency of the transfer Continuous basis for the term of the Agreement.
Nature of the processing As set forth in the Agreement.
Purpose(s) of the data transfer and further processing To allow Sovrn to provide the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period Data is retained only for as long as needed to fulfil obligations defined in the Agreement, or as long as needed to support a business purpose.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing As above.
Annex I.C Competent Supervisory Authority Irish Data Protection Commissioner, unless Customer notifies Sovrn of an alternative competent supervisory authority by emailing privacy[at]sovrn.com.
Annex II Technical and Organisational Measures https://www.sovrn.com/company/security/

ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES

Sovrn and Customer agree that the SCCs shall be modified and/or supplemented as follows:

  1. Transfers from Switzerland. If the SCCs apply to the Processing of Personal Data originating from Switzerland, the SCCs shall be modified as follows:
    1. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c);
    2. the SCCs shall also protect the data of legal entities until the entry into force of the revised FDPA on or about 1 January 2023;
    3. references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the FDPA;
    4. the parties agree that the supervisory authority as indicated in Annex I.C shall be the Swiss Federal Data Protection and Information Commissioner.
  2. Transfers from the United Kingdom. If the SCCs apply to the Transfer of Personal Data originating from the United Kingdom, this Section shall apply to and modify the SCCs to the extent that UK Data Protection Laws apply to Customer’s Processing when making that Transfer. As used in this Section, “Approved Addendum” means the template addendum issued by the Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 of such thereof. The Parties acknowledge and agree that: (a) the information required to be set forth in “Part 1: Tables of the Approved Addendum” shall be completed in accordance with the selections set forth in the table above; and (b) “Part 2: Mandatory Clauses” of the Approved Addendum, as it is revised under Section 18 thereof, is hereby incorporated herein by reference. For purposes of Section 19 of the Approved Addendum, Sovrn may end the Approved Addendum in accordance with Section 19 thereof.
  3. Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCs, the Parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The Parties therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the SCCs, including without limitation the following:
    1. The information required to be provided to Data Subjects under Clause 8.2(a) shall be provided by Customer using the relevant information provided by Sovrn in Annex I.
    2. In the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each Party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other Party.
    3. Sovrn shall be deemed in compliance with Clause 8.7 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    4. The terms of the Agreement governing indemnification and limitation of liability, including Section 11 of the DPA, shall apply to each Party’s liability under Clauses 12(a), 12(c), and 12(d).
    5. The termination provision(s) of the Agreement shall apply to a termination pursuant to Clause 14(f) or Clause 16.
    6. Certification of deletion of Personal Data under Clause 16(d) shall be provided by Sovrn upon written request of Customer.