萝莉社

Version 3.2, Effective date: 1st July 2022

Version 2.2, Effective date: 27th September 2021

Version 2.1, Effective date: 1 April 2021

Version: 1.1, Effective date: 9 October 2019

This Addendum, also referred to as the Data Processing Agreement, forms an integral part of the cooperation agreement, Master Terms and Conditions available at /en/terms-conditions/master (鈥�Master Terms and Conditions鈥�) or any other agreement (Master Terms and Conditions or any such other agreement hereinafter referred to also as the 鈥�Agreement鈥�) concluded between Mews' Affiliate as defined in the respective Agreement (鈥�Mews鈥�) and you (鈥�Partner鈥�). This Addendum supplements the terms of the Agreement concluded between Mews and Partner; whereas in case of any conflicting terms between Agreement and this Addendum, this Addendum shall prevail unless the Parties explicitly agree in writing on specific derogations from this Addendum in the Agreement.

For the purposes of this Addendum, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or Master Terms and Conditions.

鈥淎uthorised User鈥� means a person authorised by Partner to have access to Mews Platform and/or Mews Account and to provide instructions to and receive communication from Mews, notwithstanding whether via Mews Platform, Mews Account, via e-mail or otherwise.

鈥淐辞苍迟谤辞濒濒别谤鈥� means a person or entity that determines the purposes and means of the Processing of Personal Data.

鈥淒ata Protection Legislation鈥� means EU Data Protection Laws, UK Data Protection Laws, CCPA and/or any other applicable data privacy legislation of the country of registration of Mews Affiliate as defined in the Agreement.

鈥淒ata Subject鈥� means the identified or identifiable person to whom Personal Data relates.

鈥淓U Data Protection Laws鈥� means the GDPR and the EU e-Privacy Directive (Directive 2002/58/EC)

鈥淕顿笔搁鈥� means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

鈥淧ersonal Data鈥� means any information relating to (i) an identified or identifiable natural person and/or, (ii) an identified or identifiable legal entity (where such information is protected by Data Protection Legislation similarly to data which identifies a living individual); which, for the purpose of this Addendum, shall include personal data of Guests i.e. data contained in the contact forms, contact and identification information, including name, title, email, and address, ID and/or passport numbers, payment details, Guests鈥� preferences, and Partner鈥檚 services details and limited device and location data (city) and any other personal data categories as described in Annex I. Personal Data may include special categories of data, as further described in Annex I.

鈥淧谤辞肠别蝉蝉颈苍驳鈥� means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; for the avoidance of doubts, the processing of other information than Personal Data (e.g. anonymised data) for the purpose of enhancing the Mews services does not fall under the scope of this Addendum.

鈥淧谤辞肠别蝉蝉辞谤鈥� or 鈥沦耻产-辫谤辞肠别蝉蝉辞谤鈥� means a person or entity that Processes Personal Data on behalf of a Controller and/or Processor, as applicable.

鈥淧ersonal Data Breach鈥� means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Mews under this Addendum.

鈥沦别谤惫颈肠别蝉鈥� for the purpose of this Addendum means the services provided by Mews to the Partner pursuant to the Agreement.

鈥淪tandard Contractual Clauses鈥� or 鈥淪CCs鈥� means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.

鈥淪upervisory Authority鈥� means an independent public authority which is established by an EU Member State or other country pursuant to the GDPR or a corresponding law.

鈥淯K Data Protection Laws鈥� means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

鈥淯K GDPR鈥� means the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.

2.1 Processing of Personal Data

Mews and Partner acknowledge that Partner is the Controller or primary Processor with regard to the Processing of Personal Data. Mews shall Process Personal Data as a Processor or Sub-processor (as applicable to Partner鈥檚 use of the Services) on Partner鈥檚 behalf and only to the extent and in such a manner as is necessary for the purposes specified by and in accordance with this Addendum, the Agreement or as otherwise instructed by the Partner from time to time. Where Mews reasonably believes that a Partner instruction is contrary to: (i) applicable law and regulations or (ii) the provisions of the Agreement or the Addendum, Mews will undertake all reasonable endeavors to inform the Partner and is authorized to defer the performance of the relevant instruction until it has been amended by Partner to the extent required by Mews to satisfy it that such instruction is lawful, or is mutually agreed by both Partner and Mews to be lawful.

3.1 Mews鈥� Processing of Personal Data

Mews shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Partner鈥檚 documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Authorised Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Partner (e.g., via email) where such instructions are consistent with the terms of the Agreement. The Partner hereby instructs Mews to inform Data Subjects about the Processing of their Personal Data on behalf of Partner via email and about the possibility to use Mews services to manage Data Subjects鈥� data, bookings and associated services. Mews shall keep a log of the performed Processing operations.

3.2 Technical and Organizational Measures

Mews shall maintain and implement reasonable and appropriate technical and organizational measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration unauthorized disclosure or access, and in relation to the security of Personal Data and the platforms used to provide the Services as described in the Data Protection Legislation. In implementing such measures Mews shall be entitled to take into account the current standard practice in determining what is reasonable, as well as the proportionality of the cost of putting such measures in place when weighed against the potential harm to relevant Data Subjects that the putting into place of those measures is designed to protect against.

3.3 Personnel

Mews shall ensure that its Personnel engaged in the Processing of Personal Data are informed about its obligation and responsibilities hereunder, have received appropriate training, and are informed about the confidential nature of the Personal Data. The 鈥淧ersonnel鈥� means those employees and/or agents, consultants, subcontractors or other third parties: (i) who are engaged by Mews so that it may fulfill its obligations to Partner under the Agreement or Addendum, and (ii) who are subject to confidentiality obligations in substantially the same extent as set out in Agreement and Addendum. Mews shall ensure that Personnel鈥檚 access to Personal Data is limited to those performing Services in accordance with the Agreement, and the Personnel confidentiality obligations shall survive the termination of the Personnel engagement.

3.4 Notifications.

Mews shall notify the Partner as soon as commercially reasonable in writing:

3.4.1 of any communication received from an individual relating to (i) an individual鈥檚 rights to access, modify, correct, delete or block his or her Personal Data; (ii) an individual鈥檚 right to rectify, restrict or erase his or her Personal Data, to data portability, to object to the Processing and not to be subject to automated decision-making; and (iii) any complaint about Partner鈥檚 Processing of Personal Data; to the extent not prohibited by law, of any subpoena or other judicial or administrative order or proceeding seeking access to, or disclosure of Personal Data; and

3.4.2 to the extent not prohibited by law, of any complaint, notice or other communication that relates to

Partner鈥檚 compliance with data protection and privacy law and the Processing of Personal Data. Mews shall provide the Partner with commercially reasonable cooperation and assistance (at Partner鈥檚 expense) in relation to such complaint, notice or communication.

3.5 Personal Data Breach

Upon becoming aware of a Personal Data Breach, Mews shall notify the Partner without undue delay and provide timely information and cooperation as the Partner may reasonably require to fulfil its data breach obligations under Data Protection Legislation. Where it is not possible to provide all details at the same time, the information may be provided in phases, without undue delay. The Partner agrees that Mews鈥� obligation to notify the Personal Data Breach is not and will not be construed as an acknowledgment by Mews of any fault or liability of Mews with respect to such Personal Data Breach. Mews shall take all reasonable measures and actions to remedy or mitigate the effects of any Personal Data Breach. If a Personal Data Breach is caused or materially contributed to by the Partner, Mews will cooperate in the investigation of the Personal Data Breach subject to Partner's obligation to compensate Mews for its expenses and costs.

3.6 Data Returns and Deletion

Upon termination or expiration of the Agreement, Mews shall, prior to the end of the Term, return the Personal Data by enabling the Partner to download it. Following the end of the Term, Mews is not required to retain any Partner麓s data (including Personal Data) and shall delete it from its systems unless its retention is required by applicable law.

3.7 Mews Compliance

Mews shall comply with the Data Protection Legislation applicable to its own operations and provision of the Services under the Agreement and its obligations under this Addendum.

3.8 Data Sharing

By enabling or accepting data sharing within Mews Account with any third party the Partner instructs Mews pursuant to Art. 28 (3)a) GDPR to provide access to all Personal Data and any other data processed within Partner鈥檚 Mews Account to such third party. The Partner is responsible for obtaining all necessary consents of the Data Subjects or any other third parties with the data sharing as required by the applicable Data Protection Legislation. The Partner will fully indemnify, defend and hold harmless Mews and its Affiliates from and against any claims brought Data Subject or any third party, arising out of the violation of this clause, including for all liabilities, damages, losses, cost and expenses.

3.9 Integrations

Mews Platform offers several integrations. By connecting or subscribing to the respective integration via Mews Account the Partner instructs Mews pursuant to Art. 28 (3)a) GDPR to provide access to Personal Data processed within Partner鈥檚 Mews Account to the respective integration partner as required for the interoperation of the integration partner services or product with Mews Services.

3.10 Audit

Partner shall have the right to conduct an audit to verify Mews' compliance with its obligations laid down in Art. 28 GDPR and in this Addendum. Mews shall allow the Partner to carry out the audit under the following conditions:

• Partner asks Mews to carry out the audit via a written notice at least 30 (thirty) days in advance;
• Partner will specify the agenda for such audit in the notification under (i);
• the audit shall not take place more than once a year;
• all associated costs and expenses shall be borne by the Partner and reimbursed to Mews on demand; and
• the audit shall last no longer than the equivalent of 1 working day (8 hours) of the Mews representative.

In case Partner requests the audit via third independent party 鈥� external licensed auditor, Mews may object to an external licensed auditor appointed by Partner to conduct the audit if the auditor is, in Mews鈥� reasonable opinion, not suitably qualified or independent, a competitor of Mews, or otherwise manifestly unsuitable. Any such objection will require Partner to appoint another auditor. In case Partner requires more than one audit within one calendar year, Partner shall obtain prior written permission of Mews and shall bear the cost associated with such audits and reimburse Mews all reasonably incurred costs of such audits. At the request of Partner, Mews will provide Partner with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Partner.

4.1 Partner鈥檚 Processing of Personal Data

Partner shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Legislation. For the avoidance of doubt, Partner warrants that its instructions for the Processing of Personal Data shall comply with Data Protection Legislation and that it shall not make any instruction or order which directs Mews to take any action or course of action which is unlawful or otherwise not in compliance with Data Protection Legislation. Partner shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Partner acquired Personal Data.

4.2 Partner鈥檚 Compliance

In addition to Partner鈥檚 obligations stated in the Agreement, Partner is responsible for (i) integrity, security, maintenance and appropriate protection of Personal Data, and (ii) ensuring its compliance with any applicable privacy, data protection and security law and regulation relative to: (a) its Processing of the Personal Data; (b) its use of the Services; and (c) any and all data Processing registration or notification requirements to which Partner is subject under the applicable law.

4.3 Notifications

Partner agrees to make any required notifications to, and obtain required consents and rights from, individuals in relation to Mews鈥� provision of any Services to Partner. Where Mews notifies Partner of a communication described in Sub-section 3.4.1, 3.4.2 or 3.5, it is Partner鈥檚 responsibility to respond to and take all other appropriate action with regard to the communication. Partner agrees to immediately notify Mews of any unauthorized use of the Services or Partner鈥檚 account or of any other breach of security involving the Services.

4.4 Technical and organizational measures

Partner is solely responsible for implementing and maintaining security measures and other technical and organizational measures appropriate to the nature and volume of Personal Data that Partner stores or otherwise Processes using the Services. Partner is also responsible for the use of the Services by any of its employees, any person Partner authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Partner.

4.5 Data sharing with other Partners

Within Mews Platform, the Partner may set up the Mews Account(s) as part of a data sharing cluster with other account(s) (鈥�Cluster鈥�) which in effect means that the Partner and the Controller(s) of these other account(s) share with each other and jointly process the Personal Data of their Customers (existing and future Customers including the Customers imported into the Mews Account(s)). The Partner is solely responsible for ensuring that the processing of Personal Data in the Cluster is compliant with all applicable Data Protection Legislation and that Partner has appropriate agreements in place to cover the data sharing.

The Partner acknowledges that the set up of its Mews Account(s) as a part of a Cluster is non-reversible. By setting its Mews Account(s) as part of a Cluster the Partner instructs Mews as a Processor to process the Personal Data within such Cluster. Shall the Partner wish to withdraw from the Cluster, this is only possible by creating a new Mews Account. As the set up in a Cluster is non-reversible, the Partner continues jointly processing Personal Data in its old Mews Account(s) unless such Personal Data is deleted from the Cluster (such deletion is subject to due cooperation provided by other Partners within the Cluster and costs to be reimbursed to Mews upon demand).

5.1 Partner and Mews cooperation

To the extent required by Data Protection Legislation, Mews will provide reasonable cooperation regarding the Mews Services to enable the Partner to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation. Partner must cooperate with Mews鈥� reasonable investigation of the Service outages, security problems, and any suspected Personal Data Breach. Partner shall provide reasonable assistance to Mews in the cooperation or prior consultation of the Supervisory Authority regarding the tasks outlined to this Section, to the extent required by Data Protection Legislation.

5.2 Mews鈥� Assistance with Partner鈥檚 Compliance Requirements

During the term of Partner鈥檚 Agreement with Mews, Partner may request that Mews assists Partner鈥檚 efforts to comply with Partner鈥檚 obligations under an applicable data protection or privacy law and regulations provided (i) such requested assistance is relevant to Services that support the Processing of Personal Data, (ii) such requested assistance is commercially reasonable and proportionate to the objective of the exercise with which Mews is requested to assist, and (iii) if Mews agrees to so assist, that all of its associated costs and expenses (including the cost of its staff鈥檚 time) shall be borne by the Partner and reimbursed to Mews on demand.

6.1 The Partner provides a general authorization for Mews to engage Sub-processors to Process Personal Data on Partner's behalf. The Partner approves the following as Sub-processors: (i) those listed in Annex III hereof, (ii) Mews鈥� Affiliates, and (iii) any Sub-processor authorized by the Partner through an Authorized User by enabling an integration with the Mews Services via the MEWS Account or otherwise. Mews may during the term of the agreement involve new Sub-processors in Processing, provided that such Sub-processors only access and use Personal Data to the extent required to perform obligations subcontracted to it.

6.2 Objection Right for New Sub-processors

Mews agrees to notify the Partner in advance before engaging any new Sub-processor. The Partner may object to Mews鈥檚 use of a new Sub-processor by notifying Mews promptly in writing within ten (10) business days after receipt of Mews鈥� notice and specifying the deficiencies. In the event Partner objects to a new Sub-processor, Mews will effort to add additional safeguards (covering the specified deficiencies) or change the Sub-processor (vis a vis the Sub-processor); should Mews be unable to do so, Mews will use reasonable efforts to make available to Partner a change in the Services or recommend a commercially reasonable change to Partner鈥檚 configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Partner. If Mews is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Partner may terminate only those part of Services which cannot be provided by Mews without the use of the objected-to new Sub-processor by providing written notice to Mews. Mews will refund Partner any prepaid fees covering the remainder of the term of Agreement following the effective date of termination with respect to such terminated part of Services, which shall represent the sole and exclusive remedy of the Partner in connection with introduction of new Sub-processor. If Mews does not receive any objection within the specified period, the Partner will be deemed to have consented to the new sub-processor and waived their right to object.

6.3 Liability

Mews shall be liable for the acts and omissions of its Sub-processors to the same extent Mews would be liable if performing the services of each Sub-processor directly under the terms of this Addendum except as otherwise set forth in the Agreement.

7.1 Data Transfer

The Parties agree that Personal Data may be transferred from the European Union/European Economic Area to a third country, only if one of the following conditions applies: (a) there is an applicable decision of the European Commission that states that the third country ensures an adequate level of protection; or (b) the transfer may take place because Mews has provided appropriate safeguards according to the Art. 46 of the GDPR, and on condition that enforceable data subject rights and effective legal remedies for Data Subjects are available; or (c) the derogations for specific situation under the Art. 49 of the GDPR apply.

7.2 Standard contractual clauses

For the purpose of Art. 7.1 (b) of this Addendum, the Parties agree that Standard Contractual Clauses are considered as appropriate safeguards. To enable data transfer from/to third countries to/from European Union/European Economic Area, the Standard Contractual Clauses are hereby incorporated by reference into this Addendum and form an integral part of this Addendum as follows:

7.2.1 For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):

(i) Where Partner is Controller Module Two (Controller to Processor) of the SCCs will apply, where Partner is Processor Module Three (Processor to Sub-Processor) of the SCCs will apply;

(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 6 (Sub-Processing) of this Addendum;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;

(v) in Clause 18(b), disputes shall be resolved before the courts of The Netherlands;

(vi) Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this Addendum; Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this Addendum;

Annex IV 鈥� UK Addendum to the SCCs.

7.2.3 The transfer of Personal Data that is subject to the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (鈥淪wiss FADP鈥�) shall be governed by Annex V 鈥� Swiss Addendum to the SCCs.

8.1 Partner agrees that any Authorised User of Partner may be contacted and shall be entitled to receive any communication in relation to this Addendum.

9.1 Mews acknowledges that it acts as a Service Provider in respect of any Partner Personal Information processed by it hereunder.

9.2 Unless prescribed by applicable law or expressly agreed between the Parties, Mews shall not:

• sell Partner Personal Information;
• retain, use, or disclose Partner Personal Information for any purpose other than the specific purpose of performing the Services in accordance with the Agreement;
• retain, use, or disclose Partner Personal Information for a commercial purpose other than specified in the Agreement; or
• retain, use, or disclose the Partner Personal Information outside of the direct business relationship between Mews and Partner.

9.3 Mews certifies that it understands and will comply with the responsibilities and restrictions imposed by this Addendum, the CCPA and other applicable data protection laws and regulations.

9.4 In this Clause 9:

9.4.1 鈥淐CPA鈥� means the California Consumer Privacy Act, California Civil Code 搂搂1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this Addendum; and

9.4.2 鈥淧artner Personal Information鈥� means any Partner data that comprises 鈥減ersonal information鈥� as defined in the CCPA;

9.4.3 鈥淪ervice Provider鈥� has the meaning set forth in Section 1798.140(v) of the CCPA.

10.1 This Clause 10 applies only if the contracting Party to the Agreement is Mews with its registered seat in the United States of America.

10.2 COPPA

Protecting the privacy of children is especially important. The Children鈥檚 Online Privacy and Protection Act (鈥淐OPPA鈥�) requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children in the United States of America who are under 13. Mews respects the role of parents or guardians in the monitoring of their children鈥檚 online activities. Accordingly, Mews limits its collection of personal information from children to no more than is reasonably necessary to participate in the Services and to improve it going forward. Mews does not collect any Personal Data from children other than as set out in the Agreement. Mews reserves the right to refuse to Process data supplied by Partner that is in violation of this Clause 10.2.

10.3 Third Party Use of Partner data

Unless otherwise agreed all data provided to Mews by Partner is Confidential Information and Mews will not use any data for any other purposes than to exercise its rights and perform its obligations in connection with conducting of the Services. Partner acknowledges that in order to properly carry out the Services, information given to Mews by Partner will be made available to third parties in order to enable the performance of the Services. Partner acknowledges that such third parties are not representatives of Mews and Mews is not responsible for the acts and omissions of those third parties. Mews requires third parties to which any Partner Personal Data is made available to apply the same level of privacy protection as set forth in this Addendum and as required by applicable laws. The manner in which any Partner data may be used is covered by the Mews Privacy Policy, found at .

11.1 Third Party Beneficiaries

Data Subjects are the sole third party beneficiaries to the SCCs, and there are no other third party beneficiaries to the Agreement and this Addendum. Notwithstanding the foregoing, the Agreement and the terms of this Addendum apply only to the parties and do not confer any rights to any Partner鈥檚 affiliate, Partner鈥檚 end user or any third-party Data Subjects.

11.2 Governing Law

Nothing in this Addendum amends the Applicable Law section of the Agreement, which shall, for the avoidance of doubt, govern all claims brought under the Agreement and this Addendum.

11.3 Limitation of Liability

To the maximum extent permitted by law, the aggregate liability of Mews and its Affiliates arising out of or in connection with this Addendum (including the Standard Contractual Clauses, Swiss Addendum, and UK Addendum), whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth in the Agreement. For the avoidance of doubt, nothing in this Addendum is intended to limit the rights a Data Subject may have against either Party arising from that Party's breach of the Standard Contractual Clauses, where applicable.

11.4 Term

Following the termination of the Agreement, this Addendum will continue to be in effect until Mews ceases to process Personal Data on behalf of the Partner.

11.5 Termination

Mews may terminate this Addendum if Mews offers alternative mechanisms to Partner that comply with the obligations of the applicable data privacy laws.

11.6 Counterparts

List of Parties

• Data exporter
  The data exporter is Partner
• Data importer
  The data importer is Mews

Description of Transfer

• Categories of data data subjects
  The personal data transferred may concern individuals about whom personal data is transmitted or stored by data exporter via the Mews hosted system and/or services, which typically include individuals (Guests or prospects) using Partner鈥檚 services. In the case Partner utilizes Mews Events, the personal data transferred may concern individuals making reservations for events and event attendees. In the case Partner utilizes the learning management system, the personal data transferred may concern the Partner鈥檚 employees or other individuals working with or cooperating with the Partner. In case Partner utilizes the Mews Revenue Management Product (鈥淩MS Services鈥�), the personal data transferred may also concern individuals having accounts with the RMS Services (typically Partner鈥檚 personnel).
• Categories of data
  The personal data transferred concerns the following categories of data: Guests鈥� data contained in the contact forms and any other personal data contained in the contact or booking forms, contact and identification information, including name, title, email, and address, ID and/or passport numbers, Guest selfie and a copy of their ID/passport (only if enabled by the Partner), payment details, Guests鈥� preferences, and Partner鈥檚 services details and limited device and location data (city) in electronic form that is transferred to data importer in the context of Mews鈥� Services (provided by the relevant sub-processor/importer), any other data the Partner enables to be collected from the Guest through the Services. In the case Partner utilizes the Mews Events product, the personal data transferred may include the contact and identification details of individuals making reservations for events and attending events, payment details, attendee preferences and Partner鈥檚 services details and limited device and location data (city) in electronic form that is transferred to data importer in the context of Mews鈥� Services (provided by the relevant sub-processor/importer). In the case Partner utilizes the learning management system, the personal data transferred may include the contact and identification details of the Partner鈥檚 employees or other individuals working with or cooperating with the Partner, as well as reports related to their training and limited device and location data (city) in electronic form that is transferred to data importer in the context of Mews鈥� Services (provided by the relevant sub-processor/importer). In case Partner utilizes the RMS Services, the personal data transferred may include name, surname, email address, position and IP address of individuals having accounts with the RMS Services (typically Partner鈥檚 personnel).
• Sensitive data
  Sensitive data such as disability and dietary requirements, guest selfie and a copy of their ID/passport (only if enabled by the Partner) may be transferred if data subjects decide to share information of such nature, or this information is submitted by Authorized Users Technical and Organisational measures as per Annex II apply.
• Processing operations
  The personal data transferred will be subject to the following basic processing activities: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Partner must use reasonable security precautions in connection with its use of the services, including appropriately encrypting any personal data stored on or transmitted by the hosted system.
• Frequency of transfer
  Continuous
• Nature and subject matter of processing
  
  • storage (hosting) and other processing necessary to provide, maintain and improve the Services provided to Partner under the Agreement,
  • customer support provided to the Partner on a case by case basis,
  • disclosures in accordance with the Agreement, as compelled by law, and
  • collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Duration of Processing
  Term
• Purpose(s) of the data transfer and further processing
  
  • (i) Processing to provide, maintain, support and improve Services provided to Partner in accordance with the Agreement;
  • (ii) Processing initiated by Users in their use of the Services; and
  • (iii) Processing to comply with other documented reasonable instructions provided by Partner (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this Addendum).
  • (iv) Processing to enable the Partner to manage learning and training activities in the learning management system.

Competent supervisory authority

With respect to EU Data the competent supervisory authority is the Dutch Data Protection Authority (the "Dutch DPA").

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. Data importer shall implement security measures equivalent to those required under the Agreement, the Addendum and any ancillary documents entered into pursuant to the Agreement. The implemented security measures are available here:

The list of approved sub-processors of Mews is available at

Date of this Addendum

• This UK Addendum is effective from: The same date as the Agreement.

Background

Interpretation of this UK Addendum

• Where this UK Addendum uses terms that are defined in the SCCs those terms shall have the same meaning as in the SCCs.
• This UK Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 (2) (d) UK GDPR.
• If the provisions included in this UK Addendum amend the SCCs in any way which is not permitted under the SCCs or the template addendum issued by the Information Commissioner (hereinafter 鈥淎pproved UK Addendum鈥�), such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the SCCs will take their place.
• If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws applies.
• If the meaning of this UK Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
• Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this UK Addendum has been entered into.

Hierarchy

• Although Clause 5 of the SCCs sets out that the SCCs prevail over all related agreements between the parties, the parties agree that, for transfer of UK Data, the hierarchy in this clause prevails. Where there is any inconsistency or conflict between Approved UK Addendum and the SCCs as incorporated herein, the Approved UK Addendum overrides the SCCs as incorporated herein, except where (and in so far as) the inconsistent or conflicting terms of the SCCs as incorporated herein provides greater protection for data subjects, in which case those terms will override this UK Addendum. Where this UK Addendum incorporates SCCs as incorporated herein which have been entered into to protect transfers subject to the GDPR then the Parties acknowledge that nothing in this UK Addendum impacts those SCCs as incorporated herein.

Incorporation of the SCCs

• This UK Addendum incorporates the SCCs which are amended to the extent necessary so that:
  • Together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter鈥檚 processing when making that transfer; and
  • They provide appropriate safeguards for the transfers in accordance with Articles 46 (2) (d) of the UK GDPR Laws.
  • Where Partner is Controller, Module Two (Controller to Processor) of the SCCs will apply; where Partner is Processor, Module Three (Processor to Sub-Processor) of the SCCs will apply.
  • In Clause 9 of the SCCs, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 6 (Sub-Processing) of this DPA.
  • In Clause 11 of the SCCs, the optional language will not apply.
  • Clause 2 of the SCCs shall apply without the wording: 鈥渁nd, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679鈥�.
  • Clause 6 of the SCCs Description of the transfer(s) is replaced with: 鈥淭he details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B of the Addendum where UK Data Protection Laws apply to the data exporter鈥檚 processing when making that transfer.鈥�
  • Clause 8.7(i) of Module 1 of the SCCs is replaced with: 鈥渋t is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer.鈥�
  • Clause 8.8(i) of Module 2 and 3 of the SCCs is replaced with: 鈥渢he onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer.鈥�
  • Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this Addendum; Annex II of the SCCs with Annex II; and Annex III with Annex III.
  • References to 鈥淩egulation (EU) 2016/679鈥�, 鈥淩egulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)鈥� and 鈥渢hat Regulation鈥� are all replaced by 鈥淯K Data Protection Laws鈥�.
  • References to specific Article(s) of 鈥淩egulation (EU) 2016/679鈥� are replaced with the equivalent Article or Section of UK Data Protection Laws.
  • References to Regulation (EU) 2018/1725 are removed.
  • References to the 鈥淓uropean Union鈥�, 鈥淯nion鈥�, 鈥淓U鈥�, 鈥淓U Member State鈥�, 鈥淢ember State鈥� and 鈥淓U or Member State鈥� are all replaced with the 鈥淯K鈥�.
  • The reference to 鈥淐lause 12(c)(i)鈥� at Clause 10(b)(i) of Module one of the SCCs, is replaced with 鈥淐lause 11(c)(i) of the SCCs鈥�.
  • Clause 13(a) of the SCCs and Part C of Annex II of the SCCs are not used.
  • The 鈥渃ompetent supervisory authority鈥� and 鈥渟upervisory authority鈥� are both replaced with the Information Commissioner.
  • Clause 16(e), subsection (i) of the SCCs is replaced with: 鈥渢he Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply.鈥�
  • Clause 17 of the SCCs is replaced to state: 鈥淭hese SCCs are governed by the laws of England and Wales.鈥�
  • Clause 18 of the SCCs is replaced to state: 鈥淎ny dispute arising from these SCCs shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.鈥�
  • The footnotes to the SCCs do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.
• If the Information Commissioner issues a revised version of the Approved UK Addendum this UK Addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified therein unless the parties agree otherwise.

The Parties agree that the transfer of Personal Data from Switzerland to third countries (which have not been determined to provide adequate protection for personal data) that is subject to the Swiss Federal Act on Data Protection 1992, as amended (鈥淪wiss FADP鈥�) shall be governed by the Standard Contractual Clauses, as specified in clause 7.2.1 of this Addendum, with the following modifications:

a) Where the transfer is exclusively subject to Swiss FADP:

• References to GDPR are replaced by references to the Swiss FADP.
• References to the 鈥淓U鈥�, 鈥淓U Member State鈥�, 鈥淓uropean Union鈥� and 鈥淯nion鈥� are replaced with references to Switzerland.
• References to the competent supervisory authority are replaced by references to the Federal Data Protection and Information Commissioner in Switzerland (or its replacement or successor) (鈥淔DPIC鈥�).
• Clause 13 (Supervision): Competent supervisory authority is: FDPIC.
• Clause 17 (Governing law): Swiss law.

b) Where the transfer is subject to both Swiss FADP and GDPR:

• References to GDPR are supplemented by references to the FADP.
• References to the 鈥淓U鈥�, 鈥淓U Member State鈥�, 鈥淓uropean Union鈥� and 鈥淯nion鈥� are supplemented with references to Switzerland.
• References to competent supervisory authority are supplemented with references to FDPIC.
• References to the competent supervisory authority are supplemented by references to the Federal Data Protection and Information Commissioner in Switzerland (or its replacement or successor).

• Clause 13 (Supervision): Competent supervisory authority is:
1. FDPIC, insofar as the transfer is governed by Swiss FADP; and
2. The Dutch Data Protection Authority, insofar as the transfer is governed by GDPR.

• Clause 17 (Governing law): Dutch law.

The term 鈥淢ember State鈥� must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.