Data Processing Addendum (Suppliers)
Last Updated: August 20, 2025This Data Processing Addendum (“DPA”) is part of the applicable products or services agreement between the Parties herein (the “Agreement”), referencing this DPA. This DPA is effective on the same date as the Agreement, or as otherwise agreed between the Parties herein. The Parties agree that this DPA shall replace any existing DPA, or other data protection provisions the Parties may have previously entered into in connection with the Services.
1. Definitions
1.1 Affiliate means any company controlling, controlled by, or under common control with a Party, where control means ownership, directly or indirectly, of the shares of a company representing fifty percent (50%) or more of the voting rights in this company.
1.2 Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3 Data Exporter means the party (and any of its Affiliates, Personnel, subsidiaries, and Subprocessors) that transfers Personal Data to the Data Importer, from one geographic region or country to another, for the purposes specified in the Agreement.
1.4 Data Importer means the party (and any of its Affiliates, Personnel and Subprocessors) that will have access to or otherwise process Personal Data, in circumstances where the Personal Data originates from a data subject located in the country at issue and is processed by the Data Importer outside of that country.
1.5 DPA Exhibit (Processing Details) means the document attached to the Agreement or this DPA, and incorporated by reference into this DPA, that sets forth the details of the Processing activities carried out by Supplier on behalf of Redis, including but not limited to: (i) the categories of Personal Data processed; (ii) the categories of Data Subjects to whom the Personal Data relates; (iii) the nature and purpose of the Processing; (iv) the duration of the Processing; (v) the types of Processing operations performed; and (vi) a current list of authorized Subprocessors engaged by Supplier to Process Personal Data.
1.6 Incident means (i) any complaint, inquiry, or request relating to the exercise of a Data Subject’s rights under applicable Privacy Law; (ii) any investigation, inspection, or seizure of Personal Data by a governmental or regulatory authority, or a credible indication that such action is imminent; (iii) any actual or reasonably suspected unauthorized or accidental access to, processing of, deletion of, loss of, or any other form of unlawful processing of Personal Data; (iv) any actual or reasonably suspected breach of security or confidentiality resulting in, or likely to result in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data; or (v) a situation in which the Processor believes that compliance with a specific instruction from the Controller would violate applicable Privacy Law.
1.7 Individual or Data Subject means a natural person the Personal Data relates to.
1.8 Non-Adequate Country means a country not providing an adequate level of Personal Data protection pursuant to applicable Privacy Laws or a decision of a supervisory authority.
1.9 Personal Data means information about an identified or identifiable Individual, also referred to as Personal Information, (or other substantially similar term) pursuant to applicable Privacy Law, which is Processed under the terms of the Agreement.
1.10 Personnel means the employees, agents, consultants, and contractors of Redis, Supplier, and Affiliates.
1.11 Privacy Law means, to the extent applicable: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the Data Protection Act 2018 and EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection (“FADP”); (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102) which may be amended from time to time (“CCPA”);and (vi) any other data protection legislation applicable to the processing of Personal Data under the Agreement, including but not limited to the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and other U.S. state privacy laws.
1.12 Process, Processed or Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.13 Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.14 Standard Contractual Clauses or SCCs or EU SCCs mean the standard contractual clauses for the transfer of personal data to third countries pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are available at this link.
1.15 Subprocessor means any third party (including an Affiliate of the Processor) engaged by or on behalf of the Processor to Process Personal Data on behalf of Controller in connection with the performance of the Services under the Agreement. Subprocessors may include vendors, subcontractors, hosting providers, or other service providers who have logical access to, store, or otherwise Process Personal Data.
2. Data Processing
2.1. This DPA applies when Personal Data is Processed by Supplier for the provision of the Service, as further specified in the Agreement and the applicable Order Form. In this context:
(i) If the GDPR or other Privacy Law apply to Supplier Processing of Personal Data on behalf of Redis under the Agreement, the Supplier acts as the Processor. Redis may act as either the Controller or Processor of Personal Data, as defined under applicable Privacy Law. Where Redis is acting as a Processor on behalf of a third-party Controller, Supplier shall be deemed a Subprocessor.; and
(ii) If the CCPA applies to Supplier Processing of Personal Data on behalf of Redis under the Agreement, (a) Redis is the “Business” and Supplier and applicable Affiliates are the “Service Provider” as those terms are defined under the CCPA; (b) Supplier will Process Personal Data solely on behalf of Redis and for the specific business purposes set forth in the Agreement not retaining, using, disclosing, or otherwise Processing such Personal Data for any other purpose.
2.2 An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in the DPA Exhibit (Processing Details).
2.3 Subject to the provisions of the Agreement, to the extent that the Supplier’s data processing activities are not adequately described in the Agreement, Redis will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Supplier. The Supplier will process the Personal Data only as set forth in Redis' written instructions and no Personal Data will be processed unless explicitly instructed by Redis.
2.4 Supplier shall maintain complete, accurate, and up-to-date written records of all categories of processing activities carried out on behalf of Redis, containing at minimum the information required by applicable Privacy Law. Supplier shall make such records available to Redis upon request and to supervisory authorities when required by applicable Privacy Law.
2.5 The Supplier will only process the Personal Data on documented instructions of Redis to the extent that this is required for the provision of the Services. If the Supplier reasonably believes that a specific processing activity beyond the scope of Redis' instructions is required to comply with a legal obligation to which the Supplier is subject, the Supplier shall inform the Redis of that legal obligation and seek explicit authorization from Redis before undertaking such processing. The Supplier shall never process Personal Data in a manner inconsistent with Redis' documented instructions. The Supplier shall immediately notify Redis if, in its opinion, any instruction infringes Privacy Law. Such notification shall not constitute a general obligation on the part of the Supplier to monitor or interpret the laws applicable to Redis.
2.6 The Supplier will assist Redis in complying with Redis' obligations pursuant to Articles 32 to 36 to the GDPR (or other substantially similar obligations under applicable Privacy Law), in relation to the Processing of Personal Data by the Supplier.
3. Confidentiality
3.1 The Supplier shall treat all Personal Data as confidential and it shall inform all its Personnel and/or Subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Supplier shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. The Supplier is responsible for any breach of confidentiality on the part of its Personnel and/or Subprocessors.
4. Data Subject Rights
4.1 The Supplier shall promptly notify Redis if it receives a request from a Data Subject to exercise their rights under applicable Privacy Law (such as access, rectification, deletion, portability, objection, or restriction of processing). Taking into account the nature of the processing, the Supplier shall assist Redis by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfill Redis' obligations to respond to Data Subject requests. The Supplier shall not respond directly to a Data Subject request unless authorized in writing by Redis or required by applicable Privacy Law.
5. Information Security
5.1 The Supplier shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures include, at a minimum, the security measures described in the Agreement.
5.2 The Supplier shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on Personnel who will have access to the Personal Data, conducting appropriate background checks, requiring Personnel to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing.
5.3 The Supplier shall demonstrate the measures and shall allow Redis to audit and test such measures. Unless otherwise required by a Supervisory Authority, Redis may carry out, or have carried out by a third party, an audit of the Supplier´s premises and operations in connection with the Agreement. The Supplier shall cooperate with such audits carried out by or on behalf of Redis and shall grant Controller´s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Supplier shall provide Redis and/or Controller's auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by Redis to ascertain the Supplier´s compliance with the Agreement. If non-compliance is discovered, the Supplier shall provide a remediation plan within 15 days and implement remediation within 30 days or as agreed between the Parties. Supplier shall bear reasonable costs of remediation verification audits.
5.4 If regulatory authorities require an audit of Supplier's processing of the Personal Data, Supplier shall cooperate fully and promptly inform Redis unless legally prohibited.
5.5 The Supplier’s adherence to either an approved code of conduct or to an approved certification mechanism recognized under Privacy Law may be used as an element by which the Supplier demonstrates compliance with certain requirements set out in this DPA, provided that the requirements contained in the Agreement relating to Security are also addressed by such code of conduct or certification mechanism.
6. Improvements to Security
6.1 The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Supplier will evaluate the measures as implemented in accordance with this DPA on an on-going basis in order to maintain compliance. The Supplier shall conduct regular testing, at least annually, to assess the effectiveness of the technical and organizational measures implemented and shall make improvements based on the results of such testing. The Supplier shall promptly implement improvements to security measures as they become available and shall not reduce the overall level of security provided during the term of the Agreement without Redis' prior written consent. If the Parties cannot reach agreement on such amendment within thirty (30) days, Redis may terminate any affected portion of the Services upon written notice to the other Party.
7. Data Transfers
7.1 The Supplier shall promptly notify Redis of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorization from Redis, which may be refused in its own discretion.
7.2 To the extent Redis or the Supplier rely on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Redis and the Supplier agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer as soon as reasonably possible.
7.3 Unless otherwise described in Attachment 1, hereby incorporated by reference, provisions no less stringent than those of the EU C-to-P Transfer Clauses (defined herein) apply to all transfers of personal data, including but not limited to those pertaining to Data Subjects located in the European Economic Area from the data exporter under this DPA to data importer. "EU C-to-P Transfer Clauses" means the drafting of the standard contractual clauses of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council which is mandatory for all Modules and which otherwise comprises of Module Two (Controller-to-Processor) as approved by the European Commission and as updated from time to time.
7.4 The Supplier agrees not to: (i) rent, lease, sell; or (ii) trade Personal Data for any benefits, such as a reduced fee for services from its vendors; or (iii) provide hashed or pseudonymized Personal Data for any persona matching or related services, absent a signed amendment to this DPA, referencing the Agreement. For clarity, this means that the Supplier may not use any Personal Data under this DPA to further any customer loyalty plan, regardless of whether a Data Subject covered by this DPA has an independent customer relationship with the Supplier. For purposes of the CCPA and other applicable Privacy laws, the Supplier agrees that it will meet any required service provider obligations relating to the sale or sharing of data if such is applicable to the Agreement.
8. Information Obligations and Incident Management
8.1 Upon Redis' request, the Supplier shall provide reasonable assistance to Redis in conducting data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to the Supplier. Such assistance may include providing information about the Supplier's processing operations, assisting in identifying risks to Data Subjects, and providing input on risk mitigation measures.
8.2 If the Supplier becomes aware of an Incident that has a material impact on the Processing of the Personal Data, it shall notify Redis within forty-eight (48) hours, shall at all times cooperate with Redis, follow Redis' instructions with regard to such incidents, in order to enable Redis to perform a thorough investigation into the Incident, to formulate a correct response, and to take suitable further steps in respect of the Incident.
8.3 The Supplier must maintain written incident response procedures. When an Incident occurs that likely requires Redis to issue a data breach notification under Privacy Law, the Supplier must notify Redis within forty-eight (48) hours of discovering the Incident.
8.4 The Supplier shall address any breach or Incident notifications to Redis whose contact details are provided in this DPA. Such notification must contain the following:
(a) a description of the nature of the Incident, including if possible the categories and approximate number of Data Subjects impacted and the categories and approximate number of Personal Data records impacted;
(b) the name and contact details of the Supplier’s data protection officer or another contact if needed;
(c) a description of the likely consequences of the Incident; and
(d) a description of the measures taken or proposed to be taken by the Supplier to address the Incident including measures to mitigate its possible adverse effects.
8.5 The Supplier shall bear all costs associated with remedying an Incident caused by Supplier's failure to comply with this DPA, including but not limited to costs of notification, credit monitoring, and call center support if required by Redis or by law.
9. Subprocessors
9.1 Redis grants the Supplier a general written authorization to engage Subprocessors in accordance with Article 28(2) of the GDPR, subject to the conditions set out in this section.
9.2 The Supplier shall conduct appropriate due diligence on all Subprocessors before engaging them and shall provide Redis with documentation of such due diligence upon request, including security assessments, audit reports, and compliance certifications.
9.3 The Supplier shall not subcontract any of its obligations under this DPA that involve Processing of Personal Data, in whole or in part, to any Subprocessor without providing Redis with no less than thirty (30) days’ prior written notice. This notice must include the identity and location of the proposed Subprocessor and a description of the Processing activities to be subcontracted. The Redis reserves the right to reasonably object to the appointment of any new Subprocessor on legitimate privacy or data protection grounds.
9.4 If Redis objects to a proposed Subprocessor, and the Parties cannot resolve the objection through good-faith negotiations within a reasonable period, Redis may terminate, by written notice, only those portions of the Service that cannot be performed without the proposed Subprocessor. In such case, the Supplier shall provide a pro-rated refund of any pre-paid fees corresponding to the terminated portion of the Service.
9.5 The Supplier shall enter into a written agreement with each approved Subprocessor that imposes obligations substantially equivalent to those imposed on the Supplier under this DPA. If required under applicable Privacy Law, the Supplier shall ensure that each Subprocessor agrees to enter into supplementary terms directly with Redis or take other legally sufficient measures as requested by Redis.
9.6 Supplier shall audit each Subprocessor's compliance with its data protection obligations at least annually and shall provide Redis with a summary of audit findings upon request.
9.7 The Supplier is fully liable and accountable to Redis for the acts, omissions, and Processing operations of any Subprocessor it engages, to the same extent as if such acts or omissions were those of the Supplier itself under this DPA.
9.8 The Supplier shall ensure that all Subprocessors implement and maintain security measures that meet or exceed those required by this DPA. The Supplier shall further ensure that Subprocessors are contractually obligated to comply with applicable Privacy Laws and cooperate in the fulfillment of Data Subject rights, regulatory inquiries, and audit requests to the extent required.
9.9 The Supplier shall maintain an up-to-date list of all Subprocessors engaged in the Processing of Personal Data under the Agreement, and shall update this list promptly upon any changes.
10. Returning or Destruction of Personal Data
10.1 At the direction of Redis, the Supplier shall delete, destroy or return all Personal Data including any copies within thirty (30) days as follows: (a) upon termination of this DPA; (b) upon Redis' written request; or (c) upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required.
10.2 The Supplier shall notify all Subprocessors of the termination of the Agreement and shall ensure that all Subprocessors either destroy the Personal Data or return the Personal Data to Redis, at the direction of Redis within thirty (30) days.
10.3 Upon Redis' request, the Supplier shall provide written certification of the deletion or destruction of Personal Data within fifteen (15) days of completing such action.
10.4 Any return of Personal Data shall be in a machine-readable, industry-standard format that allows Redis to easily access and use the Personal Data.
10.5 The Supplier shall securely delete or destroy all Personal Data using methods that prevent recovery, and shall provide Redis with a detailed description of the methods used upon request.
10.6 If the Supplier is required by applicable Privacy Law to retain any Personal Data beyond the periods specified in this section, Supplier shall notify Redis in writing of such requirement, including details of the specific Personal Data that must be retained and the legal basis for retention. Supplier shall maintain the confidentiality of any such retained Personal Data and shall ensure that it is only processed as necessary for the purpose specified in the applicable Privacy Law requiring its storage.
11. Assistance to Redis
11.1 The Supplier shall implement appropriate technical and organizational measures in order to assist Redis in the fulfilment of Redis' obligation to respond to Data Subject requests under Privacy Law.
11.2 Taking into account the nature of processing and the information available to the Supplier, the Supplier shall assist Redis in ensuring compliance with obligations pursuant to Section 5 (Information Security), as well as other Redis obligations under Privacy Law that are relevant to the Data Processing described in Attachment 1. For clarity this includes notifications to a supervisory authority, or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and assisting and cooperating with Redis in consultations with supervisory authorities.
11.3 The Supplier shall make available to Redis all information necessary to demonstrate compliance with the Supplier’s obligations and allow for and contribute to audits, including inspections, conducted by Redis or another auditor mandated by Redis. The Supplier shall promptly inform Redis if, in its opinion, an instruction infringes Privacy Law.
12. Duration and Termination
12.1 Termination or expiration of this DPA does not discharge the Supplier from its confidentiality obligations, which survives any such termination or expiration.
12.2 The Supplier shall process Personal Data until the date of expiration or termination of the Agreement, unless instructed otherwise by Redis, or until such data is returned or destroyed on instruction of Redis.
13. Contact
13.1 The Redis DPO can be contacted at [email protected].
14. Miscellaneous
14.1 In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA prevail.
14.2 This DPA shall be governed by the same law and subject to the same jurisdiction as the Agreement, except where mandatory provisions of applicable Privacy Laws require otherwise.
14.3 Any amendments to this DPA must be in writing and signed by authorized representatives of both Parties.
14.4 If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions of this DPA, and all provisions not affected by such invalidity shall remain in full force and effect.
Attachment 1 To Redis Data Processing Addendum (Suppliers)
Specific Data Transfer Provisions
1. General
The following provisions apply to all transfers of Personal Data pertaining to Data Subjects located in the European Economic Area under this DPA.
2. SCC Modules
Module 2 applies when Redis is the Controller. If Redis is a Processor and Supplier is a Subprocessor, Module 3 applies.
3. Amendments to the SCC Modules
Module 2 and Module 3 are hereby amended as follows, to the extent allowed by applicable law:
| Section Reference | Concept | Selection by the Parties |
|---|---|---|
| Section 1, Clause 7 | Docking Clause | Any Clause purporting to allow the admission of contracting parties without mutually executed signed writings shall not apply (including but not limited to any optional docking clauses). |
| Section II, Clause 9 | Approval of Subprocessor | The language of Option 2 shall apply, with General Written Authorisation in accordance with a notification period of five (5) days in advance. Any optional language requiring Prior Specific Written Authorisation does apply, except in the case of a mutually executed amendment between Controller and Processor. |
| Section II, Clause 11 | Redress | The Optional language of Clause 11 shall not apply. |
| Section II, Clause 13 | Supervision | All options under Clause 13(a) shall apply. |
| Section II, Clause 15 | Audit Rights | Any audit right described in Module 2 or Module 3 is satisfied by the audit procedures explicitly described in this DPA, except to the extent mandated by Privacy Law. |
| Section IV, Clause 17 | Governing Law | The language of Option 1 in Clause 17 shall apply, except as otherwise described in this Attachment 1. The SCCs will be governed by the law of the Republic of Ireland. |
| Section IV, Clause 18 | Choice of Forum and Jurisdiction | The courts of the EU Member State where the competent supervisory authority is located, according to Clause 13. |
| Annex 1(A) | List of Parties | Data Importer's "Name"; "Address"; "Contact person's name, position and contact details" shall be those details of Redis as defined in this Agreement. |
| Annex 1(B) | Description of Transfer | Outlined in Section 2 of this DPA. |
| Annex 1(C) | Competent Supervisory Authority | (i) The competent supervisory authority shall be drafted as the supervisory authority which is competent to supervise the activities of the Data Exporter or, (ii) where the Data Exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the Data Subjects relevant to the transfer are located. |
4. Processing Details
This Section describes the “Activities relevant to the data transferred under these Clauses" contained in the Modules: (i) The subject matter, nature, categories, and types of Personal Data subject to Processing are described in the Agreement, (ii) The descriptions of scope and transfer, described in the Agreement is the Description of Transfer for the purposes of Annex I.B of the Appendix of the Standard Contractual Clauses, (iii) The duration of the Processing activities are described in the Agreement, (iv) The purpose of the Processing is the provision of the Services to Customer, and (v) The details contained in the Agreement are agreed by the Parties to constitute a description of transfers to applicable Subprocessors.
5. Adequacy Decisions
If the European Commission has previously adopted an adequacy decision with respect to a jurisdiction outside of the European Union, the Parties acknowledge that such decision is a valid transfer mechanism for data transfers to the applicable jurisdiction. If the European Commission adopts a new adequacy decision, determining on the basis of Article 45 GDPR, that a jurisdiction outside of the European Union offers an adequate level of protection, and such decision is published to the European Commission’s website, available at this link, The Parties agree that this decision may be used as a transfer mechanism for the applicable jurisdiction.
Specific Personal Data Transfers
1. Transfer outside Brazil
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Lei Geral de Proteção de Dados Pessoais (Law No. 13,709/2018) (“LGPD”), the the Brazilian Standard Contractual Clauses (“Brazilian SCCs”) apply, is incorporated by reference, and is entered into by executing this DPA.
b. The Parties agree to amend the Brazilian SCCs as follows: (i) For the purpose of Clause 1 (Identification of the Parties) of the Brazilian SCCs, see the details of Annex 1(A) within the table under “Amendments to the Modules” of this Attachment, (ii) For the purpose of Clause 2 (Object) of the Brazilian SCCs, see the details of Annex 1(B) within the table under “Amendments to the Modules” of this Attachment, (iii) For the purpose of Clause 3 (Onward Transfers) of the Brazilian SCCs, the language of Option A shall apply, (iv) For the purpose of Clause 4 (Responsibilities of the Parties) of the Brazilian SCCs, the language of Option A shall apply, and (v) Information required to complete Section 3 (Security Measures) of the Brazilian SCCs shall align with the corresponding Appendices and Annexes of the EU SCC attached to this DPA.
2. Transfer outside India
a. Transfer of Personal Data subject to the Indian Digital Personal Data Protection Act is not permitted to countries specifically blacklisted by the Government of India.
3. Transfer outside Japan
a. For transfers of Personal Data subject to the Japanese Act on the Protection of Personal Information (“APPI”) the Parties agree that the DPA and its Attachment apply as legitimate measures for the transfers.
4. Transfer outside the People’s Republic of China
a. The Processors shall not Transfer any Personal Data outside the People’s Republic of China (“PRC”) nor allow any third parties outside PRC to access Controllers’ Personal Data without the written consent of the Controllers. Where the Controllers consent to the Transfer of Personal Data to and/or by the Processors, the latter shall collaborate and assist the Controllers, in accordance with the applicable PRC’s laws and regulations, by (i) providing the required documentation to obtain the Transfer(s) approvals from the appropriate regulatory authorities and/or (ii) conducting security assessments and/or (iii) filing the applicable standard contractual clauses.
5. Transfer outside Switzerland
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Swiss Federal Act on Data Protection from September 1st, 2023 (“FADP”), the SCCs apply, with the following amendments: (i) the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (ii) the governing law shall be the Swiss law in case the Transfer is exclusively subject to the FADP, as per Clause 17 (Governing law), (iii) the term EU Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland), and, (iv) references to the GDPR shall also include the reference to the equivalent provisions of the FADP (as amended or replaced). The EU SCC’s Annexes are completed as per Section 12.2 (b) to (d).
6. Transfer outside Turkey
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the Law on the Protection of Personal Data from April 7, 2016 (“Turkish Data Protection Law”), the Turkish standard contractual clauses (“Turkish SCCs”) apply, is incorporated by reference, and is entered into by executing this DPA.
b. The Parties agree to amend the Turkish SCCs as follows: (i) For the purpose of Clause 8 (Sub-Processors) of the Turkish SCC, the language of Option 2 applies, (ii) For the purpose of Clause 10 (Redress) of the Turkish SCC, the optional language shall not apply, and (iii) Information required tO complete the Appendix, Annexes I to III of the Turkish SCC can be found in the Appendix of the EU SCC.
7. Transfer outside the UK
a. Where one or both Parties are located in Non-Adequate Countries and are Processing Personal Data subject to the UK GDPR, the EU SCC apply and the UK International Data Transfer Addendum to the EU SCC, entered into force on 21 March 2022 (as amended or supplemented) (“UK Addendum”), is incorporated by reference and is entered into by executing this DPA.
b. The Parties agree to amend the UK Addendum as follows: (i) In the body of the approved EU SCC referenced in Section 2.2 above, to which the UK Addendum is appended to: (a) the Information Commissioner’s Office is the competent Supervisory Authority as per Clause 13.a (Supervision) and Appendix I.C, (b) the laws of the UK as per Clause 17 (Governing law) apply, (c) the courts of the UK as per Clause 18 (Choice of forum and jurisdiction) are selected, (d) references to the GDPR shall be replaced by the UK GDPR and references to specific Section(s) of the GDPR are replaced with the equivalent section(s) of the UK GDPR (if any), and (e) references to the Union, EU and EU Member State are all replaced with the UK, (ii) The EU SCC’s Annexes are completed as per Section 12.2, (iii) In Table 4 of the UK Addendum, “Both Parties may end the UK Addendum as set out in Section 19 of the UK Addendum” is added in the section “Ending this Addendum when the Approved Addendum changes”, and (iv) The Alternative Part 2 Mandatory Clauses of the UK Addendum is selected.