Last Updated: June, 2025
This Data Processing Addendum (“Addendum”) is an addendum and forms part of the main Agreement (the Booking Terms and Conditions and the Privacy Policy) between Machu Travel Peru (“the Company”) and the Client. This Addendum sets out the rights and obligations of the Company and the Client regarding the processing of the Client’s Personal Data. The Client, who has provided their personal data and that of other travelers in their booking, acts as the Data Subject.
1. Definitions
The following definitions, when used in this Addendum, have the meanings ascribed to them below unless the context otherwise requires.
- Main Agreement: The Booking Terms and Conditions and Privacy Policy of Machu Travel Peru, accepted by the Client.
- Personal Data: Any information that relates to an identified or identifiable natural person (“Data Subject”), including, but not limited to, names, contact information, passport data, health data, and data necessary for the provision of the service.
- Parties: Both Machu Travel Peru and the Client.
- Party: Machu Travel Peru or the Client.
- Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means.
- Controller: Machu Travel Peru, which, in accordance with Data Protection Laws, determines the purposes and means of processing the Client’s Personal Data.
- Processor: A third party that processes Personal Data on behalf of and under the instructions of Machu Travel Peru, such as hotels, airlines, local tour operators, etc.
- Sub-Processor: A third party engaged by a Processor to process Personal Data on behalf of Machu Travel Peru.
- Personal Data Breach: A breach of security leading to the destruction, loss, variation, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Data Protection Laws: The Peruvian Personal Data Protection Law (Law No. 29733) and its Regulations, and, to the extent applicable to the Client, the General Data Protection Regulation (EU Regulation 2016/679 or “GDPR”) or others.
2. Duration and Scope
This Addendum enters into force on the date the Client accepts the Main Agreement and will remain in full force and effect until the Client’s Personal Data has been deleted or returned, in accordance with Section 10 below, or until the Client revokes its consent to the processing of its Personal Data, subject to the retention periods required by law. The Company’s processing of the Client’s Personal Data is limited to the extent necessary to provide the contracted tourist services and comply with legal and regulatory obligations.
3. Processing of Personal Data
For the purposes of this Addendum, Machu Travel Peru acts as the Data Controller and the Client as the Data Subject. In certain limited contexts, subprocessors process data to provide complementary services to clients, subject to prior agreement with them. In all contexts, Machu Travel Peru must comply with the requirements set forth in this Agreement.
Machu Travel Peru must:
- Comply with all applicable data protection laws in the processing of the Client’s personal data;
- Not process the Client’s personal data except in accordance with the Master Agreement, unless such processing is required by applicable data protection laws to which the relevant processing activities are subject, in which case Machu Travel Peru must, to the extent permitted by applicable data protection laws, inform the Client of this legal requirement prior to the respective act of processing the Client’s personal data; and
- Immediately inform the Client if, in Machu Travel Peru’s reasonable opinion, a Personal Data Breach occurs.
All necessary information regarding the details of the Processing is detailed in Annex A. Machu Travel Peru has the right to update Annex A by sending it to the Client. The Client will be deemed to have accepted such an update unless it notifies Machu Travel Peru in writing of its non-acceptance within fourteen (14) days of receipt. If the Client issues such a non-acceptance notice, the Parties will cooperate and negotiate in good faith regarding any necessary updates to Annex A.
Machu Travel Peru instructs the Data Processors to process the Client’s Personal Data and, in particular, to transfer the Client’s Personal Data, which is necessary for the fulfillment of the Master Agreement, to the Sub-Processors (subject to the requirements of Applicable Data Protection Laws), only as reasonably necessary for the provision of the Services and in accordance with the Agreement and this Annex.
4. Machu Travel Peru Personnel
Machu Travel Peru guarantees:
- The reliability of any of its employees, agents, or contractors who may have access to the Client’s Personal Data;
- That access to the Client’s Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfill the Master Agreement involving the Client or to comply with Applicable Data Protection Laws; and
- That all such individuals are bound by formal confidentiality agreements, professional confidentiality obligations, and legal confidentiality obligations, which will continue after the termination of the Services.
5. Security of Processing
Machu Travel Peru implements and maintains appropriate technical and organizational security measures to protect the Client’s Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, such as those identified in Appendix I of Annex A. The Client will also assist Machu Travel Peru in ensuring Machu Travel Peru’s compliance with its own obligations related to security measures.
6. Sub-Processing
The Client acknowledges and agrees that the Company may use Data Processors (third-party providers) to process Personal Data on the Company’s behalf. By accepting this Addendum, the Client grants general authorization for the Company to engage third parties as Data Processors for the provision of travel services.
The Company undertakes to:
- Inform the Client of any material changes to the list of Data Processors (e.g., in its Privacy Policy).
- Ensure that such Data Processors offer sufficient and appropriate security and compliance guarantees.
7. Rights of Data Subjects
Machu Travel Peru will facilitate the exercise of the Client’s rights as a Data Subject, including the rights of access, rectification, erasure, and objection (ARCO rights) in accordance with Peruvian Data Protection Laws and the Master Agreement between both parties, as well as other relevant rights under the GDPR. To exercise these rights, the Client may contact Machu Travel Peru through the channels specified in its Master Agreement.
8. Personal Data Breach
Machu Travel Peru will maintain a reasonable and appropriate personal data breach response program.
Response to Breach. If Machu Travel Peru discovers, is notified, or has reason to suspect a Personal Data Breach affecting the Client’s Personal Data under its control or that of any of its contracted Data Processors, Machu Travel Peru will: (i) immediately or as quickly as possible implement measures to prevent unauthorized access; (ii) protect the Client’s Personal Data; and (iii) notify the Client as soon as possible or within twenty-four (24) hours of becoming aware of such suspected Personal Data Breach.
Obligations in the event of non-compliance. Immediately after notifying the Client of a personal data breach, Machu Travel Peru must:
- Describe to the Client in as much detail as possible: (i) the nature of the personal data breach, (ii) where possible, the approximate number of personal data records affected, (iii) the impact of such personal data breach on the Client; (iv) the measures taken or proposed by Machu Travel Peru to address the personal data breach; and (v) the relevant persons who will be available until the parties mutually agree that the personal data breach has been resolved;
- Provide and supplement notifications as information becomes available;
- Assist the Client in complying with its respective obligations under Applicable Data Protection Laws, including obligations to notify Supervisory Authorities or Data Subjects of a Personal Data Breach; and
- In cooperation with the Client, use its best efforts to investigate, mitigate, and remediate each such Personal Data Breach and prevent its recurrence.
9. Deletion or Return of Personal Data
Once the trip is concluded and all legal or contractual record retention obligations have been fulfilled, the Company will securely delete all of the Client’s Personal Data from its systems and those of its Data Processors.
The foregoing Section shall not apply to the extent that applicable law requires Machu Travel Peru or its Data Processors, as appropriate, to retain the Client’s Personal Data. In such cases, the Service Provider or Data Processor, as applicable, will specify the applicable law requiring such retention and the period for which it will retain the Client’s Personal Data. The Service Provider’s obligations under this Addendum will continue throughout the retention period of the Client’s Personal Data.
The first section does not apply to Client Personal Data that has been archived in backup systems, which Machu Travel Peru or its Subprocessors, as applicable, use to securely isolate and protect from any further Processing, except to the extent required by applicable law.
10. Audit Rights
The Company will make available to the Client, upon reasonable, justified, and written request, all information necessary to demonstrate compliance with its obligations under this Addendum and will enable and assist the Client in ensuring transparency in the process.
11. Jurisdiction-Specific Terms
To the extent Machu Travel Peru processes the Client’s Personal Data protected by Peruvian Data Protection Laws and/or Applicable Data Protection Laws in one of the jurisdictions listed in Appendix B, the terms and definitions specified in Appendix B with respect to the applicable jurisdictions will apply in addition to the terms of this Appendix.
Machu Travel Peru may update Appendix B periodically to reflect changes or additions to the Applicable Data Protection Laws to which the relevant Processing operations are subject. Machu Travel Peru shall have the right to update Appendix B periodically by posting an updated version online or by sending it to the Client. The Client will be deemed to have accepted such update unless it notifies Machu Travel Peru in writing of its non-acceptance within fourteen (14) days of receipt. If the Client issues such a notice of non-acceptance, the Parties will cooperate and negotiate in good faith regarding any necessary updates to Annex B.
In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms in this Addendum, those governed by Peruvian Data Protection Laws shall prevail.
12. Restricted Transfers
The Client acknowledges that the provision of travel services may require the transfer of Personal Data outside of Peru. The Company will only transfer Personal Data to countries deemed by the competent authority to have an adequate level of protection, or through the use of standard contractual clauses or similar transfer mechanisms. Restricted transfers of the Client’s personal data within the scope of this Addendum will be carried out in accordance with the applicable terms and requirements set forth in Annex B and applicable data protection laws.
13. Updates to this Addendum
Machu Travel Peru may update this Addendum, Annex A, and Annex B (and their appendices) periodically to reflect necessary changes or additions to the Applicable Data Protection Law. Notwithstanding the foregoing, if a new version of the Standard Contractual Clauses adopted by the competent authorities of the jurisdiction governing the processing of the Client’s Personal Data is subsequently required to enable the Parties to rely on the Standard Contractual Clauses as a legal transfer mechanism for Restricted Transfers, the Parties shall be deemed to have accepted the new version of the Standard Contractual Clauses by accepting this Addendum, and, if necessary, Machu Travel Peru shall have the right to update Addendum A and Addendum B (and their appendices) accordingly.
14. Liability
Machu Travel Peru’s liability under this Addendum is governed by the limitation of liability provisions set forth in the Main Agreement. Each Party’s liability under this Addendum shall be subject to the exclusions and limitations of liability set forth in this Agreement. Under no circumstances does this Addendum restrict or limit the rights of any Data Subject under Applicable Data Protection Law.
15. General Terms
- The Client must provide contact information to receive notifications under this Addendum. Notifications from Machu Travel Peru under this Addendum should be addressed to the contact information provided.
- Prior Agreement. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials, or presentations, and agreements, oral and written, related to the subject matter of this Addendum. This Addendum shall be construed consistently with the Main Agreement. In the event of a conflict between the two, this Addendum shall prevail with respect to the processing of Personal Data.
- All provisions of the Agreement that are not explicitly modified or supplemented by the provisions of this Addendum shall remain in full force and effect, provided that they do not conflict with the mandatory requirements of Applicable Data Protection Law. In the event of a conflict between the Agreement (including its annexes, schedules, and appendices) and this Addendum, the provisions of this Addendum shall prevail, except where the Jurisdiction-Specific Terms apply and prevail.
- If any provision of this Addendum is deemed legally invalid or unenforceable, that provision shall be deemed superseded by a valid and enforceable provision that most closely matches the intent of the original provision, and the remainder of this Addendum shall continue in full force and effect.
- Signature: By accepting the Machu Travel Peru Booking Terms and Conditions, the Client also agrees to the terms of this Data Processing Addendum.
Annexes to the Data Processing Addendum (DPA)
Annex A: Details of Processing
This Annex will detail the categories of Personal Data that the Company will process and the specific purposes for which it will be used, in accordance with Section 3 of the Addendum.
Party:
Machu Travel Peru
Company Number:
Email Address:
Mailing Address:
Urb. Quispicanchis, Av. Brasil A 6 – Cusco 08003
DESCRIPTION OF PROCESSING:
Purpose of Processing:
The purpose of processing the Client’s Personal Data is related to the provision of Services in accordance with the Master Agreement.
Nature and purpose of processing:
The Processing is related to the provision of Services, namely, the delivery of travel services, including (where applicable) accommodation, meals, excursions, transportation, etc., to the client, as further detailed in the Master Agreement. Machu Travel Peru and its Contracted Processors will perform such Personal Data Processing as is necessary to provide those Services in accordance with the Master Agreement.
Subsequent Processing:
Machu Travel Peru will not perform any further Processing of Personal Data beyond the provision of the Services under the Master Agreement.
Retention criteria (duration):
Generally, retention of Personal Data is not required. If it must be retained, the retention period will be limited to that necessary for the provision of the Services contemplated in the Agreement.
Categories of Personal Data:
The Client will submit Personal Data to Machu Travel Peru to perform the Services in accordance with the Agreement, which may include, among others, the following categories of Personal Data:
- Identification: Name, gender, date of birth, nationality, passport/ID information. This information is essential for managing your flight, hotel, and train reservations, and for obtaining your entry tickets to tourist sites such as Machu Picchu. It is also required for accommodation registration and by tourism and immigration authorities, in compliance with Peruvian legal obligations.
- Contact: Address, email, phone number, emergency contact information. We use your email address and phone number to communicate with you. This includes sending booking confirmations, detailed itineraries, real-time updates, and coordinating services during your trip. With your express consent, this data may also be used to send you news and promotions about future trips.
- Sensitive: Medical requirements/health conditions (e.g., allergies), dietary information, only if provided by the Client and with their explicit consent. If you choose to provide them, we process information about allergies, medical conditions, or dietary restrictions. The purpose is to ensure your safety and well-being during the trip by informing guides, hotels, and restaurants about your special needs. The processing of this sensitive data requires your explicit consent.
- Financial: Payment Data. To process your payment, we collect proof of payment. Your financial data is handled through secure payment platforms to ensure the security of your financial transactions.
- Categories of Data Subjects: The Client and travelers included in your reservation.
Additional special categories of Personal Data may be inferred in connection with the provision of the Services, such as the following:
- Race or ethnicity (for example, as shown in passport data).
- Religious or philosophical beliefs, political opinions, trade union membership, and/or sexual orientation, if the nature of the trip reveals such information (such as a group booking from a specific religious organization).
Transfer Frequency:
Each time the Master Agreement is established between both parties.
Purpose, nature, and duration of processing by contracted processors:
Any processing of the Client’s Personal Data by the contracted processors will be carried out only to the extent strictly necessary for the provision of the Services in accordance with the Master Agreement.
Technical and organizational measures of the contracted processors:
When Machu Travel Peru engages a Data Processor under this Annex, Machu Travel Peru and the Data Processor must enter into an agreement with data protection terms substantially similar to those contained in this Annex. Machu Travel Peru must ensure that the agreement with each Data Processor allows it to fulfill its respective obligations.
In addition to implementing technical and organizational measures to protect the Client’s Personal Data, Contracted Processors must:
- Notify Machu Travel Peru in the event of a Personal Data Breach so that Machu Travel Peru can immediately notify the Client;
- Delete the Client’s Personal Data upon request from Machu Travel Peru in accordance with the Client’s instructions;
- Not engage additional Contracted Processors without Machu Travel Peru’s authorization; and
- Not process the Client’s Personal Data in a manner that conflicts with Machu Travel Peru’s instructions.
Appendix I to Annex A: Technical and Organizational Security Measures
This Annex describes the security measures we implement to protect your Personal Data, in accordance with Section 5 of the Addendum. During the term of the Agreement and as long as Machu Travel Peru has access to the Client’s Personal Data, it will implement and maintain technical and organizational security measures to protect such Client’s Personal Data. These include the following:
Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services:
- Storage of Personal Data on servers with regular backups.
- Policies for the classification, identification, and handling of Personal Data.
- All our systems are protected with up-to-date antivirus and antimalware software.
- Payment data is processed through certified payment gateways that comply with industry standards (PCI DSS).
Measures to ensure the physical security of locations where Personal Data is processed:
- Physical access controls to prevent unauthorized access to facilities (door locks, security cameras, etc.).
- Environmental controls in facilities that store Personal Data.
Measures to ensure data minimization:
- An internal review process with relevant stakeholders (including the Data Protection Officer, where applicable) to ensure that Machu Travel Peru only collects the Personal Data it needs.
- Ensure that data minimization is integrated into the system configuration and change management procedure.
- Internal processes to delete Personal Data from its systems as soon as such Personal Data is no longer required under the terms of the Master Agreement.
Measures to ensure accountability:
- Ensure that personnel responsible for processing Personal Data are bound by confidentiality obligations (e.g., through a confidentiality agreement).
- Disciplinary procedures and sanctions when personnel violate security policies, confidentiality agreements, and other policies related to Personal Data.
Appendix II to Annex A: Data Processors (Processors) and Sub-processors
This Annex details the categories of third parties with whom Machu Travel Peru shares your Personal Data for the provision of the contracted services.
- Categories of Data Processors:
In order to organize your trip, it is necessary to share your data with various entities, which act as our Data Processors. These categories include, but are not limited to:
- Accommodation Providers: Your identification data is shared with hotels, hostels, and other accommodations to record your stay.
- Transportation Companies: Your data is shared with airlines, train operators (such as PeruRail and Inca Rail), and ground transportation companies to issue tickets and manage your transportation.
- Local Tour Operators: We share your information with tour guides, drivers, and certain third parties necessary for the fulfillment of the Master Agreement.
- Government Authorities and Official Entities: Your data is shared with the Peruvian Ministry of Culture for the issuance of tickets issued by regulatory entities when legally required.
- Booking and Travel Management Platforms: Your data is entered into booking management software to efficiently organize and coordinate your itinerary.
- Authorization for Subprocessors:
By accepting this agreement, you grant us general authorization to subcontract with Data Processors of the aforementioned categories. We undertake to conduct due diligence to ensure that any third party we use meets appropriate security and privacy standards.
Annex B: Jurisdiction-Specific Terms
Australia
When applicable, the Processing of the Client Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), or any other applicable law, regulation, or decree of Australia pertaining to the protection of such information.
Brazil
When applicable, the Processing of the Client Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 and any corresponding decrees, regulations, or guidance.
Canada
When applicable, the Processing of the Client Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable Canadian privacy or data protection laws.
European Economic Area
Definitions:
- “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
- “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Machu Travel Peru Personal Data.
- “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.
- “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
Restricted Transfers. Concerning any Restricted Transfer subject to EEA Data Protection Laws, one of the following transfer mechanisms shall apply, in the following order of precedence:
- A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR;
- The appropriate Standard Contractual Clauses adopted by the European Commission from time to time; or
- Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.
- Standard Contractual Clauses.
- This Addendum hereby incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
- The Parties agree that any references to clauses, annexures, modules, and choices within the Standard Contractual Clauses shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to this Addendum.
For the purposes of the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:
- The Parties agree to apply the following modules, as applicable:
- Module Two with respect to Controller-to-Processor Restricted Transfers;
- Module Three with respect to Processor-to-Processor Restricted Transfers, and
- Module Four with respect to Processor-to-Controller Restricted Transfers;
- Clause 7: The Parties choose not to include the optional docking clause.
- Clause 9(a): The Parties choose Option 2, “General Written Authorization,” and the time period set forth in Section 6.3 of this Addendum. The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of this Addendum.
- Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
- Clause 13 (Annex I.C): The competent Supervisory Authority is the Irish Data Protection Commission.
- Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.
- Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
- Annex I(A and B): The content of Annex I(A) is set forth in Part A of Exhibit A.
- Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.
- In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.
Peru
Where applicable, the processing of personal data of the Client shall comply with the Peruvian Privacy Principles, the Personal Data Protection Law, Law No. 29733, and its regulations approved by Supreme Decree No. 016-2024-JUS, in which the principles, rights, and obligations related to the processing of personal data are established.
South Africa
When applicable, the Processing of the Client Personal Data (as identified in Exhibit A) shall be compliant with the Protection of Personal Information Act (POPIA). For the sake of clarity, Machu Travel Peru’s obligations to the Client under the DPA are those that POPIA requires that Machu Travel Peru as “Operator” have in place with the Client as the “Responsible Party”, and “Personal Data” means “personal information”.
Machu Travel Peru will further establish and maintain the security measures referred to in section 19 of POPIA and will notify Machu Travel Peru immediately where there are reasonable grounds to believe that the Personal Data of a data subject has been accessed or acquired by any unauthorized person.
Machu Travel Peru shall ensure that no Personal Data of data subjects is transferred outside of the Republic of South Africa unless:
- the data subject provides its prior written consent to the transfer;
- the recipient is subject to a law, code of conduct or contract which provides comparable protection for the Personal Data as the protections contained in this Addendum, including similar provisions relating to the further transfer of the Personal Data;
Switzerland
Definitions:
- “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
- “Swiss Data Protection Laws” includes the Federal Act on Data Protection as amended (“FADP”) and the Ordinance to the Federal Act on Data Protection.
Restricted Transfers. With regard to any Restricted Transfer subject to Swiss Data Protection Laws between the Parties one of the following transfer mechanisms shall apply, in the following order of precedence:
- A valid adequacy decision adopted by the FDPIC on the basis of Article 6 of the FADP;
- The Standard Contractual Clauses adopted by the FDPIC; or
- Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
Standard Contractual Clauses:
- This Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
- The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for Restricted Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 7.3 of these Jurisdiction Specific Terms, subject to the following:
Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief.
Clause 18: The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.
References to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted Transfers subject to Swiss Data Protection Laws.
In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.
United Kingdom
Definitions.
- “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “UK Data Protection Laws” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).
- “UK GDPR” (as used in this Section) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- “UK ICO” (as used in this Section) means the UK Information Commissioner’s Office.
- “UK IDTA” (as used in this Section) means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
- “UK Transfer Addendum” (as used in this Section) means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
Restricted Transfers. With regard to any Restricted Transfer subject to UK Data Protection Laws, one of the following transfer mechanisms shall apply, in the following order of precedence:
- a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR;
- the UK IDTA;
- the Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under UK Data Protection Laws, and the Processing activities of the Data Importer are not subject to the UK GDPR by virtue of application of Article 3(2) of the UK GDPR), as they have been adopted for use by the relevant authorities within the United Kingdom, including the UK ICO, using the UK Transfer Addendum; or
- any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
EU 2021 Standard Contractual Clauses and UK Transfer Addendum.
- The Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses, which have been adopted for use by the UK ICO with certain modifications and the addition of the UK Transfer Addendum. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs where necessary in their entirety (including the annexures thereto).
For the purposes of the tables to the UK Transfer Addendum:
- Table 1: The content of Table 1 is set forth in Part A of Exhibit A.
- Table 2: The content of Table 2 is incorporated and adopted as to Restricted Transfers subject to UK Data Protection Laws in exactly the same manner set forth in Section 7.3 of these Jurisdiction Specific Terms. To the extent Module 4 is applicable, Personal Data received from the Data Importer may be combined with personal data collected by the Data Exporter.
- Table 3: The content of Table 3 (Annexes 1A, 1B, II, and III) is set forth as follows:
- Annex 1: The content of Annex 1 is set forth in Exhibit A.
- Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.
- Table 4: The Parties agree that the Data Exporter may terminate the UK Transfer Addendum.
- The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses as to Restricted Transfers subject to UK Data Protection Laws in exactly the same manner set forth in Section 7.3 of these Jurisdiction Specific Terms, with the following distinctions:
- Clause 13 (Annex I.C): The competent authority shall be UK ICO.
- Clause 17: The EU 2021 Standard Contractual Clauses, including the incorporated UK Transfer Addendum, shall be governed by the laws of England and Wales.
- Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses or the incorporated UK Transfer Addendum shall be resolved by the courts of England and Wales. A Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.
In cases where the EU 2021 Standard Contractual Clauses, in conjunction with the UK Transfer Addendum, apply and there is a conflict between the terms of this Addendum and the terms of the EU 2021 Standard Contractual Clauses, in conjunction with the UK Transfer Addendum, the terms of the EU 2021 Standard Contractual Clauses, in conjunction with the UK Transfer Addendum, shall prevail with regard to the Restricted Transfer in question.
UK IDTA.
This Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.
For the purposes of the tables to the UK IDTA:
- Table 1: The information required by Table 1 appears within Part A of Exhibit A.
- Table 2:
- The UK IDTA shall be governed by the laws of England and Wales.
- The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.
- The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A.
- The UK GDPR may apply to the Data Importer’s Processing of the Personal Data.
- This Addendum and the Agreement set out the instructions for Processing Personal Data.
- The Data Importer shall Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that the Data Exporter may terminate the UK IDTA before the end of such time period with one month’s written notice.
- The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of this Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement.
- Each Party must review this Addendum at regular intervals, to ensure that this Addendum remains accurate and up to date and continues to provide appropriate safeguards to the Personal Data. Each Party will carry out these reviews at least once each year or sooner.
- Table 3: The content of Table 3 is set forth in Part B of Exhibit A.
- Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A.
Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout this Addendum.
In cases where the UK IDTA applies and there is a conflict between the terms of this Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.
United States of America
Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of United States Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.
Definitions.
- “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data, as may be amended from time to time. Such laws include, without limitation:
- the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.), and the California Consumer Privacy Act Regulations, together with all implementing regulations;
- the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations;
- the Connecticut Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015;
- the Oregon Consumer Privacy Act, Senate Bill 619;
- the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq.;
- the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and
- the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.
- “Personal Data Breach” (as used in the Addendum) includes “Breach of Security” and “Breach of the Security of the System” as defined under applicable United States Data Protection Laws.
- The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the same meanings as under applicable United States Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.
Processing of the Client Personal Data.
- The Client discloses the Client Personal Data to Machu Travel Peru solely for: (i) valid Business Purposes; and (ii) to enable Service Provider to perform the Services.
- Machu Travel Peru shall not: (i) Sell or Share the Client Personal Data; (ii) retain, use, or disclose the Client Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by United States Data Protection Laws; (iii) retain, use, or disclose the Client Personal Data except where permitted under the Agreement; or (iv) combine the Client Personal Data with other information that Machu Travel Peru Processes on behalf of other persons or that Machu Travel Peru collects directly from the Data Subject, with the exception of Processing for permitted Business Purposes. Machu Travel Peru certifies that it understands these prohibitions and agrees to comply with them.
- Upon termination of the Agreement, Machu Travel Peru shall, as soon as reasonably practicable, destroy all Personal Data it has Processed on behalf of the Client after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.