Utility3 (OH) Data Processing Addendum

UK / EEA / Switzerland

This Data Processing Addendum ("DPA") supplements and forms part of the Agreement between Customer and Utility3 in relation to the transfer and processing of Covered Data in connection with the Services.


1. Definitions

1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:

"Adequate Jurisdiction" means the UK, a member state of the European Union, Switzerland, or a country, territory, specified sector or international organization which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in:

(a) with respect to personal data relating to data subjects in the European Economic Area, a decision of the European Commission;

(b) with respect to personal data relating to data subjects in the UK, the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the UK Data Protection Act 2018; and

(c) with respect to personal data relating to data subjects in Switzerland, Annex 1 to the Data Protection Ordinance.

"Administration Data" means:

(a) contact details relating to, and the content of correspondence with, Customer's Authorized Users; and

(b) support enquiries submitted by Customer's Authorized Users in relation to the Service.

"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of personal data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR and Swiss Data Protection Laws.

"Authorized Sub-processor" means the Sub-processors listed in Schedule 4, and any other Sub-processors appointed in accordance with paragraph 7.4.

"Controller Purposes" means:

(a) developing (and maintaining and improving) a Digital Character;

(b) training, developing and improving the AI System, including the Model, and any other AI products or services of Utility3 (including, where technically feasible, creating anonymized datasets for such purposes); and

(c) administering Utility3's relationship with Customer under the Agreement.

"Covered Data" means personal data that is:

(a) provided by or on behalf of Customer to Utility3 in connection with the provision of the Service; or

(b) obtained, developed, produced or otherwise processed by Utility3, or its agents or subcontractors, in connection with providing the Service, in each case as further described in Schedule 1.

"Creator Data" means any Creator content, including images, audio and video provided by or on behalf of Customer to Utility3 in connection with the provision of the Services.

"Customer End User" means Customer's customers, who are permitted to use the Services.

"Digital Character" means a fictional digital character.

"Digital Twin" means an AI-powered digital avatar developed to imitate the likeness, voice and communication style of a specific Creator.

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3(10) of the Data Protection Act 2018.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data Utility3 processes as a processor.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 and available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

"Sub-processor" means a processor engaged by another processor to carry out the instructions of the controller.

"Swiss Data Protection Laws" means the Swiss Federal Act on Data Protection of 25 September 2020 ("FADP") and the Swiss Data Protection Ordinance of 31 August 2022 (the "Ordinance"), and any new or revised version of these laws that may enter into force from time to time.

"Usage and Interaction Data" means:

(a) diagnostic, usage and performance information collected by Utility3 in relation to Customer's (and its Authorized Users'), Creators' and Customer End Users' use of the Service; and

(b) information relating to interactions between Customer End Users and Digital Twins / Digital Characters, including chat text, images and photographs submitted to Customer Application.

The terms "controller", "data subject", "processing" (and accordingly "process", "processes" and "processed"), "processor", and "supervisory authority" have the meanings given to them in the Applicable Data Protection Laws.


2. Interaction with the Agreement

2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Covered Data.


3. Role of the Parties

3.1 The Parties acknowledge and agree that:

(a) save as set out in paragraph 3.1(b), Utility3 processes Covered Data as a processor in the performance of its obligations under the Agreement and this DPA and Customer acts as a controller; and

(b) for the purposes of the GDPR, Utility3 acts as a controller with respect to the processing of Administration Data, Creator Data and Usage and Interaction Data for the Controller Purposes.


4. Details of Data Processing

4.1 The details of the processing of personal data under the Agreement and this DPA (including subject matter, duration, nature and purpose of the processing, categories of personal data and data subjects) are described in the Agreement and in Schedule 1 to this DPA.

4.2 Other than in respect of its processing of Administration Data, Creator Data and Usage and Interaction Data for the Controller Purposes:

(a) Utility3 will only process Covered Data under the instructions provided by Customer and in accordance with Applicable Data Protection Laws unless processing is otherwise required under applicable EU, UK or Member State law; in such a case, Utility3 shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; and

(b) the Agreement and this DPA shall constitute the instructions to Utility3 for the processing of Covered Data by Utility3, and Customer may issue further written instructions in accordance with this DPA.

4.3 Utility3 shall:

(a) provide Customer with information to enable Customer to conduct and document any data protection impact assessments and prior consultations with supervisory authorities required under Applicable Data Protection Laws; and

(b) promptly inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws.


5. Compliance

5.1 The Customer shall comply with its obligations under Applicable Data Protection Laws and shall ensure that:

(a) any instructions to Utility3 in relation to the processing of Covered Data comply with Applicable Data Protection Laws;

(b) it provides such information to data subjects (including Authorized Users, Creators and Customer End Users) regarding: (i) the processing of Covered Data by Utility3; and (ii) the processing of Creator Data and Usage and Interaction Data for the Controller Purposes (unless agreed otherwise between the parties), in each case as required under Applicable Data Protection Laws;

(c) it obtains any consents from data subjects (including Creators and Customer End Users) required for the lawful processing of: (i) the Covered Data by Utility3; and (ii) the Creator Data and Usage and Interaction Data for the Controller Purposes (unless agreed otherwise between the parties), in each case as required under Applicable Data Protection Laws; and

(d) it promptly notifies Utility3 of any request received from a data subject to exercise their rights under Applicable Data Protection Laws in respect of Administration Data, Creator Data and Usage and Interaction Data.


6. Confidentiality and Disclosure

6.1 Utility3 shall:

(a) limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and

(b) ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.


7. Sub-processors

7.1 Utility3 may process Covered Data anywhere that Utility3 or its sub-processors maintain facilities, subject to the remainder of this paragraph 7 and paragraph 13.

7.2 The Customer grants Utility3 general authorization to engage any Authorized Sub-processor to process Covered Data.

7.3 Utility3 shall:

(a) enter into a written agreement with each Authorized Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Utility3's obligations under this DPA; and

(b) remain liable for each Authorized Sub-processor's compliance with the obligations under this DPA.

7.4 Utility3 will provide Customer with at least seven (7) days' notice of any proposed changes to the Authorized Sub-processors. The Customer shall notify Utility3 if it objects to the proposed change to the Authorized Sub-processors by providing Utility3 with written notice of the objection within seven (7) days after Utility3 has provided notice to Customer of such proposed change (an "Objection").

7.5 In the event Customer submits an Objection, Utility3 and Customer shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Utility3 and Customer are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, Utility3 may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Customer. During such period Utility3 may suspend the affected portion of the Service.


8. Data Subject Rights Requests

8.1 Utility3 will notify Customer without undue delay of any request received by Utility3 or any Authorized Sub-processor from a data subject to assert their rights under Applicable Data Protection Laws in relation to Covered Data processed by Utility3 as a processor (a "Data Subject Request").

8.2 Other than in respect of Utility3's processing of Administration Data, Creator Data and Usage and Interaction Data for the Controller Purposes, as between Utility3 and Customer, Customer will have sole discretion in responding to the Data Subject Request. Utility3 shall not respond to the Data Subject Request without Customer's prior consent, save that Utility3 may advise the data subject that their request has been forwarded to Customer.

8.3 Utility3 will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests in respect of Covered Data.


9. Security

9.1 Utility3 will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage of or to Covered Data.

9.2 When assessing the appropriate level of security, Utility3 shall take into account the nature, scope, context and purpose of the processing as well as the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.

9.3 Utility3 will implement and maintain as a minimum standard the measures set out in Schedule 2.


10. Information and Audits

10.1 The Customer may audit Utility3's compliance with this DPA in respect of its processing of Covered Data. The Parties agree that all such audits will be conducted:

(a) not more than annually, unless more frequent audits are required by a supervisory authority with jurisdiction over the processing of Covered Data or otherwise under Applicable Data Protection Laws;

(b) upon reasonable written notice to Utility3;

(c) only during Utility3's normal business hours; and

(d) in a manner that does not materially disrupt Utility3's business or operations.

10.2 With respect to any audits conducted in accordance with paragraph 10.1:

(a) Customer may engage a third-party auditor to conduct the audit on its behalf, save that Utility3 may reasonably object to the engagement of a third-party auditor if such third-party auditor is a competitor of Utility3; and

(b) Utility3 shall not be required to facilitate any such audit unless and until the Parties have agreed in writing the scope and timing of such audit.

10.3 The Customer shall promptly notify Utility3 of any non-compliance discovered during an audit.

10.4 The results of the audit shall be Utility3's confidential information.

10.5 Utility3 shall provide to Customer upon request, or may provide to Customer in response to any audit request submitted by Customer to Utility3, either of the following:

(a) data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or

(b) such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.

10.6 If an audit requested by Customer is addressed in the documents or certification provided by Utility3 in accordance with paragraph 10.5, and:

(a) the certification or documentation is dated within twelve (12) months of Customer's audit request; and

(b) Utility3 confirms that there are no known material changes in the controls audited,

Customer agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.


11. Security Incidents

11.1 Utility3 shall notify Customer in writing without undue delay after becoming aware of any Security Incident.

11.2 Utility3 shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Customer timely information about the Security Incident, to the extent known to Utility3 or as the information becomes available to Utility3, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.

11.3 Utility3 shall provide reasonable assistance with Customer's investigation of any Security Incidents and any of Customer's obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to data subjects or supervisory authorities.

11.4 Utility3's notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by Utility3 of any fault or liability with respect to the Security Incident.


12. Term, Deletion and Return

12.1 This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, the later of (a) Utility3's deletion of all Covered Data as described in this DPA; and (b) termination of Utility3's processing of Administration Data, Creator Data and Usage and Interaction Data for the Controller Purposes.

12.2 Utility3 shall:

(a) if requested to do so by Customer (on behalf of its Customers, as appropriate) within sixty (60) days of expiry of the Agreement (the "Retention Period"), provide a copy of all Covered Data in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Covered Data; and

(b) on expiry of the Retention Period, delete all copies of Covered Data processed by Utility3 or any Authorized Sub-processors, save to the extent that Utility3 is required by any applicable law to retain some or all of the Covered Data, and other than any Administration Data, Creator Data and Usage and Interaction Data that Utility3 processes for the Controller Purposes.


13. International Transfers

13.1 Utility3 shall not transfer any Covered Data to a recipient outside of the UK, Switzerland or EEA (as applicable) unless:

(a) the recipient is in an Adequate Jurisdiction;

(b) the transfer is governed by binding corporate rules approved by the Information Commissioner under Article 58(3)(j) of the GDPR; or

(c) the transfer is governed by an agreement implementing adequate safeguards in relation to the processing of the Covered Data, including as appropriate, (i) the Standard Contractual Clauses; (ii) the Standard Contractual Clauses as amended in accordance with the provisions of Swiss Data Protection Laws; or (iii) the Standard Contractual Clauses as amended by the template Addendum issued by the UK Information Commissioner or the international data transfer agreement, each as laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.

13.2 The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to transfers of Covered Data from Utility3 to Customer, and form part of this DPA, to the extent that Customer is not in an Adequate Jurisdiction.


Schedule 1: Details of Processing

A. List of Parties

Role
Customer: Controller (data importer)
Utility3: Controller / Processor (data exporter)

Contact person
Customer: The main administrator of Customer's account as notified to Utility3.
Utility3: Nic Young, CEO, nic@oh.xyz

Activities relevant to the transfer: The performance of the Agreement.

B. Description of Processing

Categories of data subjects: As defined in the Agreement: Authorized Users; Creators; and Customer End Users.

Categories of personal data:

Authorized Users: Name, contact information (including email), role at Customer; Contents of tickets raised, requests and communications sent to Utility3; and Usage data relating to use of the Services, including IP address.

Creators: Name (or Creator pseudonym); Creator's preferences and original content for the development of a Digital Twin, including images, videos or other content shared; Creator's Digital Twin information, preferences and content, including interactions and any chat text, images, videos or other content shared via Customer Application, and any inferences collected via such interactions; and Usage data relating to use of the Services, including IP address.

Customer End Users: Name (or Customer End User pseudonym); Interaction information, including any chat text, images, videos or other content shared via Customer Application, and any inferences collected via such interactions; and Usage data relating to use of the Services, including IP address.

Special categories of personal data: Special category data collected will include (and may include depending on interactions): data concerning a natural person's sex life or sexual orientation.

Frequency of the transfer: Continuous

Nature of the processing: Collection, storage, deletion, rectification, analysis and aggregation

Purposes of the data transfer and further processing: The delivery of the Service, including: Developing, maintaining and improving Digital Twins and Digital Characters for and on behalf of Customer; Facilitating access to and use of the current version of the AI System to facilitate Customer End User's experience on a Customer Application; Resolving queries and support requests submitted by Customer.

Retention period: For Covered Data processed as a processor, the duration of the Agreement, unless earlier deletion is requested or communicated by Customer.

Subprocessors: As set out in Schedule 4

Schedule 2: Technical and Organizational Measures

Utility3 has developed a suite of policies setting out the technical and organizational measures it has implemented to prevent the unauthorised use, access, destruction, disclosure or amendment of personal data.

1. Introduction

(a) Utility3 employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.

2. Governance and Policies

(a) Utility3 assigns personnel with responsibility for the determination, review and implementation of security policies and measures.

(b) Utility3 has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents.

(c) Utility3 reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.

(d) Utility3 establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.

3. Breach Response

Utility3 has a breach response plan that has been developed to address data breach events. The plan is tested and updated at least annually.

4. Intrusion, Anti-virus and Anti-malware Defences

(a) Inbound and outbound traffic passes through firewalls that are monitored and protected by intrusion detection / prevention systems that allow traffic flowing through the firewalls to be logged.

(b) IT systems have antivirus, anti-spyware and anti-malware software installed. Such software is updated at least daily and performs ongoing scans for threats and malicious programs.

(c) Utility3 performs penetration tests on its IT systems at least annually.

(d) Utility3 performs regular, and at least monthly, vulnerability scans.

(e) Utility3 collects, maintains, reviews and audits event logs.

(f) Utility3 deploys data loss prevention tools at network and host level.

(g) Utility3 monitors all traffic leaving the organization and unauthorised use of encryption.

5. Access Controls

Utility3 limits access to personal data by implementing appropriate access controls, including:

(a) Limiting administrative access privileges and use of administrative accounts;

(b) Changing all default passwords before deploying operating systems, assets or applications;

(c) Requiring authentication and authorization to gain access to IT systems;

(d) Only permitting user access to personal data which the user needs to access for his/her job role;

(e) Having in place appropriate procedures for controlling the allocation and revocation of personal data access rights;

(f) Enforcing password policies that require users to use strong passwords;

(g) Enforcing regular password renewal;

(h) Use of multi-factor authentication;

(i) Automatic timeout and locking of user terminals if left idle;

(j) Access to IT systems is blocked after multiple failed attempts to enter correct authentication and/or authorization details;

(k) Monitoring and logging access to IT systems; and

(l) Monitoring and logging amendments to data or files on IT systems.

6. Availability and Back-up

(a) Utility3 has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated at least annually.

(b) Utility3 regularly backs up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested at least annually.

7. Segmentation of Personal Data

(a) Utility3 separates and limits access between network components and, where appropriate, implements measures to provide for separate processing of personal data collected and used for different purposes.

(b) Utility3 does not use live data for testing its systems.

8. Disposal of IT Equipment

(a) Utility3 has in place processes to securely remove all personal data before disposing of IT systems.

(b) Utility3 uses appropriate technology to purge equipment of data and/or destroy hard disks.

9. Encryption

(a) Utility3 uses encryption technology to protect personal data at rest and in transit, including applying AES-256 encryption to data at rest and TLS 1.2 or higher to data in transit.

(b) Encryption of portable devices used to process personal data.

(c) Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.

10. Transmission or Transport of Personal Data

Appropriate controls are implemented by Utility3 to secure personal data during transmission or transit, including:

(a) Use of VPNs;

(b) Encryption in transit using TLS 1.2 or higher;

(c) Logging personal data when transmitted electronically;

(d) Logging personal data when transported physically; and

(e) Ensuring physical security for personal data when transported on portable electronic devices or in paper form.

11. Device Hardening

(a) Utility3 removes unused software and services from devices used to process personal data.

(b) Utility3 ensures that default passwords that are provided by hardware and software producers are not used.

12. Asset and Software Management

(a) Utility3 maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.

(b) Utility3 documents and implements rules for acceptable use of IT assets.

(c) Utility3 requires network level authentication and uses client certificates to validate and authenticate systems.

(d) Utility3 deploys application whitelisting.

(e) Utility3 deploys automated patch management tools and software update tools for operating systems and software.

(f) Utility3 proactively monitors software vulnerabilities and promptly implements any out of cycle patches.

(g) Utility3 permits the use of only the latest versions of fully supported web browsers and email clients.

(h) Utility3 stores all API keys securely, including storing API keys directly in its environment variables, not storing API keys on client side, not publishing API key credentials in online code repositories, and using API key management tools to retrieve and manage credentials for large development projects.

13. Physical Security

Utility3 implements physical security measures to safeguard personal data, including:

(a) Deployment of appropriate building security, including visitor logs, ID card access for staff, logs of staff access to buildings, and CCTV.

(b) Deployment and enforcement of appropriate policies to ensure that personal data is printed only where this is necessary for a person to perform his/her job role.

(c) Sensitive personal data or large amounts of personal data held in hardcopy are kept securely.

(d) Hardcopy documents containing personal data are only taken off site where necessary for a person's job role.

(e) When travelling or working away from the office, hard copy documents and portable devices containing personal data are kept secure.

(f) Paper records which contain confidential information are shredded after use.

14. Staff Training and Awareness

(a) Utility3's agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.

(b) Utility3 carries out regular (and at least annual) staff training on data security and privacy issues relevant to their job role.

(c) Utility3 carries out appropriate screening and background checks on individuals that have access to sensitive personal data.

(d) Staff are subject to disciplinary measures for breaches of Utility3's policies and procedures relating to data privacy and security.

15. Selection of Service Providers

(a) Utility3 assesses service providers' ability to meet their security requirements before engaging them.

(b) Utility3 has written contracts in place with service providers which require them to implement appropriate security measures.

(c) Utility3 conducts annual audits of vendors (including subprocessors) that have access to data.

(d) Utility3's breach response protocol and agreements with vendors provide for the audit of vendors following receipt of any notice of a security incident.

16. Assistance with Data Subject Rights Requests

Utility3 has implemented appropriate policies and measures to identify and address data subject rights requests.


Schedule 3: Standard Contractual Clauses

1. EU SCCs

With respect to any transfers referred to in clause 13.2, the Standard Contractual Clauses shall be completed as follows:

1.1 Module Four (processor to controller) of the SCCs will apply to Utility3's processing of Covered Data.

1.2 Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

1.3 The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

1.4 With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be English law.

1.5 In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of England.

1.6 For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties and the description of transfer.

2. UK Addendum

2.1 This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from Utility3 (as data exporter) to Customer (as data importer), to the extent that:

(a) the UK Data Protection Laws apply to Utility3 when making that transfer; or

(b) the transfer is an "onward transfer" as defined in the Approved Addendum.

2.2 As used in this paragraph 2:

(a) "Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.

(b) "UK Data Protection Laws" means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

2.3 The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.

2.4 The Approved Addendum shall be deemed completed as follows:

(a) the "Addendum EU SCCs" shall refer to the SCCs as they are incorporated into this Agreement in accordance with clause 13 and this Schedule 3;

(b) Table 1 of the Approved Addendum shall be completed with the details in paragraph A of Schedule 1;

(c) the "Appendix Information" shall refer to the information set out in Schedule 1;

(d) for the purposes of Table 4 of the Approved Addendum, Utility3 (as data exporter) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and

(e) Section 16 of the Approved Addendum does not apply.

3. Swiss Addendum

3.1 This Swiss Addendum will apply to any processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.

3.2 Interpretation of this Addendum

(a) Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

"Addendum" means this addendum to the Clauses;

"Clauses" means the Standard Contractual Clauses as incorporated into this DPA in accordance with paragraph 13 and as further specified in this Schedule 3; and

"FDPIC" means the Federal Data Protection and Information Commissioner.

(b) This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties' obligations under Article 16(2)(d) of the FADP.

(c) This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

(d) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.

(e) In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:

(i) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter's processing when making that transfer; and

(ii) as standard data protection clauses approved, issued or recognised by the FDPIC for the purposes of Article 16(2)(d) of the FADP.

3.3 Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

3.4 Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws

To the extent that the data exporter's processing of personal data is exclusively subject to Swiss Data Protection Laws, or the transfer of personal data from a data exporter to a data importer under the Clauses is an "onward transfer" (as defined in the Clauses, as amended by the remainder of this paragraph 3.4), the following amendments are made to the Clauses:

(a) References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.

(b) Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer."

(c) References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

(d) References to Regulation (EU) 2018/1725 are removed.

(e) References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".

(f) Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the FDPIC.

(g) Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland".

(h) Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

3.5 Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws

(a) To the extent that the data exporter's processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of personal data from a data exporter to a data importer under the Clauses is an "onward transfer" under both the Clauses and the Clauses as amended by paragraph 3.4 of this Addendum:

(i) for the purposes of Clause 13(a) and Part C of Annex I:

(A) the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer, or such transfer is an "onward transfer" as defined in the Clauses (as amended by paragraph 3.4 of this Addendum); and

(B) subject to the provisions of paragraph 2 of this Schedule 3 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of personal data to the extent the GDPR applies to the data exporter's processing, or such transfer is an "onward transfer" as defined in the Clauses.

(b) the terms "European Union", "Union", "EU", and "EU Member State" shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland to bring a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.