Domain Names

Find, Secure & Register Your Perfect Domain

Get the perfect domain name, secure your online identity, and establish your brand presence.

Managed Hosting

Fast, Reliable & Secure Web Hosting Solutions

Experience lightning-fast loading speeds, 99.9% uptime, and robust security with our hosting plans.

Business Email

Professional Email Solutions for Business

Create a lasting impression with custom email addresses, reliable delivery, and advanced security features.

SSL Certificates

Protect Your Site with Advanced SSL Certificates

Safeguard user data, ensure trust, and boost SEO rankings with our premium SSL certificates.

Domain Transfer

Seamless Transfers Made Simple

Move your domain with ease, enhance your online identity, and boost your brand presence. Enjoy a seamless transfer that keeps your business secure and visible.

WordPress Hosting

Optimized WordPress Hosting for Seamless Performance

Enjoy fast loading speeds, automatic updates, and expert support with our WordPress-optimized hosting.

E-commerce Hosting

Secure & Scalable E-commerce Hosting Solutions

Drive sales with fast, secure, and reliable hosting optimized for online stores and shopping carts.

Website design & Dev.

WordPress Websites for Your Business

Transform your online presence with custom, responsive, and user-friendly WordPress websites designed for success.

Content Creation

Engaging Content for Your Target Audience

Capture attention, build trust, and drive conversions with high-quality, relevant, and engaging content tailored to your audience.

Facebook & Google Ads

Targeted Facebook Ads for Real Results

Reach your ideal customers, increase conversions, and maximize ROI with precision-targeted Facebook advertising campaigns.

SEO Optimization

Fast, scalable hosting for any website.

Improve search engine rankings, drive organic traffic, and grow your online presence with expert SEO strategies.

Logo Design

Professional Logo Design for Your Brand

Elevate your brand identity with unique, scalable, and memorable logos crafted by expert designers.

Digital Marketing

Comprehensive Digital Marketing Solutions

Grow your business with expert digital marketing strategies, from social media to SEO, and beyond.

Business Registration (CAC)

Fast & Secure Business Registration Services

Register your business quickly, securely, and hassle-free with our expert CAC registration services.

Tax Identification

Simplified Tax ID Registration Process

Obtain your Tax ID easily, securely, and efficiently with our streamlined registration process.

Corporate Banking

Expert Corporate Banking Solutions

Manage your business finances efficiently with customized corporate banking solutions and expert support.

Newspaper Publication

Reach Your Audience through Newspaper Advertising

Amplify your message, build brand awareness, and target local audiences with effective newspaper advertising.

Pencom Clearance Cert

Seamless Solutions for Pension Compliance

Get your PenCom Clearance Certificate easily with Microfidelity! We ensure quick issuance and compliance.

CBN Licensing

Helping Fintechs with Regulatory Expertise

Launch your fintech business faster with Microfidelity! We simplify CBN licensing and ensure seamless compliance."

About Us

Our Startup Story

Contact Us

Customer Care

Call Us

+1 650 684 8800

Live Chat

Chat with a Customer Representative

Help Center

Quick Solutions & Expert Guidance

WhatsApp Help

Our Startup Story

Leave a Message

help@microfidelity.uk

Terms of Service

Our Commitment to Transparency

Privacy Policy

Protecting Your Data and Trust Always

Cookie Policy

Clear and Transparent Cookie Disclosure

Report Abuse

Secure and Confidential Reporting

Acceptable Use Policy

Responsible Online Community Guidelines

Accessibility Statement

Accessible, Inclusive, & User-Friendly

Anti-Spam Policy

Zero Tolerance for Spam Activity

DCMA Notice

Respecting Intellectual Property Rights

Professional Services Agreement

Expert Business Solutions and Support

WordPress Migration Terms

Seamless Migration, No Technical Hassle

Domain Registration Terms

Clear Domain Registration Guidelines Provided

ICANN Domain Verification

Secure and Verified Domain Ownership

Data Processing Addendum

Robust Data Protection and Security

Legal & Government Requests

Compliant, Transparent, and Timely Response

Domain Name Dispute Policy

Fair, Efficient, and Impartial Resolution

Domain Registrant Rights & Duties

Registrant Rights, Responsibilities, and Obligations

NIN Modification

Create your address on the web.

Enjoy 99.9% uptime with our geo-redundant setup, splitting data between two secure centers

Microfidelity Business School

Learn Web Design & Tech Skills

Unlock your potential with expert-led web design and tech training, empowering your business growth.

Copyright © 2024 Microfidelity LTD.

All rights reserved.

Microfidelity Ltd is not a financial institution. All payment services on our website are processed through licensed partners like Paystack, Flutterwave, and PayPal to ensure secure transactions.

Microfidelity. Dedicated to you,
with every heartbeat of our team.❤️

Data Processing Addendum

Updated on: July 13, 2024

Jehmuel James

President & CEO

This Data Processing Addendum ("DPA"), effective as of July 13, 2024, is an integral part of the general contract and relationship governed by the Terms of Service and any other agreements governing our Services ("Agreement"), between you ("Customer") and Microfidelity ("Company"). Unless defined otherwise herein, capitalized terms used in this DPA shall have the meanings set forth in the Agreement.

Definitions:

1. Scope of this DPA

This Data Processing Addendum ("DPA") applies exclusively to the extent that Microfidelity processes Customer Data subject to Relevant Data Protection Laws on behalf of its clients during the provision of Services under the Agreement.

2. Roles and Scope of Processing

Roles of the Parties:

Microfidelity acts as a Processor of Customer Data on behalf of the Client, who retains the role of Controller. If the CCPA applies to Customer Data processing under the Agreement, Customer is classified as a "business," and Microfidelity as a "service provider," as defined in the CCPA.

Customer's Processing of Customer Data:

The Client agrees to comply with its obligations under Relevant Data Protection Laws regarding the processing of Customer Data and the issuance of processing instructions to Microfidelity. The Client confirms it has provided necessary notices and obtained consents required under Relevant Data Protection Laws for Microfidelity to process Customer Data.

Microfidelity's Processing of Customer Data:

Microfidelity will process Customer Data solely for the purposes outlined in this DPA and strictly in accordance with documented lawful instructions from the Client. This DPA and the Agreement constitute the complete and final instructions to Microfidelity concerning the processing of Customer Data. Any processing beyond these instructions requires prior written agreement between Microfidelity and the Client.

Processing Details:

Specific details of processing activities under the Agreement are provided in Schedule A.

Exceptions:

Notwithstanding anything in the Agreement or this DPA, the Client acknowledges that Microfidelity may use and disclose data related to Service operation, support, and use for legitimate business purposes such as billing, account management, technical support, product development, improvement, sales, and marketing. If such data qualifies as Personal Data under Relevant Data Protection Laws, Microfidelity acts as Controller and warrants compliance with its Privacy Policy and Data Protection Laws.

3. Sub-processing

Authorized Sub-processors:

The Client consents to Microfidelity engaging Sub-processors for processing Customer Data. A current list of authorized Sub-processors can be accessed in the "Profile & Privacy" tab of the Microfidelity Control Panel ("Sub-processor List").

Sub-processor Obligations:

Microfidelity will enter into written agreements with Sub-processors, imposing data protection terms that require them to protect Customer Data to the standard mandated by Relevant Data Protection Laws. Microfidelity remains responsible for compliance with this DPA and is liable for any acts or omissions by Sub-processors that lead to Microfidelity breaching its obligations under this DPA.

Changes to Sub-processors:

Microfidelity will notify the Client of any updates to Sub-processors by updating the Sub-processor List with at least five (5) days' notice before using a new Sub-processor. The Sub-processor List will always indicate the "last updated" date. The Client may receive email notifications regarding changes to the Sub-processor List. If the Client does not approve a new Sub-processor after receiving notice, the Client may terminate the affected Services by providing written notice to Microfidelity within five (5) days before Microfidelity begins using the new Sub-processor.

4. Security

Updates to Security Measures:

The Client is responsible for reviewing Microfidelity's data security information to independently determine if the Services meet its requirements and legal obligations under Relevant Data Protection Laws. Microfidelity's minimum technical and organizational measures to protect Customer Data are detailed in Schedule B ("Information Security Measures"). Microfidelity may update or modify these measures from time to time, ensuring no degradation in overall security of purchased Services.

Personnel:

Microfidelity ensures all authorized personnel, including staff, agents, and Sub-processors, maintain confidentiality obligations concerning Customer Data. Microfidelity ensures such personnel process Customer Data only based on the Client's instructions, except as required by Relevant Data Protection Laws.

Client Responsibilities:

Except as provided in this DPA, the Client is accountable for secure use of Services.

Personal Data Breach Response:

Upon discovering a Personal Data Breach, Microfidelity promptly notifies the Client and provides timely information related to the breach, as requested. Microfidelity takes immediate steps to mitigate and, where feasible, remedy the breach's effects.

5. Audit Reports

The Client acknowledges Microfidelity undergoes regular audits for DPA compliance and security standards. Upon written request, Microfidelity provides the Client with a summarized audit report ("Report"), subject to confidentiality provisions under any non-disclosure agreement. Microfidelity also responds to reasonable audit queries, limited to once per twelve (12) months by the Client.

6. International Transfers

Data Center Locations:

Microfidelity may transfer and process Customer Data worldwide, where Microfidelity, its Affiliates, or Sub-processors maintain processing operations. Microfidelity guarantees an adequate level of Customer Data protection, complying with Relevant Data Protection Laws at all times.

Model Clauses:

If Microfidelity processes Customer Data protected under GDPR or UK Data Protection Laws, originating from the EEA or the UK, in countries without adequacy designation, Microfidelity ensures adequate protection under Applicable Data Protection Law by adhering to Model Clauses. Microfidelity acknowledges its role as data importer under the Model Clauses, despite the Client's location outside the EEA.

7. Data Return or Deletion

Upon Agreement termination or expiration, Microfidelity, upon authenticated request, returns or securely deletes all Customer Data within its possession or control, as technically feasible. However, Microfidelity may retain or archive Customer Data on backup systems as required by law, contract, or legitimate business interests, ensuring isolated and protected Data from further processing.

8. Cooperation

Services provide the Client controls to retrieve, correct, delete, or restrict Customer Data, assisting the Client's compliance with Relevant Data Protection Laws. Microfidelity offers reasonable cooperation, at the Client's expense, in responding to data subject or data protection authority requests. If Microfidelity directly receives such requests, it notifies the Client promptly and provides a copy of the request, unless legally restricted.

Microfidelity doesn't disclose Customer Data to any entity or government except by valid law enforcement order. Upon disclosure obligation, Microfidelity notifies the Client promptly, unless legally prohibited.

9. CCPA Clauses

If CCPA applies, the parties comply with Schedule C.

10. General

Claims under this DPA follow Microfidelity's general terms (including Terms of Service) updated on the Legal webpage, with exclusions and limitations as per the Agreement. Claims against Microfidelity or its Affiliates under this DPA apply solely to the Agreement's contracting entity. The Client agrees Microfidelity's regulatory penalties related to Customer Data breach due to the Client's DPA or Data Protection Law non-compliance offset Microfidelity's liability under the Agreement as Client liability.

Only parties to this DPA, their successors, and assignees enforce its terms. This DPA follows governing law and jurisdiction in the Agreement, unless Data Protection Laws dictate otherwise.

This DPA supersedes any previous DPA, including applicable Model Clauses, concerning Services.

This DPA and Model Clauses terminate concurrently with the Agreement's termination, with provisions on secure data destruction and retention for legal, contractual, or regulatory compliance surviving.

Except for DPA changes, the Agreement remains fully effective. In case of conflict between this DPA and the Agreement, this DPA prevails.

Schedules to this DPA integrate into it by reference. In conflicts, this DPA prevails over Schedules. If this DPA conflicts with Model Clauses, Model Clauses govern.

This DPA's provisions are severable. Partial invalidity doesn't affect other provisions' validity.

Schedule A

Details of Processing

Subject matter:

The subject matter of the Processing under this DPA is the Client Data. Duration: As between Service Provider and Client, the duration of the Processing under this DPA is specified in Section 7 of this DPA.

Purpose and Nature:

The purpose and nature of the Processing under this DPA is the provision of Services to the Client and the fulfillment of Service Provider's obligations under the Agreement (including this DPA) or as otherwise agreed upon by the parties.

Categories of Data Subjects:

Client may upload Personal Data while utilizing the Services, the extent of which may be determined and controlled by Client. This may include, but is not limited to:

Types of Personal Data:

Client may upload Personal Data while utilizing the Services, the extent of which may be determined and controlled by Client. This may include, but is not limited to, categories such as name, address, phone number, date of birth, email, and other relevant Client Data.

Schedule B

Information Security Measures

The following items represent the minimum security requirements that Service Provider has implemented to safeguard Client Data:

Schedule C

CCPA Clauses

This schedule applies to the DPA to the extent that the CCPA governs the Processing of Client Data under the Agreement. As used herein, terms such as "Personal Information", "Sell", "Share", "Business Purpose", and "Commercial Purpose" carry the meanings as defined in the CCPA.

If Client Data qualifies as Personal Information under the Agreement:

Schedule D

Model Clauses

SECTION 1

Clause 1

Objective and Scope

(a) The aim of these standard contractual clauses is to ensure adherence to the requirements of Regulation (EU) 2016/679 of the European Parliament and Council dated 27 April 2016, concerning the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(c) These Clauses apply concerning the transfer of personal data as detailed in Annex I.B.

(d) The Appendix to these Clauses, containing the Annexes referred to therein, forms an integral part of these Clauses.

Clause 2

Effectiveness and Unchangeability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, under Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, concerning data transfers from controllers to processors and/or processors to processors, standard contractual clauses under Article 28(7) of Regulation (EU) 2016/679, provided they are not altered, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not preclude the Parties from integrating the standard contractual clauses laid out in these Clauses into a broader contract and/or adding other clauses or additional safeguards, provided they do not contradict, directly or indirectly, these Clauses or undermine the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations imposed on the data exporter under Regulation (EU) 2016/679.

Clause 3

Third-party Beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, except for the following:

(b) Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Terms used in these Clauses that are defined in Regulation (EU) 2016/679 shall have the same meaning as in that Regulation.

(b) These Clauses shall be interpreted in light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be construed in a manner that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a conflict between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the Transfer(s)

The specifics of the transfer(s), particularly the categories of personal data being transferred and the purpose(s) for which they are being transferred, are specified in Annex I.B.

Clause 7

Docking Clause

Not applicable.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8

Data Protection Safeguards

The data sender ensures that it has made reasonable efforts to determine that the data recipient is capable, through suitable technical and organizational measures, of fulfilling its obligations under these Clauses.

8.1 Instructions

8.2 Purpose Limitation

The data recipient shall process the personal data only for the specific purpose(s) of the transfer, as outlined in Annex I.B, unless otherwise instructed by the data sender.

8.3 Transparency

Upon request, the data sender shall provide a copy of these Clauses, including the Appendix as completed by the Parties, to the data subject free of charge. To protect business secrets or other confidential information, including measures described in Annex II and personal data, the data sender may redact parts of the Appendix before sharing it but shall provide a meaningful summary where necessary for the data subject to understand its content and exercise their rights. Upon request, the Parties shall explain the reasons for any redactions without revealing the redacted information. This Clause does not affect the data sender's obligations under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data recipient discovers that the personal data it received is inaccurate or outdated, it shall inform the data sender without undue delay. In such cases, the data recipient shall cooperate with the data sender to erase or correct the data.

8.5 Duration of Processing and Erasure or Return of Data

Processing by the data recipient shall occur only for the duration specified in Annex I.B. After the end of the processing services, the data recipient shall, at the data sender's discretion, delete all personal data processed on behalf of the data sender and certify to the data sender that it has done so, or return all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data recipient shall continue to ensure compliance with these Clauses. In case of local laws preventing the data recipient from returning or deleting the data, the data recipient warrants that it will continue to comply with these Clauses and only process the data as required under those laws. This does not affect Clause 14, particularly the requirement for the data recipient under Clause 14(e) to notify the data sender throughout the contract's duration if it becomes subject to laws or practices that conflict with Clause 14(a).

8.6 Security of Processing

(a) The data recipient and, during transmission, the data sender shall implement suitable technical and organizational measures to secure the data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (hereinafter 'personal data breach'). The Parties shall consider the state of the art, implementation costs, processing nature, scope, context, purpose(s), and associated risks for data subjects in determining the appropriate security level. The Parties shall consider encryption or pseudonymization, including during transmission, where processing can be fulfilled that way. For pseudonymization, the additional information to attribute personal data to a specific data subject shall remain under the data sender's exclusive control. In complying with this paragraph, the data recipient shall at least implement the technical and organizational measures specified in Annex II and conduct regular checks to ensure these measures remain effective.

(b) The data recipient shall limit access to personal data to personnel members strictly necessary for contract implementation, management, and monitoring. It shall ensure authorized persons have committed to confidentiality or are under an appropriate statutory confidentiality obligation.

(c) In case of a personal data breach concerning personal data processed under these Clauses, the data recipient shall take appropriate measures to address the breach, including mitigating its adverse effects. The data recipient shall notify the data sender without undue delay upon becoming aware of the breach. The notification shall include contact details for more information, a description of the breach (including, where possible, categories and approximate numbers of data subjects and personal data records affected), its likely consequences, and measures taken or proposed to address the breach, including mitigation efforts. Where not possible to provide all information immediately, the initial notification shall include available details, with further information provided as it becomes available without undue delay.

(d) The data recipient shall cooperate with and assist the data sender in complying with its obligations under Regulation (EU) 2016/679, particularly in notifying the competent supervisory authority and affected data subjects, considering the nature of processing and information available to the data recipient.

8.7 Sensitive Data

For transfers involving personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, health data, sex life or sexual orientation data, or data relating to criminal convictions and offences (hereinafter 'sensitive data'), the data recipient shall apply specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward Transfers

The data recipient may only disclose personal data to a third party based on documented directives from the data provider. Additionally, personal data can only be shared with a third party located outside the European Economic Area (EEA) (either in the same country as the data recipient or another third country, hereinafter referred to as 'subsequent transfer') if the third party:

All subsequent transfers must adhere to all other safeguards in these Clauses, particularly regarding purpose limitation.

8.9 Documentation and Compliance

Clause 9

Use of Sub-processors

(a) General Written Authorization: The data recipient has the data provider's general authorization to engage sub-processors from an agreed list. The data recipient must inform the data provider in writing of any intended changes to that list, including adding or replacing sub-processors, at least five (5) days in advance. This provides the data provider with enough time to object to such changes before the sub-processor is engaged. The data recipient must provide the data provider with the necessary information to exercise their right to object.

(b) When the data recipient engages a sub-processor to perform specific processing activities on behalf of the data provider, it must do so via a written contract that includes, in essence, the same data protection obligations binding the data recipient under these Clauses, including third-party beneficiary rights for data subjects. The parties agree that by complying with this Clause, the data recipient fulfills its obligations under Clause 8.8. The data recipient must ensure the sub-processor complies with the obligations applicable to the data recipient under these Clauses.

(c) The data recipient must provide, upon the data provider's request, a copy of the sub-processor agreement and any subsequent amendments to the data provider. To protect business secrets or other confidential information, including personal data, the data recipient may redact the agreement text before sharing a copy.

(d) The data recipient remains fully responsible to the data provider for the sub-processor's performance under its contract with the data recipient. The data recipient must notify the data provider of any failure by the sub-processor to meet its contractual obligations.

(e) The data recipient must agree on a third-party beneficiary clause with the sub-processor, allowing the data provider to terminate the sub-processor contract and instruct the sub-processor to erase or return the personal data if the data recipient has factually disappeared, ceased to exist in law, or become insolvent.

Clause 10

Data Subject Rights

(a) The data recipient must promptly notify the data provider of any request received from a data subject. It must not respond to the request unless authorized by the data provider.

(b) The data recipient shall assist the data provider in fulfilling its obligations to respond to data subjects' requests for exercising their rights under Regulation (EU) 2016/679. The appropriate technical and organizational measures for providing such assistance, including the scope and extent of assistance required, must be outlined in Annex II, considering the nature of the processing.

(c) In fulfilling obligations under paragraphs (a) and (b), the data recipient must follow the data provider's instructions.

Clause 11

Remedial Actions and Accountability

11.1 - Remedial Actions

(a) If the data receiver gets a complaint or request concerning the handling of personal data covered by these Terms, they must promptly inform the data sender. The data receiver should not respond to such complaints or requests unless directed by the data sender, unless the response is mandated by applicable law. If legal requirements prevent prior notification, the data receiver must inform the data sender as soon as possible.

(b) The data receiver shall assist the data sender in addressing any complaints or requests from data subjects, considering the nature of the data processing and the information available to the data receiver.

11.2 - Accountability

(a) Each party is responsible to the other for any damage caused by a breach of these Terms. Liability is limited to actual harm incurred. Punitive damages are explicitly excluded.

(b) Each party is responsible to data subjects for any harm caused by a breach of their third-party beneficiary rights under these Terms. This does not affect the data sender's liability under the GDPR.

(c) If multiple parties are responsible for damages caused to a data subject due to a breach of these Terms, all responsible parties will be jointly and severally liable, allowing the data subject to pursue action in the courts of any of the responsible parties.

(d) The parties agree that if one party is held accountable for a breach of these Terms by the other party, the latter will indemnify the former for any incurred costs, damages, expenses, or losses to the extent of its responsibility. Indemnification is conditional upon:

(i) The data sender promptly informing the data receiver of the claim, and

(ii) The data receiver being given the opportunity to cooperate in the defense and settlement of the claim.

Clause 12

Oversight

(a) The supervisory authority responsible for ensuring the data sender's compliance with the GDPR concerning the data transfer will serve as the competent authority.

(b) The data receiver consents to the jurisdiction of the competent supervisory authority and agrees to cooperate with it in any procedures aimed at enforcing these Terms. This includes responding to inquiries, undergoing audits, and complying with measures taken by the supervisory authority, including remedial and compensatory actions. The data receiver will provide written confirmation of compliance.

Clause 13

Governing Law

These Terms will be governed by the law of the EU Member State where the data sender is located, unless otherwise dictated by the GDPR.

SECTION III - LOCAL LAWS AND PUBLIC AUTHORITY ACCESS

Clause 14

Amendment of Terms

The parties agree not to alter or modify these Terms. This does not prevent the addition of clauses on business-related matters, provided they do not conflict with these Terms.

Clause 15

Subprocessing

(a) The data receiver shall not subcontract any of its processing activities performed on behalf of the data sender under these Terms without prior written consent. If the data receiver does engage a subprocessor, it must do so through a written contract that imposes the same data protection obligations as those in these Terms, including third-party beneficiary rights for data subjects. If the subprocessor fails to meet its obligations, the data receiver remains fully liable to the data sender.

(b) The prior written agreement between the data receiver and the subprocessor must include a third-party beneficiary clause as described in Clause 8, ensuring that if the data receiver ceases to exist, the data sender has the right to terminate the subprocessor contract and instruct the subprocessor to erase or return the personal data.

(c) Any onward transfer by the subprocessor must meet the same requirements as those for onward transfers by the data receiver under these Terms.

SECTION IV - CONCLUDING PROVISIONS

Clause 16

Termination

(a) Either party may terminate these Terms if the other party significantly or repeatedly breaches these Terms or becomes insolvent.

(b) Termination of these Terms does not release the parties from confidentiality and other obligations stipulated in these Terms.

Clause 17

Obligations Upon Termination

(a) Upon termination of these Terms, the data receiver must return all transferred personal data and copies to the data sender or destroy the data and certify the destruction, unless laws require retention. In such cases, the data receiver guarantees confidentiality and ceases active processing.

(b) The data receiver warrants that after termination, it will maintain appropriate technical and organizational measures to secure and protect the personal data as required by these Terms.

Clause 18

Choice of Forum and Jurisdiction

(a) Any disputes arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that these courts shall be located in the Republic of Ireland.

(c) A data subject may also initiate legal proceedings against the data exporter and/or data importer in the courts of the Member State where they habitually reside.

(d) The Parties consent to the jurisdiction of these courts.

Endnotes

1. When the data exporter acts as a processor under Regulation (EU) 2016/679 on behalf of a Union institution or body as a controller, the use of these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725. This regulation concerns the protection of personal data by Union institutions, bodies, offices, and agencies, and repeals Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). The alignment of these Clauses and the data protection obligations in the contract or other legal acts between the controller and the processor under Article 29(3) of Regulation (EU) 2018/1725 must be ensured. This alignment is particularly relevant when the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

2. The European Economic Area (EEA) Agreement extends the internal market of the European Union to Iceland, Liechtenstein, and Norway. EU data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereof. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses.

3. This requirement may be fulfilled if the sub-processor agrees to these Clauses under the appropriate Module, in accordance with Clause 7.

4. When assessing the impact of such laws and practices on compliance with these Clauses, various factors must be considered as part of an overall assessment. These factors may include documented practical experience with previous instances of requests for disclosure from public authorities, or the absence of such requests, over a representative time frame. This includes internal records or other documentation maintained on an ongoing basis in accordance with due diligence and certified by senior management, provided that such information can be legally shared with third parties. If practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it must be supported by other relevant, objective elements. The Parties must carefully assess whether these elements together carry sufficient weight in terms of reliability and representativeness to support this conclusion. In particular, the Parties must take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Activities relevant to the data transferred under these Clauses: As described in this Appendix, the DPA, and the Agreement.

Data importer(s):

[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Activities relevant to the data transferred under these Clauses: As described in this Appendix, the DPA, and the Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: As detailed in Schedule A to this DPA.

Categories of personal data transferred: As outlined in Schedule A to this DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards: As specified in Schedule A to this DPA, including stringent purpose limitations, access controls, audit trails for data access, and additional security measures.

Frequency of the transfer: Continuous as required to deliver the Services.

Nature of the processing: As specified in Schedule A to this DPA.

Purpose(s) of the data transfer and further processing: As outlined in Schedule A to this DPA.

Retention period for personal data, or criteria used to determine that period: As detailed in Section 7 of this DPA.

For transfers to (sub-) processors, specify subject matter, nature, and duration of the processing: As per the terms of the Agreement, for the duration necessary to provide the Services.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: [To be completed based on the data exporter's operations]

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES FOR DATA SECURITY

Overview of the technical and organizational measures enforced by the data importer(s), including any pertinent certifications, to ensure a suitable level of security. This assessment takes into account the nature, scope, context, and purpose of the processing, as well as the risks posed to the rights and freedoms of individuals.

As detailed in Schedule B to this Data Processing Agreement (DPA).

For transfers to (sub-) processors, specify the particular technical and organizational measures that the (sub-) processor will implement to support the controller, and for transfers from a processor to a sub-processor, to the data exporter.

As specified in Schedule B to this DPA.

ANNEX III

UNITED KINGDOM ADDENDUM

This Addendum, issued by the Information Commissioner, applies to Parties making Restricted Transfers. The Information Commissioner regards it as providing appropriate safeguards for Restricted Transfers when executed as a legally binding contract.