1. Initial Provisions
1.1 This Data Processing Agreement (“DPA”) forms an integral part of the Agreement concluded between MEWS and the Service Provider. The Service Provider acknowledges that MEWS’s engagement with the Service Provider is conditioned upon the Service Provider’s agreement to the terms and conditions of this DPA.
1.2 This version of the DPA is valid and effective from the effective date as stated above.
1.3 In the event of a conflict between this DPA, the Service Partner Terms, the Agreement and any Purchase Order, the order of precedence shall be as follows: (a) Purchase Order, (b) the Agreement, (c) Data Processing Agreement, (d) Service Partner Terms.
1.4 For the purposes of this DPA, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined herein shall have the meaning ascribed to such words in the Service Partner Terms or the Agreement.
1.4.1 "Affiliate" means any entity controlling, controlled by, or under common control of a Party where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity;
1.4.2 "MEWS Subsidiary" means any entity that is directly or indirectly controlled by, controlling or under common control with MEWS;
1.4.3 "CCPA" means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this DPA;
1.4.4 "Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Service Provider under this DPA;
1.4.5 "Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data: (i) CCPA and any national data protection laws made under the CCPA, and (ii) EU/UK Data Protection Law;
1.4.6 "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
1.4.7 “Personal Data” means any information that (i) is protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Legislation; and (ii) is Processed by the Service Provider on behalf of MEWS in the course of providing the Services, as more particularly described in Annex 1(B) of this DPA;
1.4.8 “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
1.4.9 “Sub-processor” means any third party engaged by the Service Provider to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as Processor;
1.4.10 “Services” mean the services provided by the Service Provider to MEWS pursuant to and as more particularly described in the Agreement and Purchase Order;
1.4.11 "Standard Contractual Clauses" means: the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs");
1.4.12 "UK addendum" means: International Data Transfer Addendum to the EU SCCs, version B1.0, in force 21 March 2022; and
1.4.13 the terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the EU/UK Data Protection Laws, and the terms "business", "service provider" and "sale" shall have the same meanings given to them under the CCPA.
2. Service Provider's Obligations
2.1 Roles. For the purposes of the EU/UK Data Protection Law, MEWS (or a third party on whose behalf MEWS is authorized to instruct the Service Provider) is the Controller or Processor of Personal Data and the Service Provider shall Process Personal Data as a Processor or Sub-Processor, as applicable; and for the purposes of the CCPA (to the extent the CCPA is applicable), MEWS is the "business" and the Service Provider is the "service provider". Whenever MEWS and Service Provider process Personal Data as independent controllers for the purpose of provision of Services under the Agreement, each Party individually shall fulfil its obligations attributed to the data controllers under the Data Protection Legislation and each Party individually shall bear its own liability related to the fulfilment and non-fulfilment of such obligations.
2.2 Permitted Purposes. The Service Provider shall Process Personal Data for the purposes described in Annex 1(B) and in accordance with MEWS's documented lawful instructions ("Permitted Purposes"), except where otherwise required by laws that are not incompatible with applicable Data Protection Legislation. In no event will the Service Provider Process Personal Data for its own purposes or those of a third party. In particular and to the extent the CCPA is applicable, MEWS's transfer of Personal Data to the Service Provider is not a sale, and the Service Provider provides no monetary or other valuable consideration to MEWS in exchange for Personal Data. To the extent required by Data Protection Legislation, this Section 2.2 constitutes the certification from the Service Provider to the Processing instructions herein. The Service Provider is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.
2.3 Processing Instructions. The Service Provider shall immediately inform MEWS if it becomes aware that MEWS's Processing instructions infringe Data Protection Legislation. If the Service Provider is unable to Process Personal Data in accordance with the MEWS's documented lawful instructions, the Service Provider is obliged to promptly notify MEWS of its inability to comply.
2.4 Security Measures. The Service Provider shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect all data, including Personal Data, from Data Breaches and to preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex 2 of this DPA.
2.5 Access and Confidentiality. The Service Provider shall ensure that any person it authorizes to Process the Personal Data (including the Service Provider's staff, agents, and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received appropriate training, are informed about the confidential nature of the Personal Data and their obligations related to it, and have access to Personal Data only in accordance with the need-to-know principle. The Service Provider shall ensure that all Personnel Process the Personal Data only as necessary for the Permitted Purposes.
2.6 Data Returns and Deletion. Upon request, or termination or expiration of the Agreement, the Service Provider must (at MEWS's election) delete or return to MEWS all Personal Data (including copies) in its possession or control in accordance with the Agreement. At MEWS’ request, the Service Provider shall certify in writing to MEWS that all Personal Data has been deleted or returned, and that no copies or duplicates have been retained.
3. Audit Rights
3.1 Processing Records. The Service Provider shall maintain records of its Personal Data Processing activities in accordance with Data Protection Legislation. Upon request, the Service Provider shall provide the records of the Processing to MEWS, any auditor appointed by MEWS, or any supervisory authority. The Service Provider shall also respond to any written audit questions submitted to it by MEWS and that are necessary to confirm the Service Provider's compliance with this DPA.
3.2 ISMS Standards. If the Service Provider maintains records in accordance with ISO 27001 or similar Information Security Management System ("ISMS") standards, the Service Provider shall provide to MEWS copies of relevant external ISMS certifications, audit report summaries and other documentation necessary to demonstrate compliance with this DPA.
3.3 On-site audit. The Service Provider shall allow MEWS (or, subject to complying with Section 3.3 of this DPA, a third-party licensed auditor) to carry out an on-site audit of the Service Provider's facilities, electronic data files, systems and documentation relating to the Processing of Personal Data, provided that each party bears its own costs of the audit unless the audit is carried out following (i) a Security Breach or (ii) an investigation or potential enforcement action by a supervisory authority, in which case all costs of the audit shall be borne by the Service Provider.
3.4 Audit by a third party. MEWS may exercise its audit rights under Section 3 of this DPA through the engagement of an independent third party that is an external licensed auditor.
4. Cooperation
4.1 Data Subject Rights. To the extent that MEWS is unable to independently access the relevant Personal Data within the Services, the Service Provider shall, taking into account the nature of the Processing, provide reasonable assistance (including by appropriate technical and organizational measures), to enable MEWS to: (i) respond to any requests from a Data Subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, supervisory authority, or other third party in connection with the processing of the Personal Data (collectively "Correspondence"). In the event that any such Correspondence is made directly to the Service Provider, it shall always promptly notify MEWS, and shall not respond directly, unless legally required.
4.2 Data Protection Impact Assessment. To the extent required by Data Protection Legislation, the Service Provider shall provide all requested information regarding the Services to enable MEWS to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.
4.3 Disclosure Requests. The Service Provider is obliged to promptly notify MEWS about any legally binding request for disclosure of the personal data by a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist MEWS therewith.
5. Security Incidents
5.1 Data Breach. Upon becoming aware of a Data Breach, the Service Provider shall notify MEWS without undue delay (and in no event later than 24 hours of becoming aware of such Data Breach) and shall provide such timely information and cooperation as MEWS may require in order to fulfill its data breach reporting obligations under Data Protection Legislation, including the type of data affected and the identity of the affected person as soon as such information becomes known or available to the Service Provider.
5.2 Further Conduct. The Service Provider shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Data Breach and shall keep MEWS informed of all developments in connection with the Data Breach.
5.3 Cooperation. If a Data Breach is caused or materially contributed to by MEWS, the Service Provider will cooperate in the investigation of the Data Breach subject to MEWS’s obligation to compensate the Service Provider for its reasonable costs.
5.4 Notifications. The content and provision of any notification, public or regulatory communication, or press release concerning a Data Breach shall be solely at MEWS’s discretion, except as otherwise required by Data Protection Legislation.
6. Sub-processing
6.1 Sub-processors. The Service Provider shall not subcontract any processing of the Personal Data to a Sub-processor without the prior written consent of MEWS. Notwithstanding this, MEWS consents to the Service Provider engaging Sub-processors to process the Personal Data provided that:
6.1.1 the Service Provider provides at least 30 days prior written notice to MEWS of the engagement of any new Sub-processor (including details of the processing and location) and the Service Provider shall update the list of all Sub-processors engaged to process Personal Data under this DPA at Annex 3 and send such updated version to MEWS prior to the engagement of the Sub-processor;
6.1.2 the Service Provider imposes the same data protection terms on any Sub-processor it engages as contained in this DPA (including the Standard Contractual Clauses or other data transfer provisions, where applicable); and
6.1.3 the Service Provider remains fully liable for any breach of this DPA or the Agreement that is caused by an act, error or omission of such Sub-processor.
6.2 Objection. If MEWS objects to the engagement of any Sub-processor on data protection grounds, then either the Service Provider will not engage the Sub-processor to process the Personal Data or MEWS may elect to suspend or terminate the processing of Personal Data under the Service Partner Agreement without penalty, whereas MEWS shall be entitled to receive a pro-rata refund of any fees already paid to Service Provider.
7. Data Transfers
7.1 Data Transfer. The Parties agree that Personal Data may be transferred from the European Economic Area ("EEA") or the UK, as applicable, to a third country only if one of the following conditions applies: (a) there is an applicable decision of the European Commission that states that the third country ensures an adequate level of protection; (b) the transfer is done in accordance with Clause 6.2 for transfers from the EEA and with Clause 6.3 for transfers from the UK; or (c) the derogations for specific situations under Art. 49 of the GDPR or UK GDPR, as applicable, apply.
7.2 Application of EU SCCs. The Parties agree that when and to the extent the transfer of Personal Data from MEWS to the Service Provider is a Restricted Transfer and EU Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the EU SCCs, which shall be incorporated by reference into and form an integral part of this DPA as follows:
7.2.1 In relation to transfers of Personal Data protected by GDPR the EU SCCs will apply with following modifications:
a. Where MEWS is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where MEWS is a Processor acting on behalf of third party Controllers, Module 3 (Processor to Processor Clauses) will apply;
b. in Clause 7 (Docking Clause), the optional docking clause will apply;
c. in Clause 9 (a) (Use of Sub-processors), Option 2 will apply, and the time period for notifying a new sub-processor changes shall be as set out in Clause 6.1.1. of this DPA;
d. in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
e. in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Dutch law;
f. in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands; and
g. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA, and Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA.
7.3 Application of UK addendum. The Parties agree that when and to the extent the transfer of Personal Data from MEWS to the Service Provider is a Restricted Transfer and UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the UK addendum (see Appendix 4), which shall be incorporated by reference into and form an integral part of this DPA as follows:
7.3.1 The UK Addendum incorporates the EU SCCs, which are deemed to be amended to the extent necessary so that they operate for such transfers; where MEWS is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where MEWS is a Processor acting on behalf of third party Controllers, Module 3 (Processor to Processor Clauses) will apply;
7.3.2 The UK Addendum incorporates the EU SCCs with the following modifications:
a. Clause 6 of the EU SCCs (Description of the transfer(s)) is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex 1 (B) of this DPA where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
b. in Clause 9 (a) of the EU SCCs, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 5 (Sub-Processing) of this DPA;
c. in Clause 11 of the EU SCCs, the optional language will not apply;
d. Clause 13(a) of the EU SCCs and Part C of Annex I of the EU SCCs are not used; the “competent supervisory authority” is the UK Information Commissioner (the "ICO");
e. Clause 17 of the EU SCCs is replaced to state “These SCCs are governed by the laws of England and Wales”;
f. Clause 18 of the EU SCCs is replaced to state: “Any dispute arising from these SCCs shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”;
g. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA.
8. Limitation Of Liability
8.1 Liability. Notwithstanding anything else to the contrary in the Agreement, the Service Provider acknowledges and agrees that:
8.1.1 it shall be liable for any loss of data (including Personal Data) arising under or in connection with the Agreement, and this DPA (including Standard Contractual Clauses) to the extent such loss results from any failure of the Service Provider (or its Sub-processors) to comply with its obligations under this DPA or Data Protection Legislation; and
8.1.2 any exclusion of damages or limitation of liability that may apply to limit the Service Provider’s liability in the Agreement shall not apply to the Service Provider's liability arising under or in connection with this DPA (including Standard Contractual Clauses), howsoever caused, regardless of how such amounts or sanctions awarded are characterized and regardless of the theory of liability, which liability shall be expressly excluded from any agreed exclusion of damages or limitation of liability.
For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.
8.2 Indemnity. Service Provider agrees to fully indemnify and hold MEWS harmless from, and against, all expense, liability, claim or loss that results from any claims of third parties arising out of the breach of Data Protection Legislation, anti-spam law and electronic communication law attributable to the actions of Service Provider.
9. Miscellaneous
9.1 Termination. The Service Provider is not entitled to terminate this DPA for convenience. MEWS shall have the right to terminate the DPA by sending a written notice of termination to the Service Provider, such termination being effective immediately unless stated otherwise in the applicable termination notice. Upon the termination or expiry of this DPA, any rights and obligations of the Parties, accrued prior to the termination or expiry thereof shall continue to exist.
9.2 Survival Clause. The following provisions shall survive the termination or expiration of this DPA for any reason and shall remain in effect after any such termination or expiration: Section 1, 8, 9, any obligation related to confidentiality and warranties and such provisions which by their nature shall survive any termination or expiration. Termination or expiration of this DPA shall not affect any obligation accrued or arising prior to such termination or expiration.
9.3 Severability. The provisions of this DPA are severable, and if any part of this DPA is held to be illegal or unenforceable, the validity or enforceability of the remainder of this DPA will not be affected. The Annexes to this DPA constitute an integral part of this DPA.
9.4 Third-Party Beneficiaries. Data Subjects are the sole third-party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to the Agreement and this DPA.
9.5 Governing Law and Jurisdiction. Nothing in this DPA amends the Governing Law section of the Agreement, which shall, for the avoidance of doubt, govern all claims brought under the Agreement and this DPA.
9.6 Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.
9.7 Modifications. MEWS reserves the right to modify this DPA from time to time. If MEWS makes changes to this DPA, MEWS will notify the Service Provider of such changes by publishing the revised version of this DPA on https://www.mews.com/en/terms-conditions/service-partner-dpa. If the Service Provider does not agree with the changes made to the DPA in accordance with this Section ("Changes"), the Service Provider may exercise its right to terminate the Agreement within 30 days of notification of the respective Changes pursuant to Section “Modification, Amendments” of the Service Partner Terms.
9.8 Term. This DPA shall become effective on the effective date of the Agreement or upon starting with personal data processing by the Service Provider, whichever is sooner, and will continue to be in effect for the term of the Agreement plus the period from expiry or termination of the Agreement until the Service Provider ceases to process Personal Data on behalf of MEWS (the "Processing Term").
Annex 1
Description of the Processing Activities / Transfer
Annex 1(A) List of Parties:
Data Exporter: MEWS
Data Importer: Service Provider
Annex 1(B) Description of Transfer:
Categories of data subjects: The personal data transferred may concern individuals about whom personal data is transmitted or stored by Data Exporter or Customer via the Products or Services, which typically include individuals using Customer’s services or Customers’ employees, contractors, and partners.
Categories of personal data: The personal data transferred concerns the following categories of data: Customers' guest data contained in the contact forms, contact and identification information, including name, title, email, and address, ID and/or passport numbers, payment details, guests’ preferences, and Customer’s services details and limited connection and location data (city) in electronic form that is transferred to Data Importer with respect to the provision of Services (provided by the relevant sub-processor/importer). Furthermore, the contact details of Customers' employees, contractors, and partners, including their names, titles, and email addresses.
Sensitive data: Sensitive data such as disability and dietary requirements may be transferred if data subjects decide to share information of such nature. Technical and Organisational measures as per Annex II apply.
Frequency of the transfer: Continuous
Processing operations: The personal data transferred will be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Nature and subject matter of processing:
Duration of the processing: Processing Term
Purpose of the data transfer and further processing: (i) Processing to provide, maintain and support Services and Products provided to Customer in accordance with the Agreement and applicable Purchase Order; (ii) Processing initiated by users in their use of the Services or Products; and (iii) Processing to comply with other documented reasonable instructions provided by MEWS (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this DPA).
Retention period (or, if not possible to determine, the criteria used to determine that period): Processing Term
Annex 1(C): Competent supervisory authority
With respect to the Personal Data of Data Subjects in the EEA, the competent supervisory authority is the Dutch Data Protection Authority (the "Dutch DPA").
Annex 2
Technical and organizational measures
Description of the technical and organizational security measures implemented by the Service Provider
1. ACCESS CONTROL
1.1 Unauthorized persons shall be prevented from gaining physical access to premises, buildings or rooms, where data processing systems are located which process personal data. Exceptions may be granted for the purpose of auditing the facilities to third party auditors as long as they are supervised by the Service Provider and do not get access to the personal data themselves.
1.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
1.2.1 controls to specify authorized individuals permitted to access personal data;
1.2.2 implemented an access control process to avoid unauthorized access to the company’s premises;
1.2.3 implemented an access control process to restrict access to data centres / rooms where data servers are located;
1.2.4 utilises video surveillance and alarm devices with reference to access areas; and
1.2.5 ensured that personnel without access authorization (e.g. technicians, cleaning personnel) are accompanied at all times when accessing data processing areas.
2. SYSTEM ACCESS CONTROL
2.1 Data processing systems must be prevented from being used without authorization.
2.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
2.2.1 ensured that all systems processing personal data (this includes remote access) are password protected:
2.2.1.1 after boot sequences, and
2.2.1.2 when left even for a short period;
2.2.2 to prevent unauthorized persons from accessing any personal data;
2.2.3 provided dedicated user IDs for every individual for authentication against system user management;
2.2.4 assigns individual user passwords for authentication;
2.2.5 ensured that access control is supported by an authentication system;
2.2.6 controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access personal data in the performance of their function;
2.2.7 implemented a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords;
2.2.8 ensured that passwords are always stored in encrypted form;
2.2.9 implemented a proper procedure to deactivate user accounts when a user leaves the company or function;
2.2.10 implemented a proper process to adjust administrator permissions, when an administrator leaves company or function; and
2.2.11 implemented a process to log all access to systems and review those logs for security incidents.
3. DATA ACCESS CONTROL
3.1 Persons entitled to use a data processing system shall gain access only to the data to which they have a right of access, and personal data must not be read, copied, modified or removed without authorization in the course of processing.
3.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
3.2.1 restricted access to files and programs based on a "need-to-know-basis";
3.2.2 stored physical media containing personal data in secured areas;
3.2.3 controls to prevent use/installation of unauthorized hardware and software;
3.2.4 established rules for the safe and permanent destruction of data that are no longer required; and
3.2.5 controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access personal data in the performance of their function.
4. DATA TRANSMISSION CONTROL
4.1 Personal data must not be read, copied, modified or removed without authorization during transfer or storage, and it shall be possible to establish to whom personal data was transferred.
4.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
4.2.1 encrypted data during any transmission and at rest;
4.2.2 transported physical media containing personal data in sealed containers; and
4.2.3 maintained shipping and delivery notes.
5. DATA ENTRY CONTROL
5.1 The Service Provider shall be able retrospectively to examine and establish whether and by whom personal data have been entered into data processing systems, modified or removed.
5.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
5.2.1 controls to log administrators' and users' activities; and
5.2.2 controls to permit only authorized personnel to modify any personal data within the scope of their function.
6. JOB CONTROL
6.1 Personal data being processed in the performance of a service for MEWS shall be processed solely in accordance with the services agreement in place between MEWS and the Service Provider and in accordance with the instructions of MEWS.
6.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
6.2.1 established controls to ensure processing of personal data only for contractual performance;
6.2.2 controls to ensure staff members and contractors comply with written instructions or contracts; and
6.2.3 ensured that data is always physically or logically separated so that, in each step of the processing, the client from whom personal data originates can be identified.
7. AVAILABILITY CONTROL
7.1 Personal data shall be protected against disclosure, accidental or unauthorized destruction or loss.
7.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
7.2.1 arrangements to create back-up copies stored in specially protected environments;
7.2.2 arrangements to perform regular restore tests from those backups;
7.2.3 contingency plans or business recovery strategies;
7.2.4 controls to ensure that personal data is not used for any purpose other than for the purposes it has been contracted to perform;
7.2.5 controls to prevent removal of personal data from the data importer’s business computers or premises for any reason (unless data exporter has specifically authorized such removal for business purposes);
7.2.6 controls to use only authorized business equipment to perform the services;
7.2.7 controls to ensure that whenever a staff member leaves its desk unattended during the day and prior to leaving the office at the end of the day, he/she places materials containing personal data in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space. (clean desk);
7.2.8 implemented a process for secure disposal of documents or data carriers containing personal data;
7.2.9 implemented network firewalls to prevent unauthorized access to systems and services; and
7.2.10 ensured that each system used to process personal data runs an up-to-date antivirus solution.
8. ORGANIZATIONAL REQUIREMENTS
8.1 The internal organization of the data importer shall meet the specific requirements of data protection. In particular, the data importer shall take technical and organizational measures to avoid the accidental mixing of personal data.
8.2 The Service Provider warrants that it has (without limitation) implemented the following controls:
8.2.1 designated a data protection officer (or a responsible person if a data protection officer is not required by law);
8.2.2 obtained the written commitment of the employees to maintain confidentiality;
8.2.3 trained staff on data privacy and data security;
8.2.4 implemented a formal security incident response process that is consistently followed for the management of security incidents; and
8.2.5 trained staff in the security incident responder roles on the security incident process.
9. FURTHER TECHNICAL AND ORGANIZATIONAL MEASURES
9.1 Furthermore, the Data Importer shall implement security measures that are equivalent to those required under the agreement between MEWS and Customers, as available at this link: https://www.mews.com/en/platform-documentation#security.
Annex 3
Approved Sub-processors
The list of approved Sub-Processors of the Service Provider is included in the Agreement.
Annex 4
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This UK addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | Effective date of the DPA (clause 9.8 of the DPA) |
The Parties | Exporter | Importer |
Parties’ details | See Annex 1 (A) | See Annex 1 (A) |
Key Contact | See Annex 1 (A) | See Annex 1 (A) |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The version of the Approved EU SCCs which this UK addendum is appended to, detailed below, including the Appendix Information: Date: See effective date of the DPA. Reference (if any): Other identifier (if any): Or the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this UK addendum: |
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1. | N/A | | | | | |
2. | X | Applies | Does not apply | General authorisation | 30 days | N/A |
3. | X | Applies | Does not apply | General authorisation | 30 days | N/A |
4. | N/A | | | | | |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK addendum is set out in:
Annex 1A: List of Parties: | See Annex 1(A) of the DPA |
Annex 1B: Description of Transfer: | See Annex 1(B) of the DPA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: | See Annex 2 of the DPA |
Annex III: List of Sub-processors (Modules 2 and 3 only): | See Annex 3 of the DPA |
Table 4: Ending this UK addendum when the Approved Addendum changes
Which Parties may end this UK addendum as set out in Section 19: | Importer | Exporter | neither Party |
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template UK Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. By entering into the DPA, the Parties are deemed to have signed the mandatory clauses, incorporated herein by reference, as of the Effective date of the DPA. If the Information Commissioner issues a revised version of the Approved UK Addendum, this UK addendum is automatically amended as set out in the revised Approved UK Addendum from the start date specified therein unless the Parties agree otherwise.