This Anyscale Data Processing Addendum, including its Annexes and the Standard Contractual Clauses and UK Addendum (“DPA”), is supplemental to and forms part of the Anyscale Platform Terms and Conditions (currently located at anyscale.com/terms), and to the extent Customer utilizes Anyscale Endpoints and subject to the terms therein, the Generative AI Supplement (currently located at https://anyscale.com/gen-ai-terms) (“GenAI Supplement”), or other written or electronic terms of service or agreement for the provision of the Platform Services (collectively, the “Agreement”) entered into between Anyscale, Inc. ("Anyscale") and the entity referred to as “Customer” in the Agreement.
Customer enters into the DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of any Authorized Affiliate (defined below). Capitalized terms used herein and not otherwise defined in this DPA shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of this DPA and the Agreement, this DPA shall prevail.
This DPA applies solely to processing of Customer Personal Data within environments controlled by Anyscale or its Subprocessors and describes the parties' obligations with respect to the processing of such Customer Personal Data to ensure compliance with Applicable Data Protection Law.
The parties agree as follows:
1. Definitions
1.1 “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a party where "control" means either (a) direct or indirect ownership or control of greater than 50% of the voting securities of such entity; or (b) the ability to control the activities of the entity through contractual rights.
1.2 “Applicable Data Protection Law” means data protection and privacy laws and regulations applicable to a party and its respective processing of Customer Personal Data under the Agreement, including where applicable (a) the General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK GDPR”); and (c) the Swiss Federal Data Protection Act and its implementing regulations and ordinance (“Swiss Data Protection Act”); the California Consumer Privacy Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”) and other similar U.S. state data protection laws in effect; in each case, as amended, superseded or replaced from time to time.
1.3 “Authorized Affiliate” means a Customer Affiliate that is authorized to use the Platform Services under the Agreement and has not signed their own separate Agreement with Anyscale.
1.4 “Authorized Person” means any person authorized by Anyscale to process Customer Personal Data, including Anyscale employees, officers, contractors and consultants.
1.5 “Customer Personal Data” means any personal data contained in Customer Property, as further described in Annex A.
1.6 “Europe” means for the purposes of this DPA, the European Economic Area, Switzerland and the United Kingdom.
1.7 “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner, in each case whether such transfer is a direct or onward transfer.
1.8 “Personal Data Breach” means a confirmed breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed in environments controlled by Anyscale or its Subprocessors. A “Personal Data Breach” does not include activity that does not compromise Customer Personal Data, including (but not limited to) any unsuccessful attempt to access Customer Personal Data or Anyscale equipment or facilities storing Customer Personal Data, including without limitation pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
1.9 “Principles” means the EU-U.S. Data Privacy Framework Principles, the Swiss-U.S. DPF Principles, and UK Extension to the EU-U.S. Data Privacy Framework Principles, in each case, including the Supplemental Principles.
1.10 “Security Addendum” means the Anyscale Security Addendum located at anyscale.com/security-addendum, as may be updated from time to time in accordance with this DPA.
1.11 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as amended, superseded or replaced from time to time.
1.12 “Subprocessor” means any third party processor used by Anyscale to process Customer Personal Data, including any Anyscale Affiliate. A “Sub-processor” does not include any employee, contractor or consultant of Anyscale or its Affiliates.
1.13 “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
The lower case terms “controller,” “processor,” “personal data,” “data subject,” “process,” and “processing” have the meanings given to them by the GDPR. The term “controller” includes “business”, the term “data subject” includes “consumers”, and the term “processor” includes “service provider” (in each case, as defined by the CCPA).
2. Scope and Role of the Parties
2.1 Scope and details of processing. This DPA applies solely to the extent that Anyscale processes Customer Personal Data subject to Applicable Data Protection Law as a processor. The subject matter, nature, purpose, and duration of the processing, as well as the types of personal data processed and categories of data subjects involved, are described in Annex A.
2.2 Anyscale's role and processing instructions. Anyscale shall process Customer Personal Data as a processor on Customer's behalf and solely in accordance with Customer’s lawful documented instructions, which instructions shall include processing initiated by Customer in the use of and configuring of the Platform Services. For these purposes, Customer instructs Anyscale to process Customer Personal Data to perform the Platform Services in accordance with the Agreement, including this DPA (the “Permitted Purposes”). The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Anyscale in relation to the processing of Customer Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
2.3 Customer’s responsibilities. Customer shall be responsible for complying with its obligations under Applicable Data Protection Law in its processing of Customer Personal Data. In particular, Customer agrees that it shall (a) be responsible for determining whether the Platform Services are appropriate for processing Customer Personal Data consistent with Customer's legal and regulatory obligations; (b) comply with its obligations under Applicable Data Protection Law in its use of the Platform Services and any processing instructions it issues to Anyscale; and (c) ensure it has the right make available Customer Personal Data to Anyscale, including providing notice and obtaining all consents necessary under Applicable Data Protection Law for Anyscale (and its Subprocessors) to lawfully process Customer Personal Data for the Permitted Purposes. Anyscale is not responsible determining if Customer's instructions are compliant with applicable law, however Anyscale shall inform Customer if, in its opinion, Customer's processing instructions infringe Applicable Data Protection Law and Anyscale shall not be required to comply with such instruction. Taking into account the nature of the processing, Customer agrees that it is unlikely that Anyscale would become aware that any Customer Personal Data processed by Anyscale is inaccurate or outdated. To the extent Anyscale becomes aware of such inaccurate or outdated data, Anyscale will inform the Customer.
2.4 Third-party controllers. Where Customer is itself a processor of Customer Personal Data acting on behalf of a third party controller (or other intermediaries), Customer represents and warrants that (a) it is authorized to provide Customer Personal Data to Anyscale and that Customer's processing instructions reflect and do not conflict with the instructions of such third party controller; and (b) it will act as the sole point of contact for Anyscale with regard to such third party controller and Anyscale need not interact directly with (including seeking authorizations directly from or providing notifications directly to) such third party controller other than through the regular provision of the Platform Services.
3. Anyscale Data Processing Obligations
3.1 Confidentiality. Anyscale shall ensure that any Authorized Person is subject to a duty of confidentiality (whether contractual or statutory) and that they shall only process Customer Personal Data for the Permitted Purposes.
3.2 Security. Anyscale shall implement and maintain appropriate technical and organizational measures designed to (a) protect Customer Personal Data from Personal Data Breaches and (b) preserve the security, confidentiality and integrity of Customer Personal Data, as further described in the Security Addendum.
3.3 Security Updates. Anyscale may update the Security Addendum from time to time, provided that any updates shall not materially diminish the overall security of Customer Personal Data. Customer shall be responsible for reviewing the Security Addendum and any other information made available by Anyscale relating to data security and making an independent determination as to whether the Security Addendum meets the Customer's requirements and obligations under Applicable Data Protection Law.
3.4 Personal Data Breaches. Anyscale shall inform Customer without undue delay upon becoming aware of a Personal Data Breach and take such measures as Anyscale may deem necessary and reasonable to remediate the Personal Data Breach. Anyscale shall provide Customer with timely information about the nature of the Personal Data Breach as such information becomes known or available to Anyscale, and provide reasonable cooperation and assistance to enable Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying the relevant supervisory authority and/or affected data subjects. The obligations described in this Section 3.4 shall not apply to Personal Data Breaches that result from Customer's actions or omissions, and any obligation to report or respond to a Personal Data Breach will not be construed as an acknowledgement by Anyscale of any fault or liability with respect to such Personal Data Breach or the Customer Personal Data concerned.
3.5 Audits.
(a) Upon Customer's request, and no more than once per calendar year, Anyscale shall (a) make available for Customer's review summary copies (on a confidential basis) of existing audit reports and certifications (each, an "Audit Report") to help Customer assess Anyscale's compliance with this DPA and Applicable Data Protection Law; and (b) only to the extent a supervisory authority determines that Anyscale's provision of such Audit Reports does not provide sufficient information to allow Customer to assess Anyscale's compliance with this DPA or Applicable Data Protection Law, Customer shall have the right, at Customer's expense, to conduct an audit or assessment of reasonable scope and duration to a mutually agreed-upon audit or assessment plan with Anyscale that is consistent with the Audit Parameters ("Audit").
(b) Each Audit must conform to the following parameters (“Audit Parameters”): (i) be reasonable in scope taking into account the architecture of and use by Customer of the Platform Services (ii) be conducted by an independent third party that will enter into a confidentiality agreement with Anyscale; (iii) occur at a mutually agreed date and time and only during Anyscale’s regular business hours; (iv) occur no more than once annually with at least three weeks’ advance written notice; (v) cover only facilities controlled by Anyscale; (vi) not violate any obligation between Anyscale and its service providers or third-party, (vii) restrict findings to only Customer Personal Data relevant to Customer; and (viii) obligate Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
(c) The parties agree that the audit rights granted under the Standard Contractual Clauses shall be exercised in accordance with this Section 3.5.
3.6 Subprocessors.
(a) Customer provides a general authorization for Anyscale to appoint Subprocessors, including the Subprocessors listed at anyscale.com/subprocessors (or such other successor URL as may be notified to Customer from time to time) ("Subprocessor List").
(b) Anyscale will: (i) ensure that each Subprocessor shall be bound by a written agreement, including data protection terms and security measures, no less protective of Customer Personal Data than the Agreement and this DPA; and (ii) be liable for any breach of this DPA caused by an act, error or omission of its Subprocessors to the extent Anyscale would have been liable had such breach been caused by Anyscale. Notwithstanding the foregoing, Customer acknowledges and accepts that Section 3 of the GenAI Supplement shall apply with respect to the use of Anyscale Endpoints.
(c) Anyscale shall notify Customer if it engages a new Subprocessor at least ten (10) days prior to any such change if Customer opts-in to receive such notifications in the manner made available on the Subprocessor List.
(d) Customer may object in writing to Anyscale's appointment of a new Subprocessor based on reasonable data protection concerns by emailing privacy@anyscale.com within five (5) calendar days of notice of a new Subprocessor from Anyscale and the parties will discuss such concerns in good faith. If parties are unable to reach a mutually agreeable resolution, Anyscale shall either: (a) instruct the Subprocessor to not process Customer Personal Data; (b) with respect to new Subprocessors for the Platform Services, permit Customer to continue to use the Platform Services without the functionality offered by the new Subprocessor, or (c) notify Customer of its option to terminate the Agreement and this DPA within fourteen (14) calendar days. If Customer exercises its right to terminate the Agreement and this DPA, Anyscale will provide Customer, as its sole and exclusive remedy, with a pro rata reimbursement of any prepaid, but unused fees.
3.7 Cooperation.
(a) Data Subject Rights. Anyscale shall, taking into account the nature of the processing, provide Customer with reasonable assistance (including by appropriate technical and organization measures, in so far as this is possible) to enable Customer to respond to (i) any requests from a data subject seeking to exercise any of its rights under Applicable Data Protection Law (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Personal Data (collectively "Correspondence"). In the event the Correspondence is made directly to Anyscale, it shall where the Customer is identified or identifiable from the Correspondence, promptly notify Customer and shall not, unless legally compelled to do so, respond directly to the Correspondence except to refer the requestor to Customer to allow Customer to respond as appropriate. Any assistance provided shall be relevant to the Platform Services that support the processing of Customer Personal Data and commercially reasonable and proportionate to the objective of the exercise with which Anyscale is requested to assist.
(b) Law Enforcement Requests. If Anyscale receives a subpoena, court order, warrant or other legal demand from law enforcement or public or judicial authorities seeking the disclosure of Customer Personal Data, Anyscale shall, where the Customer is identified or identifiable from such disclosure request and to the extent required and permitted by applicable law, promptly notify Customer of such request and reasonably cooperate with Customer to limit, challenge or protect against such disclosure.
(c) Data Protection Assessments; Data Protection Impact Assessments. Anyscale shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under Applicable Data Protection Law to conduct a data protection assessment, data protection impact assessment and/or to consult with the competent supervisory authorities with respect to Anyscale's processing of Customer Personal Data. Anyscale shall comply with the foregoing by: (i) complying with Section 3.5 (Audits); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer's expense.
3.8 Deletion on Termination. Upon Customer’s request following termination or expiry of the Agreement, Anyscale shall return or delete all Customer Personal Data in its possession or control (except to the extent Anyscale is required to retain any Customer Personal Data under applicable law, in which case Anyscale shall isolate and protect such data from any further processing until it can be lawfully deleted).
4. International Transfers; CCPA Compliance
4.1 Processing Locations. Anyscale may transfer and Process Customer Personal Data in the United States and anywhere else in the world where Anyscale or Subprocessors maintain data processing operations. Anyscale shall ensure that Customer Personal Data is adequately protected in accordance with the requirements of Applicable Data Protection Law and this DPA.
4.2 Restricted Transfers. Where the transfer of Customer Personal Data from Customer to Anyscale is a Restricted Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form an integral part of this DPA in accordance with Annex B.
4.3 Alternative Transfer Mechanism. To the extent that Anyscale adopts an alternative data transfer mechanism (including, but not limited to, any new version of or successor to the Standard Contractual Clauses or participation in the EU-U.S. Data Privacy Framework) (“Alternative Transfer Mechanism”), such Alternative Transfer Mechanism shall automatically apply instead of the Standard Contractual Clauses described in this DPA, but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to territories to which Customer Personal Data is transferred.
4.4 EU-U.S. Data Privacy Framework. If Customer carries out a Restricted Transfer of Customer Personal Data to Anyscale in the United States and Anyscale is a participant in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework, Anyscale will: (a) provide at least the same level of privacy protection as is required by the Principles; (b) Process such Customer Personal Data in a manner consistent with the Principles; and (c) notify Customer if Anyscale makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles. If Customer reasonably believes that Anyscale is engaged in unauthorized Processing of Customer Personal Data that is subject to this Section 4.4, Customer will immediately notify Anyscale of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary. Customer may provide a summary or a representative copy of the relevant privacy provisions of the Agreement, including this DPA to the U.S. Department of Commerce.
4.5 CCPA Compliance. To the extent that Anyscale’s Processing of Customer Personal Data is subject to the CCPA, this Section 4.5 will also apply. Customer discloses or otherwise makes available Customer Personal Data to Anyscale for the Permitted Purposes. Anyscale shall: (a) comply with its applicable obligations under the CCPA; (b) provide the same level of protection as required under the CCPA; (c) notify Customer if it can no longer meet its obligations under the CCPA; (d) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (e) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than the Permitted Purposes or as otherwise permitted under the CCPA; (f) unless otherwise permitted by the CCPA, not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Anyscale; and (g) unless otherwise permitted by the CCPA, not combine Customer Personal Data with personal data that Anyscale (i) receives from, or on behalf of, another person, or (ii) collects from its own, independent consumer interaction. Anyscale will permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that Anyscale Processes Customer Personal Data in a manner consistent with the obligations applicable to a “Business” under the CCPA by requesting that Anyscale attest to its compliance with this Section 4.5. Following any such request, Anyscale will promptly provide that attestation or notice about why it cannot provide it. If Customer reasonably believes that Anyscale is engaged in unauthorized Processing of Customer Personal Data that is subject to this Section 4.5, Customer will immediately notify Anyscale of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
5. General
5.1 Governing law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
5.2 Modifications. This DPA may not be modified except by a subsequent written instrument signed by both parties. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
5.3 Survival. The obligations placed upon Anyscale under this DPA shall survive so long as Anyscale and its Subprocessors processes Customer Personal Data on Customer's behalf.
5.4 Authorized Affiliates. Anyscale’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) Customer is solely responsible for communicating any processing instructions on behalf of its Authorized Affiliates; (b) Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations under this DPA; and (c) if an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against Anyscale (“Authorized Affiliate Claim”), Customer must bring such Authorized Affiliate Claim directly against Anyscale on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim, and all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.
5.5 Limitation of Liability. The total and combined liability of each of the parties (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence), or any other theory of liability, shall be subject to the exclusions and limitations of liability set forth in the Agreement.
5.6 Third Party Rights. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a third party controller), but without prejudice to the rights or remedies available to data subjects under Applicable Data Protection Law or the Standard Contractual Clauses.
Last updated May 1, 2024.
ANNEX 1(A): LIST OF PARTIES
Data exporter: | Name of data exporter: | The entity referred to as “Customer” in the Agreement |
Contact person’s details: | If a Customer has signed an Order Form, the contact person’s details are those set forth therein; if not, the Customer’s admin users shall be deemed the contact. | |
Activities relevant to data transfer: | See Annex 1.B below | |
Signature and date: | Execution of the Agreement shall be deemed valid execution of the DPA (including the SCCs) | |
Role (controller/processor): | Controller (for Module 2) or processor (for Module 3) | |
Data importer: | Name of the data importer: | Anyscale, Inc. |
Contact person’s details: | Patrick Lonergan Head of Legal privacy@anyscale.com | |
Activities relevant to data transfer: | See Annex 1.B below | |
Signature and date: | Execution of the Agreement shall be deemed valid execution of the DPA (including the SCCs) | |
Role (controller/processor): | Processor |
ANNEX 1(B): DESCRIPTION OF THE TRANSFER AND PROCESSING
Categories of data subjects: | The categories of data subjects included in Customer Personal Data are determined and controlled by Customer in its sole discretion and may include, without limitation: (i) Customer's employees, agents, authorized sub-contractors and advisors; and/or (ii) Customer's prospects, customers, business partners, vendors, end-users or other subjects of Customers models. |
Categories of personal data: | The categories of personal data included in Customer Personal Data are determined and controlled by Customer in its sole discretion (as such data may be relevant to the Customer's model) and may include, without limitation: (i) images of individuals, (ii) contact information such as name, email address or other identifiers, and (ii) the contents of Customer queries saved as logs. |
Sensitive data (if applicable): | Customer Personal Data may include ‘special categories of personal data’ as defined under Applicable Data Protection Laws, subject to any applicable restrictions and/or conditions in the Agreement. The nature of any such data is determined and controlled by Customer in its sole discretion and may include, without limitation: (i) biometric data (including as such data may form part of any images of individuals submitted to the Platform Services); and/or (ii) health data (as may be a feature of any health records, lab reports, x-rays, insurance claims, etc. which may be submitted to the Platform Services). |
Frequency of the transfer: | Continuous or one-off depending on the nature of the Services being provided by Anyscale. |
Nature, subject matter and duration of processing: | The nature of the processing is the provision of the Platform Services as further described in the Agreement, and the subject matter is Customer Personal Data. The processing duration is the period for which Anyscale processes Customer Personal Data as determined by the Customer through its processing instructions. |
Purpose of processing: | Anyscale shall process Customer Personal Data for the Permitted Purposes, as described in the Agreement and this DPA. |
Retention period: | Anyscale will retain Customer Personal Data as instructed by Customer and in accordance with the Agreement, including this DPA. |
ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority | The data exporter's competent supervisory authority shall be determined in accordance with the GDPR. |
ANNEX B – STANDARD CONTRACTUAL CLAUSES (MODULES 2 AND 3)
1.1 To the extent the Standard Contractual Clauses are deemed incorporated into and form an integral part of the DPA pursuant to Section 4.2 of the DPA, they shall apply as follows:
(a) In relation to transfers of Customer Personal Data protected by the GDPR, the SCCs shall apply as follows:
(1) the Module Two terms shall apply where Customer is the controller of Customer Personal Data and the Module Three terms shall apply where Customer is a processor of Customer Personal Data;
(2) in Clause 7, the optional docking clause shall apply and Affiliates may accede to the SCCs subject to mutual agreement of the parties;
(3) in Clause 9, option 2 (“general authorization”) is selected and the process and time period for prior notice of Sub-processor changes is set out in Section 3.6 of the DPA;
(4) in Clause 11, the optional language shall not apply;
(5) in Clause 17, option 1 shall apply and the SCCs will be governed by the laws of the Republic of Ireland;
(6) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland;
(7) Annex I shall be deemed completed with the information set out in Annex A of the DPA;
(8) Annex II shall be deemed completed with the Security Measures (as described in Section 3.2 of the DPA).
(b) In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as implemented by Section 1.1(a) above shall apply with the following modifications:
(1) the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
(2) Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in the DPA (including its Annexes) and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and
(3) any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with section 10 and section 11 of the UK Addendum.
(c) In relation to transfers of Customer Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented by Section 1.1(a) above shall apply with the following modifications:
(1) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
(2) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and “Swiss law” and references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “competent Swiss courts”; and
(3) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.