SCC – Standard contractual clauses for International transfer

Parties to the Standard Contractual Clauses:

Data Exporter: The data exporter is the party transferring personal data outside of the European Economic Area (EEA). The data exporter can be either a Data Controller or a Data Processor under applicable data protection laws.

Data Importer: The data importer is the party receiving personal data from the data exporter and processing it in accordance with the terms outlined in these Standard Contractual Clauses. The data importer may act as either a Data Processor (in the context of Module 2) or a Subprocessor (in the context of Module 3).

With regard to the Standard Contractual Clauses, the Parties agree as follows:

(a) Applicability of Modules

• Module 2 (Controller-to-Processor) will apply where NTH acts as the Company’s data processor.
• Module 3 (Processor-to-Processor) will apply where NTH acts as a Processor or Subprocessor to the Company who is also a Processor or a Subprocessor.

(b) Docking Clause

• Clause 7 (Docking Clause) is incorporated into this agreement.

(c) Use of Sub-Processors

• For the purposes of Clause 9.a) (Use of sub-processors), Option 2: General written authorization shall apply. The data importer has the data exporter’s general authorization for the engagement of sub-processors as described in the DPA.

(d) Redress

• The optional wording in Clause 11 (Redress) on independent resolution bodies is not incorporated.

(e) Supervision

For the purpose of Clause 13 (Supervision),  the competent supervisory authority shall be one of the following:

• If the data exporter is located within the European Union (EU): The supervisory authority of the data exporter’s place of establishment.
• If the data exporter is located outside the EU: The supervisory authority of the data importer’s place of establishment.

(f) Governing Law

Governing Law Agreed in Master Agreement:

• The governing law for these Standard Contractual Clauses shall be the law agreed upon by the parties in the Master Agreement, unless that law does not ensure the mandatory application of the General Data Protection Regulation (GDPR) or does not provide adequate protection for personal data as required by the GDPR.

Applicable Law Based on Party Location:

• If the agreed law in the Master Agreement does not ensure GDPR compliance, the governing law shall be determined as follows:
• If the data exporter is established within the European Union (EU): The laws of the EU member state where the data exporter is established shall govern these Standard Contractual Clauses.
• If the data exporter is established outside the EU: The laws of the jurisdiction where the data importer is established shall govern these Standard Contractual Clauses.

(g) Choice of Forum and Jurisdiction

Jurisdiction Agreed in Master Agreement:

• The courts specified in the Master Agreement shall have jurisdiction over any disputes arising out of these Standard Contractual Clauses, provided they ensure compliance with GDPR standards and offer adequate protection of data subject rights.

Applicable Jurisdiction Based on Party Location:

If the agreed forum in the Master Agreement does not ensure GDPR compliance or does not provide adequate protection, jurisdiction for resolving disputes under these SCCs shall be determined as follows:

• If the data exporter is established within the European Union (EU): The courts of the EU member state where the data exporter is established shall have jurisdiction over disputes arising out of these Standard Contractual Clauses.
• If the data exporter is established outside the EU: The courts of the jurisdiction where the data importer is established shall have jurisdiction over disputes arising out of these Standard Contractual Clauses.

(h) Description of Transfer

Appendix 1 to the DPA (Details of processing) shall be completed with transfer as follows:

• No sensitive data shall be transferred unless otherwise specified.
• The frequency of the transfer shall be continuous for the duration of the Agreement or as specified in the DPA.
• For transfers to sub-processors, the subject matter, nature, and duration of processing shall match those of the Data Importer as outlined in the DPA.

(i) Competent Supervisory Authority

• The competent supervisory authority in accordance with Clause 13 shall be the supervisory authority of the EU Member State in which the data exporter is established.
• If the data exporter is not established within the European Union (EU), the competent supervisory authority shall be the authority of the EU Member State in which the data representative is located, or where applicable, the data importer’s establishment within the EU.

(j) Technical and Organizational Measures

• Technical and organizational measures that NTH has in place are described in Appendix 2 to the DPA. Technical and organizational measures that the Company has in place will be described in DPA Acceptance document, if applicable.