Data Processing Agreement

Last Updated: 8-7-23 

This Data Processing Agreement (“DPA”) is attached to and made a part of the Order Form between ATS and Customer and outlines the rights and responsibilities of each party with respect to data confidentiality as per Relevant Legislation (as defined herein), including instances when GDPR (as defined herein) or UK GDPR (as defined herein) is applicable to the services rendered by ATS for the Customer’s usage. In the event of any conflict between the terms and conditions of the Order Form and the terms and conditions of this DPA, the terms and conditions of this DPA shall govern. Any breach of the provisions of this DPA shall also be deemed a breach of the entire Agreement. Please note that we may update this DPA at any time and at our sole discretion, and the latest version can be found at https://loudspot.com/contracts/dpa. You are responsible for monitoring this link and being aware at all times of the most up-to-date DPA.  

Glossary. All capitalized terms used but not defined herein shall have the meaning ascribed to them in the Order Form. Furthermore, the following terms shall have the meaning set forth below: 

“2021 SCCs” pertains to: (i) for Personal Data of residents in the European Economic Area, the standard contractual clauses for transferring Personal Data from Controllers to Processors set up in third countries outside of the European Union, in line with the European Commission’s 2021 EU Standard Contractual Clauses (Module 2 Controller to Processor) annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, including Annexes I, II, and III, collectively attached herein as Annex A.  

“California Privacy Laws” refers to the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2023.  

“Controller” takes the definition given in the Relevant Legislation or, if undefined therein, the GDPR.  

“Data Subject” signifies an identified or identifiable natural person whose rights are safeguarded by GDPR or a  

“GDPR” stands for Regulation 2016/679 of the European Parliament and the Council of 27 April 2016.  

“Personal Data” denotes any information related to an identifiable individual, either by itself or in conjunction with other information, that ATS will Process or have access to during the service provision, inclusive of any such data created by the Services. Personal Data includes “personal data” as defined under GDPR and “personal information” as defined under California Privacy Laws.  

“Process,” when referring to Personal Data, means: (i) recording, storing, organizing, structuring, analyzing, querying, modifying, combining, encrypting, displaying, disclosing, transmitting, receiving, rendering unusable, or destroying, by automated means or otherwise; (ii) offering cloud or other remote technology hosting services for applications or services performing any of the aforementioned tasks; and (iii) any other use or activity that is defined or understood to be processing under Relevant Legislation.  

“Processor” takes the definition given in the Relevant Legislation or, if not defined therein, the GDPR.  

“Relevant Legislation” implies any decree, regulation, executive instruction, and other rule or laws issued by a governmental office or agency that possess legal authority and are universally applicable to Personal Data or the service provisions with respect to Personal Data, including GDPR, UK GDPR, Data Protection Act 2018, California Privacy Laws, and the state and federal laws of the United States.  

“UK GDPR” signifies General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

Confidential Information. The Personal Data that ATS Processes for you as part of the Services is your Confidential Information as per our confidentiality commitments outlined in the Agreement and anyone authorized to Process Personal Data is subject to confidentiality obligations or is under a suitable statutory obligation of confidentiality. We extend the commitments stated in this DPA regarding Personal Data. 

 Usage and Disclosure. To the extent that we are permitted to transfer Personal Data to other jurisdictions, we will provide a level of protection for the Personal Data that is at least equivalent to the level of protection that we are obligated to provide in the jurisdiction in which the Personal Data was first received by us.  

Suspension and Termination of Processing. You may suspend or terminate our Processing of Personal Data if you reasonably believe that we are in breach of our obligations under this DPA, the Agreement, or Relevant Legislation. If you suspend or terminate our Processing of Personal Data, you may require us to return the Personal Data to you or delete it. If we cannot comply with your request to return or delete Personal Data, you may terminate the Agreement without liability. If you terminate the Agreement, we will return or delete the Personal Data unless required by law to retain it, in which case we will continue to protect the Personal Data in accordance with this DPA and the Agreement.  

Indemnification. Without limiting any of your other indemnification obligations under the Agreement, you agree to indemnify, defend, and hold us harmless from and against all losses, liabilities, costs, damages and expenses (including reasonable attorneys’ fees and costs) resulting from any claim, suit, action, demand or proceeding brought by any third party against us arising from your breach of this DPA or the Agreement.  

Transfers upon Termination or Expiration. Upon termination or expiration of the Agreement, we will return to you or destroy all Personal Data in our possession or control. This requirement will not apply to the extent that we are required by Relevant Legislation to retain some or all of the Personal Data, or to Personal Data we have archived on back-up systems, which Personal Data we will securely isolate and protect from any further Processing except to the extent required by such law. 

 

APPENDIX A1 

ESTABLISHED AGREEMENT PROVISIONS (EU) 

SECTION I 

Provision 1 

Objective and breadth 

These established agreement provisions are designed to meet the prerequisites of Regulation (EU) 2016/679 of the European Parliament and the Council from 27 April 2016 concerning the safeguarding of individuals in relation to the handling of Personal Data and the unimpeded movement of such data for the relocation of Personal Data to an outside country.  

The Participants:  

The individual(s) or legal entity/entities, public institution/s, agency/ies or other body/ies (hereinafter referred to as “entity/ies”) moving the Personal Data, as listed in Appendix I.A. (hereinafter “data dispatcher”), and  

The entity/ies in a foreign country obtaining the Personal Data from the data dispatcher, directly or indirectly through another entity also Participant to these Provisions, as itemized in Appendix I.A. (hereinafter “data receiver”) have accepted these established agreement provisions (hereinafter: “Provisions”). 

These Provisions are applicable concerning the transfer of Personal Data as detailed in Appendix I.B. Appendix I.A and Appendix I.B constitute an essential part of this Appendix A.  

Provision 2 

Impact and immutability of the Provisions 

These Provisions lay down suitable safeguards, including enforceable rights of Data Subjects and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, regarding data transfers from Controllers to Processors and/or Processors to Processors, established contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are unaltered, except to choose the relevant Module(s) or to supplement or revise information in the Addendum. This doesn’t inhibit the Participants from incorporating the established contractual clauses defined in these Provisions in a broader contract and/or to append other clauses or extra safeguards, provided they do not oppose, directly or indirectly, these Provisions or harm the basic rights or freedoms of Data Subjects. These Provisions are impartial to obligations to which the data dispatcher is subject by virtue of Regulation (EU) 2016/679.  

Provision 3 

Third-party beneficiaries 

Data Subjects may invoke and enforce these Provisions, as third-party beneficiaries, against the data dispatcher and/or data receiver, with the following exceptions: Provision 1, Provision 2, Provision 3, Provision 6, Provision 7; Provision 8 – Module One: Provision 8.5 (e) and Provision 8.9(b); Module Two: Provision 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Provision 8.1(a), (c) and (d) and Provision 8.9(a), (c), (d), (e), (f) and (g); Module Four: Provision 8.1 (b) and Provision 8.3(b); Provision 9 – Module Two: Provision 9(a), (c), (d) and (e); Module Three: Provision 9(a), (c), (d) and (e); Provision 12 – Module One: Provision 12(a) and (d); Modules Two and Three: Provision 12(a), (d) and (f); Provision 13; Provision 15.1(c), (d) and (e); Provision 16(e); Provision 18 – Modules One, Two and Three: Provision 18(a) and (b); Module Four: Provision 18. Provision (a) doesn’t prejudice rights of Data Subjects under Regulation (EU) 2016/679.  

Provision 4 

Interpretation 

Where these Provisions utilize terms that are delineated in Regulation (EU) 2016/679, those terms will bear the same implication as in that Regulation. These Provisions should be examined and construed in the context of the stipulations of Regulation (EU) 2016/679. These Provisions should not be construed in a manner that clashes with rights and duties provided for in Regulation (EU) 2016/679.  

Provision 5 

Hierarchy 

In case of a contradiction between these Provisions and the terms of associated agreements between the Participants, existing at the time these Provisions are settled or entered into subsequently, these Provisions shall take precedence. 

Provision 6 

Characterization of the transfer(s) 

The specifics of the transfer(s), especially the categories of Personal Data being transferred and the purpose(s) for which they are transferred, are detailed in Appendix I.B. 

Provision 7 

Incorporation clause 

An entity that is not a Participant to these Provisions may, with the agreement of the Participants, accede to these Provisions at any time, either as a data dispatcher or as a data receiver, by completing the Addendum and signing Appendix I.A. 
Upon completion of the Addendum and signing Appendix I.A, the incorporating entity shall become a Participant to these Provisions and have the rights and duties of a data dispatcher or data receiver as per its designation in Appendix I.A. The incorporating entity shall have no rights or obligations arising under these Provisions from the period prior to becoming a Participant.  

SECTION II – RESPONSIBILITIES OF THE PARTICIPANTS 

Provision 8 

Data protection safeguards 

The data dispatcher guarantees that it has exerted reasonable efforts to determine that the data receiver can, through the application of appropriate technical and organizational measures, fulfill its duties under these Provisions. 

8.1 Instructions 

The data receiver shall Process the Personal Data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. 

The data importer shall immediately inform the data exporter if it is unable to follow those instructions. 

Provision 9 

Use of Sub-processors 

The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list.  

The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s).  

The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.  

Where the data importer engages a sub-processor to carry out specific Processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under this annex, including in terms of third-party beneficiary rights for Data Subjects. The Parties agree that, by complying with this Provision, the data importer fulfils its obligations under Provision 8.  

The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Provisions.  

The data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer.  

The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.  

The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processing contract and to instruct the sub-processor to erase or return the Personal Data.  

Provision 10 

Data Subject rights 

The data importer shall promptly notify the data exporter of any request it has received from a Data Subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter. The data importer shall assist the data exporter in fulfilling its obligations to respond to Data Subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the Processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. The data importer shall not refuse to assist the data exporter on the grounds of disproportionateness or because it involves disproportionate effort. Where the Data Subjects’ requests are manifestly unfounded or excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.  

Provision 11 

Redress 

In case of a dispute between a Data Subject and one of the Parties as regards compliance with these Provisions, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them. Where the Data Subject invokes a third-party beneficiary right pursuant to Provision 3, the data importer shall accept the decision of the Data Subject to: 

lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Provision 13;

refer the dispute to the competent courts within the meaning of Provision 18.

The Parties accept that the Data Subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. The data importer shall abide by a decision that is binding under the applicable EU or Member State law. The data importer agrees that the choice made by the Data Subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Provision 12 

Liability 

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Provisions. Each Party shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages the Party causes the Data Subject by breaching the third-party beneficiary rights under these Provisions. The Parties agree that if one Party is held liable under Provision (b), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage. The Parties agree that they may be held liable for the entire damage in order to ensure effective compensation of the Data Subject, in accordance with Article 82(4) of Regulation (EU) 2016/679. They may subsequently claim back from each other that part of the compensation corresponding to their part of responsibility for the damage, in accordance with Article 82(5) of Regulation (EU) 2016/679. Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of these Provisions, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties. The Parties agree that if one Party is held liable under Provision (e), it shall be entitled to claim back from each of the other Parties that part of the compensation corresponding to its part of responsibility for the damage, in accordance with Article 82(5) of Regulation (EU) 2016/679. The data importer may not invoke the conduct of a Processor or sub-processor to avoid its own liability.  

Provision 13

Regulatory Oversight 

The regulatory body tasked with ensuring the data provider’s adherence to Regulation (EU) 2016/679 concerning data transfer, as specified in Annex I.C, will serve as the relevant overseeing body. The data receiver commits to adhering to the regulatory authority’s jurisdiction and cooperating in any procedures designed to ensure compliance with these provisions. Specifically, the data receiver agrees to address inquiries, subject itself to audits, and adhere to measures implemented by the regulatory body, including remedial and compensatory actions. Written confirmation of necessary actions taken must be provided to the regulatory body. 

SECTION III – LOCAL LAWS AND RESPONSIBILITIES IN THE EVENT OF PUBLIC AUTHORITY ACCESS 

Provision 14 

Local Laws and Practices Impacting Compliance with the Provisions 

The involved parties affirm that they have no reason to suspect that the legal framework and practices in the recipient’s destination country, relating to the Processing of Personal Data by the data receiver, including any disclosure requirements or authorizations for public authorities’ access, prevent the data receiver from fulfilling these provisions’ obligations. This is based on the understanding that laws and practices preserving fundamental rights and freedoms’ essence, and not exceeding what is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, do not contradict these provisions. 

The parties confirm that the assurance in the above Provision considers: the unique conditions of the transfer, including the Processing chain’s length, the number of participants involved, the used transmission methods, intended future transfers, recipient type, Processing purpose, transferred Personal Data’s categories and format, the economic sector of the transfer, and the storage location of the transferred data; the third destination country’s laws and practices – including requirements for data disclosure to public authorities or authorizations for such authorities’ access – relevant considering the specific transfer circumstances, and any existing limitations and safeguards; any relevant contractual, technical, or organizational safeguards implemented to supplement these provisions’ safeguards, including measures applied during transmission and to the Personal Data Processing in the destination country.

The data receiver guarantees that it has made every reasonable effort to provide the data provider with pertinent information in carrying out the above assessment and agrees to continue cooperating with the data provider to ensure compliance with these provisions. 

The parties agree to record the above assessment and provide it to the competent regulatory authority when requested. 

The data receiver commits to promptly notifying the data provider if it believes, after accepting these provisions and for the contract’s duration, that it is or has become subject to laws or practices inconsistent with the above requirements, including following a change in the third country’s laws or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the above requirements. 

Upon notification in accordance with the above Provision or if the data provider has reason to suspect that the data receiver can no longer fulfill its obligations under these provisions, the data provider should quickly identify suitable measures (e.g., technical or organizational measures to ensure security and confidentiality) to be implemented by the data provider and/or data receiver to rectify the situation. The data provider should halt the data transfer if it determines that appropriate safeguards for such transfer can’t be ensured, or if directed to do so by the competent regulatory authority. In this case, the data provider has the right to terminate the contract, insofar as it concerns the Processing of Personal Data under these provisions. If the contract involves more than two parties, the data provider may only terminate with respect to the relevant party, unless otherwise agreed by the parties. Where the contract is terminated pursuant to this provision, Provision 16(d) and (e) shall apply. 

Provision 15 

Responsibilities of the Data Receiver in the Event of Public Authority Access 

15.1 Communication 

The data receiver commits to promptly informing the data provider and, if possible, the Data Subject (if needed with the assistance of the data provider) if it: receives a legally binding request for disclosure of Personal Data transferred under these provisions from a public authority, including judicial authorities, under the destination country’s laws. Such communication should include information about the requested Personal Data, the requesting authority, the request’s legal basis, and the response provided; or becomes aware of direct access by public authorities to Personal Data transferred under these provisions in accordance with the destination country’s laws. Such communication should include all information available to the importer.

If the data receiver is prohibited from informing the data provider and/or Data Subject under the destination country’s laws, the data receiver agrees to make every reasonable effort to obtain a waiver of the prohibition to provide as much information as possible, as soon as possible. The data receiver agrees to document these efforts to demonstrate them to the data provider when requested. 

Where permissible under the destination country’s laws, the data receiver agrees to provide the data provider, at regular intervals for the contract’s duration, with as much relevant information as possible regarding the received requests (specifically, the number of requests, type of requested data, requesting authority/ies, whether requests have been contested, and the outcomes of such contests, etc.). 

The data receiver commits to preserving information according to the above Provisions (a) to (c) for the duration of the contract and making it available to the competent regulatory authority when requested.

The obligations of the data receiver under Provision 14(e) and Provision 16 to promptly inform the data provider if it can’t comply with these provisions aren’t affected by Provisions (a) to (c). 

15.2 Legality Review and Data Minimization 

The data receiver commits to reviewing the legality of the disclosure request, particularly whether it remains within the powers granted to the requesting public authority, and to contest the request if, after careful evaluation, it concludes that there are reasonable grounds to believe that the request is illegal under the destination country’s laws, applicable international law obligations, and principles of international comity. The data receiver shall, under the same conditions, seek appeal possibilities. When contesting a request, the data receiver shall seek interim measures with a view to suspending the request’s effects until the competent judicial authority has decided on its merits. It shall not disclose the requested Personal Data until required to do so under the applicable procedural rules. These requirements don’t affect the obligations of the data receiver under Provision 14(e). 

The data receiver agrees to document its legal evaluation and any challenge to the disclosure request and, to the extent permissible under the destination country’s laws, make the documentation available to the data provider. It shall also make it available to the competent regulatory authority when requested. 

The data receiver commits to providing the minimum amount of information permissible when responding to a disclosure request, based on a reasonable interpretation of the request. 

SECTION IV – FINAL TERMS 

Provision 16 

Breach and Termination 

The party receiving the data (data importer) is required to immediately notify the party exporting the data (data exporter) if they are unable to adhere to the conditions set out in this agreement, for any reason. Should the data importer be unable to or fail to adhere to these conditions, the data exporter has the right to halt the transfer of Personal Data to the data importer until adherence can be guaranteed or the contract is terminated. This right is protected regardless of the provisions of Article 14(f). The data exporter holds the right to terminate the contract in relation to the handling of Personal Data under these conditions in instances where: the data exporter has paused the transfer of Personal Data to the data importer as mentioned in paragraph (b), and adherence to these conditions has not been re-established within a reasonable time frame and under no circumstances longer than one month from suspension; the data importer is in significant or continuous violation of these conditions; or the data importer fails to abide by a legally binding decision of an authorised court or regulatory body pertaining to its responsibilities under these conditions. In such instances, it should report any such non-adherence to the relevant regulatory authority. Where the contract involves more than two parties, the data exporter may execute this right of termination only with respect to the relevant party, unless otherwise agreed upon by the parties. 

Any Personal Data transferred before the termination of the contract as outlined in paragraph (c) should be immediately returned to the data exporter or completely deleted at the discretion of the data exporter. The same applies to any duplicates of the data. The data importer should provide certification of the data deletion to the data exporter. Until the data is deleted or returned, the data importer is obligated to continue adhering to these conditions. If local laws applicable to the data importer prohibit the return or deletion of the transferred Personal Data, the data importer assures that it will continue to ensure compliance with these conditions and will only Process the data to the extent and for the duration required by the local law. Either party can withdraw its consent to be bound by these conditions where (i) the European Commission enacts a decision as per Article 45(3) of Regulation (EU) 2016/679 that encompasses the transfer of Personal Data to which these conditions apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the Personal Data is transferred. This right is preserved regardless of other obligations applying to the Processing in question under Regulation (EU) 2016/679.  

Provision 17 

Applicable Law 

The terms set out in this agreement will be governed by the law of the EU Member State in which the data exporter is situated. If such law does not provide for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does provide for such rights. The parties agree that this shall be the law of Ireland. 

Provision 18 

Selection of Forum and Jurisdiction 

Any disputes arising from this agreement will be settled by the courts of an EU Member State. The parties consent to the jurisdiction of the courts of Ireland. A Data Subject may also institute legal proceedings against the data exporter and/or data importer before the courts of the Member State where he/she has his/her habitual residence. The parties consent to the jurisdiction of such courts. Where the data exporter is a Processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as a Controller, reliance on this agreement when engaging another Processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the Processing of Personal Data by the Union institutions, bodies, offices, and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295 of 21.11.2018, p. 39), to the extent these conditions and the data protection obligations as set out in the contract or other legal act between the Controller and the Processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will, in particular, be the case where the Controller and Processor rely on the standard contractual clauses included in Decision 2021/915. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein, and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these conditions. 
This requirement may be satisfied by the sub-processor acceding to these conditions under the appropriate Module, in accordance with Provision 7. As regards the impact of such laws and practices on compliance with these conditions, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these conditions, it needs to be supported by other relevant, objective elements, and it is for the parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.  

 

APPENDIX I.A 

  1. LIST OF PARTICIPANTS

Data exporter(s): 

Name: The organization identified as “Customer” in the Agreement. 

Address: The location for the Customer recorded in the User Portal or as otherwise specified in the Contract. 

Contact person’s details, title, and contact information: The contact details associated with Customer’s account, or as otherwise specified in the Contract. 

Activities associated with the data transferred under these conditions: Data Importer will Process the Personal Data to provide the Services according to the Contract. 

Role (Controller/Processor): Controller 

Data importer(s): 

Name: American Technology Services 

Address: 2751 Prosperity Way, Fairfax, VA 

Contact person’s details, title, and contact information: Scott.McGovern@networkats.com, Director 

Activities associated with the data transferred under these conditions: Data Importer will Process the Personal Data to provide the Services according to the Contract. 

Role (Controller/Processor): Processor 

 

APPENDIX I.B  

DESCRIPTION OF TRANSFER 

 

Types of Data Subjects whose Personal Data is transferred: 

The users and administrators of Customer’s website and 

 

Additional Information: 

The sub-processors have contractually committed to Processing data in accordance with these Provisions. They are required to comply with all applicable data protection laws, and implement appropriate technical and organizational security measures in relation to the Processing of Personal Data. 

 

[Additional Details of the transfer of Personal Data 

 

 
