QS Data Processing Addendum

Last updated: 17th December 2025

‍

This Data Processing Addendum (“DPA”) is made by and between the parties to any Main Agreement incorporating this DPA by reference and this DPA shall be in addition to any obligations set out in any Main Agreement.

This DPA outlines the obligations between the parties where QS acts as a data processor in providing Services to the Customer insofar as it relates to Customer Personal Data.

‍

Variables
Parties’ roles	Customer will act as the Controller (as defined in Section 1 of the Terms). QS will act as the Processor (as defined in Section 1 of the Terms).
Data protection contacts	QS Name: QS Group Data Protection Officer Email: DPO@qs.com	Customer Name: As listed in the Main Agreement or as set forth in this DPA. Email: As listed in the Main Agreement or as set forth in this DPA.
Main agreement	Means the agreement in place between Customer and QS covering the use of the Services.
Term	As listed in the Main Agreement.
Breach notification period	Without undue delay after becoming aware of a Personal Data breach.
Sub-processor notification period	As soon as reasonably practicable, but no later than fourteen (14) days’ prior to allowing such sub-processor to process Personal Data.
Liability cap	Notwithstanding anything to the contrary in this DPA, the liability of each party and each party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Main Agreement.
Governing law and jurisdiction	As per the Main Agreement.
Data protection laws	To the extent applicable, all laws, regulations and court orders which may apply to the processing of Personal Data in: the European Economic Area (EEA) the United Kingdom (UK) Switzerland the United States (US) Australia This includes the European Union General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018 (DPA 18), the Swiss Federal Act on Data Protection and its implementing regulations (Swiss FADP), California Consumer Privacy Act of 2018 (CCPA), California Privacy Rights Act of 2020 (CPRA), and the Privacy Act 1998, each as amended from time to time.
Services related to processing	As described in the Main Agreement.
Duration of processing	The Term plus the period from the end of the Term until deletion of all Personal Data by QS in accordance with this DPA or as otherwise specified in the Main Agreement.
Nature and purpose of processing	The nature and purpose of the processing is as described in Exhibit A, Annex I.
Personal data	The types of Personal Data processed are as described in Exhibit A, Annex I.
Data subjects	The individuals whose Personal Data will be processed are as described in Exhibit A, Annex I.
Transfer mechanism	The Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country (EU SCCs). The International Data Transfer Addendum issued by the Information Commissioner’s Office under section 119A of the Data Protection Act 2018, effective from 21 March 2022 (UK IDTA).
Security measures	The security measures are as described in Exhibit A, Annex II.
Sub-processors (current)	The current sub-processors are listed at www.qs.com/qs-sub-processor-list/.

‍

Terms

1. What is this Addendum about?

1.1 Purpose. The parties are entering into this Data Processing Addendum (DPA) for the purpose of processing Personal Data in connection with the provision of the products and services by QS (Services)to the Customer pursuant to the Main Agreement.

1.2 Definitions. All capitalised terms in this DPA shall have the meaning as prescribed by QS Main Agreement or as otherwise agreed between the parties, unless otherwise specified below. Under this DPA:

(a) adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data,

(b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws, and

(c) Sub-processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.

‍

2. What are each party’s obligations?

2.1 Role and Scope of the Processing. Customer will act as the Controller and QS will act as the Processor under this DPA. The Controller instructs the Processor to process its Personal Data in accordance with this DPA, and is responsible for providing any necessary notices, consents, licences and legal bases required to allow Processor to process Personal Data.

2.2 Processor obligations. Processor will:

(a) only process Personal Data in accordance with this DPA and Controller’s instructions(unless legally required to do otherwise),

(b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,

(d) use the technical and organisational measures described in Exhibit A, Annex II when processing Personal Data to ensure a level of security appropriate to the risk involved,

(e) notify Controller of a personal data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it,

(f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,

(g) without undue delay, and at the expense of the Controller, provide Controller reasonable assistance with:

i. data protection impact assessments,

ii. responses to data subjects’ requests to exercise their rights under Data Protection Laws, and

iii. engagement with supervisory authorities,

(h) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,

(i) allow for audits of Processor’s compliance with its obligations under this DPA, on at least thirty (30) days’ notice at Controller’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and

(j) return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.

2.3 Warranties. The parties warrant that they will comply with their respective obligations under Data Protection Laws.

2.4 Anonymisation: Processor may anonymise, de-identify and aggregate Personal Data (such that it does not identify or permit the identification of any individual), and may use such data for its legitimate business purposes, including to provide, maintain, improve and develop the Services.

‍

3. Sub-processing

3.1 Use of sub-processors. Controller authorises Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Exhibit A, Annex I (Sub-Processor List).

3.2 Sub-processor requirements. Processor will:

(a) require its sub-processors to comply with equivalent terms as Processor’s obligations in this DPA,

(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor, and

3.3 Changes. To receive notification concerning the addition or replacement of sub-processors, Controller shall subscribe by sending an email to DPO@qs.com to receive notifications of any new sub-processors used to process Personal Data in accordance with the Sub-processor Notification Period. If Controller does not object during the Sub-processor Notification Period, Processor will deem Controller to have authorised the relevant changes and sub-processors.

3.4 Objections. Controller may reasonably object inwriting to any future sub-processor within the Sub-processor Notification Period, provided that such objection is based on reasonable grounds relating to data protection. Controller may execute a written amendment to the Main Agreement implementing appropriate changes or exercise the right to terminate the Main Agreement in accordance with the termination provisions. Such termination shall not constitute termination for breach of the Main Agreement.

‍

4. International personal data transfers

4.1 Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.

4.2 Transfer mechanism. Parties agree that when the transfer of personal data from Controller (as data exporter) to Processor (as data importer) takes place the relevant Transfer Mechanism will apply. The parties agree that the Transfer Mechanism attached hereto as Exhibit A shall apply to transfers of personal data under this DPA.

‍

5. Other important information

5.1 Liability: Any claims arising from or in anyway related to this DPA or Processor’s processing of Personal Data hereunder, including the Standard Contractual Clauses, shall be subject to any limitation of liability, dispute resolution requirements, and other limitations set for thin the Main Agreement.

5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:

(a) Transfer Mechanism,

(b) DPA,

5.3 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.

‍

Exhibit A

Standard Contractual Clauses

The newly applicable Standard Contractual Clauses based on European Commission’s decision(EU) 2021/914 4 June 2021 are fully part of the Main Agreement between the parties and DPA. The terms contained in Standard Contractual Clauses are available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. Details required by the Standard Contractual Clauses are outlined in the table below and in the Appendices. With respect to shared Personal Data originated from the EU or EEA:

1. in the event that both Parties are Controllers Module 1 shall apply;

2. in the event that either Party is a Controller and the other is the Processor, Module 2 shall apply.

3. in the event that either Party is a Processor and the other is the Controller, Module 4 shall apply.

‍

Section	Module 1	Module 2	Module 4
Relationship	Controller to controller	Controller to processor	Processor to controller
Clause 7 (Docking clause)	Included	Included	Included
Clause 9 Use of sub-processors	Not applicable	Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Clause 3.3 of this DPA.	Not applicable
Clause 11(a) Redress	Optional language not included	Optional language not included	Optional language not included
Clause 17 Governing law	Option 2, with selection of Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement, in which case the selected country shall be used.	Option 2, with selection of Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement, in which case the selected country shall be used.	Option 2, with selection of Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement, in which case the selected country shall be used.
Clause 18 Choice of forum and jurisdiction	Selected country shall be Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement.	Selected country shall be Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement.	Selected country shall be Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement.
Supervisory authority	The data exporters competent supervisory authority will be determined in accordance with the GDPR.

‍

Annex I
A. list of parties
Data exporter
To be completed by customer
Name	The Customer
Address	As listed in the Main Agreement
Contact	As listed in the Main Agreement
Role	Controller
Activities	Use of the Services.
Signature and date	By entering into the Main Agreement, the Controller is deemed to have signed the SCCs incorporated into this DPA and including their Annexes, as of the Effective Date of the Agreement.
Data importer
To be completed by QS
Name	QS QS Quacquarelli Symonds Ltd and its affiliates.
Address	QS Quacquarelli Symonds Ltd with its registered office is at 1 Tranley Mews, Fleet Road, London, NW3 2DG
Contact	As listed in this DPA.
Role	Processor
Activities	As applicable, the provision of student mobility, institution partner management, service management, reputation management, enrollment, engagement, outsourcing, software, and consulting services in the field of higher education, as described in the Main Agreement between the parties.
Signature and date	By entering into the Main Agreement, the Processor is deemed to have signed the SCCs incorporated into this DPA and including their Annexes, as of the Effective Date of the Agreement.

‍

B. description of processing and transfers
Data subjects
Includes the individuals about whom data is provided to QS via the Services by (or at the direction of) Customer or by its End Users.
Categories of data
Data relating to individuals provided to QS via the Services, by (or at the direction of) Customer or by its End Users.
Nature and purpose of the processing
QS will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with this DPA.
Duration of the processing
The Term plus the period from the end of the Term until deletion of all Personal Data by QS in accordance with this DPA or as otherwise specified in the Main Agreement.
Subject matter
QS provision of the Services to Customer.
Frequency of transfers
On a continuous basis (if applicable).
Data retention period
The Parties will retain personal data for as long as necessary in connection with the corresponding Services, or for other necessary purposes such as compliance with a law, regulation, or other legal authority, or as is otherwise permitted to be maintained for other legal purposes, such as audit, security, fraud prevention, or preserving and defending both Parties’ legal rights.
For transfers to (sub-)processors, specify subject matter, nature and duration of the processing
The Sub-processor list published at https://www.qs.com/qs-sub-processor-list/ sets out the Personal Data processed by each Sub-processor and the services provided by each Sub-processor.

‍

C. competent supervisory authority
Supervisory authority
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs)	Where the GDPR applies, the competent supervisory authority will be determined in accordance with the GDPR. Where the UK GDPR applies, the UK Information Commissioner's Office (ICO). Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC).

‍

Annex II

‍

Technical and Organisational Security Measures

(Including Technical and Organisational Measures to Ensure the Security of Data)

Organisational Standards

Processor will maintain an information security program based on an industry standard security framework, such as an ISO 27001 certification, and/or other third party audits or certifications.

Security Measures

Processors hall implement and maintain reasonable and appropriate information security program with administrative, technical, and physical security measures to address (a) the confidentiality, integrity, or availability of an information system; (b) the information the system processes, stores, or transmits; (c)violations or imminent threats of violation of security policies, security procedures, or acceptable use policies. Safeguards shall include, but are not limited to, the following:

· Information Security Policy. Company shall maintain a reasonable and appropriate written information security policy that mirrors those found in Organisational Standards (above). Policy encompasses data classification, access, retention, transport, and destruction, and that provides for disciplinary action in the event of its violation. The policy is reviewed, updated (if necessary), and approved annually.

· Employee Training. Processor shall maintain a program which includes regular and periodic training and awareness of its staff concerning:(1) security measures and risks; (2) implementation of Processor’s information security program; and (3) the importance of the protection of personal data.

· Privacy, Security and Data Transfer Impact Assessment. Processor shall assess security risks, (sub-)processor risk, data privacy impacts and data transfer risks and impacts, and will assure appropriate safeguards are in place to protect confidential and personal data processed by Processor or its(sub-)processors.

· Access Controls. Processor shall maintain reasonable access controls that limits access to the minimal personal data needed, and to provide privilege access to only those individuals who have a business need to know, such information. Processor shall monitor such controls and reauthorises access regularly and make updates whenever individuals change roles or leave Processor.

· Password Policy. Processor shall maintain a password policy that reasonably ensures that its employee passwords meet or exceed industry standard password strength requirements.

· Security Incident Management. Processor shall ensure Security Incident response planning and notification procedures are implemented to monitor, react to, notify, and investigate any Security Incident. A “Security Incident” means any unauthorised access to, use, alteration, destruction, disclosure or other processing of, or other compromiseor breach of security (electronic or physical) involving or related to, any personal data or other confidential information in Processor’s possession or control. Security Incidents include, but are not limited to, information system failures and loss of service, denial of service, errors resulting from incomplete or inaccurate business data, and breaches of confidentiality.

· Anti-virus Tools and Malware Protection. Processor shall maintain software that detects, prevents, removes, and remedies malicious code or similar threats. Processor shall update such software at reasonable intervals and in response to changes in potential threats or Security Incident.

· Intrusion Detection System. Processor shall maintain policies, procedures, software, and/or hardware systems that automate the process for detecting, monitoring, and responding to actual or reasonably suspected intrusions and Security Incidents.

· Vulnerability Management. Processor shall maintain a vulnerability management program for its internal and external infrastructure that includes an annual external pen test and risk assessment conducted by an independent third party(ies), monthly third party external vulnerability scans, and weekly internal vulnerability scans, after which vulnerabilities are prioritised and mitigated to manage security risks. Software updates that address vulnerabilities or weaknesses in the security of a software program or operating system are monitored and reported to the Processor’s governance team.

· Data Anonymisation or Pseudonymisation. Processor shall ensure that it utilises policies, procedures, and tools as appropriate to de-identify personal data following industry best practices if personal data is required for purposes other than the intended purpose for which the data was collected, e.g., for business analytics supporting the services provided.

· Encryption. Processor shall ensure that personal data is processed using strong encryption at rest or in transit, taking into account the resources and technical capabilities, and that encryption keys are reliably managed.

· Retention and Destruction of Personal Data. Processor shall not store or retain any personal data except as necessary to perform the services agreed upon or as required by applicable laws. Processor shall securely destroy all copies of personal data following industry standards for secure data destruction.

· Physical Security. Processor shall maintain the physical security of Processor’s facilities, including datacenters, following industry best practices. Processor shall ensure that access to its data centers and controlled areas within the data center is limited by job role and subject to authorised approval.

· Business Continuity and Disaster Recovery. Processor shall ensure that it maintains a business continuity plan describing how its mission/business processes will be sustained during and after a significant disruption, including business impact assessments analysing Processor’s information system’s requirements, functions, and interdependencies used to characterise system contingency requirements and priorities in the event of a significant disruption, and that the same are reviewed at least annually and updated as necessary. Processor shall further ensure that it maintains a disaster recovery plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities to ensure availability of critical systems and data, as well as any customer data that may be processed in Processor’s systems and that such plan is regularly tested at least annually to ensure data is promptly restored for the continuation of operations.

· Data Subject Rights. Processor shall maintain procedures for guarantying data subject rights pertaining to personal data and promptly responding to any requests by the data subjects as required by applicable law.

· Audit. Processor shall re-evaluate its security controls and measures on an ongoing basis to ensure adequate levels of security, consistent with industry and legal standards, are always maintained over all information in its possession or control. Processor shall further ensure that security measures and audit requirements are contractually imposed upon sub-processors and are subject to audit/review by Processor.

‍

Exhibit B

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

‍

For data transfers originating from the United Kingdom, the following additional clauses will apply:

1. Tables

Table 1: Parties

Start date	The date set out in Exhibit A, Annex I of the EU SCCs.
The parties	Exporter (who sends the restricted transfer)	Importer (who receives the restricted transfer)
Parties’ details	Full legal name: As listed in Exhibit A, Annex I(A) Trading name (if different): As listed in Exhibit A, Annex I(A) or otherwise with the Agreement between the parties Main address (if a company registered address): As listed in Exhibit A, Annex I(A) Official registration number (if any) (company number or similar identifier): As listed in Exhibit A, Annex I(A) or otherwise with the Agreement between the parties	Full legal name: As listed in Exhibit A, Annex I(A) Trading name (if different): As listed in Exhibit A, Annex I(A) or otherwise with the Agreement between the parties Main address (if a company registered address): As listed in Exhibit A, Annex I(A) Official registration number (if any) (company number or similar identifier): As listed in Exhibit A, Annex I(A) or otherwise with the Agreement between the parties
Key contact	Full name (optional): As listed in Exhibit A, Annex I(A) Job title: As listed in Exhibit A, Annex I(A) Contact details including email: As listed in Exhibit A, Annex I(A)	Full name (optional): As listed in Exhibit A, Annex I(A) Job title: As listed in Exhibit A, Annex I(A) Contact details including email: As listed in Exhibit A, Annex I(A)
Signature (if required for the purposes of section 2)	No signature is required.	No signature is required.

‍

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: The date listed in the DPA or Exhibit B, whichever is later.
Reference (if any): N/A
Other identifier (if any): N/A

Or

☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Annex:

Module	Clause 7 (Docking clause)	Clause 11 (Option)	Clause 9a (Prior authorisation or general authorisation & time period)
1	Included	Optional language not included
2	Included	Optional language not included	Option 1, with a time period of two weeks, except where the Parties have already agreed to general written authorisation, then Option 2 with a time period of two weeks.
3	Included	Optional language not included	Option 1, with a time period of two weeks, except where the Parties have already agreed to general written authorisation, then Option 2 with a time period of two weeks.
4	Included	Optional language not included

‍

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Annex is set out in:

· Annex 1A: List of Parties: Annex I(A) of Exhibit B

· Annex 1B: Description of Transfer: Annex I(B) of Exhibit B

· Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II of Exhibit B

· Annex III: List of Sub processors (Modules 2 and 3 only): Annex III of Exhibit B

‍

Table 4: Ending this Annex when the Approved Addendum Changes

Ending this Annex when the approved Addendum changes

Which Parties may end this Addendum as set out in Section:

☐ Importer
☐ Exporter
☒ neither Party

‍

2. Each Party agrees to be bound by the terms and conditions set out in this Annex, in exchange for the other Party also agreeingto be bound by this Annex.

3. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Annex in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Annex. Entering into this Annex will have the same effect assigning the Approved EU SCCs and any part of the Approved EU SCCs.

4. Where this Annex uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

‍

Annex addendum	This International Data Transfer Annex (Addendum) which is made up of this Annex (Addendum) incorporating the Addendum EU SCCs.
Addendum EU SCCs	The version(s) of the Approved EU SCCs which this Annex (Addendum) is appended to, as set out in Table 2, including the Appendix Information.
Appendix information	As set out in Table 3.
Appropriate safeguards	The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved addendum	The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section .
Approved EU SCCs	The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO	The Information Commissioner.
Restricted transfer	A transfer which is covered by Chapter V of the UK GDPR.
UK	The United Kingdom of Great Britain and Northern Ireland.
UK data protection laws	All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR	As defined in section 3 of the Data Protection Act 2018.

‍

5. This Annex must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

6. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in anyway which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Annex and the equivalent provision of the Approved EU SCCs will take their place.

7. If there is any inconsistency or conflict between UK Data Protection Laws and this Annex, UK Data Protection Laws applies.

8. If the meaning of this Annex is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

9. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Annex has been entered into.

10. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

11. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

12. Where this Annex incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU)2016/679 then the Parties acknowledge that nothing in this Annex impacts those Addendum EU SCCs.

13. This Annex incorporates the Approved EU SCCs which are amended to the extent necessary so that:

(a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that datatransfer, and they provide Appropriate Safeguards for those data transfers asset out in Annex II;

(b) Sections ‎9 to ‎11 override Clause 5 (Hierarchy) of the Approved EU SCCs; and

(c) this Annex (including the Approved EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2)any dispute arising from it is resolved by the courts of England and Wales, ineach case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

14. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

15. No amendments to the Approved EU SCCs other than to meet the requirements of Section ‎12 may be made.

16. The following amendments to the Approved EU SCCs (for the purpose of Section 12 are made:

(a) References to the “Clauses” means this Annex, incorporating the Approved EU SCCs;

(b) In Clause 2, delete the words:

“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

(d) Clause 8.7(i) of Module 1 is replaced with:

“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UKGDPR that covers the onward transfer”;

(e) Clause 8.8(i) of Modules 2 and 3 is replaced with:

“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

(f) References to “Regulation (EU) 2016/679”,“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27April 2016 on the protection of natural persons with regard to the processingof personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

(g) References to Regulation (EU) 2018/1725 are removed;

(h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

(i) The reference to “Clause 12(c)(i)” at Clause10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

(j) Clause 13(a) and Part C of Annex I are not used;

(k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

(l) In Clause 16(e), subsection (i) is replaced with:

“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

(m) Clause 17 is replaced with:

“These Clauses are governed by the laws of England and Wales.”;

(n) Clause 18 is replaced with:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

(o) The footnotes to the Approved EU SCCs do not form part of the Annex, except for footnotes 8, 9, 10 and 11.

17. The Parties may agree to change Clauses 17and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts ofScotland or Northern Ireland.

18. If the Parties wish to change the format of theinformation included in Table 1 through Table 4, they may do so by agreeing tothe change in writing, provided that the change does not reduce the AppropriateSafeguards.

19. From time to time, the ICO may issue a revisedApproved Addendum which:

(a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

(b) reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Annex including the Appendix Information. This Annex is automatically amended as set out in the revised Approved Addendum from the start date specified.

20. If the ICO issues a revised Approved Addendum under Section , if any Party selected in Table 4 “Ending the Annex when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

(a) its direct costs of performing its obligations under the Annex; and/or

(b) its risk under the Annex,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Annex at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

21. The Parties do not need the consent of any third party to make changes to this Annex, but any changes must be made in accordance with its terms.

‍

Exhibit C

‍

‍Switzerland Addendum to the EU Commission Standard Contractual Clauses

‍

For data transfers subject to the Swiss Federal Acton Data Protection of 19 June 1992 (SR 235.1; FADP) and Article 16 paragraph 1of its totally revised version of 25 September 2020 (revised FADP)(collectively referred to as “FADP” for this Annex) the following terms shall apply:

1. The Parties agree that the standard contractual clauses issued pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021 and contained the annex ofthat decision will also be applicable for transfers of personal data to which the FADP applies prior to its processing by the data importer, subject to the following amendments:

(a) any references in the Clauses to the GDPR shall refer to the FADP;

(b) the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in theirplace of habitual residence in accordance with Clause 18(c) of the Clauses; and

‍