Data Protection Addendum

DATA PROTECTION ADDENDUM

Last Updated: August 21 2023

This Data Protection Addendum (“DPA”) forms part of the agreement which hyperlinks to this DPA (as amended from time to time, the “Agreement”) between Nasdaq Private Market, LLC and/or its Affiliate(s) (“NPM”), and each respective counterparty to the Agreement (“Counterparty”) (each a “Party”, and collectively the “Parties”), and sets out to reflect the Parties’ agreement related to Processing of Personal Data. This DPA is effective as of the date the hyperlink to this DPA is incorporated into the Agreement. Additional capitalized terms are defined below.

This DPA is binding on, and stipulates the obligations of, the Parties to the extent Privacy Laws apply with respect to Personal Data shared between the Parties, and shall manifest the purposes for which the Parties shall Process Personal Data in connection with the services covered by the Agreement. This DPA replaces any existing terms, addendums, or other attachments related to the Processing of Personal Data unless otherwise expressly stated in this DPA.

• Definitions

• “Affiliates” means any corporation, partnership, limited liability company, joint venture, or other entity that is directly or indirectly, through one or more intermediaries, controlled by, or under common control with, a Party hereto; where “control” means possession of the power to direct or cause the direction of the management, policies, and operations of an entity.
• “Counterparty Personal Data” means Personal Data transferred or otherwise disclosed to NPM by Counterparty pursuant to the Services under the Agreement.
• “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
• “Data Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller.
• “Data Subject” means an identified or identifiable natural person.
• “EEA” means European Economic Area.
• “Standard Contractual Clauses” means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to Third Countries (as amended, modified, or replaced from time to time).
• “Personal Data” means any information relating to a Data Subject.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed under this DPA. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
• “Privacy Laws” means any applicable data privacy, data protection, and/or data security laws, rules, and regulations, including, to the extent applicable, the European General Data Protection Regulation (the “GDPR”), the United Kingdom (UK) General Data Protection Regulation (the “UK GDPR”), and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).
• “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• “Restricted Transfer” means a transfer of Personal Data from Counterparty to NPM where such transfer would be prohibited by applicable Data Protection Laws in the absence of appropriate safeguards, including the Standard Contractual Clauses or UK Standard Contractual Clauses (as applicable).
• “Services” means the services provided by NPM to Counterparty under the Agreement.
• “Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation; or such other similar types of information designated for heightened protection under applicable Privacy Laws.
• “Sub-Processor” means a Data Processor engaged by NPM for the purpose of Processing Counterparty Personal Data in performance of the Services.
• “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses version B1.0, in force 21 March 2022 as adopted under the UK GDPR or such successor clauses as may be adopted by the UK.

All other capitalized terms not defined herein shall have the meaning set forth in the Agreement.

• General

• Each Party shall comply with its respective obligations under applicable Privacy Laws with regard to the Personal Data Processed subject to the Agreement.

• Sections 3 to 5 of this DPA shall apply only to the extent that (a) Privacy Laws apply to NPM’s Processing of Counterparty Personal Data Processed pursuant to the Services; and (b) such laws impose or require that each of the following obligations be imposed on the Parties, in light of NPM’s Processing of such Personal Data. For the avoidance of doubt, this means that where Privacy Laws only impose or require certain of the following obligations, only those obligations shall apply between the Parties.

• The Parties agree that under this Privacy Schedule, each Party is a separate controller of Counterparty Personal Data processed for the provision of the Services.

• The Parties each agree that NPM is receiving Counterparty Personal Data as an independent Data Controller in connection with the Agreement and shall have all related rights and obligations with respect to such Personal Data.

• Counterparty has complied with all applicable data privacy and/or marketing laws in their collection of the Personal Data, has all necessary rights in the Personal Data and has obtained any necessary consents in order to provide the Personal Data to NPM for the purposes described in the Agreement, including as necessary for NPM’s communications with the Data Subjects to whom such Personal Data relates.

• The Parties agree that the disclosure of Counterparty Personal Data to NPM is not done for monetary or other valuable consideration, but is ancillary to the provision of the Services by NPM to Counterparty, and NPM shall not engage in the “sale” of such Counterparty Personal Data, as such term is defined by the CCPA.

• NPM represents and warrants that: (a) it will at all times comply with Privacy Laws, and otherwise ensure that the requirements of Privacy Laws are met in performing its obligations under the Agreement and this DPA; (b) it will provide appropriate technical and organizational security measures to the Personal Data as provided in the Agreement; (c) it will provide appropriate notice to and, where required by Privacy Laws, obtain appropriate consents from Data Subjects about whom Personal Data relate, regarding its Processing of Personal Data as required by Privacy Laws; and (d) to the extent required under applicable law, it will comply with appropriate requests by a Data Subject to access, change, delete, correct, or exercise related rights to Personal Data Processed pursuant to the Agreement, considering the nature of Processing, obligations under Privacy Laws, and Personal Data available to the Parties.

• Personal Data Breach. If NPM becomes aware of a Personal Data Breach of the Services involving Counterparty Personal Data, NPM will notify Counterparty of such Personal Data Breach without undue delay unless prohibited by law or as otherwise requested by a governmental authority. If NPM notifies Counterparty of a Personal Data Breach in accordance with this Section, NPM will provide Counterparty with assistance in relation to handling a supervisory authority’s request for information with respect to such Personal Data Breach as required by applicable Privacy Laws.

• Restricted Transfers

• Standard Contractual Clauses. To the extent that Counterparty makes a Restricted Transfer to NPM (except for a Restricted Transfer subject to the UK GDPR which shall be governed by Section 3.4 below), the Parties agree that the Standard Contractual Clauses will apply to such Restricted Transfer as provided below. The Standard Contractual Clauses are incorporated by reference into this DPA, and the remaining details required under the Standard Contractual Clauses are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. The Parties agree that MODULE ONE (Transfer controller to controller) of the Standard Contractual Clauses shall apply and the Parties further agree:
  • The optional language in Clause 11 (Redress) shall not apply;
  • For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead supervisory authority of the exporting Counterparty entity, shall act as the competent Supervisory Authority;
  • For Clause 17 (Governing Law), Option 2 shall apply and that, in the event that the law of the jurisdiction in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the applicable law established in the Agreement; and
  • For Clause 18 (Choice of Forum and Jurisdiction), any dispute arising from these Clauses shall be resolved by the courts determined in the NPM Terms of Use.

• Details of the Standard Contractual Clauses. The Personal Data Processing activities in Appendix 1 to the Standard Contractual Clauses will be such activities as necessary for NPM to perform the Services. The categories of Data Subjects and categories of Personal Data in Appendix 1 to the Standard Contractual Clauses will be those provided by Counterparty to NPM pursuant to the Services as set forth in Appendix 1 (Processing Details) to this DPA. The data security measures in Appendix 2 to the Standard Contractual Clauses will be those identified in Appendix 2 (Information Security Program) of this DPA.

• Restricted Transfers From Non-EEA Jurisdictions; Conflicts. To the extent that the jurisdiction of the data exporter is not located in the European Economic Area or United Kingdom, but from which transfers of Personal Data would be Restricted Transfers, the Standard Contractual Clauses shall be deemed to be amended to remove references to the European Union and its laws and replace such references to the jurisdiction of the data exporter and that jurisdiction’s applicable Data Protection Laws. In the event of any inconsistency between the terms of the Standard Contractual Clauses and any terms of this DPA with respect to Restricted Transfers, the terms of the Standard Contractual Clauses will govern and control with respect to such Restricted Transfers.

• Restricted Transfers Under UK GDPR; Conflicts. To the extent that Counterparty makes a Restricted Transfer to NPM subject to the UK GDPR, the Parties agree that the terms of the UK International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers, Version B1.0 (available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), in conjunction with the Standard Contractual Clauses, shall apply and that the content of the Tables therein and the remaining details required thereunder are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. The additional details required to be provided under Part 1 and Part 2 of the UK International Data Transfer Addendum are set out in Appendix 3.

• U.S. State Terms
  • CCPA. If NPM is Processing Counterparty Personal Data within the scope of the CCPA in connection with the Services, NPM makes the following additional commitments to Counterparty: (a) NPM will not retain, use, or disclose such Personal Data outside of the direct business relationship between NPM and Counterparty for any purpose other than the business purposes set out in this DPA or as otherwise permitted under the CCPA; (b) NPM will not sell, share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such Personal Data to any third party for cross-context behavioral advertising, whether or nor not for monetary or other valuable consideration; (c) unless otherwise provided by the Services or permitted under the CCPA, NPM will not combine such Personal Data with personal information which it receives from or on behalf of any other customer, or collects from its own interaction with any individuals; (d) NPM shall only Process such Personal Data for the limited and specific purposes described in the Agreement and this DPA; (e) NPM will comply with any requirements directly applicable to it as a service provider under the CCPA and provide the same level of protection to such Personal Data as is required under the CCPA; and (f) NPM will notify Counterparty if it makes a determination that it can no longer meet its obligations under this Section and, in such event, reasonably comply with Counterparty’s reasonable instructions regarding ceasing and remediating such Processing that it not in compliance with this Section. With respect to Counterparty Personal Data that is covered by the CCPA, this Section takes precedence over any conflicting data protection commitments NPM makes to Counterparty in this DPA.

• Other Provisions

• The Agreement and this DPA shall apply only between the Parties and shall not confer any rights to any third parties.

• Except as amended herein, all other terms of the Agreement shall remain unchanged and in full force and effect.

• Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, (b) if the foregoing (a) is not reasonably possible, construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.

• In the event of a conflict between the terms of this DPA and the Agreement or Terms, then the terms of this DPA shall control.

APPENDIX 1 to the DPA
Processing Details

1. LIST OF PARTIES

DATA EXPORTER(S)
Name	Counterparty and its Affiliates
Address	As set forth in the Agreement
Contact person’s name, position and contact details	As set forth in the Agreement
Activities relevant to the data transferred under the Standard Contractual Clauses	Receipt of the Services
Signature and date	Counterparty’s signature and date on the Agreement
Role (controller/processor)	Data Controller

DATA IMPORTER(S)
Name	Nasdaq Private Market, LLC and/or its Affiliates, as specified in the Agreement
Address	The address for NPM as set forth in the Agreement
Contact person’s name, position and contact details	Legal Department legal@npm.com
Activities relevant to the data transferred under the Standard Contractual Clauses	Performance of the Services
Signature and date	NPM’s signature and date on the Agreement
Role (controller/processor)	Data Controller

• DESCRIPTION OF THE TRANSFER

• Categories of data subjects whose personal data is transferred:

• Counterparty personnel and representatives
• Counterparty control person
• Beneficial owners
• Potential program participants

• Categories of personal data transferred:

• Name
• Email address
• Postal Address (beneficial owners only)
• Date of Birth (beneficial owners only)
• Social security number or passport number (beneficial owners only)
• Government-issued identification (company control person only)
• Stock holdings information

• Sensitive data transferred (if any) and (if applicable) applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers, or additional security measures:

• None.

• The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

• Multi-transfers

• Nature of the processing:

• Processing as necessary to facilitate the Services and access to applicable programs.

• Purpose(s) of the data transfer and further processing:

• To facilitate Services and access to applicable programs.

• The period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period:

• As long as necessary for the purposes of processing or as may be required by applicable law.

• For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing:
• Amazon Web Services, Inc.: Cloud hosting platform for SaaS products in scope of Services
• Nasdaq Technology AB: Technical support for Services, including cloud hosting platform for SaaS products
• Salesforce.com, Inc.: CRM platform and Cloud Hosting in scope of Services
• COMPETENT SUPERVISORY AUTHORITY

• As provided in Section 3.1.2 of the DPA.

APPENDIX 2 to the DPA
Information Security Program

Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. NPM has implemented, and will maintain, a comprehensive written information security program (“Information Security Program”) with respect to the Personal Data transferred to or received by NPM in performance of the Services that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Counterparty Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Counterparty Personal Data.

In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Counterparty Personal Data:

Measures of pseudonymization and encryption of personal data

• Access Controls – policies, procedures, and physical and technical controls to encrypt and decrypt Counterparty Personal Data where appropriate.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

• Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Counterparty Personal Data and to protect against unauthorized access, use, disclosure, alteration, or destruction of Counterparty Personal Data.

• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Counterparty Personal Data or systems that contain Counterparty Personal Data, including a data backup plan and a disaster recovery plan.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

• Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Counterparty Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.

• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Counterparty Personal Data or systems that contain Counterparty Personal Data, including a data backup plan and a disaster recovery plan.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

• Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

Measures for user identification and authorization

• Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Counterparty Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Counterparty Personal Data or information relating thereto to unauthorized individuals.

• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Counterparty Personal Data and protect it from disclosure, improper alteration, or destruction.

Measures for the protection of data during transmission

• Storage and Transmission Security – technical security measures to guard against unauthorized access to Counterparty Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Counterparty Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.

Measures for the protection of data during storage

• Storage Media – policies and procedures to ensure that prior to any storage media containing Counterparty Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Counterparty Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Counterparty Personal Data.

Measures for ensuring physical security of locations at which personal data are

Processed

• Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Counterparty Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Counterparty Personal Data

Measures for ensuring events logging

• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

Measures for ensuring system configuration, including default configuration

• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

Measures for internal IT and IT security governance and management

• Assigned Security Responsibility – The data importer will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. The data importer will inform the data exporter as to the person responsible for security.

• Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Counterparty Personal Data, internal or external threats to the data importer or the Counterparty Personal Data, and the data importer’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

Measures for certification/assurance of processes and products

• Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

• Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Counterparty Personal Data, internal or external threats to the data importer or the Counterparty Personal Data, and the data importer’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

Measures for ensuring data quality

• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Counterparty Personal Data and protect it from disclosure, improper alteration, or destruction.

Measures for ensuring limited data retention

• Device and Media Controls – policies and procedures on hardware and electronic media that contain Counterparty Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Counterparty Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Counterparty Personal Data from electronic media before the media are made available for re-use.

• Storage Media – policies and procedures to ensure that prior to any storage media containing Counterparty Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Counterparty Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Counterparty Personal Data.

Measures for ensuring accountability

• Security Awareness and Training – a security awareness and training program for all members of the data importer’s workforce (including management), which includes training on how to implement and comply with its Information Security Program

• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

Measures for allowing data portability and ensuring erasure

• Device and Media Controls – policies and procedures on hardware and electronic media that contain Counterparty Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Counterparty Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Counterparty Personal Data from electronic media before the media are made available for re-use.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

• NPM shall ensure Sub-Processors provide technical and organizational measures no less protective than those set forth in the DPA, including this Appendix 2 (Information Security Program).

APPENDIX 3 to the DPA
UK International Data Transfer Addendum

Any capitalized term used herein and not specifically defined in the DPA shall be deemed to have the meaning given to it in the UK International Data Transfer Addendum.

PART 1

Table 1: Parties
Start date	As set out on first page of the DPA
The Parties	Exporter (who sends the Restricted Transfer) as set out in Appendix 1 of the DPA to the extent such entities are located in the United Kingdom	Importer (who receives the Restricted Transfer) as set out in Appendix 1 of the DPA
Parties’ details Full legal name Trading name (if different): Main address:Official registration number:	As set out in the Agreement.N/AAs set out in the Agreement.To the extent applicable, as set out in the Agreement.	As set out in the Agreement.N/AAs set out in the Agreement.To the extent applicable, as set out in the Agreement.
Key contact	As set out in the DPA and/or relevant applicable ordering documents, including service orders, order forms, statements of work.	As set out in the DPA and/or relevant applicable ordering documents, including service orders, order forms, statements of work.
Signature	The parties agree that the Signature to the DPA to which this Appendix is attached shall serve as the signature for this UK International Data Transfer Addendum.	The parties agree that the Signature to the DPA to which this Appendix is attached shall serve as the signature for this UK International Data Transfer Addendum

Table 2: Selected SCCs, Modules and Selected Clauses

The version of the Approved EU SCCs which this UK International Data Transfer Addendum is appended to, detailed below, including this appendix information are the Commission Implementing Decision (EU) 2021/914 establishing for data transfers to Third Countries (as amended, modified, or replaced from time to time); specifically, the applicable module within the Standard Contractual Clauses is MODULE ONE (Transfer controller to controller).

The clauses options are set out in Section 3.1 of the DPA.

TABLE 3: Appendix Information
Annex 1A List of Parties	See appendix 1 to the DPA.
Annex 1B Description of Transfer	See appendix 1 to the DPA.
Annex II Technical and organizational measures	See appendix 2 to the DPA.
Annex III List of Sub processors	N/A

TABLE 4: Ending this Addendum when the Approved Addendum Changes

Neither party shall have the right to end this UK International Data Transfer Addendum if the approved addendum changes. In the event any such change occurs, the parties shall work together to agree to any relevant updates.

PART 2

Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) and laid before the UK Parliament in accordance with s119A of the UK GDPR on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses is hereby incorporated by reference into this UK International Data Transfer Addendum.