This Personal Data Referral Addendum (“Addendum”) is governed by, incorporated into, and forms an integral part of theCommerce Partner Agreement.This Addendum supplements, and does not replace, the Commerce Partner Agreement, and must be read together with the Commerce Partner Agreement to be fully understood and effective. Capitalized terms used but not defined in this Addencum have the meanings ascribed to them in the Commerce Partner Agreement.



  1. Definitions. For the purposes of this Addendum, the following terms shall have the meanings set forth below:
    1. “Data Protection Laws” means any data protection legislation or regulation applicable to the Processing of Personal Data by a BC Entity under the Agreement, including: (i) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); (ii) the General Data Protection Regulation as it forms part of UK domestic law by virtue of the UK Data Protection Act 2018 and Section 3 of the European Union (Withdrawal) Act 2018 and subsequent amendments (“UK GDPR”); and (iii) the California Consumer Privacy Act of 2018, as amended or modified, including as amended by the California Privacy Rights Act of 2020. Unless otherwise stated, “GDPR” means both the EU GDPR and UK GDPR.
    2. “Data Subject” has the same meaning ascribed to it under applicable Data Protection Laws and their cognate terms will be construed accordingly.
    3. “Personal Data” means any information relating to an identifiable or identified Data Subject.
  2. Referral Data which Constitutes Personal Data.
    1. Compliance. The Parties agree that to the extent that prospect referral information provided by a Party (“Referral Provider”) to the other Party (“Referral Recipient”) constitutes Personal Data (“Referral Personal Data”), each Party will ensure that the Referral Personal Data provided is in compliance with applicable law, rules, and regulations, including applicable Data Protection Laws. The Referral Recipient will implement appropriate technical and organizational measures to ensure the security and lawful processing of Referral Personal Data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. In assessing appropriate technical and organizational measures, the Referral Recipient will take into account the state of art, the costs of implementation, the nature, scope, context and purpose of processing and the risks involved in the processing for the Referral Personal Data.
    2. Permitted Use. The Parties further understand that any Referral Personal Data is provided solely for the purposes marketing and communicating with prospects about each Party’s respective services, and may not be shared with additional third-parties and shall not be processed for any other purpose unless it has obtained the Data Subject's prior consent, where necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings or where necessary in order to protect the vital interests of the Data Subject or of another natural person and has further evaluated the intended use, provided, notice where applicable, and made a determination of the intended legal processing and data use under applicable Data Protection Law. Any Referral Personal Data provided shall not be sold, published, disclosed, transferred, distributed, copied, forwarded, duplicated, or otherwise processed outside of the processing identified in the Agreement.
    3. Data Subject Rights. The Parties understand that each Party has obligations under Data Protection Law including the fulfillment of Data subject rights and other obligations under Data Protection Laws. Should the Referral Recipient receive any of the following implicating the Referral Provider: (i) Data subject rights request; (ii) complaint; or (iii) regulatory or supervisory authority inquiry, the Referral Recipient will immediately notify the Referral Provider unless prohibited by law from doing so.
    4. GDPR. Where EU GDPR applies and where a transfer of Referral Personal Data constitutes a transfer of Personal Data from the EEA/UK to a country outside of the EEA/UK which is not subject to an adequacy decision by the European Commission/Secretary of State or not considered an onward transfer under the EU-US Data Privacy Framework and an independently valid data transfer mechanism does not exist or either Party relies on a transfer mechanism that is subsequently modified, revoked or held in a court of competent jurisdiction to be invalid, the following applies:
      1. Where the EU GDPR applies, Module One of the Standard Contractual Clauses approved by the European Commission pursuant to the Implementing Decision 2021/914/EU of 4 June 2021, Controller-to-Controller Clauses (“EU SCCs”) (available at: https://commission.europa.eu/system/files/2021-06/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf) will apply between the Referral Provider as a data exporter and Referral Recipient as a data importer with respect to the transfer of data outside of the EEA where no adequacy decision exists. For the purposes of the EU SCCs, in clause 7, the optional docking clause will not apply, in clause 11, the optional language will not apply, in clause 17, the EU SCCs will be governed by the laws of the Republic of Ireland, in clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland. In Annex I, Part A and B are deemed completed with the information as set out in the Agreement. For the purposes of Part C, the competent supervisory authority is the Irish Data Protection Commission. Annex II of the EU SCCs is deemed completed with the list of specific technical and organizational measures which are implemented by Referral Provider in accordance with clause 2.a. of this Addendum.
      2. Where the UK GDPR applies, the EU SCCs, completed as set out above in clause 2.d.(i) of this Addendum, will apply between the Referral Provider as a data exporter and Referral Recipient as a data importer with respect to the transfer of data outside of the UK where no adequacy decision exists. The EU SCCs shall be modified by the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”). For this purpose, Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the option "Exporter" shall be deemed checked in Table 3. The start date of the UK Addendum (as set out in Table 1) shall be the date this Agreement was entered into.
    5. Privacy Framework. If the transfer of Referral Personal Data is considered an onward transfer under the EU-US Data Privacy Framework, the Referral Recipient will provide the same level of protection as mandated by the EU-US Data Privacy Framework and will notify the Referral Provider if it makes a determination that it can no longer meet this obligation. In such case, the Referral Recipient will cease the processing or take other reasonable and appropriate steps to remediate.