Standard Contractual Clause Selections and Addendum Standard Contractual Clause Selections and Addendum

Standard Contractual Clause Selections and Addendum

Last Updated September 27, 2023

The following selections and addendum shall supplement and/or amend the SCCs incorporated into the Independent Controller Data Processing Addendum (Sovrn as Data Exporter).

SCC Section Reference Concept Selection of the Parties

Section Governing law IV, Clause 17The laws of the Republic of Ireland.
Section IV, Clause 18 (b)Choice of forum and jurisdictionThe courts of the Republic of Ireland.
Annex I.AList of Parties – Data exporter(s)Name:Sovrn
Address:As set forth in the Agreement
Contact:As set forth in the Agreement
Activities relevant to the data transferred under these Clauses:Performance of the Agreement.
Signature and Date:The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA.
Role (controller/processor):controller
Annex I.AList of Parties – Data importer(s)Name:Company
Address:As set forth in the Agreement.
Contact:As set forth in the Agreement.
Activities relevant to the data transferred under these Clauses:Receipt of the Services as provided to  Customer by Sovrn under the Agreement.
Signature and Date:The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA.
Role (controller/processor):controller
Annex I.BDescription of the TransferCategories of data subjects whose personal data is transferredEnd users of digital properties owned or operated by Sovrn and/or Sovrn’s customers; data subjects whose personal data has been collected by other parties and transferred to Sovrn.


Categories of personal data transferredCategories of personal data transferred may include, depending on the agreed upon Exhibit: (i) Cookies (session, persistent, LSO, other) or other online unique IDs; (ii) Interest activity, behavioral targeting, or other profiling data (including inferences); (iii) IP address; (iv) hashed email; (v) User agent string/OS/chipset/screen; (vi) purchase intent and/or history; and (vii) mobile advertising ID.


Sensitive data transferred (if applicable) and applied restrictions or safeguardsN/A
Annex IITechnical and Organisational Measures
https://www.sovrn.com/about-sovrn/security/, unless Customer notifies Sovrn of an alternative set of measures by emailing privacy[at]sovrn.com.
The frequency of the transferContinuous basis for the term of the Agreement.
Nature of the processingAs set forth in the Agreement.
Purpose(s) of the data transfer and further processingTo allow the Parties to perform and/or receive the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodData is retained only for as long as needed to fulfill obligations defined in the Agreement, or as long as needed to support a business purpose.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processingAs above.
Annex I.C Competent Supervisory AuthorityIrish Data Protection Commissioner

ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES

Sovrn and Customer agree that the SCCs shall be modified and/or supplemented as follows:

  1. Supplemental Business-Related Clauses.  In accordance with Clause 2 of the SCCs, the Parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects.  The Parties therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the SCCs, including without limitation the following: (a) in the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each Party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other Party; and (b) the terms of the Agreement governing indemnification and limitation of liability, including Section 9 of the DPA, shall apply to each Party’s liability under Clauses 12(a), 12(c), and 12(d).
  2. Transfers from the United Kingdom. If the SCCs apply to the Transfer of Personal Data originating from the United Kingdom, this Section shall apply to and modify the SCCs to the extent that UK Data Protection Laws apply to Sovrn’s Processing when making that Transfer.  The Parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in the selections above; and (c) Sovrn may end the UK Addendum in accordance with Section 19 thereof.
  3. Transfers from Switzerland.If the SCCs apply to the Processing of Personal Data originating from Switzerland, the SCCs shall be modified as follows: (a) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c); (b) references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the Swiss FDPA; and (d) the Parties agree that the supervisory authority as indicated in Annex I.C shall be, insofar as the data transfer is governed by the Swiss FDPA, the Swiss Federal Data Protection and Information Commissioner.

/