Klaviyo Partner Data Protection Addendum


September 12, 2022

PARTIES AND BACKGROUND

(A) Agency Partner or Technology Partner (each, a “Partner”) has entered into an agreement with Klaviyo, Inc. (“Klaviyo”) (each a “Party” and collectively the “Parties”) under which the Parties will share certain Personal Data (as defined below) with the other Party (pursuant to “Partner Program Agreement”). This Partner Data Protection Addendum (the “Partner DPA”) amends the Partner Program Agreement and shall be effective on the effective date of the Partner Program Agreement (“Effective Date”).

(B) To the extent that the Parties process, upload, transfer or otherwise provide any Shared Personal Data (as defined below) in connection with the Partner Program Agreement, the Parties have agreed that they shall do so on the terms of this Partner DPA. In the event of any conflict between any of the terms of this Partner DPA, the provisions of the following documents shall prevail: (i) the SCCs; (ii) this Partner DPA; and (iii) the Partner Program Agreement.

1. DEFINITIONS

1.1 Capitalized terms used but not defined within this Partner DPA shall have the meaning set forth in the Partner Program Agreement. The following capitalized terms used in this Partner DPA shall be defined as follows:

“Adequate Jurisdiction” means the European Economic Area, the United Kingdom and Switzerland, or another country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data, as determined by the European Commission in the case that EU Data Protection Law applies respectively as determined by the ICO in the case that UK Data Protection Law applies;

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;

“Data Protection Laws” means the applicable laws, rules, regulations, and governmental requirements relating to the privacy, or security of Personal Data as they may be amended or otherwise updated from time to time. Data Protection Laws may include, without limitation, the EU Data Protection Laws, UK Data Protection Laws, Swiss Data Protection Laws, and the California Consumer Privacy Act;

“Data Subject Rights” means the rights granted to data subjects under Data Protection Laws;

“EU Data Protection Laws” means:

(a) the GDPR, and any applicable national implementing or supplementary legislation;

(b) the ePrivacy Directive 2002/58/EC and any applicable national implementing or supplementary legislation; and

(c) any other legislation in force in the European Economic Area or a Member State, Switzerland and in the United Kingdom protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data;

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018;

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum;

“Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;

“Personal Data” means any information relating to an identified or identifiable individual or device, or is otherwise “personal data,” “personal information,” “personally identifiable information” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws;

“Shared Personal Data” means the Personal Data which a Party shares with the other, including to which it grants the other access, in each case in connection with the performance of the Partner Program Agreement. Specifically, (1) the Personal Data which Klaviyo shares with or to which Klaviyo grants access to Partner in connection with the performance of the Partner Program Agreement through an Integration or otherwise, and (2) the Personal Data which Partner shares with or to which Partner grants access to Klaviyo in connection with the performance of the Partner Program Agreement, through an Integration or otherwise.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Shared Personal Data.

“Standard Contractual Clauses” or “SCC” means Module One (controller to controller) of the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914;

“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time; and

“UK Data Protection Laws” means all laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

1.2 The terms “controller”, “processor”, “data subject”, “process” and “supervisory authority” shall have the same meaning as set out in the GDPR.

2. DETAILS OF DATA PROCESSING

Klaviyo and Partner may each be Controllers of Personal Data and, in certain cases, transfer that Personal Data to the other Party to provide certain services (e.g. performing services as part of an Integration or completing an API call). The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Partner Program Agreement and in Schedule 1 to this Partner DPA.

3. ROLE OF THE PARTIES

3.1 Klaviyo and Partner are independent controllers with regard to Shared Personal Data, unless otherwise specified in this Partner DPA.

3.2 To the extent that the services include a referral program whereby the Personal Data collection is initiated through a Klaviyo website landing page (whether such Personal Data is collected directly by Klaviyo on its website, or by the Partner on the Partner’s website via a branded landing page or otherwise) or via an enabled Integration and then shared with the other Party and the GDPR applies, the Parties act as Joint Controllers. To this extent the Parties:

(a) have defined their roles and relationship with respect to data subjects as specified in clause 2.2 and Schedule 2 to this Partner DPA;

(b) have, save to the extent that their responsibilities are determined by EU or Member State law respectively UK laws to which they are subject, determined their respective responsibilities for compliance with the obligations under the GDPR as specified in Schedule 2 to this Partner DPA.

To the extent this provision deviates from the provisions in clause 4, this clause 3.2 shall prevail.

4. OBLIGATIONS OF THE PARTIES

4.1 Each Party shall, with respect to the processing of the Shared Personal Data (including the transfer of, or granting access to, the Shared Personal Data), comply with applicable Data Protection Laws. If either Party can no longer meet this obligation, they shall either cease processing the Shared Personal Data or take other reasonable and appropriate steps to remediate.

4.2 Each Party shall provide all necessary notices to data subjects as required under applicable Data Protection Laws for the lawful processing by it of the Shared Personal Data.

4.3 Each Party shall obtain consent from relevant data subjects as required under applicable Data Protection Laws to process the Shared Personal Data.

4.4 Each Party shall give effect to applicable Data Subject Rights and respond to inquiries by supervisory authorities and shall establish and maintain a procedure for the exercise of individuals whose Personal Data are being processed.

4.5 The Parties will provide all reasonable assistance requested by the other Party in connection with a request from, or audit by, a regulatory authority or other competent authority.

4.6 Each Party shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of the Shared Personal Data, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement technical and organizational security measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Shared Personal Data.

4.7 Each Party agrees to notify the other Party in the event of a Security Incident to the extent such breach is related to the Partner Program Agreement promptly, and in any case within such a period that the Parties can comply with their notification obligations under applicable Data Protection Laws.

4.8 Each Party shall cooperate and assist the other with the fulfilment of its obligations under the Data Protection Laws. Each Party shall in particular, unless prohibited under applicable law, notify the other without undue delay (i) of any requests to exercise Data Subject Rights received by that Party regarding the Shared Personal Data, (ii) about regulatory inquiries and requests, and (iii) any other occurrences that may be relevant to the other Party’s compliance with applicable Data Protection Laws.

4.9 Each Party shall process the Shared Personal Data as set out in the Partner Program Agreement or as otherwise authorized under applicable Data Protection Laws.

4.10 Each Party shall ensure that all of its employees engaged in the processing of such Shared Personal Data and third parties to which each Party grants access to Shared Personal Data are bound by appropriate confidentiality obligations and comply with the obligations of this Partner DPA.

5. INTERNATIONAL TRANSFERS

5.1 The Parties agree that the SCC as further specified in Schedule 3 to this DPA shall apply to the transfer of, including access to, Shared Personal Data:

 (a) in the case of a transfer from Partner to Klaviyo in connection with the Partner Program Agreement, where the processing of the Shared Personal Data by the Partner is subject to EU Data Protection Laws;

 (b) in the case of a transfer from Klaviyo to Partner, where:

  (i)  the Partner is not established in an Adequate Jurisdiction; and

  (ii) the processing of the Shared Personal Data is subject to EU Data Protection Laws or Klaviyo is otherwise contractually required to enter into the SCC.

5.2 The Parties agree that the SCC as further specified in Schedule 3 to this DPA shall apply and be amended by Schedule 4 to this DPA in relation to any transfer of, including the access to, Shared Personal Data:

 (a) in the case of a transfer from Partner to Klaviyo in connection with the Partner Program Agreement, where the processing of the Shared Personal Data by the Partner is subject to UK Data Protection Law; or

 (b) from Klaviyo to Partner in the case that:

  (i)  the Partner is not established within the UK or in an Adequate Jurisdiction; and

  (ii)  the processing of the Shared Personal Data is subject to UK Data Protection Laws or Klaviyo is otherwise contractually required to comply with UK Data Protection Laws.

5.3 The Parties agree that the SCC as further specified in Schedule 3 to this Partner DPA shall apply and be amended by Schedule 5 to this Partner DPA in relation to any transfer of, including the access to, Shared Personal Data:

 (a) in the case of a transfer from Partner to Klaviyo in connection with the Partner Program Agreement, where the processing of the Shared Personal Data by the Partner is subject to Swiss Data Protection Law; or

 (b) from Klaviyo to Partner in the case that:

  (i) the Partner is not established within Switzerland or in an Adequate Jurisdiction; and

  (ii) the processing of the Shared Personal Data is subject to Swiss Data Protection Laws or Klaviyo is otherwise contractually required to comply with Swiss Data Protection Laws.

6. TERMINATION

6.1 This Partner DPA shall terminate automatically upon termination or expiry of the Partner Program Agreement unless Partner is obliged to continue processing Shared Personal Data by applicable law, in which case this DPA shall automatically terminate once Partner has ceased to process Shared Personal Data.

SCHEDULE 1

DESCRIPTION OF THE TRANSFER

1. Categories of data subjects whose data is transferred

The Personal Data transferred could include the following categories of data subjects: Prospective and actual customers, individual recipients of marketing communications and other individuals being targets of other marketing activities of Klaviyo, the Partner and/or Klaviyo Affiliates’ or the Partner Affiliates’ or their prospective customers and any other third parties that have or may have a commercial relationship with either Klaviyo or Partner (e.g. advertisers, customers, contractors, product users).

2. Categories of data transferred

The categories of personal data transferred are: Determined by Partner’s configuration of the Services via an Integration, and may include, but is not limited to, the following:

 a) Agency Partner: first name, last name, phone number, email address, address data, IP address, device identifiers, usage data (such as interactions between an end user and Klaviyo’s online system, website or email, used browser, used operating system, or referrer URL) or other contact information (including prospective sales leads and customer lists).

 b) Technology Partner: first name, last name, phone number, email address, address data, IP address, device identifiers, usage data (such as interactions between an end user and Klaviyo’s online system, website or email, used browser, used operating system, or referrer URL) or other contact information (including prospective sales leads and customer lists).

3. Sensitive data transferred (if applicable)

The Personal Data transferred concern the following categories of sensitive data: N/A – Klaviyo’s Acceptable Use Policy and API Terms prohibit any end users, including Partner, from using the Services to solicit, display, store, process, send or transmit special categories of data.

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: N/A.

4. The frequency of the transfer

Transfers will be made on a one-off basis determined by Partner’s and Klaviyo’s configuration of the Integration and/or Services. Transfers may be made on a continuous and/or one-off basis subject to the applicable Integration and related documentation as provided by Partner.

5. Nature of the processing and Purpose of the transfer(s) and further processing

The nature of the processing and Purpose of the transfer is to extend Klaviyo’s core product and data functionality of its analytics and marketing automation platform to end users via Partner’s Integration and otherwise enable the relationship between the Parties and performance of each Party’s respective obligations contemplated under the Partner Program Agreement.

6. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

This Partner DPA will commence on the Effective Date and, notwithstanding any termination of this Partner DPA, will remain in effect until, and automatically expire upon, Klaviyo and Partner’s deletion of all Personal Data as described in this Partner DPA. The Parties agree to reasonably cooperate with the other Party to otherwise comply with the applicable Data Protection Laws.

7. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

This does not apply in a controller-to-controller relationship as Cl. 9 of the standard contractual clauses does not apply.

SCHEDULE 2

JOINT CONTROLLER ARRANGEMENT

The primarily responsible entity shall handle the exercise of the privacy rights under the GDPR, shall inform the affected individuals about the processing of their personal data and serve as the point of contact.

SCHEDULE 3

STANDARD CONTRACTUAL CLAUSES

For the purposes of the Standard Contractual Clauses, the following shall apply:

  1. Clause 7 SCC (Docking Clause) does not apply.
  2. The option in Clause 11(a) SCC (Independent dispute resolution body) does not apply.
  3. With regard to Clause 17 SCC (Governing law), the Parties agree that option one shall apply. The Parties agree that the governing law shall be the law of the Republic of Ireland.
  4. In Clause 18 SCC (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
  5. For the Purpose of Annex I SCC, Annex 1 to this Schedule 3 contains the specifications regarding the Parties, the description of transfer, and the competent supervisory authority.
  6. For the Purpose of Annex II SCC, Annex 2 to this Schedule 3 contains the technical and organizational measures.
  7. The specifications for Annex III of the standard contractual clauses do not apply to the SCC.

ANNEX 1

A. LIST OF PARTIES

Data exporter(s): Klaviyo, Inc., 125 Summer Street, Floor 6, Boston, MA, 02110, United States, Tel.: +1 (800) 338-1744

The data exporter’s contact person can be contacted at privacy@klaviyo.com.

Partner is the data exporter to the extent Partner provides and processes Personal Data as stipulated in the Partner Program Agreement.

The data exporter’s activities relevant to the data transfer under these Clauses are further described in Schedule 1 to this Partner DPA.

Data importer(s): Partner is the data importer as stipulated in the Partner Program Agreement.
Partner’s contact person’s name, position and contact details as well as (if appointed) the data protection officer’s and (if relevant) the representative’s contact details will be notified to Klaviyo upon request.

Klaviyo is the data exporter to the extent Klaviyo provides and processes Personal Data as stipulated in the Partner Program Agreement.

The data importer’s activities relevant to the data transfer under these Clauses are further described in Schedule 1 to this Partner DPA.

B. DESCRIPTION OF TRANSFER

Please see Schedule 1 to this Partner DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).

ANNEX 2

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

1. Measures for pseudonymization and encryption of Shared Personal Data:

A. Data minimization and privacy-by-design into its software or other product/service development lifecycle to prevent Shared Personal Data from being used in a manner inconsistent with this Partner DPA.

B. Does not utilize sensitive Personal Data (e.g., “special categories of Personal Data” under the GDPR) or directly identifiable Personal Data in connection with its use of the Services.

C. Utilizes appropriate, industry best cryptography when storing Shared Personal Data (e.g., encryption at rest and appropriate encryption for data in transit) and when utilizing hashed or other cryptographically protected identifiers wherever feasible.

2. Measures for ensuring ongoing confidentiality of processing systems and services:

A. Implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability, and security of Personal Data, including regular vulnerability scans and endpoint protection.

B. Has a documented data retention/deletion schedule that aligns with the retention/deletion requirements under the Partner DPA or Partner Program Agreement with respect to Shared Personal Data.

3. Measures for ensuring ongoing integrity of processing systems and services:

A. Has implemented and maintains a written information security program that contains administrative, technical, and physical safeguards appropriate to protect against potential Security Incidents and remediate actual or reasonably suspected Security Incidents, and that meet (i) industry best practices in relation to industry and (ii) any security requirements required under Data Protection Laws.

4. Measures for ensuring ongoing availability and resilience of processing systems and services:

A. Maintains Shared Personal Data availability and resilience via its written information security program, such as via secured and monitored operational sites, event and other auditable logs, tolerant infrastructure with appropriate redundancies, processes and policies for incident response and vendor due diligence, business continuity plans, backup procedures, and disaster recovery plans.

5. Measures for ensuring the ability to restore the availability and access to Shared Personal Data in a timely manner in the event of a physical or technical event:

A. See responses above.

6. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing:

A. At least annually, security measures and the written information security program are reviewed and tested for alignment with the requirements herein and industry best practices.

B. Security compliance is integrated within the software or other product/service development lifecycle and teams collaborate regularly to ensure those standards are kept up to date.

7. Measures for user identification and authorization:

A. Has procedures in place to authenticate and respond to requests from Data Subjects who have submitted rights requests (e.g., access, portability, erasure), and such procedures comply with Data Protection Laws.

B. Has operational and technical controls in place to ensure appropriate system access control with respect to Shared Personal Data and related infrastructure, such that only authorized personnel are granted access based on a “need to know” (and that unauthorized current or former personnel cannot improperly access such systems).

8. Measures for the protection of Shared Personal Data during storage:

A. See above, and the Partner DPA and the Partner Program Agreement more broadly, for limitations on how the parties can Process the Shared Personal Data.

B. Has implemented and maintains data minimization procedures with respect to Shared Personal Data stored on each party’s, or its subprocessors’, systems.

9. Measures for ensuring physical security of locations at which Shared Personal Data is Processed:

A. Facilities involved in the Processing of Shared Personal Data are accessible only by authorized personnel and there are technical and physical controls in relation thereto (e.g., two-factor authentication, firewalls, anti-malware, access controls, VPNs, access badges and logs, physical barriers).

10. Measures for ensuring accountability

A. Has performed a data mapping exercise that is compliant with Data Protection Laws and has created an appropriate record of Processing activities in relation thereto.

B. Has implemented a privacy program appropriate to the scope and nature of the Personal Data Processed, including, as applicable, reviewing and complying with self-regulatory frameworks where appropriate, conducting data protection impact assessments, and appointing a data protection officer (DPO) or other individuals responsible for privacy and data security as appropriate.

SCHEDULE 4

UK ADDENDUM

As stipulated in clause 5.2 of the Partner DPA, with respect to any transfers of Shared Personal Data falling within the scope of the UK GDPR from the data exporter to data importer, the Approved Addendum as set out in this Schedule 4 shall form part of this Partner DPA, and the SCC shall be incorporated hereby and be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 lit. 1 of the Mandatory Clauses;

1. In deviation to Table 1 of the Approved Addendum and in accordance with Clause 17 of the Mandatory Clauses, the parties are further specified in Annex 1 to Schedule 3 of this Partner DPA.

2. The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Schedule 3 of this Partner DPA as amended by the Mandatory Clauses.

3. Annex 1 A to the Approved Addendum is specified by Annex 1 to Schedule 3 of this Partner DPA, Annex 1 B of Table 3 to the Approved Addendum is specified by Schedule 1 of this Partner DPA, Annex II of the Approved Addendum is further specified by Annex 1 to Schedule 3 of this Partner DPA, and Annex III of the Approved Addendum does not apply to controller-to-controller relationships.

4. Table 4 of the Approved Addendum shall be determined as follows: the data exporter may end this Partner DPA, to the extent the Approved Addendum applies.

5. Clause 16 of the Mandatory Clauses shall not apply.

SCHEDULE 5

SWISS ADDENDUM

As stipulated in clause 5.3 of the Partner DPA, this Swiss Addendum shall apply to any processing of Shared Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR.

1. Interpretation of this Addendum

1.1  Where this Addendum uses terms that are defined in the Standard Contractual Clauses as set out in Schedule 3 of this Partner DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

1.2  This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

1.3  This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

1.4  Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

2. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

3. Incorporation of the Clauses

3.1 In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Laws and the GDPR, this Addendum amends the Partner DPA as set out in Schedule 3 of this Partner DPA to the extent necessary so they operate:

 (a)  for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and

 (b)  to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

3.2 To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the Partner DPA including the SCC, as set out in Schedule 3 of this Partner DPA and as required by clause 1.1 of this Swiss Addendum, include (without limitation):

 (a)  References to the “Clauses” or the “SCC” means this Swiss Addendum as it amends the SCC.

 (b)  Clause 6 Description of the transfer(s) is replaced with: “The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this Partner DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”

 (c)  References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

 (d)  References to Regulation (EU) 2018/1725 are removed.

 (e)  References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.

 (f)  Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;

 (g)  Clause 17 is replaced to state “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws”.

 (h)  Clause 18 is replaced to state:

“Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.

3.3 To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the Partner DPA including the Clauses as set out in Schedule 3 of this Partner DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 1.1 and 1.2 of this Swiss Addendum, with the sole exception that Clause 17 of the SCC shall not be replaced as stipulated under clause 3.2(g) of this Swiss Addendum.