This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (“Customer” or “you”), on the one hand, and Visa and/or any other applicable affiliated Visa contracting entity(ies) (“Visa”), on the other hand. It forms part of any written or electronic agreement between you and Visa (each, an “Agreement”) under which Visa Processes Personal Information on your behalf (“Customer Personal Information”), except with respect to any Agreement under which you and Visa have entered data processing terms that address the subject matter hereof.
1 Processing of Customer Personal Information. The parties acknowledge and agree that, under Applicable Data Protection Law, Visa may act in various data processing roles. To enable each party to comply with its obligations under Applicable Data Protection Law, each party further agrees to comply with any required provisions of Schedule A: California Consumer Privacy Act and/or Schedule B: General Data Protection Regulation, each, to the extent applicable.
1.1 GDPR. Where the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) applies to your use of Transaction Services or if Applicable Data Protection Law imposes a comparable requirement, the parties acknowledge and agree, with respect to the Customer Personal Information that Visa Processes, that:
1.1.1 Visa is a “processor” or such equivalent term under Applicable Data Protection Law, if any (referred to as “Processor” for purposes of this DPA) for the “Processor Services”. Such Processor Services include, by way of example and for illustrative purposes the Processing detailed on Details of Processing (Exhibit 2, section 1); and
1.1.2 both Customer and Visa are “joint controllers”, or such equivalent term under Applicable Data Protection Law, if any, for the “Controller Services”. Such Controller Services include the Processing detailed on Details of Processing (Exhibit 2, section 2).
1.2 Other Applicable Data Protection Law. Where section 1.1 does not apply, the parties acknowledge and agree that Visa is a Processor for all Transaction Services.
2 Compliance with law. Each of Visa, in its provision of Transaction Services to Customer, and Customer, in its use of the Transaction Services, shall Process Customer Personal Information in accordance with Applicable Data Protection Law.
3 Privacy Notice. Customer shall provide its End-User(s) with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law with respect to the Transaction Services.
4 Processor obligations
4.1 Authorization to Process. Where Visa is acting as a Processor, it will Process Personal Information on behalf of Customer to provide such Transaction Services, and Processor is authorized to Process Customer Personal Information solely in connection with the following activities:
4.1.1 In accordance with the applicable Agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Transaction Services, and any Processing required under applicable law or regulations;
4.1.2 Based on the instructions of Customer and in its use of the Transaction Services, Processor transfers Personal Information to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers performing payer authentication services used by Customer, such as Verified by Visa and MasterCard Identity Check (ID Check); and
4.1.3 As reasonably necessary to enable Processor to comply with any other directions or instructions provided by Customer.
4.2 Data Subject Rights. Processor will, to the extent legally permitted, provide reasonable assistance to Customer to respond to requests from End-Users to exercise their rights under Applicable Data Protection Law (e.g., rights to access or delete Personal Information) in a manner that is consistent with the nature and functionality of the Transaction Services. Customer shall submit such requests for assistance to the Business Center. Where Processor receives any such request, it shall advise the End-User that the Customer is responsible for handling such requests by an End-User in accordance with Applicable Data Protection Law.
4.3 Engaging with Sub-Processors. Processor shall ensure that when engaging with another data processor including any Affiliates (a “Sub-Processor”) for the purposes of carrying out specific Processing activities on behalf of Customer, there is a written contract in place between Processor and the relevant Sub-Processor. Such written contracts, to the extent applicable to the nature of the Transaction Services provided by the relevant Sub-Processor will provide at least the same level of protection for Customer Personal Information as set out in this DPA.
4.4 Staff. Processor shall ensure that persons authorized to Process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.5 Security of Processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Processor shall, in particular, take into account the sensitivity of the Personal Information and the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed. Processor shall provide reasonable assistance to Customer in ensuring Customer meets its own compliance obligations with respect to these same security measures. The parties shall also comply with PCI-DSS as set out in the Agreement.
5 Security Breach. A party shall promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of Customer Personal Information. In the event of an actual Security Breach (defined below) affecting Customer Personal Information the parties shall cooperate and assist one another in good faith as needed to comply with Applicable Data Protection Laws including as applicable, notifying a Supervisory Authority of the Security Breach and communicating the Security Breach to the relevant Data Subjects. In the event of an actual Security Breach (defined below) affecting Customer Personal Information contained in:
5.1 Visa’s systems, Visa shall notify Customer of the Security Breach without undue delay and continue to keep Customer informed on a regular basis of the progress of investigation and remediation efforts. Notice in accordance with this section shall be made by sending an email and/or text message to the email address and/or mobile phone number registered by Customer in the Business Center. For Controller Services, Customer shall cooperate and assist Visa as necessary for Visa to communicate the Security Breach to the relevant Supervisory Authorities.
5.2 Customer’s systems, Customer may elect to notify Visa of the Security Breach, and such notice should be made by sending an email to [email protected] . Visa shall cooperate and assist Customer as necessary for Customer to communicate the Security Breach to the relevant Supervisory Authorities.
5.3 Customer shall be responsible for communicating any Security Breach to End Users if notice is required under Applicable Data Protection Laws.
5.4 Except as required by applicable law or regulation, neither party will make (or permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other party, unless the other party provides its explicit written authorization.
5.5 To the extent that a Security Breach was caused by Customer or Customer’s End Users, Customer shall be responsible for the costs arising from the Processor’s provision of assistance under this section 5.
6 Deletion and Retention. Processor shall, at the choice of Customer, delete or return all Customer Personal Information upon termination of the Agreement and delete existing copies unless storage is required by applicable law.
7 Miscellaneous. The terms of this DPA shall apply only to the extent required by Applicable Data Protection Law. To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA. In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control. Notwithstanding any term or condition of the DPA, the DPA does not apply to any data or information that does not relate to one or more identifiable individuals under Applicable Data Protection Law, such as data that has been aggregated, de-identified or anonymized, or to the extent that Visa and you have entered separate data processing terms that address the subject matter hereof.
8 Definitions. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law.
“Applicable Data Protection Law”
means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, Applicable Data Protection Laws include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), UK Data Protection Laws, Swiss DP Laws and any associated regulations or any other legislation or regulations that transpose, supersede or are deemed substantially similar to the above.
“EEA Standard Contractual Clauses”
means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by a competent authority under the Applicable Data Protection Law.
“End-User”
means any person that purchases goods or services of Customer, whose information is submitted by Customer to Visa during the course of Customer using the Transaction Services hereunder.
“Personal Information”
means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Law. For the avoidance of doubt, this includes any information relating to an End-User as defined in the Agreement.
“Process” or “Processed” or “Processing”
means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction.
“Security Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” (as defined in any US law), a “breach of security safeguards” (as defined in PIPEDA) or similar term (as defined in any other applicable privacy laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.
“Swiss DP Laws”
means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances.
“Transfer”
means to transmit or otherwise make Customer Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection Law.
“UK Data Protection Laws”
means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.
“UK IDTA”
means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
SCHEDULE A
CALIFORNIA CONSUMER PRIVACY ACT
This CCPA Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the CCPA applies to your use of Transaction Services or if Applicable Data Protection Law imposes a comparable requirement outlined under Schedule A. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this CCPA Schedule and the DPA, this CCPA Schedule shall prevail.
1 Visa shall not:
(i) sell, or share for cross-contextual behavioral advertising, Customer Personal Information;
(ii) combine Customer Personal Information with personal information obtained from different sources;
(iii) retain, use, or disclose Customer Personal Information other than for the specific purposes set forth in the body of the DPA; or
(iv) where applicable, use any Sensitive Personal Information received from Customer other than to assist the Customer in purposes authorized by Customer instruction;
in each case, except as required to perform a business purpose defined in this Agreement or as permitted by Applicable Data Protection Law.
2 To the extent required by Applicable Data Protection Law, this CCPA Schedule constitutes its certification to the Processing restrictions herein to enable Customer to:
(i) ensure Customer Personal Information is used consistent with Applicable Data Protection Law;
(ii) stop and remediate unauthorized use of Customer Personal Information, and
(iii) to conduct reasonable assessments of Visa’s policies and technical and organizational measures. Visa grants Customer the rights set forth in Schedule B, Section 4 for the purposes of Section 2(iii) of this Schedule.
3 Sub-processor obligations pursuant to the CCPA shall be governed by Section 4.3 of the DPA.
4 Each of Visa and Customer shall comply with applicable provisions of the CCPA, including, in the case of the Customer, to provide required notices and disclosures with respect to the obligations of the business under the CCPA; and in the case of Visa, to notify Customer promptly (and, in any event, within any period required by law) upon making a determination that it can no longer meet its obligations with respect to Customer Personal Information under the CCPA.
SCHEDULE B
GENERAL DATA PROTECTION REGULATION
This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR applies to your use of Transaction Services or if Applicable Data Protection Law imposes a comparable requirement outlined under Schedule B. Capitalized terms not defined herein have the meaning assigned to them under the DPA. To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.
1 Processor Obligations. Processor shall Process Customer Personal Information only on documented reasonable instructions from Customer (including instructions with respect to transfers of Customer Personal Information to a third country, if applicable) unless Processor is required to otherwise Process Customer Personal Information by Applicable Data Protection Law. In such circumstances, Processor shall inform Customer of that legal requirement before Processing, unless prohibited from doing so by applicable law, on important grounds of public interest. Processor shall immediately inform Customer if, in Processor’s opinion, Customer’s instructions would be in breach of Applicable Data Protection Law. Customer agrees that Processor shall be under no obligation to take actions designed to form any such opinion.
2 Use of Sub-Processor
2.1 Customer provides authorization for Processor to engage with the Sub-Processors listed in the Business Center. Processor reserves the right to maintain its Sub-Processor list through means such as publication of its Sub-Processor list online.
2.2 Processor shall inform Customer of any intended changes concerning the addition or replacement of other Sub-Processors to give Customer a reasonable opportunity to object to such changes. In the event Customer objects to Processor’s change or addition of a Sub-Processor, Customer shall promptly notify Processor of its objections in writing within 10 business days after receipt of Processor’s notice of such change or addition.
2.3 Processor may, at its option, undertake reasonable efforts to make available to Customer a change in the Transaction Services or recommend a commercially reasonable change to Customer’s configuration or use of the Transaction Services to avoid Processing of Customer Personal Information by the objected-to new Sub-Processor. If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the Agreement with respect to only those aspects of the Transaction Services, which cannot be provided by Processor without the use of the objected-to new Sub-Processor by providing written notice to Processor. If the Transaction Services as a whole cannot be performed without the objected-to new Sub-Processor, Customer may terminate the entire Agreement.
2.4 Processor agrees not to impose a penalty on Customer for any termination under this section 2.
3 Data Protection Impact Assessments and Prior Consultation with Regulator. Processor shall provide reasonable assistance to Customer with any legally required (i) data protection impact assessments; and (ii) prior consultations initiated by the Customer with its regulator in connection with such data protection impact assessments. Such assistance shall be strictly limited to the Processing of Customer Personal Information by Processor on behalf of Customer under the Agreement taking into account the nature of the Processing and information available to the Processor.
4 Demonstrating Compliance with this DPA. Processor shall make available to Customer all information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Customer or another auditor under the instruction of the Customer for the same purposes of demonstrating compliance with obligations set out in this DPA. Customer’s right under section 4 of this GDPR Schedule is subject to the following:
4.1 If Processor can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification or by providing Customer with an audit report issued by an independent third party auditor (provided that Customer will comply with appropriate confidentiality obligations as set out in the Agreement and shall not use such audit report for any other purpose), Customer agrees that it will not conduct an audit or inspection under section 4 above; and
4.2 In acknowledgement of the time, expense and disruption to business associated with performing audits and inspections involving interviews and onsite visits, Customer agrees to only conduct such audits and inspections on condition that Customer can demonstrate such audit or inspection is necessary beyond the information made available by Processor under section 4 above. Such audits and inspections shall be at reasonable intervals (but not more than once per year) upon not less than 60 days' notice and at a date mutually agreed by the Parties, provided that the audit will (i) not disrupt Processor's business; (ii) be conducted during business hours and at the Customer’s expense; (iii) not interfere with the interests of Processor’s other customers; and (iv) not exceed a period of two successive business days.
5 Cross-Border Transfers for Processor Services. Processor shall comply with Customer’s documented instructions concerning the Transfer of Customer Personal Information to a third country. The Processor shall only Transfer any Customer Personal Information outside the Customer’s applicable jurisdiction or the End-User’s resident jurisdiction, including, without limitation, outside the European Economic Area (“EEA”), the UK or Switzerland, in compliance with the Applicable Data Protection Law. Customer agrees and acknowledges that Processor Transfers and stores certain Customer Personal Information (including relating to individuals located in the EEA, Switzerland and/or the UK) in the United States.
5.1 Transfers subject to the GDPR, UK GDPR or Swiss DP Laws. Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses shall apply with respect to any Transfer of Customer Personal Information from the EEA, UK or Switzerland to Visa and any of its affiliated entities in the United States or other third countries ("Visa Entities"). The parties acknowledge and agree that Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses is hereby incorporated by reference and:
5.1.1 Customer and any of its commonly owned or controlled affiliates that have signed an Agreement for Processor Services ("Customer Entities") shall be deemed to be “data exporter” and the Visa Entities shall be the "data importer";
5.1.2 Clause 7 – Docking clause shall apply;
5.1.3 Clause 9 – Use of subprocessors Option 2 shall apply and the “time period” shall be 10 business days;
5.1.4 Clause 11(a) – Redress the optional language shall not apply;
5.1.5 Clause 13(a) – Supervision
5.1.5.1 Where the data exporter is established in an EU Member State the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.”
5.1.5.2 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.”
5.1.5.3 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”
5.1.6 Clause 17 – Governing law Option 1 shall apply and the “Member State” shall be Ireland;
5.1.7 Clause 18 – Choice of forum and jurisdiction the Member State shall be Ireland; and
5.1.8 the information in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes 1, 2 and 3 of the EEA Standard Contractual Clauses.
5.1.9 Transfers subject to the UK GDPR: Where the Transfer is subject to the UK GDPR, the EEA Standard Contractual Clauses shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA. For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option. Otherwise, the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Exhibit 1. If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement and a term in Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses, incorporated into this DPA, the term in Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses shall take precedence.
6 Joint Controller Obligations. The obligations in this DPA, including those set out below in this GDPR Schedule, shall constitute the written arrangement allocating responsibilities between joint controllers required under Article 26 of the GDPR with respect to the Controller Services.
7 Reasonable Assistance. With respect to the Controller Services, each party shall assist the other party as reasonably required, in meeting any regulatory obligations in relation to data security, notification of a Security Breach, and data protection impact assessments for the Controller Services.
8 Notice. With respect to the Controller Services, Customer shall provide its End-User(s) with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law with respect to the Transaction Services.
9 Data Subject Rights. The parties agree that the Customer shall be the designated point of contact for the Data Subject with respect to Data Subject Rights requests for Controller Services, and Visa shall reasonably cooperate with and assist Customer in the execution and fulfilment of its obligations under Applicable Data Protection Laws in relation to such requests.
10 Supervisory Authority. The parties shall without undue delay notify each other upon receipt of any correspondence from a Supervisory Authority in respect of the Controller Services where and to the extent permitted by applicable law.
11 Security of Processing. Each party shall be responsible for ensuring adequate security in respect of processing of Personal Information for Controller Services that takes place within that party’s own systems.
12 Security Breach. For the avoidance of doubt, in the event of a Security Breach related to Controller Services, section 5 of the body of the Agreement shall govern.
13 Cross border transfers for Controller Services
13.1 Transfers subject to the GDPR, UK GDPR or Swiss DP Laws: Module 1 (transfer controller to controller) of the EEA Standard Contractual Clauses shall apply with respect to any Transfer of Customer Personal Information from the EEA, UK or Switzerland to Visa in the United States, solely when Visa is acting as a controller for the purposes of the Controller Services. The parties acknowledge and agree that Module 1 (transfer controller to controller) of the EEA Standard Contractual Clauses is hereby incorporated by reference and:
13.1.1 Customer and any Customer Entities shall be deemed to be “data exporters” and the Visa Entities shall be the "data importer";
13.1.2 Clause 7 – Docking clause shall apply;
13.1.3 Clause 11(a) – Redress the optional language shall not apply;
13.1.4 Clause 13(a) – Supervision
13.1.4.1 Where the data exporter is established in an EU Member State the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.”
13.1.4.2 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.”
13.1.4.3 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”
13.1.5 Clause 17 – Governing law Option 1 shall apply and the “Member State” shall be Ireland;
13.1.6 Clause 18 – Choice of forum and jurisdiction the Member State shall be Ireland;
13.1.7 the information in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes 1, 2 and 3 of the EEA Standard Contractual Clauses.
13.2 Transfers subject to the UK GDPR: where the Transfer is subject to the UK GDPR, the EEA Standard Contractual Clauses shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA. For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option. Otherwise, the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Exhibit 1.
13.3 If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement and a term in Module 1 (transfer controller to controller) of the EEA Standard Contractual Clauses incorporated into this DPA, the term in the EEA Standard Contractual Clauses shall take precedence.
EXHIBIT 1
INFORMATION REQUIRED FOR THE EEA STANDARD CONTRACTUAL CLAUSES AND THE UK IDTA
Table 1: Information to be incorporated into the EEA Standard Contractual Clauses
ANNEX I A. List of Parties
Data EXPORTER identity and contact details