CROSS BORDER DATA TRANSFER ADDENDUM (SUBSCRIPTIONS)
This Cross Border Data Transfer Addendum (Subscriptions) forms part of the agreement entered into between PGML and the Client (“Agreement”). This Cross Border Data Transfer Addendum (Subscriptions) is not intended to act as a stand-alone agreement.
BACKGROUND
(A) This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
(B) This Addendum is entered into between all of the Exporters and all of the Importers. The Exporters and the Importers are entities within the PGML group of companies. The Exporters are all located within the United Kingdom and are entering into this Addendum with the Importers in order to fulfil their legal obligations to institute Appropriate Safeguards for Restricted Transfers when sharing personal data with entities within the PGML group who are based in countries which do not benefit from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679.
| AGREED TERMS Table 1: Parties The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | As set out in the Agreement. | As set out in the Agreement. |
| Key contacts | Full name (optional): Sam Compagnoni Job Title: Managing Director Contact Details: sam.compagnoni@egr.global | Full name (optional): As set out in the Agreement Job Title: As set out in the Agreement Contact Details: As set out in the Agreement |
| Table 2: Selected SCCs, Modules and Selected Clauses Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum. | ||||||
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? | |
| 1 | X | – | – | – | |||
| 2 | – | ||||||
| 3 | – | ||||||
| 4 | – | – | |||||
Table 3: Appendix Information
| “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: List of Parties: Annex 1A |
| Description of Transfer: Annex 1B |
| Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II |
| List of Sub processors (Modules 2 and 3 only): N/A |
Table 4: Ending this Addendum when the Approved Addendum changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ⮽ Importer ⮽ Exporter ☐ Neither Party |
Part 2: Mandatory Clauses
| Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
Annex 1A – List of Parties
Data exporter(s):
1. Name: The PGML entity which is a party to the Agreement
Address: Pageant Gaming Media Ltd, 11 St John Street, London, EC1M 4AA, UK
Contact person’s name, position and contact details: Sam Compagnoni, Managing Director, sam.compagnoni@egr.global
Activities relevant to the data transferred under these Clauses: Export of personal data in accordance with Annex 1B to this agreement.
Role (controller/processor): Controller
Data importer(s):
Name: The Client which is a party to the Agreement
Address: As per the Agreement
Contact person’s name, position and contact details: As per the Agreement
Activities relevant to the data transferred under these Clauses: Import and receipt of personal data in accordance with Annex 1B to this agreement.
Role (controller/processor): Controller
Annex 1B – Description of Transfers
Data subjects
The personal data transferred concern the following categories of data subjects:
Employees of the Data Exporter and details of data subjects who have been captured and added to the Data Exporter’s product databases.
Purposes of the transfer(s)
The transfer is made for the following purposes:
To enable PGML to provide the Services pursuant to the terms of the Agreement, to permit the Authorised Users to access the Services and to administer, update and improve the Services.
Categories of data
The personal data transferred concern the following categories of data:
Identity data, including first names, last names, job titles, employer, dates of birth and gender;
Contact data including business addresses, email addresses and telephone numbers;
Recipients
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
The data exporter shall limit access to personal data received via the Services shall be limited to Authorised Users only.
Sensitive data (if appropriate)
The personal data transferred may include the following categories of sensitive data: gender, marital status, nationality, country of birth, and ethnic origin.
Data protection registration information of a data exporter (where applicable)
Pageant Gaming Media Limited is registered with the UK ICO under number ZA591417
Additional useful information (storage limits and other relevant information)
Access to personal data shall be permitted by the Client on a strictly need-to-know basis only within both the data exporter and the data importer. All personal data must be deleted in accordance with the terms of the Agreement.
| Contact points for data protection enquiries Exporter: PGML | Importer: The Client |
| sam.compagnoni@egr.global | Contact details as per the Agreement |
Annex II – Technical and organisational measures including technical and organisational measures to ensure the security of the data:
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the importer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 GDPR or an approved certification mechanism as referred to in Article 42 GDPR may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 above.
4. The importer shall take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.