§ 00 · Introduction
Purpose and scope.
This Data Processing Addendum (this DPA) forms part of the End User License Agreement and any other written or electronic agreement between Grizzly Systems, Inc., a Delaware corporation (Grizzly Systems, or Processor) and the customer entity identified on the cover page or in the underlying agreement (Customer, or Controller) (together, the Agreement). This DPA governs Grizzly Systems’ processing of Personal Data on behalf of Customer in connection with the Software and Services.
This DPA applies where, and to the extent that, Grizzly Systems processes Personal Data subject to European Data Protection Laws (defined below) and/or applicable U.S. State Data Protection Laws on behalf of Customer. To the extent of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls. To the extent of any conflict between the body of this DPA and the Standard Contractual Clauses in Exhibit D, the Standard Contractual Clauses control.
By executing the Agreement, or by clicking to accept this DPA, Customer enters into this DPA on behalf of itself and its Affiliates that use the Services.
§ 01 · Definitions
Capitalized terms not defined herein have the meanings given in the Agreement. In this DPA:
- “Affiliate” — with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with such party.
- “Controller” — the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including “business” within the meaning of the CCPA.
- “Customer Data” — data submitted to or generated by the Services on behalf of Customer, as further defined in the Agreement, including Personal Data.
- “Data Subject” — the identified or identifiable natural person to whom Personal Data relates, including “consumer” within the meaning of the CCPA.
- “EEA” — the European Economic Area.
- “European Data Protection Laws” — (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC, as amended) and any national implementing legislation; (iii) in respect of the United Kingdom, the UK GDPR and the Data Protection Act 2018 (“UK Data Protection Laws”); and (iv) in respect of Switzerland, the Federal Act on Data Protection (FADP), each as amended from time to time.
- “Personal Data” — any information relating to an identified or identifiable Data Subject that is processed by Grizzly Systems on behalf of Customer in connection with the Services. Personal Data includes “personal information” within the meaning of the CCPA.
- “Personal Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- “Processor” — the natural or legal person which processes Personal Data on behalf of the Controller, including “service provider” within the meaning of the CCPA.
- “Restricted Transfer” — a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant supervisory authority.
- “Standard Contractual Clauses” or “SCCs” — the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the GDPR, as set out in Exhibit D.
- “Sub-processor” — any third party engaged by Grizzly Systems to process Personal Data in the course of providing the Services.
- “Supervisory Authority” — an independent public authority established by a Member State pursuant to Article 51 GDPR, or its UK or Swiss equivalent.
- “U.S. State Data Protection Laws” — the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; the Utah Consumer Privacy Act; the Texas Data Privacy and Security Act; the Oregon Consumer Privacy Act; the Montana Consumer Data Privacy Act; and any analogous U.S. state laws, each as amended from time to time.
§ 02 · Roles and scope of processing
2.1 Role of the parties.
With respect to Personal Data processed in connection with the Services, the parties acknowledge and agree that: (a) Customer acts as Controller (or where Customer is itself a processor for another controller, as a processor); (b) Grizzly Systems acts as Processor (or sub-processor, as applicable); and (c) Grizzly Systems will process Personal Data only on documented instructions from Customer, except where required to do so by applicable law.
2.2 Documented instructions.
Customer’s documented instructions to Grizzly Systems are set out in: (a) the Agreement; (b) this DPA, including the processing details in Exhibit A; (c) Customer’s lawful use of the Services in accordance with the Documentation; and (d) any further written instructions agreed to in writing by the parties. Grizzly Systems will inform Customer if, in its opinion, an instruction infringes European Data Protection Laws.
2.3 Compliance with law.
Each party will comply with European Data Protection Laws and U.S. State Data Protection Laws applicable to it in its role under this DPA. Customer is responsible for ensuring it has a valid lawful basis under applicable law for its processing, including its instructions to Grizzly Systems.
2.4 AI training.
The parties acknowledge that under the Agreement and the Privacy Policy, Grizzly Systems may use Customer Data to train, improve, and develop its AI Models, subject to the opt-out described in Section 8.7 of the EULA. To the extent such training involves processing of Personal Data, the parties agree that this processing is performed on Customer’s documented instructions for the purpose of providing and improving the Services. Customer may opt out of this processing at any time as described in the Agreement; opt-out is effective with respect to Personal Data ingested after the opt-out is processed. Grizzly Systems’ use of Aggregated Data and Derived Data (as defined in the EULA) that does not identify any Data Subject is not subject to this DPA.
§ 03 · Processor obligations
3.1 Confidentiality of personnel.
Grizzly Systems will ensure that personnel authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Personnel access to Personal Data is restricted to those who need it to perform their duties, subject to the access controls described in Exhibit B.
3.2 Security measures.
Grizzly Systems will implement and maintain the technical and organizational security measures set out in Exhibit B to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
3.3 Personal Data Breach notification.
Grizzly Systems will notify Customer without undue delay, and where feasible no later than seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include the information specified in Article 33(3) GDPR to the extent then known, including: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects and records concerned; (c) likely consequences; and (d) measures taken or proposed to address the breach. Grizzly Systems will cooperate reasonably with Customer in investigating and remediating any Personal Data Breach.
3.4 Assistance with Data Subject requests.
Grizzly Systems will, taking into account the nature of the processing and insofar as possible, provide reasonable assistance to Customer by appropriate technical and organizational measures for the fulfillment of Customer’s obligation to respond to requests by Data Subjects to exercise their rights under European Data Protection Laws (including rights of access, rectification, restriction, erasure, data portability, objection, and not to be subject to automated decision-making). If Grizzly Systems receives a request directly from a Data Subject, it will (unless prohibited by law) inform the Data Subject to direct the request to Customer.
3.5 Assistance with data protection impact assessments.
Grizzly Systems will, taking into account the nature of the processing and the information available to Grizzly Systems, provide reasonable assistance to Customer in carrying out data protection impact assessments and prior consultations with Supervisory Authorities under Articles 35 and 36 GDPR.
3.6 Return or deletion of Personal Data.
Upon termination or expiration of the Agreement, Grizzly Systems will, at Customer’s choice, delete or return all Personal Data to Customer in accordance with the data export procedures described in the Agreement. Grizzly Systems will delete all existing copies unless applicable law requires storage of the Personal Data. Personal Data that has been incorporated into AI Models prior to deletion or return is not stored as Personal Data and is not subject to deletion under this Section 3.6; it remains in the form of model patterns and weights as described in the EULA.
3.7 Audits.
Grizzly Systems will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Customer’s audit rights are satisfied in the first instance by Grizzly Systems’ provision of third-party audit reports (such as SOC 2 Type II, ISO 27001, or equivalent), industry-recognized certifications, and responses to reasonable security questionnaires. If Customer reasonably believes those materials are insufficient, Customer may, on reasonable prior written notice and not more than once per twelve (12) month period (except where required by a Supervisory Authority or after a Personal Data Breach), audit Grizzly Systems’ compliance with this DPA. Any such audit will be conducted during regular business hours, in a manner that does not unreasonably interfere with Grizzly Systems’ business activities, and subject to confidentiality obligations. Customer will bear its own costs and Grizzly Systems’ reasonable costs.
§ 04 · Sub-processors
4.1 General authorization.
Customer provides general authorization for Grizzly Systems to engage Sub-processors to process Personal Data, subject to the requirements of this Section 4. A current list of Sub-processors is set out in Exhibit C and at grizcam.com/sub-processors.
4.2 Notice of new Sub-processors.
Grizzly Systems will provide Customer with at least thirty (30) days’ prior notice of the addition of any new Sub-processor, by updating the list at grizcam.com/sub-processors and (if Customer has subscribed) by email. Customer may object to the engagement of a new Sub-processor on reasonable grounds related to data protection by providing written notice within fifteen (15) days of the notice. The parties will work together in good faith to address Customer’s objection. If the parties cannot reach a resolution, Customer may, as its sole remedy, terminate the affected portion of the Services on written notice, and Grizzly Systems will refund any prepaid fees for the terminated portion covering the period after termination.
4.3 Sub-processor obligations.
Grizzly Systems will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those imposed on Grizzly Systems under this DPA. Grizzly Systems remains liable to Customer for the acts and omissions of its Sub-processors as if they were its own.
§ 05 · International data transfers
5.1 Lawful transfer mechanism.
To the extent that Grizzly Systems’ processing of Personal Data involves a Restricted Transfer, the parties agree that the transfer mechanism set out in this Section 5 will apply.
5.2 EU SCCs.
For transfers of Personal Data subject to the GDPR from the EEA to a third country not subject to an adequacy decision, the parties agree to the Standard Contractual Clauses, which are incorporated into this DPA by reference and are deemed completed as set out in Exhibit D, Part 1.
5.3 UK transfers.
For transfers of Personal Data subject to the UK GDPR from the United Kingdom, the parties agree to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (the “UK IDTA Addendum”), version B1.0 in force as of 21 March 2022 (and as updated). The UK IDTA Addendum is incorporated into this DPA by reference and is deemed completed as set out in Exhibit D, Part 2.
5.4 Swiss transfers.
For transfers of Personal Data subject to the Swiss FADP from Switzerland, the parties agree to the SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner’s guidance, with the modifications set out in Exhibit D, Part 3.
5.5 Supplementary measures.
In light of the Schrems II judgment, Grizzly Systems has assessed its transfers and has implemented, in addition to the SCCs, the supplementary technical, contractual, and organizational measures set out in Exhibit B.
5.6 Adequacy decisions.
If, during the term of this DPA, the European Commission, the UK Information Commissioner’s Office, or the Swiss Federal Council issues an adequacy decision covering Grizzly Systems’ processing of Personal Data, the parties will rely on such adequacy decision as the transfer mechanism and the SCCs will be of no further effect to the extent superseded by that adequacy decision.
§ 06 · U.S. State Data Protection Laws
6.1 Service provider / processor status.
With respect to Personal Data subject to the CCPA or other U.S. State Data Protection Laws, Grizzly Systems acts as a “service provider” or “processor” (as those terms are defined under the applicable law) and not as a “third party.” Grizzly Systems certifies that it understands and will comply with the restrictions set out in this Section 6.
6.2 Restrictions.
Grizzly Systems shall not:
- sell or share Personal Data (as those terms are defined under the CCPA), and shall not engage in cross-context behavioral advertising involving Personal Data;
- retain, use, or disclose Personal Data outside of the direct business relationship between the parties, except as expressly permitted by this DPA, the Agreement, and the Privacy Policy, or as otherwise permitted by applicable law;
- retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA and the Agreement, including the AI-training purposes set forth in Section 4 of the EULA which are necessary and proportionate to provide and improve the Services; or
- combine Personal Data with Personal Data received from any other source, except as permitted by the CCPA for service providers.
6.3 Compliance assistance.
Grizzly Systems will provide Customer with reasonable assistance in fulfilling Customer’s obligations under U.S. State Data Protection Laws, including in responding to consumer rights requests and conducting any required risk assessments.
6.4 Notice of inability to comply.
Grizzly Systems will notify Customer if it determines it can no longer meet its obligations under U.S. State Data Protection Laws or this Section 6.
§ 07 · Liability
The liability of each party (and each party’s Affiliates) under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits or excludes the liability of a party to the extent such limitation or exclusion is not permitted by applicable law (including for Data Subjects’ direct claims under the SCCs).
§ 08 · Term and termination
This DPA is effective for the term of the Agreement, and survives termination of the Agreement to the extent necessary to give effect to its terms (including Section 3.6 and Section 5).
§ 09 · General provisions
9.1 Order of precedence.
In the event of any conflict between (a) the body of this DPA, (b) the SCCs (and the UK IDTA Addendum and Swiss adaptation, as applicable), and (c) the Agreement: the SCCs prevail over the body of this DPA and the Agreement; the body of this DPA prevails over the Agreement with respect to the subject matter of this DPA.
9.2 Severability.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect. The parties will negotiate in good faith to replace any invalid provision with a valid one that achieves the original intent to the maximum extent permitted by law.
9.3 Updates.
Grizzly Systems may update this DPA from time to time to address changes in applicable law, regulatory guidance, or industry standards, by posting an updated DPA at grizcam.com/dpa and notifying Customer. Updates that materially reduce Customer’s protections under this DPA will not apply to Customer without Customer’s written consent.
9.4 Counterparts and electronic signature.
This DPA may be executed in counterparts and by electronic signature, each of which is an original, and all of which together constitute one instrument.
Exhibit A · Processing details
Description of the processing — equivalent to Annex I.B of the SCCs.
A.1 List of parties.
Data exporter: Customer, as identified in the Agreement. Role: Controller (or Processor for its end-customers, where applicable). Activities relevant to the data transferred: receiving the Services under the Agreement.
Data importer: Grizzly Systems, Inc., a Delaware corporation, with its principal place of business in Emigrant, Montana, USA. Role: Processor (or Sub-processor). Activities relevant to the data transferred: providing the Software and Services to Customer under the Agreement.
A.2 Categories of Data Subjects.
- Customer’s authorized users of the Services (employees, contractors, agents).
- Individuals whose images, voices, or other identifiable information may be incidentally captured by Customer’s GrizCam Hardware (for example, individuals passing through the camera’s field of view or audio range).
- Customer’s representatives, billing contacts, and points of contact for support.
A.3 Categories of Personal Data.
- Identifiers (name, email, phone, organization, billing address, account credentials).
- Audio-visual data (images, video, infrared, thermal imagery, audio recordings) that may include Data Subjects.
- Geolocation data (GPS coordinates of GrizCam Hardware deployments and, where applicable, devices used to access the Services).
- Sensor telemetry (radar, magnetometer, environmental readings) that does not generally identify individuals but is processed alongside identifying data.
- Technical and usage data (IP address, device identifiers, software version, session logs, feature-usage signals).
- Communications content (support messages, survey responses, annotations).
A.4 Sensitive Data.
The Services are not designed to process special categories of Personal Data within the meaning of Article 9 GDPR, or “sensitive Personal Information” within the meaning of the CCPA. Customer is responsible for not deploying GrizCam Hardware in locations or configurations intended to capture such data. Precise geolocation may, in some U.S. jurisdictions, constitute sensitive Personal Information; the Services rely on precise geolocation for their core functionality, and Customer’s use of the Services constitutes its instruction for such processing.
A.5 Frequency of the transfer.
Continuous, for the duration of the Agreement.
A.6 Nature of the processing.
Hosting, storage, transmission, encryption, indexing, analytics, classification, alerting, support, security operations, and AI model training and evaluation, all as further described in the Agreement and the Privacy Policy.
A.7 Purpose of the processing.
To provide, secure, operate, and improve the Software and Services for Customer, including by training AI Models subject to the opt-out described in the Agreement.
A.8 Period for which the Personal Data will be retained.
For the duration of the Agreement, plus any additional retention period set out in the Privacy Policy or required by law. Customer Data is deleted or de-identified in accordance with Customer’s chosen retention configuration and the schedules in the Privacy Policy.
A.9 Sub-processors.
As listed in Exhibit C and at grizcam.com/sub-processors.
Exhibit B · Technical and organizational measures
Security measures equivalent to Annex II of the SCCs. As further described in Grizzly Systems’ Security Whitepaper.
Grizzly Systems maintains the following technical and organizational measures, designed in accordance with the state of the art and the risk profile of the Services. Measures evolve over time; Grizzly Systems will not materially reduce protections during the term of the Agreement.
B.1 Encryption.
- Customer Data is encrypted in transit between GrizCam Hardware, the Software, and Grizzly Systems’ infrastructure using TLS 1.2 or higher, with modern cipher suites.
- Customer Data is encrypted at rest in Grizzly Systems’ production storage using AES-256 or equivalent industry-standard algorithms.
- Encryption keys are managed using a key-management service with role-based access controls and key rotation.
B.2 Access control.
- Production systems are accessible only from authorized devices over authenticated, encrypted channels.
- Multi-factor authentication is required for all personnel access to production systems and administrative tools.
- Personnel are granted access on a need-to-know basis, with periodic review and automatic revocation upon role change or separation.
- Customer Data access by personnel is logged and limited to the narrow circumstances described in the Privacy Policy and EULA Section 7.3.
B.3 Network and infrastructure security.
- Production environments are isolated from development and corporate environments through network segmentation.
- Intrusion detection and prevention systems monitor production traffic.
- Web application firewalls protect public-facing surfaces.
- Vulnerability scanning is performed on a regular cadence; identified vulnerabilities are tracked to remediation.
B.4 Application security.
- Secure software development lifecycle including peer code review, dependency scanning, and security review of significant architectural changes.
- Periodic third-party penetration testing of the Services.
- Bug-bounty or responsible-disclosure intake at security@grizzlysystems.io.
B.5 Physical security.
- Production infrastructure is hosted in commercial data centers operated by sub-processors that maintain physical security controls including access logging, video surveillance, and environmental controls. These sub-processors hold third-party certifications such as ISO 27001 and SOC 2 Type II.
- Grizzly Systems’ corporate facilities include access controls and visitor management.
B.6 Personnel security.
- Personnel undergo background checks where permitted by law, prior to access to production systems.
- Personnel are bound by written confidentiality obligations covering Personal Data and Customer Data.
- Personnel receive privacy and security training upon hire and on an annual basis.
B.7 Incident response.
- A documented incident response plan governs detection, triage, containment, eradication, recovery, and post-incident review.
- Personal Data Breach notification procedures are designed to meet the 72-hour notification timeline under Article 33 GDPR.
B.8 Backups and resilience.
- Customer Data is backed up regularly with appropriate retention; backups are encrypted and access-controlled.
- Disaster recovery procedures are tested periodically.
B.9 Data minimization and pseudonymization.
- Personal Data is collected and retained on a need-to-process basis, in accordance with the configurations selected by Customer.
- Pseudonymization or de-identification is applied where practicable, particularly in AI training pipelines.
B.10 Sub-processor management.
- Sub-processors are assessed for security and data-protection posture before engagement.
- Sub-processors are bound by written agreements that include data-protection terms equivalent to those in this DPA.
B.11 Supplementary measures for international transfers.
In addition to the measures above, Grizzly Systems implements the following supplementary measures with respect to Restricted Transfers:
- Encryption in transit and at rest as described in Section B.1, with keys under Grizzly Systems’ sole control.
- Contractual commitments to challenge overbroad government requests for Personal Data and to notify Customer of any binding legal request affecting Personal Data, to the extent legally permitted.
- Transparency reporting on government requests, where legally permitted.
- Personnel training on responding to government requests.
Exhibit C · Sub-processors
List of Sub-processors authorized as of the Effective Date. Equivalent to Annex III of the SCCs. The current list is maintained at grizcam.com/sub-processors.
Grizzly Systems engages Sub-processors in the categories listed at grizcam.com/sub-processors for hosting, content delivery, email and communications, customer support, analytics and monitoring, payment processing, AI training infrastructure, and identity and authentication. The specific named entities corresponding to each category, including legal entity name, processing location, and certifications, are listed there. Grizzly Systems updates that list as Sub-processors are added or changed and provides notice as set out in Section 4.2 of the body of this DPA.
Exhibit D · Transfer mechanisms
EU Standard Contractual Clauses, UK International Data Transfer Addendum, and Swiss FADP adaptation.
D.1 · Part 1 — EU Standard Contractual Clauses
The parties hereby enter into the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, the full text of which is available at eur-lex.europa.eu. The Standard Contractual Clauses are incorporated into this DPA by reference and apply to Restricted Transfers from the EEA as set out in Section 5.2 of the body of this DPA. The parties agree:
Modules. Module Two (Controller to Processor) applies where Customer is a Controller and Grizzly Systems is a Processor. Module Three (Processor to Processor) applies where Customer is a Processor and Grizzly Systems is a Sub-processor.
Optional clauses. Clause 7 (Docking clause): the optional docking clause applies. Clause 9(a) (Use of sub-processors): Option 2 (general written authorization) applies, with the notice period set in Section 4.2 of the body of this DPA. Clause 11(a) (Redress): the optional language providing for an independent dispute-resolution body does not apply. Clause 17 (Governing law): Option 1 applies; the governing law is the law of Ireland. Clause 18(b) (Choice of forum and jurisdiction): the parties agree that disputes arising from the SCCs will be resolved by the courts of Ireland.
Annex I. Annex I.A (List of parties) is completed by reference to the Customer identified in the Agreement (data exporter) and Grizzly Systems, Inc. (data importer). Annex I.B (Description of transfer) is completed by Exhibit A of this DPA. Annex I.C (Competent supervisory authority) is the supervisory authority of the EU Member State in which the data exporter is established. Where the data exporter is not established in an EU Member State, the competent supervisory authority is the Irish Data Protection Commission.
Annex II. Annex II (Technical and organizational measures) is completed by Exhibit B of this DPA.
Annex III. Annex III (List of sub-processors) is completed by Exhibit C of this DPA, supplemented by the up-to-date list at grizcam.com/sub-processors.
D.2 · Part 2 — UK International Data Transfer Addendum
The parties hereby enter into the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018 (the “UK IDTA Addendum”), in force as of 21 March 2022. The UK IDTA Addendum is incorporated by reference and is deemed completed by reference to the Effective Date, parties’ details, key contacts, signatures, and the SCC modules, optional clauses, and annexes specified in Part 1.
D.3 · Part 3 — Swiss FADP Adaptation
For transfers of Personal Data subject to the Swiss Federal Act on Data Protection (FADP), the parties agree that the Standard Contractual Clauses entered into pursuant to Part 1 of this Exhibit D apply, subject to the following adaptations as recommended by the Swiss Federal Data Protection and Information Commissioner (FDPIC):
- Competent supervisory authority. The competent supervisory authority under Clause 13 of the SCCs is the Swiss Federal Data Protection and Information Commissioner with respect to transfers exclusively subject to the FADP, and the supervisory authority designated in Part 1 with respect to transfers subject to both the GDPR and the FADP.
- Governing law. The governing law for purposes of Clause 17 of the SCCs is the law of Switzerland for transfers exclusively subject to the FADP. The forum for purposes of Clause 18 of the SCCs is the courts of Switzerland for transfers exclusively subject to the FADP.
- References to the GDPR. References to the GDPR in the SCCs are deemed to be references to the FADP, to the extent of any conflict with the FADP, for transfers exclusively subject to the FADP.
- Legal persons. Until the entry into force of revised Swiss law that no longer protects the data of legal persons, the SCCs (as adapted above) also apply to Personal Data of legal persons.
- Data Subject rights. Data Subjects in Switzerland whose Personal Data is transferred under this Exhibit D may enforce the SCCs (as adapted) as third-party beneficiaries before the competent Swiss courts.
