Data Transfer Agreement
This Data Transfer Agreement ("DTA") is entered into between the Data Transfer Initiative ("DTI"), and your organization ("Partner", together with DTI the "Parties," and each a "Party") as of the date you accepted this DTA. You represent and warrant that you have all necessary power and authority to bind the Partner to this DTA and that entering into and performing under this DTA will not cause Partner to be in violation of any law or agreement to which Partner is subject.
Effective Date: March 27, 2025
1. Definitions.
- "Affiliate" means any entity which is controlled by, controls, or is in common control with a Party.
- "Agreement" means, collectively, any master agreement, membership agreement, participation agreement, terms of use, or other agreements between the Parties under which Personal Data will be Processed and subject to a Data Transfer hereunder.
- "Controller" means an entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and includes without limitation any and all similar concepts as defined by Data Protection Laws.
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, which may include without limitation the GDPR (as defined below) and other applicable laws and regulations.
- "Data Subject" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
- "Data Transfer" means any transfer of Personal Data from Europe (as defined below) to any other country that has not received an adequacy decision from the European Commission or, where applicable, the relevant data protection authority of Switzerland and/or the United Kingdom.
- "Europe" means the European Economic Area (EEA), Switzerland, and the United Kingdom.
- "GDPR" means, collectively, European Union Regulation (EU) 2016/679 and, for the United Kingdom, the Retained Regulation (EU) 2016/679, and any and all legally binding guidance issued thereunder, as each may be amended or replaced from time to time.
- "Personal Data" means (i) any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, indirectly or directly, with a particular Data Subject or household or that is otherwise defined as "personal information," "personal data," or a similar term under Data Protection Laws; and (ii) that is Processed by a Party hereunder in connection with the Agreement.
- "Personnel" means employees, contractors, Affiliates, Sub-processors, and other agents.
- "Process," and all conjugations thereof, mean any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor" means an entity which Processes Personal Data for or on behalf of a Controller, and includes without limitation a "processor" as defined under the GDPR and other similar concepts as defined by Data Protection Laws.
- "SCCs" means, collectively, the applicable Standard Contractual Clauses for the transfer of Personal Data from Europe to a party established in third countries, approved by the European Commission, and the UK International Data Transfer Addendum to the Standard Contractual Clauses ("UK Addendum").
- "Sub-processor" means any Processor engaged by a Party when acting as a Processor, or engaged by a Party's Processor or Sub-processor.
2. Data Protection Terms.
The following may be incorporated into a "Data Protection Terms" or equivalent section of the agreement/terms:
- Controller to Controller. As between the Parties, DTI and Partner shall each be a Controller in common (and not a "joint controller" under GDPR) with respect to Personal Data Processed or made available to the other hereunder. The details of the Processing are set forth in the Schedules hereto.
- Personal Data. When a Party makes Personal Data available to the other Party hereunder, the providing Party represents, warrants, and covenants that it has all rights, has provided all notices, has obtained all consents, and has otherwise met all obligations necessary for the Processing of the Personal Data by the receiving Party in compliance with the Agreement and this DTA to comply with Data Protection Laws.
- Personnel Personal Data. Each Party will be a Controller with respect to any Personal Data about a Party's and its Affiliate(s)'s Personnel who are Data Subjects Processed by or made available to the other hereunder in connection with the business relationship between the Parties ("Personnel Personal Data"), both continuously during the term of the Agreement and for a reasonable time after the end of the term of the Agreement consistent with the Parties' respective policies regarding retention of Personnel Personal Data. The categories of Personnel Personal Data to be Processed hereunder include, without limitation, names, contact details (such as email addresses, mailing addresses, and telephone numbers), work affiliation data (such as job titles), and any other Personnel Personal Data provided by or about a Party's Personnel in the course of the Parties' relationship. The nature and purpose of the Processing of Personnel Personal Data will be Processing for the purposes of developing, administering, and maintaining the relationship between the Parties, including without limitation performing under the Agreement, exercising rights and obligations under the Agreement, and providing, promoting, and receiving products, services, and support.
- Special Categories of Personal Data. No Party will share or make available to another Party any sensitive or special categories of Personal Data, as defined under Data Protection Laws.
- Compliance and Cooperation. Each Party will comply with all Data Protection Laws as applicable to each Party's Processing of Personal Data in connection with the Agreement. Each Party will notify the other Party in writing if the Party makes a determination that it can no longer meet its obligations under Data Protection Laws.
- Data Transfers. In the event of a Data Transfer, the Parties hereby incorporate Module One (Controller to Controller) of the applicable SCCs by reference, with the optional Clause 7 (Docking Clause), without the optional paragraph in Clause 11, and with the applicability of the laws and competent supervisory authority as determined pursuant to the requirements of the SCCs, provided that if the Personal Data originates from the UK, the laws and competent supervisory authority of the applicable UK country will be applicable, and provided further that if the Personal Data originates from Switzerland, the laws and competent supervisory authority of Switzerland will be applicable. Schedule 1 contains the applicable Annexes for the SCCs, which shall be deemed to be completed with the applicable information from the Agreement and this DTA. If Personal Data originates from Switzerland, the Parties agree that the terms of the SCCs shall apply, are hereby incorporated by reference and shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner. If Personal Data originates from the UK, the UK Addendum shall be incorporated by reference and completed with the information in this DTA, the Agreement, and the Schedules thereto, provided that Table 4 of the UK Addendum shall be completed by selecting "neither party" and the Mandatory Clauses of the UK Addendum shall be Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
3. General Terms.
- Entire Agreement; Order of Precedence; Amendments. This DTA, along with the Agreement, and any schedules and exhibits hereto and thereto, constitutes the entire agreement between the Parties relating to the subject matter hereof and supersedes and replaces all prior or contemporaneous oral and written agreements and understandings. This DTA controls and supersedes the Agreement in all respects with respect to any inconsistent, contrary, or conflicting (directly or indirectly) provision or term, except to the extent the applicable provision or term of the Agreement expressly states that such provision or term supersedes this DTA. Notwithstanding the foregoing, in the event of a conflict or inconsistency between this DTA and the SCCs, the SCCs shall control solely to the extent of such conflict or inconsistency and solely with respect to a Data Transfer. The Parties agree that DTI may make amendments to this DTA from time to time as necessary for the Processing of Personal Data and the Data Transfer thereof to comply with Data Protection Law, and any such amendments to this DTA will be posted online with the Effective Date thereof listed above, and shall be effective and binding between the Parties as of the Effective Date thereof.
- Governing Law; Venue. Except as otherwise expressly set forth in this DTA with respect to the SCCs, the law and venue designated in the Agreement shall apply to all matters with respect to this DTA.
SCHEDULE 1
STANDARD CONTRACTUAL CLAUSES ANNEXES
ANNEX I
A. LIST OF PARTIES
Data importer:
Name: Data Transfer Initiative
Address: 2661 N. Pearl St #404, Tacoma, WA 98407
Contact person's name, position and contact details: Chris Riley, Executive Director
Activities relevant to the data transferred under these Clauses: Receiver of Personal Data from Partner for Processing in furtherance of the data trust registry and related services as described in the DTA.
Signature and date: This section shall be deemed completed with the signature of DTI as of the later of (i) the date Partner accepts the DTA; or (ii) the Effective Date identified in the DTA.
Role (controller/processor): Controller
Data exporter:
Name: As identified in the application submitted by Partner(s) subject to this DTA
Address: As provided by the Partner upon request
Contact person's name, position and contact details: As identified in the application(s) submitted by Partner subject to the DTA
Activities relevant to the data transferred under these Clauses: Provider of Personal Data to DTI in furtherance of the data trust registry and related services as described in the DTA.
Signature and date: This section shall be deemed completed with the signature of Partner as of the later of (i) the date Partner accepts the DTA; or (ii) the Effective Date identified in the DTA.
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Personnel Personal Data
- Business contact information for entities and their Personnel that participate in DTI or Partner initiatives relating to the data trust registry and related services as described ("Participant Data")
Categories of personal data transferred
- Contact information (e.g., name, email address, telephone number, business mailing address)
- Employment information (e.g., job title, position, time at employer)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Personnel Personal Data: Continuous
- Participant Data: One-off
Nature of the processing
- Personnel Personal Data: Processing activities in furtherance of the relationship between the Parties
- Participant Data: Processing activities in furtherance of the data trust registry and handling of applications to the registry
Purpose(s) of the data transfer and further processing
- Personnel Personal Data: Processing to administer the relationship between the Parties
- Participant Data: Processing in furtherance of the data trust registry and handling of applications to the registry
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Personnel Personal Data: During the term of the Agreement and for a reasonable time thereafter
- Participant Data: For the relevant registration period and until registration is updated, lapses, or is terminated, except as otherwise agreed between the Parties
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- As above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
See Section 2(f) of the DTA.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Where DTI is a data importer: DTI as the Data Controller shall implement and maintain reasonable and appropriate technical and organizational measures. These measures shall include, but are not limited to: maintaining a secure database; encrypting data in transit; implementing strict access control policies designed to grant access to Personal Data only to authorized personnel with a legitimate business need; regularly monitoring its systems for vulnerabilities and potential breaches; implementing appropriate data backup and disaster recovery procedures; and maintaining policies and procedures designed to prevent unauthorized access, use, disclosure, alteration, or destruction of Personal Data. DTI shall regularly review and update these security measures to ensure their ongoing effectiveness in light of evolving security risks and best practices.