Data Transfer Agreement
Effective: July 25, 2023
PLEASE NOTE: WE'VE PUBLISHED THE TERMS BELOW IN CONNECTION WITH THE ADOPTION OF THE 2022 UK APPROVED ADDENDUM TO THE 2021 EUROPEAN COMMISSION-APPROVED STANDARD CONTRACTUAL CLAUSES AND TO CLARIFY SUCH 2021 EC-APPROVED SCCS APPLY TO TRANSFERS OF SWISS CUSTOMER PERSONAL DATA.
This Data Transfer Agreement (“DTA”) forms a legally binding contract between you and Snap, and applies to any transfer subject to Data Protection Law of Customer Personal Data from you to Snap outside the EEA, Switzerland or the UK, and is incorporated into the Data Processing Agreement and Data Sharing Agreement, as applicable. Some terms used in this DTA are defined in those agreements.
"Data Transfer" means a processing activity whereby Customer Personal Data which is processed in accordance with Data Protection Law is transferred from you to Snap (or our premises) in a third country other than the EEA, UK, Switzerland or a country subject to an adequacy decision made by the European Commission or UK Secretary of State (as applicable) in accordance with the relevant provisions of applicable Data Protection Law.
"SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognised as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
"UK IDTA Addendum" means the Mandatory Clauses of Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
The terms “personal data”, “data subject”, “processing”, “controller”, ”processor”, “representative” and “supervisory authority” shall have the meanings given in the GDPR or UK GDPR, as applicable, in each case irrespective of whether Data Protection Law applies. In addition, some terms used in this DTA are defined in the Business Services Terms.
a. EEA / Swiss Data: Where a Data Transfer occurs for which you are acting as a data controller and share Customer Personal Data of EEA or Swiss data subjects with Snap as a data controller under the Data Sharing Agreement, then: (i) any Data Transfers that occur of such data shall be governed by the EEA controller to controller SCCs, which are incorporated into this DTA; and (ii) Annexes I and II of those SCCs shall be completed with the information set out in Schedules 1 and 2 of the Data Sharing Agreement, respectively.
b. UK Data: Where a Data Transfer occurs for which you are acting as a data controller and share Customer Personal Data of UK data subjects with Snap as a data controller under the Data Sharing Agreement, then any Data Transfers that occur of such data shall be governed by the EEA controller to controller SCCs incorporating the amendments set out in clause 2.a. and the UK IDTA Addendum.
a. EEA / Swiss Data: Where a Data Transfer occurs for which you are acting as data controller and provide Customer Personal Data of EEA or Swiss data subjects to Snap as a processor under the Data Processing Agreement, then any Data Transfers that occur of such data shall be governed by the EEA controller to processor SCCs which are incorporated into this DTA with the following amendments (with references in this clause 3 to Clauses being to Clauses of the SCCs): (i) in respect of Clause 9 (sub-processors), Snap shall inform you of intended changes by updating the list available here; and (ii) Annexes I and II of the EEA controller to processor SCCs shall be completed with the information set out in Schedules 1 and 2 of the Data Processing Agreement, respectively.
b. UK Data: Where a Data Transfer occurs for which you are acting as a data controller and provide Customer Personal Data of UK data subjects to Snap acting as a processor under the Data Processing Agreement, then any Data Transfers which occur of such data shall be governed by the EEA controller to processor SCCs incorporating the amendments set out in clause 3.a. and the UK IDTA Addendum.
In respect of any Data Transfers, the following supplementary measures shall apply:
a. Snap represents and warrants that, at the time of the transfer, it has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the relevant Customer Personal Data is being exported, for access to (or for copies of) Customer Personal Data that has been transferred to Snap pursuant to this Agreement ("Government Agency Requests"); and
b. if, during the term of this DTA, Snap receives any Government Agency Requests, it will (unless prohibited by Applicable Law from doing so) inform you in writing as soon as reasonably practicable and you and Snap shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Customer Personal Data pursuant to this Agreement should be suspended in the light of such Government Agency Requests.
a. If Data Protection Law requires you to execute the SCCs or UK IDTA Addendum applicable to a particular transfer of Customer Personal Data to Snap as a separate agreement, then Snap shall, on your request, promptly execute such SCCs or UK IDTA Addendum incorporating such amendments as may reasonably be required by you to reflect the applicable clauses, Schedules and Annexes of this DTA, the details of the transfer and the requirements of the relevant Data Protection Law.
b. If either: (i) any of the means of legitimising transfers of personal data outside of the EEA countries, Switzerland or UK which are referred to in this DTA cease to be valid; or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Snap may by notice to the other party, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by the relevant Data Protection Law.
If there is any conflict or inconsistency between any provision of this DTA and any other applicable agreement, the order of precedence shall be as follows: the UK IDTA Addendum and the relevant SCCs (as applicable), this DTA, the Data Processing Agreement or Data Sharing Agreement (as applicable), and the Business Service Terms.
In summary: this Agreement applies to any transfer of customer personal data from you to Snap outside of the EEA, Switzerland, the UK, or a country subject to an adequacy decision made by the European Commission or UK Secretary of State (as applicable). Different transfer mechanisms apply depending on the customers' country of residence and whether the data is being shared with Snap as a data controller or as a data processor. Snap promises that at the time of any data transfer it has not received any Government Agency Requests for the data and that Snap will inform you of any such requests as soon as reasonably practicable. If Data Protection Laws require the execution of separate transfer mechanisms, then Snap will assist with putting these in place. If the transfer mechanisms set out above become invalid or are otherwise suspended by a regulator, Snap may amend or put in place alternative transfer mechanisms.