{"id":664,"date":"2023-11-08T14:13:53","date_gmt":"2023-11-08T19:13:53","guid":{"rendered":"https:\/\/www.employinc.com\/?page_id=664"},"modified":"2025-05-21T11:51:28","modified_gmt":"2025-05-21T15:51:28","slug":"dpa","status":"publish","type":"page","link":"https:\/\/www.employinc.com\/dpa\/","title":{"rendered":"Employ Data Protection Addendum"},"content":{"rendered":"\n
\n
\n
\n

Employ Data Protection Addendum<\/h1>\n\n\n\n

Effective\u00a0as of November 8, 2023 This DPA was last updated October 24, 2023May 20th<\/sup>, 2025.<\/p>\n\n\n\n

Archived Data Protection Addendum\u2019s effective prior to the Effective Date, are available within our legal center.<\/p>\n\n\n\n

Visit Employ Legal Center<\/a><\/p>\n<\/div>\n\n\n\n

<\/div>\n<\/div>\n<\/div><\/div><\/div>\n\n\n\n
\n

Employ Data Protection Addendum<\/u><\/strong><\/p>\n

This Data Processing Addendum and Standard Contractual Clauses (\u201cDPA\u201d) supplements the master subscription agreement or terms of service agreement between Employ and Customer (the \u201cAgreement\u201d), when the GDPR applies to Customer\u2019s use of Employ\u2019s Services to Process Customer Data.\u00a0 Except as amended by this DPA, the Agreement will remain in full force and effect.<\/p>\n

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.\u00a0 Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.\u00a0<\/p>\n

Employ reserves the right to periodically modify this DPA upon written notice to Customer, and such modification will automatically become effective in the next service term. Archived versions of this DPA are available\u00a0here<\/a>.\u00a0\u00a0<\/p>\n

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.\u00a0Nothing in this Addendum is intended to alter or have any adverse effect on the Standard Contractual Clauses incorporated into this Addendum in Exhibit A (\u201cStandard Contractual Clauses\u201d). In the event that a competent government authority determines that a conflict exists between the Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.<\/strong>\u00a0If there is a conflict between any other agreement between the Parties including the Agreement and this DPA, the terms of this DPA will control.<\/p>\n

    \n
  1. Introduction<\/strong><\/li>\n<\/ol>\n

    1.1.\u00a0Definitions.<\/strong><\/p>\n

    1.1.1. \u201ccontroller<\/em>\u201c, \u201cprocessor<\/em>\u201c, \u201cdata subject<\/em>\u201c, \u201cpersonal data<\/em>\u201d and \u201cprocessing<\/em>\u201d (and \u201cprocess<\/em>\u201c) means the meanings given in Applicable Data Protection Law.<\/p>\n

    1.1.2. \u201cApplicable Data Protection Law<\/em>\u201d means data protection laws in the United States, United Kingdom, Switzerland, and the European Union including Regulation 2016\/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC and the\u00a0 UK GDPR and the Data Protection Act 2018 (\u201cGeneral Data Protection Regulation<\/em>\u201d or \u201cGDPR<\/em>\u201d).\u00a0<\/p>\n

    1.1.3.\u00a0\u201c<\/strong>Customer Account Data<\/em>\u201d\u00a0<\/strong>means personal data that relates to Customer\u2019s relationship with Employ, including the names and\/or contact information of individuals authorized by Customer to access Customer\u2019s Employ Product account and billing and\/or contact information of individuals that Customer has associated with its Employ Product account.<\/p>\n

    1.1.4.\u00a0\u201c<\/strong>Customer Usage Data<\/em>\u201d\u00a0<\/strong>means data processed by Employ for the purposes of managing the use of the Employ Product; including data used to trace and identify the activities of a user of the Employ Product, and the date, time, duration and the type of use. \u2028<\/p>\n

    1.1.5.\u00a0\u201c<\/strong>Customer Data<\/em>\u201d\u00a0<\/strong>means data provided to Employ by Customer for processing by the Employ Product including the results of such processing.<\/p>\n

    1.1.6.\u00a0\u201cSecurity Objectives\u201d<\/em>\u00a0means protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.<\/p>\n

    1.1.7. \u201cEmploy Data\u201d<\/em>\u00a0means any personal data provided to Customer by Employ related to the activities contemplated under the Agreement or this Addendum, such as personal data Customer may obtain in the course of performing a permitted audit of Employ.<\/p>\n

    1.1.8.\u00a0\u201c<\/strong>Employ Product<\/em>\u201d\u00a0<\/strong>means the Employ Services as defined in the Agreement.<\/p>\n

    1.2.\u00a0Relationship of the Parties.\u00a0<\/strong>The parties acknowledge and agree that with regard to the processing of Customer Data, Customer is a controller or processor, as applicable, and Employ is a processor. With regard to the processing of Customer Account Data and Customer Usage Data, Customer is a controller, and Employ is an independent controller, not a joint controller with Customer.<\/p>\n

      \n
    1. Employ Obligations<\/strong><\/li>\n<\/ol>\n

      2.1.\u00a0Obligation:\u00a0<\/strong>Employ will comply with Applicable Data Protection Laws which impose an obligation directly upon Employ as a Processor by virtue of the specific Processing of Customer Data that Employ is doing related to Employ Products. Employ is not responsible for determining the requirements of laws or regulations applicable to Customer\u2019s business, or whether a Employ Product and related Processing by Employ meets the requirements of any such applicable laws or regulations. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Data.\u00a0 Customer will not use the Employ Product or request Processing by Employ in a manner that would violate Applicable Data Protection Laws.<\/p>\n

      2.2.\u00a0Details of the processing.<\/strong><\/p>\n

      \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.2.1.\u00a0\u00a0Subject Matter:\u00a0<\/strong>Employ\u2019s provision of the Employ Product to Customer.<\/p>\n

      2.2.2.\u00a0Purpose of the Processing:\u00a0<\/strong>The purpose of the data processing under this Addendum is the provision of the Employ Product as initiated by Customer from time to time.<\/p>\n

      2.2.3.\u00a0Data Processing, Transfer, and sales. Employ will process Customer Data only as necessary to perform the services.<\/strong><\/p>\n

      2.2.4.\u00a0Restriction:\u00a0<\/strong>Employ shall not: Collect, combine, disclose, share, use, retain, access, transger, or otherwise use Customer Data except as required to provide the Services. Employ will refrain form any action that would cause any transfer of Customer Data to qualify as sharing or selling personal data, as that term is defined under Applicable Law, except that Employ will not be responsible for any thirdy party Cusotmer may integrate with the services. Employ shall not combine Customer Data with data obtained from source including Employ\u2019s own internal sources. Employ certifies that Employ understands the restrictions in this Section and will comply with them in accordance with the requirements of Applicable Data Protection Laws, including the CCPA.<\/em><\/p>\n

      2.3.\u00a0Customer Instructions.\u00a0<\/strong>Customer appoints Employ as a processor to process Customer Data on behalf of, and in accordance with, Customer\u2019s instructions as set out in the Agreement and this Addendum, as otherwise necessary to provide the Employ Product, or as otherwise agreed in writing (\u201cPermitted Purposes<\/em>\u201d). Additional instructions outside the scope of the Agreement, this Addendum, or as otherwise needed to provide the Employ Product may result in additional fees payable by Customer to Employ for carrying out those instructions. Customer shall ensure that its instructions comply with all laws, regulations and rules applicable to the Customer Data and the related processing, and that Employ\u2019s processing of the Customer Data in accordance with Customer\u2019s instructions will not cause Employ to violate any applicable law, regulation or rule, including Applicable Data Protection Law. Customer is responsible for providing the necessary notice to the Data Subjects under the Data Protection Laws.\u00a0 Customer is responsible for obtaining, and demonstrating evidence that it has obtained, all necessary consents, authorizations and required permissions under the Data Protection Laws in a valid manner for Employ to perform the Services.<\/p>\n

      2.4.\u00a0Confidentiality of Customer Data and Responding to Third Party Requests.<\/strong><\/p>\n

      2.4.1. Data Subject Requests.\u00a0 If Employ receives a request from any Data Subject made under Data Protection relating to Customer Data, Employ will provide a copy of that request to the Customer within two (2) business days of receipt. Employ provides Customer with tools to enable Customer to respond to a Data Subjects\u2019 requests to exercise their rights under the Data Protection Laws. To the extent Customer is unable to respond to Data Subject\u2019s request using these tools, Employ will provide reasonable assistance to the Customer in responding to the request.<\/p>\n

      2.4.2. Supervisory Authority Requests. Employ will assist Customer in addressing any communications and abiding by any advice or orders from the Supervisory Authority relating to the Customer Data.<\/p>\n

      2.4.3. Retention. Employ will retain Customer Data only for as long as the Customer deems it necessary for the Permitted Purpose, or as required by applicable laws. At the termination of this DPA, or upon Customer\u2019s written request, Employ will\u00a0 destroy the Customer Data to the Customer, unless legal obligations require storage of the Customer Data. Except as may be stated owtherwise in the Agreement between the Parties, Customer is responsible for the retrieval of their data through available functionality or the purchase of the associated professional services.<\/p>\n

      2.4.4. Disclosure to Third Parties and Confidentiality.\u00a0 Employ will not disclose the Customer Data to third parties except as permitted by this DPA or the Agreement, unless Employ is required to disclose the Customer Data by applicable laws, in which case Employ shall (to the extent permitted by law) notify the Customer in writing and liaise with the Customer before complying with such disclosure request. Employ treats all Customer Data as strictly confidential and requires all employees, agents, and Sub-processors engaged in Processing the Customer Data to commit themselves to confidentiality, and not Process the Customer Data for any other purposes, except on instructions from Customer.<\/p>\n

      2.4.5. Assistance. Taking into account the nature of the Processing and the information available, Employ will provide assistance to Customer in complying with its obligations under applicable Data Protection Laws (which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation). Upon request, Employ will provide Customer a list of processing operations.<\/p>\n

      2.4.6. Employ will provide the features and functionality to allow Customer to comply with its obligations<\/p>\n

      2.5.\u00a0Deletion of Customer Data.\u00a0<\/strong>Following termination or expiry of the Agreement, Employ, in accordance with the Agreement, shall provide Customer with a copy of the Customer Data and delete the same. This requirement will not apply to the extent that Employ is required by law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Employ shall securely isolate and protect from any further processing until deletion in accordance with the Agreement, except to the extent required by law.<\/p>\n

      2.6.\u00a0Third Party Certifications & Audit Obligations.<\/strong><\/p>\n

      2.6.1.\u00a0Employ Certification\/SOC Report<\/strong>. In addition to the information contained in this DPA, upon Customer\u2019s request, and subject to the confidentiality obligations set forth in the Agreement place, Employ will make available the following documents and information regarding the System and Organization Controls (SOC) 2 Report (or the reports or other documentation describing the controls implemented by Employ that replace or otherwise available by Employ), so that Customer can reasonably verify Employ\u2019s compliance with its obligations under this DPA<\/p>\n

      2.6.2.\u00a0Employ\u2019s Audit Program.<\/strong>\u00a0To the extent the reports provided in Section 2.7.1 do not verify Employ\u2019s compliance with its obligations under this DPA, and subject to the audit requirements described in Clause 8 of the Standard Contractual Clauses, Customer may audit Employ\u2019s compliance with this DPA up to once per year, unless requested by a Supervisory Authority or in the event of a Security Incident. Such audit will be conducted by an independent third party (\u201cAuditor\u201d) reasonably acceptable to Employ. Employ will work cooperatively with Customer and Auditor to agree on a final audit plan in advance of the audit.\u00a0 The results of the inspection and all information reviewed during such inspection will be deemed Employ\u2019s confidential information and shall be protected by Auditor in accordance with the confidentiality provisions to be made between Employ and Auditor. Notwithstanding any other terms, the Auditor may only disclose to the Customer specific violations of the Addendum, if any, and the basis for such findings, and shall not disclose to Customer any of the records or information reviewed during the inspection.<\/p>\n

        \n
      1. Security<\/strong><\/li>\n<\/ol>\n

        3.1.\u00a0Security Measures.\u00a0<\/strong>Employ has implemented and shall maintain appropriate technical and organizational measures (\u201cSecurity Standards<\/em>\u201d) to protect Customer Account Data, Customer Usage Data, and Customer Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to such data (a \u201cSecurity<\/em>\u2028Incident<\/em>\u201c). Security Standards are described in Annex III.<\/p>\n

        3.2.\u00a0Determination of Security Requirements.<\/strong>\u00a0Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR. Employ is not responsible for determining the requirements of laws applicable to Customer\u2019s business or that Employ\u2019s provision of the Services meet the requirements of such laws.<\/p>\n

        3.3.\u00a0Security Incident Notification.<\/strong>\u00a0Employ shall, to the extent permitted by law, prompyly after becoming aware of any Security Incident. Employ\u2019s notification of a Security Incident to the Customer to the extent known should include: (a) the nature of the incident; (b) the date and time upon which the incident took place and was discovered; (c) the number of data subjects affected by the incident; (d) the categories of Customer Data involved; (e) the measures, such as encryption, or other technical or organizational measures, that were taken to address the incident, including measures to mitigate the possible adverse effects; (f) whether such proposed measures would result in a disproportionate effort given the nature of the incident; (g) the name and contact details of the data protection officer or other contact; and (h) a description of the likely consequences of the incident.\u00a0 The Customer alone may notify any public authority.<\/p>\n

        3.4. Remediation. \u00a0If Customer has reasonable cause to suspect that Employ is providing the platform in a manner consistent with applicable Data Protection laws and may be allowing unauthorized use of personal information, Customer may (i) submit an inquiry to privacy@employinc.com, (ii) cease use of their license until they are able to confirm Employ\u2019s compliance, or (iii) with evidence of non-compliance of applicable Data Protection Laws terminate the Agreement between the parties.<\/p>\n

        3.5. Notice of Inability to Meet Obligations. Employ will provide notice if it believes it can no longer meet its obligations under this Data Protection Agreement, including applicable Data Protection Laws.<\/p>\n

          \n
        1. Subprocessor<\/li>\n<\/ol>\n

          4.1.\u00a0\u00a0<\/strong>SCC\u2019s. Pursuant to Clause 9 of the Standard Contractual Clauses, Customer acknowledges and \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0expressly agrees Employ may engage new Sub-processors as described in Section 4 of this DPA.<\/p>\n

          4.2. General Consent. Customer agrees that Employ may engage third-party Sub-processors in connection with the provision of Services, subject to compliance with the requirements below. As a condition to permitting a Sub-processor to Process Customer Data, Employ will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. Employ will provide copies of any Sub-processor agreements to Customer pursuant only upon reasonable request by Customer. To the extent necessary to protect business secrets or other confidential information, including personal data, Employ may redact the text of the agreement prior to sharing a copy.<\/p>\n

          4.3.\u00a0\u00a0<\/strong>Current Sub-processor List. Customer acknowledges and agrees that Employ may engage its current Sub-processors listed in Annex IV.Written Notice Via Mailing List. Employ will provide Customer with notice (\u201cNew Sub-processor Notice\u201d) of the addition of any new Sub-processor to the Sub-processor List at any time during the term of the Agreement. Employ will provide Customer with additional information about any Sub-processor on the Sub-processor List that Customer may reasonably request upon receipt of a New Sub-processor Notice<\/p>\n

          4.4.\u00a0\u00a0<\/strong>Customer Objection. If Customer has a reasonable basis to object to Employ\u2019s use of a new Sub-processor, Customer will notify Employ promptly in writing within 15 days after receipt of a New Sub-processor Notice. Employ will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer\u2019s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Employ is unable to make available such change within a reasonable period of time, which will not exceed 30 days, Customer may terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing written notice to Employ.<\/p>\n

          4.5.\u00a0\u00a0<\/strong>Responsibility. Employ will remain responsible for its compliance with the obligations of this DPA and for any acts and omissions of its Sub-processors that cause Employ to breach any of Employ\u2019s obligations under this DPA.<\/p>\n

            \n
          1. International Transfers of Data and GDPR Transfers<\/strong><\/li>\n<\/ol>\n

            5.1.\u00a0<\/strong>Customer is responsible to ensure that the transfer of personal data out of the jurisdiction it originated to Employ complies with Applicable Data Protection Law (\u201cLegal Basis for Transfer<\/strong>\u201d). The Parties agree that the Data Privacy Framework will apply to any Customer Data \u00a0that is transferred outside the EEA, UK, or Swiss territories. Each Party agrees to comply with the principles of the Data Privacy Framework as may be further outlined in Exhibit A Annex 1. Should the Data Privacy Framework not apply or ever be invalidated, the Parties agree the Standard Contractual Clauses, as further outlined in \u00a0Exhibit A (includingAnnexes I-IV), will apply to Customer Data that is transferred outside the EEA, UK, or Swiss territories, either directly or via onward transfer, to any country not recognized by the European Commission as providing as adequate level of protection for personal data (as described by the GDPR).<\/p>\n

              \n
            1. \u00a0<\/li>\n<\/ol>\n

              6.3. Obligations Post-termination<\/strong>. Termination or expiration of this DPA shall not discharge the Parties from their obligations meant to survive the termination or expiration of this DPA.<\/p>\n

              Severability<\/strong>. Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.<\/p>\n

              6.2. Updating to Reflect Changes to Applicable Data Protection Laws.<\/strong>\u00a0To the extent required, the Parties undertake to reasonably re-negotiate this Addendum to reflect changes made to a Party\u2019s obligations under Applicable Data Protection Laws. The Parties acknowledge that substantial changes to a Party\u2019s obligations may be subject to changes in Fees for the Employ Services or may not be able to be made. For example, a data protection law in a country that would require Customer Data to be stored physically separate from other third-party data, or to be stored and processed solely on servers physically located in such country.<\/p>\n

              6.3.\u00a0Liability<\/strong>.\u00a0 Any claims brought under pursuant to this Addendum or any Exhibit hereto will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.<\/p>\n

              6.4. Entire Agreement<\/strong>. This Addendum supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this Addendum, including any prior data processing or security addenda entered into between Employ and Customer.<\/p>\n

              EXHIBIT A<\/strong><\/p>\n

              \u00a0<\/strong><\/p>\n

              Controller to Processor\u00a0Standard Contractual Clauses<\/strong><\/p>\n

              For the purposes of Article 26(2) of Directive 95\/46\/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection<\/p>\n

              This data transfer agreement is between<\/p>\n

              Customer who has executed the Agreement into which the above Data Protection Addendum is incorporated, hereafter \u201cdata exporter\u201d<\/p>\n

              And<\/p>\n

              Employ, Inc. and it\u2019s Affiliates,<\/strong>\u00a020 North Meridian Street, Suite 300, Indianapolis, IN 46204-3028 USA hereinafter \u201cdata importer;\u201d<\/p>\n

              each a \u201cparty\u201d; together \u201cthe parties\u201d<\/p>\n

              HAVE AGREED on the following Standard Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.<\/p>\n

              ANNEX I<\/strong><\/p>\n

              Transfer Mechanisms<\/strong><\/p>\n

                \n
              1. Data Privacy Framework<\/li>\n<\/ol>\n

                1.1. Customer may confirm Employ or the applicable affiliate status under the Data Privacy Framework on the\u00a0active participant list<\/a>.<\/p>\n

                1.2. Independent Recourse Mechanism:\u00a0JAMS<\/a><\/p>\n

                  \n
                1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS2.1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Schedule 2.<\/li>\n<\/ol>\n

                  2.2. Docking clause. The option under clause 7 shall not apply.<\/p>\n

                  2.3. Instructions. This DPA and the Agreement are Customer\u2019s complete and final documented instructions at the time of signature of the Agreement to EMPLOY for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in section 2.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.<\/p>\n

                  2.4. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by EMPLOY to Customer only upon Customer\u2019s written request.<\/p>\n

                  2.5. Security of Processing. Security of Processing shall be provided as outlined in Annex III.<\/p>\n

                  2.11. Supervision. Clause 13 shall apply as follows:<\/p>\n

                  2.11.1 Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016\/679 as regards the data transfer shall act as competent supervisory authority.<\/p>\n

                  2.11.2 Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016\/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016\/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016\/679 is established shall act as competent supervisory authority.<\/p>\n

                  2.11.3. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016\/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016\/679, Data Protection Commission of Ireland (DPC) shall act as competent supervisory authority.<\/p>\n

                  2.11.4 Where Customer is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (\u201cUK Data Protection Laws and Regulations\u201d), the Information Commissioner\u2019s Office (\u201cICO\u201d) shall act as competent supervisory authority.<\/p>\n

                  2.11.5 Where Customer is established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland (\u201cSwiss Data Protection Laws and Regulations\u201d), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.<\/p>\n

                  2.12. Notification of Government Access Requests. For the purposes of clause 15(1)(a), EMPLOY shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.<\/p>\n

                  2.13. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of England and Wales..<\/p>\n

                  2.14. Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the Venue section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the courts of England and Wales shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.<\/p>\n

                  2.15. Appendix. The Appendix shall be completed as follows:<\/p>\n