EU&UK DPA – Veritas Int

This Data Protection Agreement and any applicable appendices or attachments (collectively “DPA”) is between you, the ordering healthcare provider (“Controller”) associated with the Jeffrey Model Foundation, and VERITAS INTERCONTINENTAL SL (the Processor).

Controller is responsible for ensuring that any additional requirements of Applicable Privacy Laws are included in this DPA or otherwise addressed with Processor in writing, to ensure Controller is able to meet their data protection obligations under Applicable Privacy Laws. For any questions in relation to this Data Processing Agreement, please email dpo@veritasint.com.

HOW TO EXECUTE THIS DPA:

1. This DPA consists of three parts: the main body of the DPA, Annexes 1, 2 and 3, and the UK Addendum.
2. This DPA has been pre-signed on behalf of Veritas Intercontinental SL.
3. To complete this DPA, the Controller must click on the ‘I agree’ button on the bottom of this document.

This DPA will become legally binding upon the Controller selecting ‘I agree’ on the bottom of this page and for the avoidance of doubt, shall be deemed to constitute signature and acceptance of Annexes 1, 2 and 3 and the UK Addendum.

In accordance with the Spanish Agency for Data Protection’s (AEDP’s) ‘Guide for healthcare professionals’, Processor will be responsible for the processing of personal data of testing participants, derived from the clinical analyses that it carries out, and may be considered a Data Controller of certain health and genetic data it processes. This DPA applies where Veritas Intercontinental SL acts in its capacity as a Data Processor to Controller.

1. General. In performance of the Services (as set out in Annex 1), the Processor will Process data (including Personal Data) of or at the direction of the Controller.
This DPA applies to the Controller and its Affiliates and references herein to the Controller apply with equal force and effect to the Controller’s Affiliates as if such Affiliate had executed this DPA. Where the concepts of Data Controller and Data Processor are not expressly contemplated by Applicable Privacy Laws, the Parties’ obligations in connection with this DPA shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.

2. Definitions.

“Applicable Privacy Laws” means any applicable data protection, privacy, or information security laws (including codes and regulations or other legally binding restrictions) governing Processing of the Personal Data and that are applicable to or required by (i) the Processing Location(s) identified in this DPA, (ii) the jurisdiction(s) in which the Processor or its Sub-processors are located or (iii) the jurisdiction(s) in which the Data Subjects are located. This includes, where applicable, but is not limited to European Privacy Laws.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Authority” or “Data Protection Authorities” means the competent body (or bodies) in the relevant jurisdiction that is charged with enforcement of Applicable Privacy Laws.

“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data/Personal Information and is protected under Applicable Privacy Laws.
“European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (iv) any EU Member State or UK law made under or pursuant to items (i) – (iii); in each case as amended, superseded or replaced from time to time.

“Order” means each mutually executed order form or statement of work for Services.

“Permitted Transfer” means that the European Privacy Laws do not require the SCCs or an alternative transfer solution in order to Process Controller Personal Data in or transfer it to an adequate country.

“Personal Data/Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated or could reasonably be linked, directly or indirectly, with a natural person (“Data Subject”) or household. Personal Data includes, but is not limited to, identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; biometric information and genetic data; internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application.

“Processor” means a natural or legal person, which processes personal data on behalf of the Controller or another Processor.
“Processing”, “Processes” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processing Instructions” means Controller’s written instructions (including but not limited to the terms contained in any Order, and this DPA) that govern the Processor’s Processing of Personal Data.

“Processing Location” means the location(s) in which the Controller or any Controller Affiliate to which this DPA applies, is established, and any countries where the Processor or its Sub-processors Process Personal Data, including but not limited to the jurisdictions expressly authorized in this DPA.

“Restricted Transfers” means that the transfer of Controller Personal Data is not a Permitted Transfer, and the European Privacy Laws apply to those transfers.

“SCCs” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); in each case as may be amended, superseded, or replaced from time to time.

“Security Incident” means the Personal Data has been subject to: (A) both (i) a compromise of the systems in which Personal Data has been accessed or acquired by one or more unauthorized parties or by the Processor not in compliance with this DPA; and (ii) where the risk of harm to Data Subjects merits notification to Data Subjects.
For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, or unauthorized access, collection, retention, storage, or transfer.

“Services” means any and all services that the Processor performs or enables the Processor’s systems and technology to perform under this DPA and/or any Order.

“Sub-Processor” means a third party processor engaged by a Processor who has or will have access to or process personal data from a Controller.

3. Details of Personal Data Processing. The details of the Personal Data Processing (subject matter, duration, purpose, nature of processing, categories of Personal Data and Data Subjects) are contained in Annex 1.

4. Compliance. Each Party represents and warrants that it shall comply, at all times during the term of this DPA and for as long as the Party retains the Personal Data, with all Applicable Privacy Laws. The Controller expressly warrants that it has or will obtain any legally required consents and/or notices to authorize and engage the Processor to Process Personal Data pursuant to Controller’s Processing Instructions. The Processor shall retain and Process the Personal Data no longer than is necessary to perform the Services or as long as it is required to retain and Process the Personal Data by Applicable Privacy Laws. The Processor agrees that it shall acquire no rights or interests in the Personal Data and will not use the Personal Data for any other purpose than for performance of the Services and only pursuant to Controller’s Processing instructions. The Processor shall inform the Controller in a timely manner if, in its opinion, the Controller’s Processing Instruction(s) infringes or otherwise violates Applicable Privacy Laws and if the Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated.
At the Controller’s request, the Processor shall promptly cooperate with the Controller to permit the Controller to meet its obligations under Applicable Privacy Laws, including assisting the Controller with responding to requests by Data Subjects, exercising their rights under Applicable Privacy Laws. The Processor will inform the Controller immediately if it has received such a request directly from the Data Subject. The Processor shall assist the Controller with compliance with the Controller’s obligation to carry out a Data Privacy Impact Assessment including, where applicable, prior consultation with the relevant Data Protection Authority.

5. International transfers. Personal Data may be stored and Processed in the EEA by the Processor and the Processor’s sub-processors. Where the Processor wishes to transfer to and Process in a country other than the country in which the Personal Data was first collected, the Processor shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Such measures may include (without limitation) transferring the Personal Data to a recipient that has executed applicable SCCs or transferring the Personal Data to a recipient that has executed a contract with the Processor that ensures the Personal Data will be protected to the standard required by Applicable Privacy Laws.

6. Standard Contractual Clauses.
To the extent that the transfer of Personal Data from the Controller to the Processor involves a Restricted Transfer, the parties agree to be subject to the appropriate Standard Contractual Clauses as follows:

a) in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 9.1 of this DPA;
(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by applicable member state law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA;
(vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA; and
(viii) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this DPA;

b) in relation to Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to Processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between the Controller and the Processor on the following basis:
- Appendix 1 shall be completed with the relevant information set out in Annex 1 to this DPA;
- Appendix 2 shall be completed with the relevant information set out in Annex 2 to this DPA; and
- the optional illustrative indemnification Clause will not apply.
(ii) Where sub-clause (b)(i) above does not apply, but the Controller and the Processor are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
- The EU SCCs shall also apply to transfers of such Data, subject to sub-clause (B) below;
- The UK Addendum shall be deemed executed between the transferring Controller and the Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Data.
If neither sub-clause (b)(i) or sub-clause (b)(ii) applies, then the Controller and the Processor shall cooperate in good faith to implement appropriate safeguards for transfers of such Data as required or permitted by the UK GDPR without undue delay.

c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

7. Confidentiality of processing. The Processor shall ensure that any person that it authorizes to process the Personal Data knows that the Personal Data is confidential information of the Controller and is subject to any confidentiality, non-use, and non-disclosure obligations in this DPA. The Processor shall Process the Controller Personal Data only as necessary for the purposes of delivering Services.

8. Security, Retention & Disposal. The Processor shall implement appropriate technical and organizational measures appropriate to the nature of the Personal Data to protect the Personal Data from a Security Incident and to preserve the security, integrity, and confidentiality of the Personal Data, whose policies, practices and procedures shall comply with all Applicable Privacy Laws. At a minimum, such measures shall include the measures identified at Annex 2 (the “Security Measures”).
The Processor agrees to keep the Security Measures under review and update them where necessary so that they remain appropriate, provided that such updates and modifications do not result in the degradation of the overall security. The Processor shall limit access to its Personnel and Sub-processors on a need-to-know basis only. The Processor shall comply with all data retention and erasure (or destruction) requirements under this DPA and Applicable Privacy Laws. The Processor’s group members shall have implemented appropriate technical and organizational measures and be subject to the same data protection obligations as the Processor.

9. Sub-processing. The Processor shall not engage Sub-processors to Process the Personal Data without the Controller’s prior written consent. Notwithstanding the preceding sentence, the Controller consents and hereby provides its general written authorization to the Processor for engaging Sub-processors to Process the Personal Data for the Purpose provided that:

9.1. The Processor provides reasonable prior notice at least 30 days before the proposed addition or replacement of any Sub-processor, in order to allow the Controller to raise any reasonable objections on grounds of data protection; and

9.2. The Processor imposes data protection terms on any Sub-processor it engages that ensure at least the same standard of protection provided under this DPA and the Processor remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors.

9.3. The Processor’s current Sub-processors are identified at Annex 3. The Controller may object to the addition or replacement of any Sub-processor on reasonable grounds relating to data protection and the Processor will act in good faith to resolve such objection, including honoring any of the Controller’s rights under Applicable Privacy Laws.

10. Notification and Audit.
If the Processor learns or has reason to believe that there has been a Security Incident relating to or affecting the Personal Data of the Data Subjects, the Processor shall notify the Controller without undue delay. The Processor shall cooperate with and assist the Controller to allow the Controller to comply with its obligations under all Applicable Privacy Laws, including with respect to notification requirements. The Controller shall have the right, upon written request, to audit the Processor’s policies, procedures and practices used to maintain the privacy, security, and confidentiality of Personal Data. Unless agreed to otherwise in writing by the Parties or required by Applicable Privacy Laws, such audit response shall consist of written documentation in relation thereto, including information regarding any independent, third-party audit of the Processor, the Processor’s group members’ or Sub-processors’ systems, processes, policies, practices and procedures. Except in the circumstances of a Security Incident, the Controller’s audits pursuant to this Section shall be limited to once per rolling twelve (12) month period.

11. Order of Precedence & Further Documents. In the event of a conflict between the terms and conditions of this DPA and any Order, the terms and conditions of this DPA shall supersede any such conflicting terms. Where there is no conflict, this DPA is intended to supplement any Order(s) with respect to the subject matter hereof.

12. Miscellaneous. This DPA will remain in effect until, and automatically expire when the Processor deletes and/or procures deletion of all the Personal Data Processed by the Processor. The Parties’ relationship is and shall remain that of independent contractors and nothing herein shall be deemed or construed to create an employer/employee, joint venture, agency, trust, fiduciary, or other relationship between the Parties.
This DPA, its Annexes, the SCCs, and all Orders represent the entire understanding and agreement between the Parties that relate to the subject matter hereof, superseding any prior privacy and data protection terms. Except as specifically provided for in this DPA, this DPA may be amended, altered, waived, cancelled or changed only by written mutual agreement signed by both Parties. Each of the Parties acknowledges that there are no other promises, representations, or warranties whatsoever, whether by a Party, its Affiliate, its Sub-processors, and each of their employees, contractors, officers, directors, and agents or attorneys of such Party, and acknowledges that it has not executed or authorized the execution of this DPA in reliance upon any such promise, representation or warranty, that is not expressly contained in this DPA.

Annex 1

Categories of data subjects whose Personal Data is Processed
Controller’s workforce members, and Controller’s patients (i.e. individual data subject testing participants)

Categories of Personal Data Processed
Personal Data necessary to deliver the services under the Agreement, including Personal Data such as name, date of birth, gender/sex, contact details such as address, email address, phone number, employment details if required to deliver the services.

Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
Data Concerning Health (Special Category Data) and Genetic data.
If required to deliver the services, race, ethnicity and information about sex life may also be Processed.
Safeguards and restrictions to ensure the protection of this data are set out in this Agreement and Annex 2

Nature of the Processing
Health and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.

Purpose(s) for which the Personal Data is Processed on behalf of the Controller
Health and Genetic Testing. Processing is being conducted in order to facilitate the performance of the Services documented in the relevant Agreement.

Duration of the processing
The Processing shall continue until the later of the relevant Agreement being terminated in accordance with its terms and any notice period or transition period prescribed by that Agreement having expired and Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.
Processor will retain data where it has legal basis to do so under applicable laws and regulations, including where it acts as a Data Controller.
Processing shall be performed with the required frequency to test individual Data Subject Participants at request of Controller or individual Data Subject.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
As above, for the sole purpose of supporting Processor in delivery of services under this Agreement

Annex 2

Technical and Organizational Security Measures including technical and organisational measures to ensure the security of data

Veritas Intercontinental prioritizes the privacy and security of all information we process on behalf of our customers as a Data Processor, or that we process in our capacity as a Data Controller.
We are committed to complying with all applicable privacy and security laws and regulations, including the EU General Data Protection Regulation (“GDPR”), the UK Data Protection Act of 2018, and other global privacy laws. This includes maintaining a group-wide privacy and security program that is aligned to the requirements of global privacy and security laws and industry standards, where they apply to us.

Technical and Organizational Measures are in place to protect the confidentiality, integrity and availability of Personal Data protected under this Agreement, including (without limitation) policies, procedures, and operational controls to ensure:

- Information Security Program Management
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Management
- Audit Logging and Monitoring
- Education, Training & Awareness
- Third Party Assurance (including ensuring adequate privacy and security of sub-processors)
- Incident Management and Response, including meeting any breach notification reporting obligations
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security

Topic areas that our privacy program addresses include (without limitation):

- Workforce Privacy Training and Workshops
- Privacy by Design and Default
- Maintaining a Record of Data Processing Activities
- Privacy Notice and Consent Management
- Performing Data Privacy Impact Assessments
- Third Party Risk and Contract Management
- Cross-border Data Transfers Review and Security
- Data Subject Rights Requests Program Management
- Incident Management and Response Programs
- Breach Notification Procedures

These measures ensure the security and compliant processing of Personal Data under this Agreement.

Annex 3

Sub-processors

Entity Name | Description of Processing | Location
AWS | Cloud Data Storage | EU
Microsoft Azure | Cloud Data Storage | EU
Fulgent Genetics | Carrier genetic testing | EU

UK Addendum

Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date | As per the start date of this Data Protection Agreement
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)
Parties’ details | See DPA above | Full legal name: VERITAS INTERCONTINENTAL SL; Trading name (if different): ; Main address (if a company registered address): ; Official registration number (if any) (company number or similar identifier):
Key Contact | See DPA above | VP Data Compliance and Privacy; Contact details including email: DPO@veritasint.com
Signature (if required for the purposes of Section 2) | See DPA above | Thomas Bently, VP Data Compliance and Privacy

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs | ☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: EU SCCs version published on 4th June 2021
Reference (if any): Controller to Processor EU SCCs implemented as part of the Agreement for services between Data Exporter and Data Importer.
Other identifier (if any): Standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council implemented between Data Importer and Data Exporter.
Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Data Importer and Data Exporter referenced in Table 1
Annex 1B: Description of Transfer: As described in Annex 1 of the version of the Approved EU SCCs which this Addendum is appended to.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 2 of the version of the Approved EU SCCs which this Addendum is appended to.
Annex III: List of Sub processors (Modules 2 and 3 only): As described in Annex 3 of the version of the Approved EU SCCs which this Addendum is appended to.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☐ Importer ☒ Exporter ☐ neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs.
In addition, the following terms have the following meanings:

Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information | As set out in Table 3.
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO | The Information Commissioner.
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR.
UK | The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR | As defined in section 3 of the Data Protection Act 2018.

This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. Hierarchy Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.Incorporation of and changes to the EU SCCsThis Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data 
Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; andthis Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made: References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;In Clause 2, delete the words:“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;Clause 6 (Description of the transfer(s)) is replaced with:“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;Clause 8.7(i) of Module 1 is replaced with:“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;Clause 8.8(i) of Modules 2 and 3 is replaced with:“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the 
Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are removed;
References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
Clause 13(a) and Part C of Annex I are not used;
The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum

The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

From time to time, the ICO may issue a revised Approved Addendum which:

makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

its direct costs of performing its obligations under the Addendum; and/or
its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the
ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

The Controller: THE ORDERING HEALTHCARE PROVIDER ASSOCIATED WITH THE JEFFREY MODEL FOUNDATION

The Processor: VERITAS INTERCONTINENTAL SL

BY:
NAME: Thomas Bently
TITLE: VP Data Compliance and Privacy, DPO
DATE: (As per date when Controller electronically agrees to DPA)
DATE: (As per date when Controller electronically agrees to DPA)