As AI technology becomes more sophisticated, so will the ways in which criminals use it. See what TRM is doing to counter AI-enabled crime.

Data Processing Addendum

Last update: 
January 1, 2025

This TRM Data Processing Addendum (the "DPA") dated as of the latest date subscribed below ("DPA Effective Date") forms part of the Customer Agreement and Order Form with any incorporated terms and conditions, exhibits, annexes, appendices or other attachments thereto, as may be updated or amended from time to time (collectively, the "Principal Agreement") by and between: (i) TRM Labs, Inc. or the affiliate that executed the Order Form with customer, such as TRM Labs Limited B.V. or TRM Labs Ltd. ("TRM"); and (ii) the named customer on the pertinent Order Form  ("Customer"). (Each of TRM and Customer constitutes a “Party,” collectively the “Parties” to this DPA.)

This DPA supplements, is incorporated into, and forms an integral part of the Principal Agreement. To the greatest extent possible, shall be interpreted and construed as consistent with the terms and conditions of the Principal Agreement. In the event of an unavoidable conflict between the terms of this DPA and those of the Principal Agreement, the terms of this DPA shall control solely to the extent of such conflict. 

This DPA applies to the extent that TRM Processes Personal Data submitted by Customer to the Services on behalf of Customer (“Customer Personal Data”), and establishes the rights and obligations of TRM and Customer with respect to such Customer Personal Data. Capitalized terms used but not defined in this DPA have the meaning provided in the Principal Agreement.

  1. Definitions
    In this DPA, the following terms shall have the meaning(s) set out below, and cognate terms shall be construed accordingly:

    “Adequate Country”     means a country into which Personal Data may be imported because it is deemed by the governing authority of the exporting country to provide an adequate level of data protection under the applicable Data Protection Laws.

    Controller” means the entity which determines the purposes and means of the Processing of Personal Data and includes, as applicable, the term “Controller” also means “business” and any other similar or equivalent terms under applicable Data Protection Laws.

    "Data Protection Laws" means all laws and regulations as amended from time to time regarding data protection and information security to the extent applicable to the Processing of Customer Personal Data by TRM under the Principal Agreement, such as (if applicable): (a) the EU General Data Protection Regulation 2016/679 (GDPR); (b) the GDPR as incorporated into UK law (UK GDPR) and Data Protection Act (2018); (c) the Swiss Federal Data Protection Act [Datenschutzgesetz]; (d) the California Consumer Privacy Act of 2018, and similar privacy statutes of U.S. states.  

    Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates; the term “Data Subject” includes the term “consumer” and any other similar or equivalent terms under applicable Data Protection Laws.

    Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as accessing, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “process”, “processes” and “processed” will be interpreted accordingly.  

    “Processor    ” means the entity which Processes Personal Data on behalf of the Controller; as applicable, the term “Processor” includes the terms “Service Provider” and any equivalent or similar terms that address the same, or similar, responsibilities under applicable Data Protection Laws.

    "Restricted Transfer" means a transfer, or onward transfer, of Personal Data from to a country not deemed an Adequate Country by applicable Data Protection Laws, and which would thus be restricted or prohibited without implementing a transfer mechanism such as the Standard Contractual Clauses to be established under Section 9 below.

    Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating Personal Data to a third party for monetary or other valuable consideration.

    "Services" means the services supplied by TRM to Customer pursuant to the Principal Agreement;

    “Security Incident”     means any breach, as defined by applicable Data Protection Laws, of TRM’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by TRM.  Security Incidents do not include acts or omissions which do not breach TRM’s or any Subprocessor’s security; port scans, authorized penetration tests, and denial of service attacks; or any access to or Processing of Customer Personal Data that is consistent with Customer’s Instructions.

    “Share”     means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating Personal Data to a third party for cross-context behavioral advertising.

    "Subprocessor"     means any Processor (including any third party and any TRM Affiliate, but excluding an employee of TRM or an employee of any of its sub-contractors) appointed by or on behalf of TRM or any TRM Affiliate to Process Customer Personal Data on TRM’s or Customer’s behalf to provide Services to Customer.

    "Supervisory Authority" means a government authority of competent jurisdiction responsible for supervising or enforcing the application of the applicable Data Protection Laws, and includes any data protection authority, privacy regulator, supervisory authority, Attorney General, state privacy agency or any governmental body or agency enforcing Data Protection Laws.

    “TRM Trust Center”     means that certain Trust Center provided at https://trust.trmlabs.com/, or any subsequent or successor URL, as updated from time to time. 
  1. Roles of the Parties; Customer Obligations 
    1. Roles of Parties. Customer, and any relevant Customer Affiliate, hereby appoints and instructs TRM as a Processor of the Customer Personal Data. Each of the Parties shall comply with applicable Data Protection Laws as relevant to their respective Processing of Customer Personal Data under the Agreement. 
    2. Customer as Processor.  In the event that Customer holds Customer Personal Data as a Processor (or Subprocessor), Customer represents and warrants to TRM that it is validly authorized by the relevant Controller to enter into the Principal Agreement and this DPA and to provide Instructions (as defined below) on behalf of Customer’s Controller(s) in relation to Customer Personal Data.   
    3. Instructions. Customer hereby instructs TRM to Process Customer Personal Data: (a) to provide the Service specified in the Principal Agreement or otherwise perform its obligations thereunder; (b) for any Permitted Purpose(s) set out in Annex 1 to this DPA; (c) as further initiated by Customer via Customer’s use of the Service in accordance with the Principal Agreement; and/or (d) in accordance with any additional written instruction outside the scope of the Principal Agreement and this DPA, if and to the extent agreed by TRM in writing as constituting instructions for purposes of this DPA (collectively, “Instructions”). 
    4. Customer Responsibilities. By providing Customer Personal Data to TRM, Customer represents and warrants that: 
      1. Customer has a valid legal basis for the Processing of Customer Personal Data, and has provided (or procured the provision of) all required notifications and obtained (or procured the provision of) all consents and/or agreements required under applicable laws or policies in order to enable TRM to Process Customer Personal Data in accordance with this DPA, the Agreement and Instructions.
      2. Without limiting the foregoing, Customer has (or has procured) all lawful authorization(s), approvals, and/or permissions (collectively “Permissions”) required to provide Customer Personal Data to TRM for Processing in accordance with this DPA, the Agreement, and Instructions, including, if applicable, any required warrant, court order, or other legal process.  Customer will, upon TRM’s request, provide TRM with written confirmation and/or copies of such Permission(s). With respect to any Customers who are subject to the Law Enforcement Directive 2016/680 (LED), Customer will use the Services solely for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
      3. Customer shall have sole responsibility for the lawful Processing of Customer Personal Data in connection with its use of the Services, including without limitation, the accuracy, quality, and legality of the Customer Personal Data, the means by which it acquires, uses, and discloses Customer Personal Data, and the Instructions regarding the Processing of Customer Personal Data. 
  2. Obligations on TRM relating to Processing of Customer Personal Data
    1. TRM will Process Customer Personal Data for the business purposes of providing to Customer the Services pursuant to Customer’s Instructions ("Business Purposes"), in accordance with the terms of the Principal Agreement and any requirements set out by applicable Data Protection Laws.  Customer is disclosing Customer Personal Data to TRM only for the limited and specified Business Purposes set forth within the Principal Agreement and the Instructions. TRM shall process Customer personal Data pursuant to Customer’s instructions and shall:
      1. not Sell or Share Customer Personal Data, or Process Customer Personal Data outside the direct business relationship with the Customer or for any purpose other than the fulfillment of the Business Purposes, unless otherwise permitted or required by applicable law, and Process Customer Personal Data in a manner consistent with the level of privacy protection that is required of Customer under applicable Data Protection Laws;
      2. not combine Customer Personal Data with Personal Data that TRM has received from other sources, or collects from its own interactions with a Data Subject, except as in connection with providing the Service (including and performing internal business purposes relating thereto), or as otherwise permitted by applicable law; 
      3. inform Customer, in each case unless legally prohibited from doing so, if (1) TRM believes any Instruction may violate applicable law (in which case TRM is not obligated to engage in such Processing until Customer provides alternative Instructions that comply with applicable law), (2) Processing inconsistent with the Principal Agreement and this DPA is required by applicable law, or (3) TRM believes it is not able to comply with the terms of this DPA; 
      4. ensure that TRM employees and contractors who are engaged in the Processing of Customer Personal Data are subject to enforceable obligations of confidentiality;
      5. notify Customer if TRM receives a request from a Data Subject to exercise rights provided by applicable Data Protection Laws in respect of Customer Personal Data, such as a right to access, erase/delete, or correct/rectify Personal Data, that TRM can reasonably identify as relating to Customer (collectively, a “Request”). Customer shall be responsible for responding to and fulfilling such Request; TRM will provide reasonable assistance to Customer’s fulfillment of the Request to the extent Customer cannot fully fulfill the request using controls, functionalities, or Personal Data available through the Services;
      6. where required under Data Protection Laws, reasonably assist Customer in complying with Customer’s obligations in respect of data protection impact assessments (including a risk assessment, privacy impact assessment, data protection assessment or equivalent documentation defined and required under applicable Data Protection Laws) and prior consultation with a Data Protection Authority by providing preexisting documentation; 
    2. Annex 1 to this DPA sets forth the subject matter, duration, nature and purpose of the Processing; the types of Customer Personal Data Processed; categories of Data Subjects; and Permitted Purposes of Processing.  Customer shall ensure that its acts or omissions, including in relation to any Instructions to TRM relating to Processing of Customer Personal Data, do not put TRM in breach of Data Protection Laws.
    3. Upon Customer request, TRM shall reasonably cooperate at Customer’s cost with Customer’s response to a request, inquiry, investigation, or proceeding of a Supervisory Authority in the performance of its tasks, taking into account the nature of the Processing by, and information available to, TRM.
  3. Subprocessing
    1. Customer hereby specifically authorizes the engagement of the following as Subprocessors: (a) TRM Affiliates, and (b) the Subprocessors listed in the TRM Trust Center.
    2. Customer further provides TRM with a general authorization to engage additional Subprocessors to Process Customer Personal Data, provided that prior to permitting such additional Subprocessors to Process Customer Personal Data, TRM shall (a) enter into a written agreement with such additional Subprocessor imposing terms consistent with those of this DPA or otherwise sufficient to meet the requirements of applicable Data Protection Laws, (b) provide Customer with at least 30 days’ notice prior to such Subprocessor Processing Customer’s Personal Data. TRM’s notification to Customer under this Section 4.2 will be provided via TRM’s standard customer communication platform, such as Slack.  If Customer has not provided a written objection to such addition within seven (7) days of TRM’s notice to Customer, the Subprocessor shall be deemed approved by Customer.  Customer must provide its written objection via the methods permitted in the “Notices” section of the Principal Agreement.  Where Customer provides a written objection to an additional Subprocessor as set forth in this Section, the parties shall seek to resolve the Customer’s concerns; where necessary, either Party may exercise its applicable rights to terminate the Agreement.
    3. To the extent required by applicable Data Protection Law, TRM remains liable to Customer for the Subprocessor’s performance of data protection obligations relating to the Services.  To the extent TRM provides professional services to Customer, TRM shall be permitted to re-perform or to procure the re-performance of any such obligations, and Customer acknowledges that such re-performance shall diminish any claim that Customer has against TRM in respect of any liability concerning Subprocessor’s performance of obligations.
  4. Data Protection Queries. Any queries about TRM’s data privacy program should be directed to privacy@trmlabs.com
  5. Security Measures; Security Incidents
    1. TRM will implement appropriate technical and organizational measures described in the TRM Trust Center (the “Security Measures”) that are designed to ensure a level of security appropriate to the risk of Processing Customer Personal Data.  Customer has assessed the level of security appropriate to the Processing in the context of its obligations under Data Protection Laws and agrees that the Security Measures are consistent with such assessment.  Customer further acknowledges that TRM’s Security Measures are general in nature and TRM is not able to assess, and does not have knowledge of, security risks that may be specific to Customer or Customer’s Personal Data.
    2. TRM shall notify Customer without undue delay, and in any event within 72 hours, upon becoming aware of a Security Incident. TRM’s notification shall include information required under applicable Data Protection Law to the extent known by TRM. TRM will take reasonable commercial steps to investigate, contain, and resolve the Security Incident.  
    3. TRM may offer Customer assistance with making required or appropriate notifications relating to the Security Incident to individuals, Supervisory Authorities, other third parties, or the general public; if TRM offers this assistance to Customer, Customer agrees TRM may make such notifications on Customer’s behalf.
    4. Following TRM’s notification to Customer of a Security Incident, Customer may request TRM’s assistance in resolving data protection of security issues relating to such Security Incident.  If TRM agrees to provide such assistance, Customer shall maintain and follow an effective cyber incident response policy, which shall include the use of legal professional, litigation, or client attorney privilege, work in good faith with TRM, and agree with TRM the form and method of any reports, announcements, or other communications relating to the Security Incident, including (but not limited to) communications with a Supervisory Authority.   
    5. Any information provided by TRM pursuant to this Section shall be the Confidential Information of TRM under the Principal Agreement. TRM’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgement by TRM or, if relevant, its Subprocessors of any fault or liability with respect to the performance of any Service.
  6. Deletion of Customer Personal Data
    1. Following termination of the Principal Agreement, or when the Parties agree Customer Personal Data is no longer necessary for purposes of performing the Services, TRM shall take reasonable steps to delete Customer Personal Data, unless storage is otherwise required by applicable law.  Customer acknowledges that Customer must download Customer’s Personal Data prior to the termination date in the contract, after which time TRM may delete Customer’s Personal Data from its systems.  
  7. Audits and Verification
    1. TRM annually audits its security measures.  The audit is performed under the Service Organization Controls 2 (SOC 2) or substantially equivalent framework, by independent and reputable third parties at TRM’s expense.  TRM also obtains an annual penetration test of systems involved in providing the Services; the penetration test is also conducted by independent and reputable third parties at TRM’s expense.  Each of these generates an auditing or testing report (each a “Report”), which constitutes Confidential Information of TRM under the Principal Agreement.
    2. So that Customer can reasonably verify TRM’s compliance with the data protection and security obligations of this DPA, upon Customer’s written request, TRM will provide Customer either with copies of the Report(s) or a confidential summary of the Report(s), at TRM’s reasonable discretion in response to Customer’s request. Subject to Section 8.3, If the Reports (or summaries thereof) are not sufficient for Customer to verify TRM’s compliance with the data protection and security obligations of this DPA, where required by applicable Data Protection Laws or the Principal Agreement, Customer may require TRM to provide Customer with access to TRM policies, procedures, and information to permit Customer to audit TRM’s compliance with the terms and conditions of this DPA as it applies to Customer Personal Data to the extent expressly required by the Principal Agreement or Data Protection Laws.  
    3. To request an audit under this Section 8, Customer shall notify TRM in writing, and the Parties shall then agree, as soon as reasonably possible but always in advance, the reasonable dates, duration and scope of the audit, the identity and qualifications of the auditor, and any security and confidentiality controls required for access to the policies, procedures, or information in scope for such audit; provided that the scope of any audit under this Section 8 shall be limited to TRM policies, procedures, and information directly relating to the Processing of Customer Personal Data. The Customer shall bear the reasonable costs of TRM in fulfilling any requirements under this Section. All information and/or materials provided or made available to Customer, the auditor, or any other third party authorized under this DPA to have access to the foregoing in connection with an audit shall constitute Confidential Information of TRM.  
  8. Data Transfers
    1. Customer acknowledges and agrees that TRM may Process Customer Personal Data in countries outside the country in which Customer is established, including in countries where TRM or Subprocessors maintain facilities, employees, or infrastructure. Customer hereby instructs that in accordance with Section 9.2, TRM may undertake transfers of Customer Personal Data, including Restricted Transfers, in the course of providing the Services.
    2. Where the Processing of Customer Personal Data in the course of the provision of the Service involves a Restricted Transfer of Customer Personal Data by or on behalf of Customer, from a country which places restrictions on the transfer of Personal Data to countries not deemed to be an Adequate Country, then TRM will implement a transfer mechanism that supports such transfer under applicable Data Protection Law. 
    3. For Restricted Transfers from Customer to TRM, Customer and TRM hereby agree that: 
      1. TRM is registered under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”). TRM will provide a copy of the U.S. Department of Commerce’s public record of such registration to Customer upon request. To the greatest extent possible, Restricted Transfers to TRM shall be based on the DPF.   
      2. To the extent that a Restricted Transfer to TRM cannot be based on the DPF (such as, for instance, if the DPF later expires or is invalidated), the Parties agree that the Restricted Transfer shall be based on the EU Standard Contractual Clauses and UK International Data Transfer Agreement. For this purpose, by entering into and executing this DPA, Customer and TRM also execute and enter into:  
        1. in respect of Restricted Transfers from the EEA or Switzerland, the EU Standard Contractual Clauses, Module 2 (Controller to Processor) and Module 3 (Processor to Processor), as applicable, which are incorporated by reference into this DPA, subject to the specifications for their content contained in Annex 2 to this Addendum (the “EU SCCs”); and
        2. in respect of Restricted Transfers from the United Kingdom, the UK International Data Transfer Agreement, which is incorporated by reference into this DPA, subject to the specifications for its content contained in Annex 3 to this DPA.  
      3. The Parties further agree that the EU Standard Contractual Clauses or the UK International Data Transfer Agreement shall apply to, and serve as the basis for, Restricted Transfers of Customer Personal Data to TRM from other countries which require and recognize the effectiveness of such clauses.  
  9. General Terms
    1. Principal Agreement remains in Effect. For the avoidance of doubt, nothing in this DPA serves to modify, revoke, or otherwise amend the terms of the Principal Agreement relating to: 
      1. liability and/or indemnification, including but not limited to any exclusions and/or limitations of liability or indemnity; the total combined liability of either Party and its Affiliates towards the other Party and its Affiliates under or in connection with Principal Agreement and this DPA and the Standard Contractual Clauses combined remain subject to, and will be, the liability cap with all liability limitations set forth for the relevant Party in the Principal Agreement.
      2. governing law, including but not limited to the law that governs the Principal Agreement and which governs disputes, controversies, and/or claims arising out of, relating to, or in connection with the Principal Agreement; the Parties agree that this DPA, and any disputes, controversies, and/or claims arising out of, relating to, or in connection with the DPA (including relating to its subject matter or formation), will be governed by and construed in accordance with the law(s) that govern the Principal Agreement; 
      3. the forum for disputes, controversies, and/or claims agreed in the Principal Agreement; the Parties irrevocably agree that the forum set out in the Principal Agreement shall have exclusive jurisdiction to settle any dispute which may arise out of, relating to, or in connection with this DPA and all other documents referenced by and/or incorporated into it and that, accordingly, any proceedings arising out of, relating to, or in connection with this DPA shall be brought in such forum, unless expressly agreed otherwise in this DPA.  
    2. Term.  This DPA will take effect upon the DPA Effective Date and remain in effect until the deletion of Customer Personal Data by TRM, upon which it will automatically terminate.   
    3. TRM may notify customer in writing from time to time of any variations to this DPA, including relating to transfers of Personal Data, which TRM implements as a result of a change in Data Protection Laws. 
    4. Notwithstanding the notice terms of the Principal Agreement, TRM may provide any notice to Customer contemplated in this DPA via the TRM’s standard customer communication platform, such as Slack.

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

PART 1: Details of Processing of Customer Personal Data

  1. Subject matter and duration of the Processing of Customer Personal Data
    The subject matter and duration of the Processing of Customer Personal Data are set out in the Principal Agreement.
  2. Nature and purpose of the Processing of Customer Personal Data
    The nature and purpose of the Processing of Customer Personal Data are set out in the Principal Agreement and this DPA. TRM may also: (i) transfer Customer Personal Data as described in the Principal Agreement and/or this DPA, and (ii) also carry out any incidental processing relating to operation, support, or maintenance of the Services or any service provided by a Subprocessor used to provide the Services. 
  3. The categories of Data Subject to whom the Customer Personal Data relatesCustomer determines, via the Personal Data Customer submits to the Services, the categories of Data Subjects to whom Customer Personal Data may relate. Customer Personal Data to be Processed includes identifiers that may be submitted by Customers to TRM’s Services, but only to the extent that such identifiers constitute Personal Data under applicable Data Protection Law.
  4. The types of Customer Personal Data to be Processed
    Customer Personal Data to be Processed includes identifiers that may be submitted by Customers to TRM’s Services, but only to the extent that such identifiers constitute Personal Data under applicable Data Protection Law.
    No sensitive Personal Data is contemplated to be submitted by Customer to the Service for Processing by TRM.
  5. PART 2: Permitted Purposes
    Any additional agreed purposes for which TRM and/or the TRM Affiliates are permitted to Process Personal Data which constitutes, or which at any time has constituted, Customer Personal Data: None, except as may be agreed in accordance with Section 2.3(d) of the DPA.

ANNEX 2: SPECIFICATIONS FOR EU STANDARD CONTRACTUAL CLAUSES

PART 1: Selected Content of the EU Standard Contractual Clauses, Modules 2 and 3 

For the purposes of Section 9 of the DPA, Customer and TRM agree that for Module 2 (Controller to Processor) and Module 3 (Processor to Processor) of the EU Standard Contractual Clauses executed between the Parties and incorporated by reference into the DPA, the content of the EU SCCs shall be as follows:

Clause 7 (Docking clause)

Clause 7 shall not be incorporated;

Clause 9 (Use of sub-processors)

Option 1 is selected, and the specific time period referred to shall be 30 days;

Clause 11 (Redress)

The Option in Clause 11(a) shall not be incorporated;

Clause 13 (Supervision)

All paragraphs of Clause 13(a) are incorporated on an “as applicable” basis;

Clause 17 (Governing law)

Option 1 is selected, provided that:

  • In respect of Restricted Transfers from EEA member states, the applicable law inserted shall be the laws of the Netherlands.
  • In respect of Restricted Transfers from Switzerland, the applicable law inserted shall be the laws of Switzerland.

Clause 18 (Choice of forum and jurisdiction)

Clause 18(b) shall be completed as follows:

  • In respect of Restricted Transfers from EEA member states, the Parties agree on the courts of the Netherlands.
  • In respect of Restricted Transfers from Switzerland, the Parties agree on the courts of Switzerland.


PART 2: Content of Annex 1 to the EU SCCs

  1. List of Parties
    Data Exporter: Customer
    Name: as set out in the Principal Agreement.
    Address: as set out in the Principal Agreement.
    Contact person's name, position and contact details: as set out in the Principal Agreement.
    Activities relevant to the data transferred under these Clauses: as set out in the Principal Agreement.
    Role (controller/processor): Controller (or Processor, as applicable).

    Data importer(s): TRM
    Name: as set out in the Principal Agreement.
    Address: as set out in the Principal Agreement.
    Contact person's name, position and contact details: as set out in the notice provisions in the Principal Agreement, unless the data importer notifies the data exporter otherwise.
    Activities relevant to the data transferred under these Clauses: as set out in the Principal Agreement.
    Role (controller/processor): Processor
  2. Description of Transfer
    Categories of data subjects whose personal data is transferred: as set forth in Annex 1 to the DPA.

    Categories of personal data transferred: as set forth in Annex 1 to the DPA.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: none, as set forth in Annex 1 to the DPA.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous unless otherwise specified in the Principal Agreement.

    Nature of the processing: as set forth in Annex 1 to the DPA.

    Purpose(s) of the data transfer and further processing: as set forth in the DPA and Annex 1 thereto. 

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: as per Section 8 of the DPA.

    For transfers to (sub-)processors, also specify the subject matter, nature and duration of the processing: as set forth in Annex 1 to the DPA.
  3. Competent Supervisory Authority
    Identify the competent supervisory authority/ies in accordance with Clause 13:
    1. In respect of Restricted Transfers from EEA member states, the competent Supervisory Authority is the Supervisory Authority of the Netherlands (Autoriteit Persoonsgegevens). 
    2. In respect of Restricted Transfers from Switzerland, the competent Supervisory Authority is the Federal Commissioner of Data Protection and Freedom of Information (Eidgenössischer Datenschutz- and Öffentlichkeitsbeauftragter).

ANNEX 3: CONTENT OF UK INTERNATIONAL DATA TRANSFER AGREEMENT

For the purposes of Section 9 of the DPA, Customer and TRM agree that for the UK International Data Transfer Agreement (UK IDTA) executed between the Parties and incorporated by reference into the DPA, the content of the UK IDTA shall be as follows:

PART 1: TABLES

Table 1: Parties and Signatures

Start Date
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)
Parties' details

Customer

Official registration number (if any) (company number or similar identifier): As provided by Customer to TRM

TRM

Official registration number (if any) (company number or similar identifier): 14005353
Key Contact

See Principal Agreement

See Principal Agreement
Importer Data Subject Contact

See Principal Agreement

See Principal Agreement
Signatures confirming each Party agrees to be bound by this IDTA

See DPA

See DPA

Table 2: Transfer Details

UK country's law that governs the IDTA: England and Wales
Primary place for legal claims to be made by the Parties England and Wales
The status of the Exporter In relation to the Processing of the Transferred Data: Exporter may be a Controller or Processor, depending on the capacity in which Exporter holds Personal Data
The status of the Importer In relation to the Processing of the Transferred Data: Importer is the Exporter’s Processor or Sub-Processor
Whether UK GDPR applies to the Importer UK GDPR does not apply to the Importer’s Processing of the Transferred Data
Linked Agreement If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the Parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data:

See Principal Agreement
Term The Importer may Process the Transferred Data for the following time period:

See Principal Agreement and DPA
Ending the IDTA before the end of the Term The Parties can end the IDTA before the end of the Term, in accordance with Section 7 of the DPA.
Ending the IDTA when the Approved IDTA changes Which Parties may end the IDTA as set out in Section 29.2: As permitted in Section 7 of the DPA
Can the Importer make further transfers of the Transferred Data? The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1: there are no specific restrictions.
Review Dates The Parties must review the Security Requirements at least once each year; for this purpose TRM makes the Security Measures available to Importer in the TRM Trust Center.

Table 3: Transferred Data

Transferred Data The personal data to be sent to the Importer under this IDTA consists of:

The categories of Transferred Data will update automatically if the information is updated in the Principal Agreement.
Special Categories of Personal Data and criminal convictions and offences The Transferred Data includes no special category personal data.
Relevant Data Subjects The Data Subjects of the Transferred Data are:

The categories of Data Subjects will update automatically if the information is updated in the Principal Agreement.
Purpose The Importer may Process the Transferred Data for the following purposes:

See Section 2 of the DPA

Table 4: Security Requirements

Security of Transmission See Security Measures referenced in the DPA.
Security of Storage See Security Measures referenced in the DPA.
Security of Processing See Security Measures referenced in the DPA.
Organisational security measures See Security Measures referenced in the DPA.
Technical security minimum requirements See Security Measures referenced in the DPA.
Updates to the Security Requirements The Security Requirements will update automatically if the information is updated in the Principal Agreement.

PART 2: EXTRA PROTECTION CLAUSES

Extra Protection Clauses:
(i) Extra technical security protections See Security Measures referenced in the DPA.
(ii) Extra organisational protections See Security Measures referenced in the DPA.
(iii) Extra contractual protections See Security Measures referenced in the DPA.
Commercial Clauses See the Principal Agreement and the DPA.

PART 3: COMMERCIAL CLAUSES

Commercial Clauses See the Principal Agreement and the DPA.
Subscribe to our latest insights