Last Updated: 1 January 2023

This Data Sharing Addendum ("Addendum") operates in conjunction with the Master Services Agreement, and Order Form, where applicable (collectively the "Agreement"). The Parties have agreed to put this Addendum in place to facilitate the sharing of Personal Data (as defined below) as part of the Paddle Services;

1. Definitions
   
   Except as defined in this Addendum, capitalised terms used in this Addendum shall have the meanings given to them in the Agreement to which this Addendum is attached and forms part of. To the extent that there is a conflict among the Order Form and Master Services Agreement, the Order Form shall prevail. 
   
   Adequate Country: a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner’s Office and/or under applicable UK law (including the UK GDPR), and/ or (ii) the European Commission under the EU GDPR.
   Agreed Purpose: the Processing of Shared Personal Data to fulfil the provision of the Services, carry out the sale of the Product and comply with the terms of the Agreement.
   Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
   Data Discloser: the party disclosing the Shared Personal Data.
   Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time applicable to the Agreement including the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); the Data Protection Act 2018 and the UK General Data Protection Regulation 2016/679 (as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020) (the "UK GDPR"); the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020(“CPRA”) (together the “California Privacy Acts”); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party
   Data Receiver: the party receiving the Shared Personal Data.
   Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
   Restricted Transfer: a transfer of Personal Data from the EEA or UK to a country which is not an Adequate Country.
   Shared Personal Data: the Personal Data to be shared between the parties under Clause 4 of this Addendum.
   Special Categories of Personal Data: the categories of Personal Data set out in Article 9(1) of the UK GDPR.
   Standard Contractual Clauses or SCCs: i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council incorporating Module 1 (Controller to Controller transfers) (EU SCCs); and ii) where the UK GDPR applies, the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and approved by Parliament in accordance with s119A of the Data Protection Act 2018 (UK Approved Addendum) and the accompanying Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any further version published by the Information Commissioner's Office (UK Mandatory Clauses)
   Subject Access Request: the exercise by a Data Subject of his or her rights under Article 15 of the EU GDPR and UK GDPR and section 45 of the DPA 2018.
   Supervisory Authority: the relevant supervisory authority in the territories where the parties to the Agreement are established, as set out in the Data Protection Legislation.
   Controller, Processor, Data Subject, Personal Data, Processing and "appropriate technical and organisational measures": shall each have the meanings given to them in the UK GDPR.
   
   
2. Purpose
   
   2.1 This Addendum sets out the framework for the sharing of Personal Data when one Controller (the Data Discloser) discloses Personal Data to another Controller (the Data Receiver). This Addendum defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other in respect of the disclosure of the Shared Personal Data in this context.
   
   2.2 The parties consider that data sharing is necessary in order to fulfil the provision of the Services, including the sale of the Product, under the Master Services Agreement.
   
   2.3 The parties agree to only Process Shared Personal Data for the Agreed Purpose.
   
   
3. Compliance with Data Protection Legislation
   
   3.1 Each party must ensure compliance with applicable Data Protection Legislation at all times when processing Shared Personal Data.
   
   3.2 In the event of any conflict between the requirements of applicable Data Protection Legislation, the requirement that results in the higher standard of protection of Personal Data shall be applied (unless otherwise prohibited by applicable legislation).
   
   3.3 Each party has such valid registrations and has paid such fees as are required by applicable Data Protection Legislation.
   
   
4. Shared Personal Data
   
   4.1 The following categories of Personal Data will be shared between the parties during the term of this Agreement:
   
   Names and Addresses of Buyers;
   Email addresses of Buyers; 
   Buyer’s purchasing history; 
   All transactional analytics available to Supplier on the Paddle Dashboard for which Personal Data is processed
   
   4.2 Special Categories of Personal Data will not be shared between the parties.
   
   
5. Lawful, fair and transparent processing
   
   5.1 Each party shall ensure that it Processes all Shared Personal Data fairly and lawfully during the term of the Agreement. Each party shall bear responsibility for its own compliance obligations under applicable Data Protection Legislation in relation to the Processing of Shared Personal Data. The Parties shall provide one another with reasonable assistance, on request, for the purposes of achieving and demonstrating compliance with applicable Data Protection Legislation in relation to such Processing.
   
   5.2 Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data.
   
   5.3 The Data Discloser shall, in respect of Shared Personal Data, ensure that it has, in advance of the disclosure of any Shared Personal Data to the Data Receiver, provided clear and sufficient information to the affected Data Subjects, in accordance with the requirements of applicable Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes, and such other information as is required by applicable Data Protection Legislation, including Article 13 of the EU GDPR and UK GDPR.
   
   5.4 The Data Receiver undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by applicable Data Protection Legislation, including Article 14 of the EU GDPR and UK GDPR.
   
   
6. Data subjects' rights
   
   The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.
   
   
7. Transfers
   
   7.1 The following categories of Personal Data will be shared between the parties during the term of this Agreement:
   
   7.1.1 Is subject to the EU GDPR: then the Parties shall enter into the Standard Contractual Clauses as set out at Annex 2.
   
   7.1.2 Is subject to the UK GDPR: then the Parties shall enter into the Standard Contractual Clauses in Annex 2, subject to the UK Approved Addendum as set out in Annex 3.
   
   7.2 If the Data Receiver appoints a third party Processor to Process any Shared Personal Data, the Data Receiver shall comply with Article 28 of the EU and/or the UK GDPR in respect of the appointment of that Processor, and shall be liable to the Data Discloser for the acts and/or omissions of the Processor insofar as they relate to the Shared Personal Data.
   
   
8. Security and training
   
   8.1 The parties shall have in place throughout the term of this Agreement appropriate technical and organisational security measures to:
   
   8.1.1 prevent:
   
   - unauthorised or unlawful Processing of Shared Personal Data; and
   - the accidental loss or destruction of, or damage to, Shared Personal Data 
   
   8.1.2 ensure a level of security appropriate to:
   
   - the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage; and
   - the nature of the Shared Personal Data to be protected.
   
   8.2 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and Process Shared Personal Data in accordance with any other applicable Data Protection Legislation and have entered into confidentiality Agreements relating to the Processing of Personal Data.
   
   
9. Personal data breaches and reporting procedures
   
   9.1 Each party shall comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) Data Subjects under applicable Data Protection Legislation and shall, to the extent permitted by applicable law, each inform the other party of any material Personal Data Breach relevant to the Shared Personal Data irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject(s).
   
   9.2 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
   
   
10. Resolution of disputes with Data Subjects or the Supervisory Authority
    
    In the event of a dispute or claim brought by a Data Subject or a competent Supervisory Authority concerning the Processing of Shared Personal Data against either or both parties, the parties shall, to the extent permitted by applicable law: (i) inform each other about any such disputes or claims, and (ii) cooperate with a view to settling them amicably in a timely fashion.
    
    
11. Warranties
    
    11.1 Each party warrants that it shall:
    
    11.1.1 process all Shared Personal Data in compliance with all applicable Data Protection Legislation;
    11.1.2 respond within a reasonable time, and as far as reasonably possible, to enquiries from the relevant Supervisory Authority in relation to any Shared Personal Data; and
    11.1.3 respond to Subject Access Requests in accordance with the requirements of applicable Data Protection Legislation.
    
    11.2 The Data Discloser warrants that it is entitled to provide the Shared Personal Data to the Data Receiver and it will ensure that all Shared Personal Data are accurate.
    
    
12. California Privacy Acts
13. To the extent that the California Privacy Acts are applicable, then, notwithstanding anything to the contrary herein the Parties acknowledge:  
    undefined
    - In the context of the transfer of personal information to Paddle from the Supplier; Paddle is a service provider for the Supplier. Supplier shall disclose Personal Data to the Paddle solely for: (i) a valid business purpose as it is specified at clause 2; and (ii) Paddle to perform the business purpose, and (iii) for the avoidance of doubt, the transmission of personal information is not for the purposes of cross-context behavioural advertising . 
    undefinedundefined
14. For the purposes of this clause 12, the terms “personal information,” “consumer”, “service provider,” “business purpose”, “sale,” “cross-context behavioural advertising”, “share” and “sell” are as defined in Section 1798.140 of the California Privacy Acts.
    
15. Indemnity
    
    13.1 The Data Discloser and Data Receiver undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Addendum or of applicable Data Protection Legislation, except to the extent that any such liability is excluded under clause 15.
    
    13.2 Indemnification hereunder is contingent upon:
    
    13.2.1 the party to be indemnified (the indemnified party) promptly notifying the other party (the indemnifying party) of a claim
    13.2.2 the indemnifying party having sole control of the defence and settlement of any such claim; and
    13.2.3 the indemnified party providing reasonable cooperation and assistance to the indemnifying party in defence of such claim.
    
    
16. Allocation of cost
    
    Each party shall perform its obligations under this Agreement at its own cost.
    
    
17. Limitation of liability
    
    15.1 Subject to clause 13, neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
    
    15.1.1 any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
    15.1.2 loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
    15.1.3 any loss or liability (whether direct or indirect) under or in relation to any other contract;
    
    arising out of or in relation to any breach of this Addendum or the Data Protection Legislation.
    
    15.2 Clause 15.1 shall not prevent claims for:
    
    15.2.1 direct financial loss that are not excluded under any of the categories set out in clause 15.1; or
    15.2.2 tangible property or physical damage.
    
    
18. Direct marketing
    
    16.1 If the Data Receiver Processes any Shared Personal Data for the purposes of direct marketing, the Data Receiver shall first ensure that:
    
    16.1.1 the appropriate level of consent has been obtained from the relevant Data Subjects to allow Shared Personal Data to be used for the purposes of direct marketing in compliance with applicable Data Protection Legislation; and
    
    16.1.2 effective procedures are in place to allow the data subject to "opt-out" from having their Shared Personal Data used for such direct marketing purposes, in accordance with applicable Data Protection Legislation.
    
    
19. Changes to the applicable law

If, during the term of the Agreement, the Data Protection Legislation changes in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that they will negotiate in good faith to review this Addendum the light of the new legislation.

Annex 1

Data Processing Details

For the purposes of clause 7 and Annexes 2 and 3, the parties set out below a description of the Shared Personal Data being processed under the Agreement and further details required pursuant to the Data Protection Legislation.

A. List of Parties

Controller(s) / Data exporter(s): 

Name: Paddle (as defined in the Agreement)

Address: As specified in the Agreement

Contact person’s name, position and contact details: As specified in the Agreement (unless otherwise specified)

Activities relevant to the data transferred under these Clauses: The sharing and processing of Shared Personal Data as described in the Agreement

Signature and date:  The Annexes shall be deemed executed upon execution of the Agreement (incorporating this Data Sharing Addendum).

Role (controller/processor): Controller

Controller(s) / Data importer(s): 

Name: As set out in the Agreement

Address: As set out in the Agreement

Contact person’s name, position and contact details: As specified in the Agreement (unless otherwise specified)

Activities relevant to the data transferred under these Clauses: The sharing and processing of Shared Personal Data as described in the Agreement

Signature and date:  The Annexes shall be deemed executed upon execution of the Agreement (incorporating this Data Sharing Addendum).

Role (controller/processor): Controller

B. Description of Transfer

Nature and purpose of Transfer: As specified in clause 2

Types of Personal Data: As specified in clause 4

Sensitive Personal Data: None

Categories of Data Subject: As specified in clause 4

Duration of Processing: Until the earliest of (i) expiry/termination of the Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable)

Frequency of Transfer: Continuous unless otherwise specified

Technical and Organisational measures: As set out in Clause 8

Annex 2

EU SCCs

1. For the purposes of this Addendum, the EU Clauses (Module 1), available at eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by reference to this Annex and the Agreement and shall be considered an integral part thereof, and the Parties’ signatures in the Agreement shall be construed as the Parties’ signature to the EU SCCs. In the event of an inconsistency between the Agreement and the EU SCCs, the latter will prevail.  
   
2. For the purposes of the EU SCCs, the following shall apply:
   
   2.1 Module One will apply (Controller – Controller);
   
   2.2 Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU SCCs.
   
   2.3 Clause 7 (Docking clause) shall be deemed as included.
   
   2.4 Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included. 
   
   2.5 Clause 13 (a) (Supervision): The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority, which shall be the Irish Data Protection Commission.
   
   2.6 Clause 17 (Governing law): The Parties agree that this shall be the law of Ireland.
   
   2.7 Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the EU SCCs shall be resolved by the courts of Ireland.
   
   2.8 Annex I of the EU Clauses shall be deemed completed with the information set out at Annex 1.
   
   2.9 The Technical and Organisational Measures are set out at Clause 8 of this Addendum (Data Sharing Terms).

Annex 3

UK Clauses

For the purposes of the UK Approved Addendum,

1. the information required for Table 1 is contained in Annex 1 of this Addendum (Data Sharing Terms) and the start date shall be deemed dated the same date as the EU SCCs;
2. in relation to Table 2, the version of the EU SCCs to which the UK Approved Addendum applies is Module One for Controller to Controller;
3. in relation to Table 3, the list of parties and description of the transfer are as set out in Annex I of this Addendum  (Data Sharing Terms). Technical and organisational measures are set in Clause 8 of this Addendum (Data Sharing Terms); and
4. in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.