Want to learn more about testinvite
This Data Processing Addendum (“Addendum”) forms part of the TestInvite Terms and Conditions for the Supply of Services (the “Agreement”) between: (i) Vanilya Elektronik Hizmetler ve Bilişim Tic. A.Ş. and its Affiliates (collectively, “TestInvite”) and (ii) Customer and its Affiliates (collectively, “Customer”).
The terms used in this Addendum shall have the meanings set forth in the Agreement unless otherwise provided. Except as modified below, the terms of the Agreement remain in effect.
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
1.1 In this Addendum, the following terms shall have the meanings set out below:
1.1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, or that is a successor (whether by change of name, dissolution, merger, consolidation, reorganization, sale or other disposition) to any such business entity or its business and assets.
1.1.2 “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which the Customer is subject to EU Data Protection Laws; or (b) the laws of any other jurisdiction as applicable.
1.1.3 “Customer Personal Data” means any Personal Data Processed by TestInvite on behalf of the Customer pursuant to or in connection with the Agreement.
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other jurisdiction.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as implemented into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “GDPR” means the EU General Data Protection Regulation 2016/679.
1.1.8 “Restricted Transfer” means a transfer of Customer Personal Data from the Customer to TestInvite outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
1.1.9 “Services” means, for the purposes of this Addendum, Services (as defined in the Agreement).
1.1.10 “Standard Contractual Clauses” means the contractual clauses set out in Annex 1 (EU SCC) as amended where required (as the case may be) by Annex 2 (UK SCC) depending on the laws of jurisdiction governing the transfer.
1.1.11 “Subprocessor” means any third party appointed by or on behalf of TestInvite to Process Customer Personal Data.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the same meaning as in the GDPR.
2.1 This Addendum applies to TestInvite’s Processing of Customer Personal Data in the course of TestInvite providing Services to the Customer. As such, TestInvite is the Processor and the Customer is the Controller.
2.2 TestInvite will only Process Customer Personal Data in accordance with the Customer’s documented instructions unless Processing is required by Applicable Laws to which TestInvite is subject, in which case TestInvite will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before Processing the Personal Data.
2.3 The Customer (i) instructs TestInvite and (and authorises TestInvite to instruct each Subprocessor) to Process Customer Personal Data, and in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement; and (ii) represents and warrants that (a) it is and will at all relevant times remain authorised to give such instructions, and (b) all such instructions comply with Applicable Laws.
2.4 TestInvite will promptly notify the Customer if, in TestInvite’s reasonable opinion, any instructions violate Applicable Laws.
2.5 Appendix 1 to this Addendum sets out certain information regarding TestInvite’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR. Customer may make reasonable amendments to Appendix 1 by written notice to TestInvite from time to time as Customer reasonably considers necessary to meet those requirements.
TestInvite will ensure that any TestInvite employee, agent or contractor who may have access to the Customer Personal Data is subject to confidentiality undertakings in respect of the Customer Personal Data.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, TestInvite will implement appropriate technical and organisational measures in respect of Customer Personal Data to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, TestInvite will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1 Customer authorises TestInvite to appoint (and permit each Subprocessor appointed in accordance with this Clause 5 to appoint) Subprocessors in accordance with this Clause 5 and any restrictions in the Agreement.
5.2 TestInvite may continue to use those Subprocessors it has engaged as at the date of this Addendum.
5.3 TestInvite will post a notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor, on its website (Privacy Policy). If, within 10 business days, Customer notifies TestInvite in writing of any reasonable objections to the proposed appointment, TestInvite will not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.
5.4 With respect to each Subprocessor, TestInvite will:
5.4.1 Ensure that the arrangement between TestInvite and the Subprocessor is governed by a written contract including terms offering at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR; and
5.4.2 If that arrangement involves a Restricted Transfer, and if TestInvite does not have, at the time of a Restricted Transfer a certification under the Privacy Shield programme or an arrangement covered under the Trans-Atlantic Data Privacy Framework, ensure that the Standard Contractual Clauses are incorporated into the agreement between TestInvite and the Subprocessor.
5.5 TestInvite will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of any Subprocessor that cause TestInvite to breach any of its obligations under this Addendum.
6.1 The Services provide the Customer with a number of means by which the Customer may retrieve, correct, delete or restrict Customer Personal Data. Customer may use these means as technical and organizational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from Data Subjects.
6.2 TestInvite will (i) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and (ii) not respond to that request except as required by Applicable Laws to which TestInvite is subject, in which case TestInvite will, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before TestInvite responds to the request.
7.1 TestInvite will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 TestInvite will cooperate with Customer and take such reasonable commercial steps as requested by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8.1 Unless our contract requires otherwise or unless the Customer has requested TestInvite to delete all such Customer Personal Data before such date, subject to Clause 8.3, TestInvite will delete permanently (without an obligation to provide notice):
a) Customer Personal Data in the form of Category 2 - Supplementary Test Taker Data (as defined in Appendix 1), within 1 year of its collection;
b) any other form of Customer Personal Data (including Category 1 - Exam Response Data - (as defined in Appendix 1)), within 5 years from the date on which the Customer ceases to be a Customer.
8.2 For the purposes of clause 8.1 (b), TestInvite has the right to determine whether and when a Customer has ceased to be a Customer in its entire discretion taking into consideration customer engagement. Unless material evidence to the contrary, a Customer shall be deemed to have ceased being a Customer if it has not engaged in a financial transaction with TestInvite at least once on a 1 year rolling basis.
8.3 Notwithstanding the foregoing, TestInvite may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws (and TestInvite may retain business contact information for Customer’s staff); provided, however, that TestInvite will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its retention, and for no other purpose.
9.1 TestInvite will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of it by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, TestInvite. Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing TestInvite to carry out the audit.
10.1 If TestInvite does not have, at the time of a Restricted Transfer, certification under the Privacy Shield programme or an arrangement covered under the Trans-Atlantic Data Privacy Framework, TestInvite will enter into the Standard Contractual Clauses in respect of any Restricted Transfer.
11.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
11.1.1 the Parties agree to submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
11.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11.2 In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses prevail. In the event of inconsistencies between this Addendum and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum prevail.
11.3 This Addendum remains in effect until termination or expiration of the Agreement.
11.4 The liability of each Party under this Addendum is subject to the exclusions and limitations of liability set out in the Agreement.
11.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties” intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Appendix 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Details of the transfer
(a) Data exporter:
Name: Customer that has engaged TestInvite to provide the Service pursuant to the Agreement or other written or electronic agreement, which govern the provision of the Service to Customer, as such terms or agreement may be updated from time to time (the “Agreement”).
Address: As set out in the Agreement or as supplied to TestInvite.
Contact person’s name, position, and contact details: As set out in the Agreement or as supplied to TestInvite.
Activities relevant to the data transferred under these Clauses: TestInvite provides the Service and Customer uses the Service, and TestInvite processes personal data as described in the Agreement.
(b) Data importer:
Name: Vanilya Elektronik Hizmetler ve Bilişim Tic. A.Ş. d/b/a TestInvite
Address: Esentepe mah. Kore Şehitleri Cad. No:29 Zincirlikuyu Şişli İstanbul.
Contact person’s name, position and contact details: hello@testinvite.com.
Activities relevant to the data transferred under these Clauses: TestInvite provides the Service and Customer uses the Service, and TestInvite processes personal data as described in the Agreement.
(c) Categories of data subjects:
The Personal Data to be Processed by TestInvite on behalf of Customer may relate to, but is not limited to, the following categories of Data Subjects:
(d) Categories of personal data:
The Personal Data to be Processed by TestInvite on behalf of Customer may include, but is not limited to the following categories of Personal Data:
(e) Special categories of data (if applicable):
TestInvite does not want to, nor does it intentionally, collect or process any special categories of data in connection with the provision of the Service.
(f) Processing operations:
TestInvite provides software and/or services designed to support Customer’s preparation and conducting of secure, high-quality online exams globally.
Description of the technical and organisational measures implemented by the data importer in accordance with Clauses 4(d) and 5(c)
Physical Security
TestInvite uses cloud services for its operations. The physical facilities where TestInvite is located requires an RFID chip to gain access.
Information Access
Employees only have access to data contained in business applications on a 'need-to-know' basis. Privileged users are granted on a 'need-to-access' basis.
Endpoint Security
TestInvite uses Sophos for end-point security and protection against viruses and ransomware. All devices are encrypted with a remote swipe enabled should the device be lost or stolen.
Subprocessor Security
Once TestInvite has assessed the risks presented by the Subprocessor, then the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to processor transfers)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, TestInvite whose legal name is Vanilya Elektronik Hizmetler ve Bilişim Tic. A.Ş. (hereinafter the "data importer") and Customer (hereinafter the "data exporter") each a “party”; together “the parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1 - Definitions
For the purposes of the Clauses:
Clause 2 - Details of the Transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
Clause 4 - Obligations of the data exporter
The data exporter agrees and warrants:
Clause 5 - Obligations of the data importer
The data importer agrees and warrants:
Clause 6 - Liability
Clause 7 - Mediation and jurisdiction
Clause 8 - Cooperation with supervisory authorities
Clause 9 - Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 - Subprocessing
Clause 12 - Obligation after the termination of personal data processing services
Part 1: Tables
Table 1: Parties
Start date | ||
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: Trading name (if different): Main address (if a company registered address): Official registration number (if any) (company number or similar identifier): | Full legal name: Trading name (if different): Main address (if a company registered address): Official registration number (if any) (company number or similar identifier): |
Key Contact | Full Name (optional): Job Title: Contact details including email: | Full Name (optional): Job Title: Contact details including email: |
Signature (if required for the purposes of Section 2) |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Reference (if any): Other identifier (if any): Or the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11(Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | ||||||
2 | ||||||
3 | ||||||
4 |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties:
Annex 1B: Description of Transfer:
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
Annex III: List of Sub processors (Modules 2 and 3 only):
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☐ Importer ☐ Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data |
Protection Act 2018 on 2 February 2022, as it is revised under Section 18. | |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/orb. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a its direct costs of performing its obligations under the Addendum; and/or
b its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses:
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |