Data Privacy Trust Center

Website Privacy Notice

The Privacy Notice was last reviewed and updated on March 20, 2024 and is effective as of that date.

This Privacy Notice contains:

• What Personal Data we collect about you and how we obtain it;
• The legal bases for processing your Personal Data;
• For what purposes we use that Personal Data;
• How long we keep your Personal Data;
• With whom we share your Personal Data;
• Your rights about the Personal Data we collect about you and how you can exercise those rights;
• How we protect your Personal Data; and
• How to contact us.

HR Privacy Notice

The HR Privacy Notice was last reviewed and updated on March 20, 2024 and is effective as of that date.

This Privacy Notice contains information on:

• The categories of Personal Data we collect;
• Why we collect your Personal Data;
• How we obtain your Personal Data;
• With whom we share your Personal Data;
• Your rights as they relate to your Personal Data, and how you can exercise those rights;
• How we protect your Personal Data; and
• How to contact us.

This Cookie Notice applies to all websites offered by Production Resource Group, LLC and, where applicable, any of its affiliates (hereinafter ”PRG", "we" or "us"), which refer to this Cookie Notice. As this Cookie Notice applies to all of our websites (unless otherwise expressly provided), they are collectively referred to as “Websites” throughout this Cookie Notice.

When you visit our Websites, we may use cookies or similar technologies as described herein. By clicking on "Accept All Cookies" on the cookie banner which is presented to you, you are agreeing to our use of cookies in accordance with this Cookie Notice, and you acknowledge that we will use the underlying personal data processing as we have set out here.

If you do not agree to our use of cookies in this way, you should click "Cookie Settings". You will be able to manage your cookie preferences by toggling the relevant controls. Please note, however, that disabling cookies might affect your online experience and/or prevent you from taking full advantage of our Websites.

Should you wish to exercise your privacy rights or raise a complaint about your personal data, please contact dataprivacy@prg.comor or submit a request through the Data Privacy Rights Request form. Based on your country of residence you might be able to exercise on the rights below:

• Right to access / Right to know
• Right to rectification / Correction of personal data
• Right to erasure / Deletion of personal data
• Right to portability
• Right to restrict
• Right to object
• Right to automated processing
• Withdrawal of consent
• Unsubscribe from marketing communication
• Right to opt out

You can find more information about your Data Subject Rights here.

Last updated: August, 2023

These Jurisdiction Specific Terms are an integral part of the PRG Data Processing Addendum (“Addendum”) entered into between the Parties. By signing the Addendum, the Parties have agreed to comply with these Jurisdiction Specific Terms which apply to the extent that a Party Processes Personal Data originating from or protected by Applicable Data Protection Laws in a jurisdiction identified herein.

The terms and definitions specified in these Jurisdiction Specific Terms shall apply with respect to the applicable jurisdiction in addition to the terms of the Addendum. Capitalized terms which are used but not defined shall have the meaning given to those terms in the Addendum.

Argentina

1.1. Wherever the Processing pursuant to the Addendum falls within the scope of the Argentine Republic’s Personal Data Protection Law 25,326, Regulatory Decree 1558/2001, or any other corresponding decrees, regulations, or guidance governing the Processing of Personal Data in Argentina (collectively “Argentine Data Protection Laws”), the provisions of the Addendum and these Argentine Terms shall apply to such Processing.

1.2. Any Restricted International Transfer subject to Argentine Data Protection Laws between the Parties must comply with the Applicable Data Protection Laws, and the transfer mechanism shall be one of the following, in the stated order of precedence:

(a) Where the Restricted International Transfer both originates from and terminates in a country, a sector within a country, or an international organization which the Argentine National Bureau of Personal Data Protection (“NBPDP”) has determined provides an adequate level of protection to Personal Data, such adequacy determination shall be the transfer mechanism.

(b) Where it is not possible to rely on an NBPDP adequacy determination, the transfer mechanism shall be the Parties’ accession to Annex II of the Standard Contractual Clauses promulgated by the NDPDP in its Provision 60-E/2016, or, in the event the NBPDP updates or amends the Standard Contractual Clauses, the transfer mechanism shall be the Parties’ accession to the appropriate module of the updated or amended Standard Contractual Clauses, as promulgated by the NDPDP.

1.3. Where it is necessary to do so, the Addendum therefore incorporates by reference Annex II of the Standard Contractual Clauses. The contents required to be set forth in Annex A to Annex II of the Argentine Standard Contractual Clauses are set forth in Exhibit A (Details of Processing) of the Addendum. The Parties are deemed to have accepted, executed, and signed Annex II of the Standard Contractual Clauses where necessary in its entirety.

1.4. In cases where Annex II of the Standard Contractual Clauses applies and there is a conflict between the terms of the Addendum and the terms of Annex II of the Standard Contractual Clauses, the terms of Annex II of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.

Australia

When applicable, the Processing of Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), or any other applicable law, regulation, or decree of Australia pertaining to the protection of such information, as they may be amended and supplemented from time to time.

Brazil

When applicable, the Processing of Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 and any corresponding decrees, regulations, or guidance, as they may be amended and supplemented from time to time.

Bulgaria

1.1. Wherever the Processing pursuant to the Addendum falls within the scope of Bulgaria’s Personal Data Protection Act (as amended in November 2019) (“PDPA”), and as applicable, the Electronic Communications Act (“ECA”), including the ECA Supplementary Provisions, or any other corresponding decrees, regulations, or guidance, the provisions of the Addendum and these Bulgaria Terms shall apply to such Processing.

1.2. To the extent that a Party provides public Electronic Communications Services (as set forth in Section 1(17) of the ECA Supplementary Provisions), if there is a Personal Data Breach that is likely to adversely affect the privacy or Personal Data of the Data Subjects, such Party shall provide notice of the Personal Data Breach to the affected Data Subjects within three days of the detection of such Personal Data Breach.

1.3. The Parties agree and acknowledge that, when a Party acts as a Processor, such Party shall comply with Article 25a of the PDPA which requires the Party to:

(a) Return to the other Party any Personal Data Processed pursuant to the Addendum within a period of one month after having become aware of any Personal Data that has been disclosed (i) without a legal basis pursuant Article 6(1) of the GDPR, or (ii) contrary to the principles under Article 5 of the GDPR; or, if this is impossible or would involve disproportionate efforts, erase or destroy the Personal Data; and

(b) document such erasure and destruction if the Personal Data is erased or destroyed in accordance with Section 1.3(a) of these Bulgaria Terms.

California

1.1. Wherever the Processing pursuant to the Addendum falls within the scope of California Consumer Privacy Act of 2018, the California Consumer Privacy Act Regulations, and the California Privacy Rights Act of 2020, or any other corresponding decrees, regulations, or guidance governing the Processing of Personal Data in California (collectively “California Data Protection Laws”), the provisions of the Addendum and these California Terms shall apply to such Processing.

1.2. Definitions

(a) “Personal Data Breach” includes “Breach of the Security of the System” as defined under Section 1798.82(g) of the California Civil Code.

(b) The terms “Business Purpose”, “Commercial Purpose”, “Share”, “Sell”, along with their corresponding terms, whether capitalized or not, shall have the same meaning as in the California Data Protection Laws, and their related terms shall be construed accordingly.

1.3. The Parties disclose Personal Data to one another solely for: (i) valid Business Purposes; and (ii) to enable the performance of the Services under the Agreement.

1.4. The Party acting as a Processor of the other Party shall not: (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data for a Commercial Purpose other than pursuant to the provision of Services specified in the Agreement or as otherwise permitted by the California Data Protection Laws; (iii) retain, use, or disclose Personal Data except where permitted under the Agreement; nor (iv) combine Personal Data with Personal Data that such Processor receives from third parties. The Party acting as a Processor of the other Party certifies that it understands these restrictions and will comply with them.

Canada

When applicable, the Processing of Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable Canadian privacy or data protection laws, as they may be amended and supplemented from time to time.

Colombia

1.1. Wherever the Processing pursuant to the Addendum falls within the scope of Colombia’s Data Protection Law No. 1581 of 2012 (“Data Protection Law”), Data Protection Decree No. 1377 of 2013 (“Data Protection Decree”), and any corresponding decrees, regulations, or guidance (collectively “Colombian Data Protection Laws”), the provisions of the Addendum and these Columbian Terms shall apply to such Processing.

1.2. Definitions

(a) “Information Processing Policy” (“Política de Tratamiento de la información”) shall have the meaning set forth in Article 13 of the Data Protection Decree.

(b) “Personal Data Breach” (as used in the Addendum) includes “violations of security codes” [that] “result in risks to the administration of Data Subjects’ information” (“violaciones a los códigos de seguridad y existan riesgos en la administración de la información de los Titulares”), as that phrase is construed under Articles 17(n) and 18(k) of the Data Protection Law.

(c) “Rights of the Data Subjects” (as used in the Addendum) include such Data Subjects’ hábeas data rights, as that phrase is construed under the Constitution of Colombia and Colombian Data Protection Laws.

(d) “Supervisory Authority” (as used in the Addendum) includes Colombia’s Superintendency of Industry and Commerce (Superintendencia de Industria y Comercio).

1.3. When acting as a Processor or Sub-Processor in connection with the Processing of Personal Data, the respective Party shall comply with all requirements applicable to Processors under the Colombian Data Protection Laws, including but not limited to obligations under Article 18 of Data Protection Law and Articles 11, 23, and 25 of the Data Protection Decree. The Party acting as a Processor or Sub-Processor of the other Party shall also comply with the other Party’s Information Processing Policy, if any.

1.4. The Addendum sets out the additional required contractual elements under Article 25 of the Data Protection Decree, such as the scope of Processing, the activities that the Parties are authorized to perform on one another’s behalf, the Parties’ obligations relative to one another and the Data Subjects, and the Parties’ obligations to safeguard the security and confidentiality of Personal Data.

European Economic Area

1.1. Definitions

(a) “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.

(b) “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EEA applicable to the Processing of Personal Data, as they may be amended and supplemented from time to time.

(c) “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

(d) “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).

1.2. With regard to any Restricted International Transfer subject to EEA Data Protection Laws from one Party to the other within the scope of the Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the GDPR

(b) The appropriate Standard Contractual Clauses adopted by the European Commission from time to time.

(c) Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.

1.3. Standard Contractual Clauses:

(a) The Addendum hereby incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).

(b) The Parties agree that any references to sections, annexures, exhibits, modules and choices within the Standard Contractual Clauses as set out in this Section 1.3 of these EEA Terms shall be deemed to be the same as the cognate and corresponding references to sections, annexures, exhibits, modules, and choices within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to the Addendum.

(c) For the purposes of the annexures to the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:

i. Annex I(A): The content of Annex I(A) is set forth in Part A (List of Parties) of Exhibit A (Details of Processing) of the Addendum.

ii. Annex I(B): The content of Annex I(B) is set forth in Part B (Description of Transfer) of Exhibit A (Details of Processing) of the Addendum.

iii. Annex I(C): The content of Annex I(C) is set forth in Section 1.3(d) of these EEA Terms.

iv. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A (Technical and Organizational Security Measures) of the Addendum.

v. Annex III: The contents of Annex III is set out in Appendix II to Exhibit A (List of Contracted Processors) of the Addendum.

vi. The Parties agree to apply the following modules:

(A) With respect to any Controller-to-Processor Restricted International Transfers, the Parties agree to implement Module Two of the EU 2021 Standard Contractual Clauses.

(B) With respect to any Processor-to-Sub-Processor Restricted International Transfers, the Parties agree to implement Module Three of the EU 2021 Standard Contractual Clauses.

(C) With respect to any Processor-to-Controller Restricted International Transfers, the Parties agree to implement Module Four of the EU 2021 Standard Contractual Clauses.

(d) The Parties further agree to the following choices under the EU 2021 Standard Contractual Clauses:

i. Clause 7: The Parties choose not to include the optional docking clause.

ii. Clause 9(a): (Applicable only when Modules 2 and/or 3 apply) The Parties choose Option 2, “General Written Authorization,” and the time period set forth in Section 6.4 of the Addendum (Sub processing). The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum (Sub processing).

iii. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.

iv. Clause 13 (Annex I.C): (Applicable only when Modules 2 and/or 3 apply) Where PRG is the Data Exporter, the competent Supervisory Authority is the Irish Data protection Commission. Where the other Party is the Data Exporter, the competent Supervisory Authority is:

(A) The lead Supervisory Authority in any EEA country where such Party is established;

(B) The Supervisory Authority where such Party’s EU Representative is registered, if applicable and stated in Part A (List of Parties) of Exhibit A (Details of Processing) of the Addendum; or

(C) The relevant Supervisory Authority of any EEA country in which the Data Subjects are located (whose Personal Data is transferred in terms of the Standard Contractual Clauses).

v. Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.

vi. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

1.4. The Terms contained in Exhibit C to the Addendum supplement the Standard Contractual Clauses.

1.5. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.

Israel

1.1. Wherever the Processing pursuant to the Addendum falls within the scope of Israel’s Protection of Privacy Law, 1981, the Protection of Privacy Regulations (Data Security) 5777-2017 (“PPL Regulations”), and any corresponding decrees, regulations, or guidance (collectively “Israeli Data Protection Laws”), the provisions of the Addendum and these Israel Terms shall apply to such Processing.

1.2. For purposes of Article 15 of the PPL Regulations, to the extent that a Party acts as an external service provider (ספק שירות) as that term is construed under Israeli Data Protection Laws:

(a) Exhibit A (Details of Processing) to the Addendum contains information about the Personal Data being Processed; the purposes of the Processing; the database systems (if any) that the relevant Party will access in connection with the Processing; the types of Processing that the relevant Party will perform; and the duration of the Processing.

(b) Appendix I to Exhibit A (Technical and Organizational Security Measures) contains information about the security measures that the relevant Party has implemented to protect Personal Data.

1.3. The Party acting as a Processor or Sub-Processor of the other Party shall notify the other Party in the event of a Personal Data Breach and shall notify the other Party, at least once annually (and in a format to be agreed upon by the Parties), on the manner in which the Party acting as a Processor or Sub-Processor has implemented its obligations pursuant to these in these Israel Terms.

Poland

When applicable, the Processing of Personal Data shall be compliant with Poland’s Act of 10 May 2018 on the Protection of Personal Data, and as applicable, the Telecommunications Act of 16 July 2004, and any other relevant Polish privacy or data protection laws, as they may be amended and supplemented from time to time.

Switzerland

1.1. Definitions

(a) “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

(b) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(c) “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection.

1.2. With regard to any Restricted International Transfer subject to Swiss Data Protection Laws from one Party to the other within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a) The inclusion of the Third Country, a territory, or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of states that provide an adequate level of protection for Personal Data within the meaning of the FADP.

(b) The Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Swiss Data Protection Laws).

(c) Any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

1.3. Standard Contractual Clauses:

(a) The Addendum hereby incorporates by reference the Standard Contractual Clauses, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).

(b) The Parties agree that any references to sections, annexures, exhibits, modules and choices within the Standard Contractual Clauses as set out in this Section 1.3 of these Switzerland Terms shall be deemed to be the same as the cognate and corresponding references to sections, annexures, exhibits, modules, and choices within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to the Addendum.

(c) For the purposes of the annexures to the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:

i. Annex I(A): The content of Annex I(A) is set forth in Part A (List of Parties) of Exhibit A (Details of Processing) of the Addendum.

ii. Annex I(B): The content of Annex I(B) is set forth in Part B (Description of Transfer) of Exhibit A (Details of Processing) of the Addendum.

iii. Annex I(C): The content of Annex I(C) is set forth in Section 1.3(d) of these Switzerland Terms.

iv. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A (Technical and Organizational Security Measures) of the Addendum.

v. Annex III: The contents of Annex III is set out in Appendix II to Exhibit A (List of Contracted Processors) of the Addendum.

vi. The Parties agree to apply the following modules:

(A) With respect to any Controller-to-Processor Restricted International Transfers, the Parties agree to implement Module Two of the EU 2021 Standard Contractual Clauses.

(B) With respect to any Processor-to-Sub-Processor Restricted International Transfers, the Parties agree to implement Module Three of the EU 2021 Standard Contractual Clauses.

(C) With respect to any Processor-to-Controller Restricted International Transfers, the Parties agree to implement Module Four of the EU 2021 Standard Contractual Clauses.

(d) The Parties further agree to the following choices under the EU 2021 Standard Contractual Clauses:

i. Clause 7: The Parties choose not to include the optional docking clause.

ii. Clause 9(a): (Applicable only when Modules 2 and/or 3 apply) The Parties choose Option 2, “General Written Authorization,” and the time period set forth Section 6.4 of the Addendum (Sub processing). The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of the Addendum (Sub processing).

iii. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.

iv. Clause 13 (Annex I.C): (Applicable only when Modules 2 and/or 3 apply) The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief.

v. Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.

vi. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.

vii. References to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there any Restricted International Transfers subject to Swiss Data Protection Laws.

viii. The Standard Contractual Clauses also protect the data of legal entities until the entry into force of the revised FADP.

1.4. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted International Transfer in question.

Turkey

When applicable, the Processing of Personal Data shall be compliant with Turkey’s Personal Data Protection Law No. 6698 of 2016, and as applicable, Electronic Communications Law No. 5809 of 2008, the Personal Data in the Electronic Communications Sector Processing and Protection of Privacy Related Regulation (2020), and any corresponding decrees, regulations, or guidance as they may be amended and supplemented from time to time.

United Kingdom

1.1. Definitions

(a) “UK Data Protection Laws” includes the Data Protection Act 2018 and the UK GDPR (as defined below).

(b) “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

(c) “UK ICO” means the UK Information Commissioner’s Office.

(d) “UK IDTA” means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.

1.2. With regard to any Restricted International Transfer subject to UK Data Protection Laws from one Party to the other within the scope of the Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a) A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR.

(b) The UK IDTA.

(c) Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.

1.3. UK IDTA:

(a) The Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.

(b) For the purposes of the tables to the UK IDTA:

i. Table 1: The information required by Table 1 appears within Part A (List of Parties) of Exhibit A (Details of Processing) of the Addendum.

ii. Table 2:

(A) The UK IDTA shall be governed by the laws of England and Wales.

(B) The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.

(C) The Parties’ controllership and data transfer roles are set out in Part A (List of Parties) of Exhibit A (Details of Processing) of the Addendum.

(D) The UK GDPR applies to the Data Importer’s Processing of the Personal Data.

(E) The Addendum and the Agreement set out the instructions for Processing Personal Data.

(F) The Data Importer shall Process Personal Data for the time period set out in Part B (Description of Transfer) of Exhibit A (Details of Processing) of the Addendum. The Parties agree that either Party may terminate the UK IDTA before the end of such time period by serving one month’s written notice.

(G) The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of the Addendum (Sub processors), or to such third parties that the Data Exporter authorizes in writing or within the Agreement.

iii. Table 3: The content of Table 3 is set forth in Part B (Description of Transfer) of Exhibit A (Details of Processing) of the Addendum and may be updated in accordance with Section 3.3 of the Addendum (Processing of PRG Personal Data) and Section 15 of the Addendum (Updates to Exhibits to this Addendum).

iv. Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A (Technical and Organizational Security Measures) and may be updated in accordance with Section 3.3 of the Addendum (Processing of PRG Personal Data) and Section 15 of the Addendum (Updates to Exhibits to this Addendum).

(c) Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout the Addendum.

(d) The terms contained in Exhibit C to the Addendum supplement the UK IDTA.

(e) In cases where the UK IDTA applies and there is a conflict between the terms of the Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.

Vietnam

1.1. Wherever the Processing pursuant to the Agreement falls within the scope of Vietnam’s Law on Cyberinformation Security No. 86/2015/QH13 (19 November 2015) (“Cyberinformation Security Law”) and any corresponding decrees, regulations, or guidance, the provisions of the Addendum and these Vietnam Terms shall apply to such Processing.

1.2. To the extent required by Article 18 of the Cyberinformation Security Law and unless otherwise prescribed by law, the Parties shall notify the relevant Data Subjects: (a) when the duration of Processing, as indicated within Part B (Description of Transfer) of Exhibit A (Details of Processing) of the Addendum, has expired; and/or (b) when the Personal Data is deleted pursuant to Section 10 (for the avoidance of doubt, the section entitled ‘Deletion or Return of Personal Data’) of the Addendum