Privacy Statement

HKA

HKA is committed to ensuring that your privacy is protected. Should we ask you to provide contact information for promotional purposes, then you can be assured that it will only be used in accordance with this privacy statement.

INTRODUCTION

HKA Global respects your privacy and is committed to protecting your personal data.

This privacy notice will inform you as to how we use and share your personal information and explain your rights regarding how we use and share your personal information.

This privacy notice is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this notice.

IMPORTANT INFORMATION AND WHO WE ARE

PURPOSE OF THIS PRIVACY NOTICE

HKA is a global professional services firm, with its registered office at 3200, Daresbury Park, Warrington, WA4 4BU, United Kingdom.   This privacy notice aims to give you information on how HKA Global collects and processes your personal data through your use of this website, including any data you may provide through this website.  Where services are provided to you by other entities in the HKA group, the entity providing those services will be responsible for your personal data.  This notice applies to all such entities.

This website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

This privacy notice should be read in conjunction with our cookie policy at: Cookie Policy – HKA.

CONTROLLER

HKA Global Limited is made up of different legal entities. This privacy notice is issued on behalf of the HKA Global Group so when we mention “HKA Global”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the HKA Global Group responsible for processing your data.  HKA Global Limited is the controller and responsible for this website.

CONTACT DETAILS

Our full details are:

Full name of legal entity: HKA Global Limited

Email address: privacy@HKA.com

Postal address: 3200 Daresbury Park, Warrington, WA4 4BU, United Kingdom

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

THIRD-PARTY LINKS

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

THE DATA WE COLLECT ABOUT YOU

Personal data, or personal information, means any information about an individual that identifies you either directly from that information or indirectly, by reference to other information we have access to. It does not include data where the identity has been removed (anonymous data).

The personal data we collect, and how we collect it, depends upon how you interact with us.  Categories of personal data that we collect include:

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

  • Contact information such as name, email address and telephone number
  • Biographical Information such as job title, employer, photograph and video or audio content including you.
  • Technical Information such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Usage Information such as information about how you use our website, products and services.
  • Marketing and Communications Preferences and related information such as meal preferences, feedback and survey responses and your preferences in receiving marketing from us.
  • Billing and financial information such as billing address, bank account and payment information.
  • Special categories of data such as race and ethnicity, trade union membership, information about health or information about political opinions or religious beliefs
  • Other information such as in relation to criminal matters or relating to children

PERSONAL DATA WE COLLECT FROM YOU

We use different methods to collect data from you including:

  • When you sign up to receive any news services, or literature from us, use a toolkit or register for one of our online services, we will ask you to provide your contact and other relevant information, as well as your communication preferences.
  • When you register to attend one of our events, we will ask you to provide your contact, guest and other relevant information, including meal preferences.
  • When you use our website or one of our online services we collect information about your visit and how you interact with our website.
  • When a client uses our services, we will ask for the information that we need to provide those services; this information includes contact details, billing information, information necessary to conduct pre-clearance checks and information relevant to the services we provide. Information provided by a client may include personal data that relates to persons whose information is relevant to the instruction; for example when we provide professional services in relation to a dispute, business transaction or a regulatory investigation.
  • If you visit one of our buildings we may collect information that we need in order to identify you and complete necessary security checks. We may also collect your image on CCTV.
  • When you apply for a job with us we will ask you for information relevant to your application.  A specific privacy notice is available for candidates at Data & Privacy – HKA Global.
  • If you become an employee or provide services to us, we will collect personal data that is relevant to the employment or engagement.  A specific privacy notice is available to employees and to contractors.

If you provide information to us about another person, you must ensure that you comply with any legal obligations that may apply to your provision of the information to us, and allow us, where necessary, to share that information with service providers.

INFORMATION WE COLLECT FROM THIRD PARTIES

Most of the personal data that we collect about you will be information that you provide to us voluntarily. In some circumstances we may also receive information from:

  • other HKA entities
  • our clients, when we handle personal data on their behalf
  • regulatory bodies
  • credit reference agencies
  • other companies providing services to us.

Some of these third party sources may include publicly available sources of information.

We will also receive information about you from Google Analytics, a web analytics service provided by Google, Inc. (“Google”) whose servers are in the European Union. Google Analytics uses cookies to help us analyse how users use our site.

We may also receive information about you from advertising networks and search information providers, some of whom are based in the UK, some based in the EU and some based outside both the UK and the EU.

DATA WE COLLECT AUTOMATICALLY

When you visit one of our websites, we automatically collect, store and use technical information about your equipment and interaction with our website. This information is sent from your computer to us using a variety of cookies. It is possible to manage your cookie preferences by visiting the cookie settings icon at Claims Advisory & Dispute Resolution Experts | HKA.

We may also receive technical data about you if you visit other websites employing our cookies.  Our cookie policy can be found at Cookie Policy – HKA.

HOW WE USE YOUR PERSONAL DATA

We will only use your personal data fairly and where we have a lawful reason to do so.

We are allowed to use your personal data if we have your consent or another legally permitted reason applies.  These include to fulfil a contract with you, when we have a legal duty to comply with, or when it is in our legitimate business interest to use your personal data. We can only rely on our legitimate business interest if it is fair and reasonable to do so.

Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where you have consented to such processing.

We will only process special category data where the processing is necessary for the purposes of providing our client with advice or in the context of an employment relationship.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and the lawful basis for the use of such data.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact privacy@hka.com if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Uses of personal data | Our lawful basis for the use of your personal data |
| --- | --- |
| To provide news and information services including email briefings and newsletters; to give access to online tools and to invite you to events that we organise or sponsor | Where you have consented and expressed a preference to receive such marketing communications; or where it is appropriate and relevant to our business relationship with you. |
| To send you details of surveys, campaigns or other initiatives that we co-ordinate. | Where you have consented and expressed a preference to receive such marketing communications; or where it is appropriate and relevant to our business relationship with you |
| To operate suppression lists to ensure that you do not receive communications if you object or unsubscribe | To respect your rights and comply with our legal obligations |
| To collect insights into how you interact with our services so that we can personalise our communications with you and improve our websites and services. | Where we have your consent or where it is necessary so that we can deliver our websites and online services effectively |
| To maintain contact with past employees and consultants. | To promote networking and communication with and between HKA and its former employees and consultants |
| To conduct client due diligence and conflict checks when on-boarding a new client or supplier. | To comply with our legal and regulatory obligations including compliance with anti-money laundering legislation, anti-bribery, fraud and crime prevention. |
| To provide legal advice and related relevant services, to manage and administer our business relationships, including to communicate with our clients, their employees and representatives, to manage billing and payments and to keep records. | To fulfil our contract with our client(s) and to comply with legal and regulatory obligations including accounting, tax and data privacy |
| To maintain security and manage access to our offices, systems and our websites | To comply with legal obligations, and because we have a legitimate interest in maintaining the security of our buildings, websites and networks |
| Enforcing our terms of engagement, website terms of use and other terms and conditions | To protect our legal interests |
| Sharing personal data in connection with acquisitions and transfers of our business | To comply with legal obligations and to facilitate the transaction |
| To manage our supply chain including identifying and maintaining contact with service providers | Where necessary for the efficient running of our business |
| Other purposes that we have identified at the point of collection. | Where we have your consent. |

MARKETING

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

PROMOTIONAL OFFERS FROM US

We may use your personal data  to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or if you provided us with your details otherwise and, in each case, you have not opted out of receiving that marketing.

THIRD-PARTY MARKETING

We will get your express opt-in consent before we share your personal data with any company outside the HKA Global group of companies for marketing purposes.

OPTING OUT

You can ask us or third parties to stop sending you marketing messages by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service purchase, service experience or other transactions.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact privacy@hka.com

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

SHARING AND TRANSFERRING YOUR DATA

We treat your personal data with respect and do not share it with third parties except as described below.

  • We may disclose your personal data to other HKA entities for the purpose of our internal business processes (such as administration, liaising with experts in different jurisdictions and billing) and for the purpose of providing our services. When we provide personal data to HKA entities outside of the EU and EEA, we have in place an intra-group transfer agreement in the form approved by the European Commission. Where it is necessary to transfer data from any HKA entity outside of the EU and EEA, we will comply with any transfer requirements applicable under local law.
  • We may disclose personal data relating to our clients, their employees and agents to other specialists including solicitors, barristers, mediators, arbitrators, consultants or experts engaged in a matter. We may also disclose personal data to law firms for the purpose of obtaining legal advice.
  • We may share personal data with our suppliers and service providers including event organisers and partners and document production and management services
  • We may share personal information when necessary with law enforcement and regulatory authorities
  • We may share personal information with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets or who buys our shares. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
  • We may also share your personal data when you have consented to us doing so.

We will only transfer your personal data outside of the European region under the following circumstances:

  • where the transfer is to a country or other territory which has been assessed by the European Commission (or an equivalent UK body) as ensuring an adequate level of protection for personal data
  • with your consent or
  • on the basis that the transfer is compliant with the GDPR (or equivalent UK regulations) and other applicable laws.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

HOW WE PROTECT YOUR PERSONAL DATA

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

KEEPING YOUR PERSONAL DATA

We do not keep your personal data for any longer than is necessary to fulfil the purpose for which we collected it, or to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims.

YOUR RIGHTS CONCERNING YOUR PERSONAL DATA

You have certain rights regarding how we use and keep your personal data. These are:

  • you can require us to update or correct any inaccurate personal data, or to complete any incomplete personal data, concerning you. If you do, we will take reasonable steps to check the accuracy of, and correct, the information. Please let us know if any of your information changes so that we can keep it accurate and up to date;
  • you can require us to stop processing your information for direct marketing purposes; if you withdraw your consent, we may not be able to provide certain products or services to you; and
  • you have the right to object to our use of your personal data more generally.

You may also have the right, in certain circumstances, to:

  • be provided with a copy of any personal data that we hold about you, with certain related information. There are exceptions to this right; for example where information is legally privileged or if providing you with the information would reveal personal data about another person;
  • require us, without undue delay, to delete your personal data;
  • “restrict” our use of your information, so that it can only continue subject to restrictions; and
  • require personal data which you have provided to us and which are processed by using automated means, based on your consent or the performance of a contract with you, to be provided to you in machine readable format so that they can be “ported” to a replacement service provider.

You can exercise the above rights, where applicable by contacting privacy@hka.com. We will require you to provide satisfactory proof of your identity in order to ensure that your rights are respected and protected. This is to ensure that your personal data is disclosed only to you.

HKA’S CONTRACTUAL COMMITMENT TO DATA PROTECTION – DPA

This Data Processing Addendum (“Addendum”) applies between the Client named in the Agreement (“Client”), and the HKA entity named in the Agreement (“HKA”).

This Addendum forms a part of the Agreement between Client and HKA, as referred to in the Terms of Business or Client Engagement Terms and Conditions (the “Agreement”) related to HKA’s provision of certain services described in the Agreement (the “Services”). Except as modified herein, the terms of the Agreement shall remain in full force and effect.

The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

1. Definitions. For purposes of this Addendum, the following terms will have the meanings set forth below. Capitalized terms used but not otherwise defined in this Addendum will have the meaning given to them in the Agreement. Where definitions herein are provided by the GDPR, their meaning shall be interpreted with their equivalent under other Data Protection Laws.

i. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with, either Client or HKA respectively. “Control,” for purposes of this definition, means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

ii. “Anonymised Data” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.

iii. “Client Personal Data” means any Personal Data received by HKA or a Subprocessor on behalf of Client in connection with the Agreement, or any Personal Data received, created, or otherwise Processed by HKA or Subprocessor pursuant to the Agreement.

iv. “Controller” means the Client and its Affiliates,  natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data and includes a “business” as defined under the Data Protection Laws.

v. “Data Protection Laws” means all current and future applicable laws and regulations relating to the processing, security, protection, and retention of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable but not limited to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CPRA”), Cal. Civ. Code 1798.100, et seq., and any related regulations, each as amended and supplemented from time to time, General Data Protection Regulation (EU) 2016/679, Personal Information Protection Law of the People’s Republic of China, Australian Privacy Act 1988, PDPA (Malaysian Personal Data Protection Act 2010), Protection of Personal Information Act 2013 (South Africa), the UAE Federal Law No. 2 of 2019 on the Protection of Personal Data, the UAE Federal Decree – Law No. 45 of 2021, Personal Data Privacy Law in Saudi Arabia  and any applicable regulations and national standards protecting individuals’ personal information in the People’s Republic of China, UK General Data Protection Regulation, UK Data Protection Act 2018, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, any national laws or regulations implementing the foregoing Directives, and any data protection laws of Norway, Iceland, Liechtenstein and Switzerland and any amendments to or replacements for such laws and regulations.

vi. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

vii. “Personal Data” means information that directly or indirectly identifies, relates to, or describes an identified or identifiable living individual.

viii. “Personal Data Breach” means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Client Personal Data transmitted, stored or otherwise Processed by HKA.

ix. “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

x. “Processor” means any HKA entity which Processes Client Personal Data, including as applicable any “HKA” or “contractor” as those terms are defined by applicable Data Protection Laws.

xi. “Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.

xii. “Subprocessor” means any Processor (including any third party and any HKA Affiliate) appointed by or on behalf of HKA who may Process Client Personal Data in accordance with Part 2.

2. Processing of Personal Data

2.1. Client agrees to make Client Personal Data available to HKA for the limited and specified purpose of providing the Services as contemplated by the Agreement. The subject-matter and details of HKA’s Processing (including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects) are set forth in Exhibit 1 attached to this Addendum.

2.2. The Parties acknowledge and agree that, with regard to the Processing of Client Personal Data, the Client is the Controller and HKA is the Processor. The Client retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to HKA. Client represents and warrants that HKA’s use of Client Personal Data for its provision of Services and as specifically instructed by Client will comply with all Data Protection Laws.

2.3. Client shall, in using the Services, direct the Processing of Personal Data consistently with the requirements of the Data Protection Laws.

2.4. HKA will only Process Client Personal Data on behalf of Client (a) to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under the Agreement; and (b) in accordance with the terms of the Agreement and this Addendum, which together constitute Client’s instructions. The restrictions set forth in this section shall not restrict HKA’s ability to Process Client Personal Data where required to do so by applicable laws to which HKA is subject.

2.5. If HKA receives Anonymised Data from Client, or creates Anonymised Data at Client’s instruction, HKA will (a) take reasonable measures to ensure the Anonymised Data cannot be associated with a Data Subject or household, (b) maintain and use the Anonymised Data in deidentified form, and (c) not attempt to reidentify the Anonymised Data except for the sole purpose of determining whether HKA’s deidentification processes satisfy the requirements of applicable Data Protection Laws.

2.6. Notwithstanding any other provision in this Section, HKA may internally use Client Personal Data about individuals to build or improve the quality of the Services it provides to Client.

2.7. If the Client provides any categories of Personal Data not expressly covered by this DPA, Client acts at its own risk and HKA shall not be responsible for any potential compliance deficits related to such use.

3. HKA Personnel. HKA will take reasonable steps to ensure that access to Client Personal Data is limited to those of its Affiliates, employees, agents, and subcontractors who need access to the information for the purpose for which it was provided.

4. Security. HKA will implement and maintain appropriate technical and organizational safeguards that it considers appropriate to protect Client Personal Data and will ensure that all such safeguards comply with applicable Data Protection Laws. Such safeguards are further specified in Exhibit 2 attached to this Addendum. In assessing the appropriate level of security, HKA will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Client Personal Data transmitted, stored, or otherwise Processed.

5. Personal Data Breach. In the event of a Personal Data Breach, HKA will (a) notify Client as soon as reasonably practical; (b) provide Client with sufficient details of the Personal Data Breach to allow Client to meet any obligations under Data Protection Laws to report or inform Data Subjects or relevant Regulators of the Personal Data Breach; and (c) cooperate, and require any Subprocessor to cooperate, with Client in the investigation, mitigation, and remediation of any such Personal Data Breach.

6. Subprocessors

6.1. In the event HKA engages a Subprocessor, HKA will enter into a written agreement with each Subprocessor containing, in substance, data protection obligations no less protective than those in this Addendum with respect to the Processing of Client Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Client consents to HKA’s use of Subprocessors. Details of Subprocessors that may be utilised can be obtained by asking HKA’s engagement Partner.

6.2. HKA may, at its discretion, at any time appoint additional or replacement Subprocessors provided that Client does not legitimately object to such changes. Legitimate objections must contain reasonable and documented grounds relating to a Subprocessor’s non-compliance with applicable Data Protection Laws.

7. Data Subject Rights

7.1. HKA will promptly notify Client if it receives a request from a Data Subject regarding Client Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws.

7.2. At the Client’s cost, HKA will reasonably assist Client in fulfilling Client’s obligations to respond to such requests, including at minimum, maintaining the ability to access, modify, or irrevocably delete or destroy the Personal Data of an individual Data Subject when requested by Client.

8. Deletion or Return of Client Personal Data

8.1. At any time during the term of the Agreement at Client’s request, or upon the termination or expiration of the Agreement for any reason, HKA will promptly take reasonable steps to delete or return to Client all copies of Client Personal Data in its possession. HKA will comply with all reasonable directions provided by Client with respect to the return or deletion of Client Personal Data. Deletion shall encompass Client Personal Data that is ordinarily accessible and shall not include any back-up data that is not ordinarily accessible.

8.2. Notwithstanding Section 8.1 above, HKA may retain Client Personal Data if required by applicable Data Protection Laws, but only to the extent and for such period as required by such legal requirement.

9. Compliance and Audits

9.1. Upon Client’s request, subject to the Client or the Client’s auditor executing such confidentiality agreements as HKA may require, HKA will provide such assistance as Client reasonably requires in ensuring compliance with Client’s obligations under applicable Data Protection Laws.

9.2. In addition to any audit rights Client may have under the Agreement, HKA will make available to Client the information necessary to demonstrate HKA’s compliance with this Addendum, as well as any applicable Data Protection Laws, and will allow for and contribute to audits, including inspections, by Client, or a third-party auditor mandated by Client, in order to assess HKA’s compliance. Any audits may be conducted with at least five (5) business days’ written notice to HKA subject to the auditor and each individual executing a confidentiality agreement in such terms as HKA may require.

9.3. HKA will notify Client if it determines it can no longer meet its obligations under this Agreement or Data Protection Law.

10. International Data Transfers

10.1 The Client consents that, insofar as the Agreement involves the transfer of Client Personal Data from a jurisdiction, HKA may do so whilst adhering to the requirements for additional steps or safeguards in accordance with applicable Data Protection Laws. HKA agrees to cooperate with Client to take appropriate steps to comply with applicable Data Protection Laws.

10.2. If the Processing (including storage) of Client Personal Data involves the transfer of Client Personal Data from the European Economic Area (“EEA”) to a jurisdiction outside of the EEA where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the European Commission, the parties agree that such transfer(s) will be carried out in accordance with and subject to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) as set out in Exhibit 3 attached to this Addendum. To the extent there is any conflict between this Addendum and the EU SCCs, the terms of the EU SCCs will prevail.

10.3. If the Processing (including storage) of Client Personal Data involves the transfer of Client Personal Data from the United Kingdom (“UK”) to a jurisdiction outside of the UK where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the UK Information Commissioner’s Office (“ICO”), the Parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (“UK IDTA”) as set out in Exhibit 4 attached to this Addendum. To the extent there is any conflict between this Addendum and the UK IDTA, the terms of the UK IDTA will prevail.

10.4 European-U.S. Approved Adequacy Mechanism: Any transfer under a European-U.S. Approved Adequacy Mechanism must be made in accordance with the rules of the mechanism including, where required, the registration or certification of HKA’s Affiliate(s) located in the United States of America, which will process Client Personal Data for purposes of the Services.

10.5 Insofar as the Agreement involves the transfer of Client Personal Data from any other jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, HKA agrees to cooperate with Company to take appropriate steps to comply with applicable Data Protection Laws.

11. Changes in Data Protection Laws. If any variation is required to this Addendum as a result of a change in or subsequently applicable Data Protection Laws, the parties agree to discuss and negotiate in good faith any variations to this Addendum necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable.

12. General Terms. This Addendum supersedes any prior data processing agreements, addenda or similar terms between the parties. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. This Addendum and the other portions of the Agreement will be read together and construed, to the extent possible, to be in concert with each other. In the event of any conflict between the Agreement and this Addendum, this Addendum will govern with respect to the subject matter of this Addendum.

Exhibit 1

Details of Processing

  1. Subject Matter of Processing

The subject-matter of Processing of Client Personal Data by HKA is the performance of the Services pursuant to the Agreement.

  2. Nature and Purpose of Processing

Client Personal Data will be incidental and Processed as necessary to perform the Services pursuant to the Agreement and will be subject to the processing activities described in the Agreement.

  3. Duration of Processing

Subject to section 8 of the Addendum, HKA will Process Client Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

  4. Categories of Data Subjects

The types of Data Subject shall be incidental and incremental as is contemplated or related to the Processing described in the Agreement.

  5. Types of Personal Data

The types of Client Personal Data shall be as is contemplated or related to the Processing described in the Agreement.

  6. Special Categories of Data

Unless the Engagement Letter states otherwise, the Processing will not include any Special Categories of Data.

Exhibit 2

Description of Technical and Organizational Security Measures

HKA will implement and maintain appropriate technical and organisational measures to meet its obligations under applicable Data Protection Laws. For example, HKA will:

  • require that all devices used to store or transfer Client Personal Data are encrypted and subject to a strong password policy that requires a password at initial startup and upon waking from sleep;
  • require multi-factor authorization and other account protection as available;
  • use reasonable technical and organizational measures to ensure that Client Personal Data is encrypted when in transit and at rest in a manner designed to prevent access by third parties without appropriate credentials.

Exhibit 3

Standard Contractual Clauses – Controller to Processor

The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The Parties agree that the following terms apply:

  1. Clause 7: The Parties have chosen not to include Clause 7.
  2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s). The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 60 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
  3. Clause 11(a): The Parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
  4. Clause 13(a): The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  5. Clause 17: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of England.
  6. Clause 18(b): The Parties agree that those shall be the courts of England and Wales.

ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

  1. LIST OF PARTIES

Data exporter(s):

Name: Refer to Client Signatory of the Agreement
Address: Refer to Client Signatory of the Agreement
Contact person’s name, position and contact details: Refer to Client Signatory of the Agreement
Activities relevant to the data transferred under these Clauses: Activities relevant to the data transferred under this Annex are set out in the Agreement
Signature and date: Refer to Signatories of the Agreement
Role (controller/processor): Controller

Data importer(s):

Name: Refer to HKA Signatory of the Agreement
Address: Refer to HKA Signatory of the Agreement
Contact person’s name, position and contact details: Refer to HKA Signatory of the Agreement
Activities relevant to the data transferred under these Clauses: Activities relevant to the data transferred under this Annex are set out in the Agreement
Signature and date: Refer to HKA Signatory of the Agreement
Role (controller/processor): Processor

  2. DESCRIPTION OF TRANSFER

Refer to Exhibit 1 of this Addendum.

  3. COMPETENT SUPERVISORY AUTHORITY

The Information Commissioner’s Office (ICO)

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

A description of the technical and organisational measures implemented by the data importer(s) is set forth in Exhibit 2 of the Addendum.

Exhibit 4

UK International Data Transfer Agreement

Part 1: Tables

Table 1: Parties and signatures

Start date: The Effective Date of the Addendum
The Parties: Exporter (who sends the Restricted Transfer); Importer (who receives the Restricted Transfer)
Parties’ details: Exporter: Refer to Client Signatory of the Agreement; Importer: Refer to HKA Signatory of the Agreement
Key Contact: Exporter: As Above; Importer: As Above
Importer Data Subject Contact: Exporter: Refer to Signatories of the Agreement; Importer: Refer to Signatories of the Agreement
Signatures confirming each Party agrees to be bound by this IDTA: Exporter: As Above; Importer: As Above

Table 2: Transfer Details

UK country’s law that governs the IDTA: England and Wales  Northern Ireland  Scotland
Primary place for legal claims to be made by the Parties: England and Wales  Northern Ireland  Scotland
The status of the Exporter: In relation to the Processing of the Transferred Data:  Exporter is a Controller
The status of the Importer: In relation to the Processing of the Transferred Data:  Importer is the Exporter’s Processor or Sub-Processor
Whether UK GDPR applies to the Importer: UK GDPR applies to the Importer’s Processing of the Transferred Data  UK GDPR does not apply to the Importer’s Processing of the Transferred Data
Linked Agreement:

If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the Parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data:

  • Name of agreement: Data Processing Addendum (the “Addendum”)
  • Date of agreement: Refer to the Signature page of the Agreement
  • Parties to the agreement: Refer to Signatories of the Agreement
  • Reference (if any): If applicable, see in the Agreement

Other agreements – any agreement(s) between the Parties which set out additional obligations in relation to the Transferred Data, such as a data sharing agreement or service agreement:

  • Name of agreement: If applicable, see in the Agreement
  • Date of agreement: If applicable, see in the Agreement
  • Parties to the agreement: If applicable, see in the Agreement
  • Reference (if any): If applicable, see in the Agreement

If the Exporter is a Processor or Sub-Processor – the agreement(s) between the Exporter and the Party(s) which sets out the Exporter’s instructions for Processing the Transferred Data:

  • Name of agreement: If applicable, see in the Agreement
  • Date of agreement: If applicable, see in the Agreement
  • Parties to the agreement: If applicable, see in the Agreement
  • Reference (if any): If applicable, see in the Agreement

Term: The Importer may Process the Transferred Data for the following time period:  the period for which the Linked Agreement is in force
Ending the IDTA before the end of the Term: the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
Ending the IDTA when the Approved IDTA changes: Which Parties may end the IDTA as set out in Section 29.2.:  Importer  Exporter
Can the Importer make further transfers of the Transferred Data? The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1. (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data: The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1.: there are no specific restrictions.
Review Dates: each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment, to the extent that Importer is made aware of such changes; Importer will conduct a review at the time of contract renewal

Table 3: Transferred Data

Transferred Data: The personal data to be sent to the Importer under this IDTA consists of that data outlined in Exhibit 1 of the Addendum.
Special Categories of Personal Data and criminal convictions and offences: The Transferred Data includes data relating to that data outlined in Exhibit 1 of the Addendum. The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
Relevant Data Subjects: The Data Subjects of the Transferred Data are those data subjects outlined in Exhibit 1 of the Addendum. The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
Purpose: The Importer may Process the Transferred Data for the purposes set out in the Addendum. The purposes will update automatically if the information is updated in the Linked Agreement referred to.

Table 4: Security Requirements

Security of Transmission: As set out in Exhibit 2 of the Addendum.
Security of Storage: As set out in Exhibit 2 of the Addendum.
Security of Processing: As set out in Exhibit 2 of the Addendum.
Organisational security measures: As set out in Exhibit 2 of the Addendum.
Technical security minimum requirements: As set out in Exhibit 2 of the Addendum.
Updates to the Security Requirements: The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.

Part 2: Extra Protection Clauses

Extra Protection Clauses: N/A

Part 3: Commercial Clauses

Commercial Clauses: Commercial Clauses are not used

Part 4: Mandatory Clauses

Mandatory Clauses: Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.