Local Data Protection Laws Covered by the DPA
(Revision May 18, 2023)
The IDEXX Customer Data Processing Agreement here ("DPA") and its applicable Data Processing Agreement Schedules (each a "DPA Schedule") apply to the Processing of Personal Data ("Customer Personal Data") by IDEXX on behalf of the customer ("Customer") under the agreement between IDEXX and Customer ("Agreement") in order to provide IDEXX Services, if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (GDPR); or ii) any other data protection laws identified below apply.
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Article 28 of the GDPR.
Brazil:
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados Pessoais (“LGPD”). For the sake of clarity, IDEXX’s obligations to a Customer under the DPA are only those express obligations imposed by LGPD on a “Data Processor (operador)” for the benefit of a “Controller (controlador)” (including new Section 3.5 below), as “Processor (operador)” and “Controller (controlador)” are defined by the LGPD:
- 3.5 Each party is responsible to fulfill its respective obligations under the LGPD, and Customer will only issue Processing instructions, as set forth in Section 3 of the DPA, that enable IDEXX to fulfill its LGPD obligations. For the purposes of Section 9 of the DPA, the EU SCCs will apply to transfers to Third Countries as per GDPR.
South Africa:
South African Protection of Personal Information Act 4 of 2013 (“POPIA”). For the sake of clarity, IDEXX’s obligations to Customer under the DPA are those express obligations imposed by POPIA on an “Operator” (equivalent to “Processor”) for the benefit of a “Responsible Party” (equivalent to a “Controller”). Each party is responsible to fulfill its respective obligations under POPIA. For the purposes of Section 9 of the DPA, the EU SCCs will apply to transfers to Third Countries as per GDPR.
United Kingdom:
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act of 2018), the UK Data Protection Act of 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations of 2019, as amended, superseded or replaced. For the purpose of Section 9 of the DPA, the following will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation. The parties rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to the completion of a “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (the “UK Addendum”). The EU SCCs, completed as set forth in Section 9 of the DPA, shall also apply to transfers of such Personal Data. The UK Addendum shall be deemed executed between IDEXX and Customer, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data.
Japan:
The Japanese Act on the Protection of Personal Information no. 57 of 2003 (“APPI”), as amended. For the sake of clarity, IDEXX’s obligations to Customer under the DPA are those that the APPI requires Customer to have in place as a “Personal Information Handling Business Operator”, to entrust the processing of Customer Personal Data to IDEXX as an “entrusted person”, as such terms are used in the APPI.