Common use of Data Transfers Clause in Contracts

Data Transfers. If Lenovo or its Subcontractors are located outside the EEA, Lenovo and Controller hereby execute the controller to processor standard contractual clauses as set out in MODULE TWO in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or superseded from time to time (the "C2P Standard Contractual Clauses") and hereby incorporate them into this Addendum by reference. The parties acknowledge and agree that: a. Lenovo and Controller shall each comply with their respective obligations in the C2P Standard Contractual Clauses; b. If there is any conflict or inconsistency between the C2P Standard Contractual Clauses and this Addendum or the Agreement, the C2P Standard Contractual Clauses shall control to the extent of the conflict; and c. The information in the following tables is hereby incorporated into the C2P Standard Contractual Clauses between the Parties: Clause 9. Use of sub-processors Option 2 GENERAL WRITTEN AUTHORISATION is selected. Data importer shall provide information at least 30 days in advance as per Clause “Subprocessing” Clause 17. Governing law These Clauses shall be construed in accordance with the governing law set forth in the Parties’ base agreement unless that governing law is not that of an EU Member State that allows for third-party beneficiary rights. In such event, the Parties agree that these Clauses shall be governed by the law of IRELAND. Clause 18 (b). Choice of forum and jurisdiction The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of IRELAND. Data Exporter’s Name Controller, and any of its commonly owned or controlled affiliates Data Exporter’s Address The address of the Customer entity that entered into the Agreement. Data Exporter´s contact person´s name, position and contact details As agreed as part of the Agreement. Data Exporter´s activities relevant to the data transferred under these Clauses The Services provided by the Data Importer to the Data Exporter in accordance with the Agreement Data Exporter´s signature and date The parties agree that acceptance of the Agreement by the Data Importer and the Data Exporter has the equivalent legal effect of a signature. The date of signature is the date of such acceptance Data Exporter´s role Controller Data Importer’s name Lenovo and its subcontractors Data Importer´s address The address of the Lenovo entity that is providing the Services Data Importer´s contact details ▇▇▇▇@▇▇▇▇▇▇.▇▇▇ Data Importer´s activities relevant to the data transferred under these Clauses The Services provided by the Data Importer to the Data Exporter in accordance with the Agreement Data Importer´s signature and date The parties agree that acceptance of the Agreement by the Data Importer and the Data Exporter has the equivalent legal effect of a signature. The date of signature is the date of such acceptance Data Importer’s Role Processor Categories of data subjects As set out in Exhibit A Categories of personal data As set out in Exhibit A Sensitive data As set out in Exhibit A Frequency of the Transfer As required for the provision of the Services Nature of the processing As set out in Exhibit A Purpose of the processing As set out in Exhibit A Period for which personal data will be retained As set out in Exhibit A Subject matter, nature and duration of the processing carried out by subprocessors As set out in Exhibit A Competent Supervisory Authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 ty The supervisory authority that will act as competent supervisory authority will be that of the EU member State where Data Exporter is established in the EU. If Data Exporter (i.e., contracting legal entity) is not established in EU, then the Competent Supervisory Authority will be such of the EU Member State in which the Data Exporter´s EU representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established. If the Data Exporter is not established in the EU but does not need to appoint an EU representative, then the Competent Supervisory Authority will be that of the EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights andfreedoms of natural persons. Set forth at Section 11 of this Addendum and in its Exhibit A. List of authorised subprocessors As set out in Annex 1 to Exhibit A

Data Transfers. If Lenovo a. District authorizes Magic School to make international transfers of the Personal Information only if (i) applicable Data Privacy Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA. b. With respect to Personal Information transferred from the United Kingdom for which UK Data Protection Law (and not the law in any European Economic Area (“EEA”) jurisdiction or its Subcontractors are located outside Switzerland) governs the EEAinternational nature of the transfer, Lenovo the 2021 Standard Contractual Clauses along with the UK International Data Transfer Addendum form part of this DPA and Controller hereby execute take precedence over the controller rest of this DPA to processor standard contractual clauses the extent of any conflict and shall be deemed completed as follows: ● The “exporter” is District, and the exporter’s contact information is set out in MODULE TWO forth in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament Agreement, ● The “importer” is Magic School, and of the Council as amended or superseded from time to time (the "C2P Standard Contractual Clauses") and hereby incorporate them Magic School’s contact information is set forth below. ● By entering into this Addendum by reference. The parties acknowledge and agree that: a. Lenovo and Controller shall each comply with their respective obligations in DPA, the C2P Standard Contractual Clauses; b. If there is any conflict or inconsistency between Parties are deemed to be signing the C2P 2021 Standard Contractual Clauses and this Addendum or their applicable Appendices. c. With respect to Personal Information transferred from the AgreementEEA and Switzerland, the C2P 2021 Standard Contractual Clauses shall control form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows: ● District acts as a controller and Magic School acts as District’s processor with respect to the conflict; and c. The information in Personal Information subject to the following tables is hereby incorporated into the C2P 2021 Standard Contractual Clauses between Clauses, and its Module 2 applies. ● Clause 7 (the Parties: optional docking clause) is included. ● Under Clause 9. 9 (Use of sub-processors processors), the parties select Option 2 GENERAL WRITTEN AUTHORISATION (General written authorization). The initial list of sub-processors is selected. Data importer set forth as indicated in Section 11(b) of this DPA and Magic School shall update that list and provide information notice to District at least 30 thirty (30) days in advance as per of any intended additions or replacements of sub-processors. ● Under Clause “Subprocessing” 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply. ● Under Clause 17. 17 (Governing law), the parties choose Option 1 (the law These Clauses shall be construed in accordance with the governing law set forth in the Parties’ base agreement unless that governing law is not that of an EU Member State that allows for third-party beneficiary rights). In such event, The parties select the Parties agree that these Clauses shall be governed by the law laws of IRELANDIreland. ● Under Clause 18 (b). Choice of forum and jurisdiction The Parties agree that any dispute arising from these Clauses shall be resolved by jurisdiction), the parties select the courts of IRELANDIreland. Data Exporter’s Name Controller● Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule B of the DPA. ● Annex III of the 2021 Standard Contractual Clauses (List of subprocessors) is inapplicable. d. Additional Safeguards for the Transfer and Processing of Personal Information from the EEA, Switzerland, and any the United Kingdom. To the extent that Magic School Processes Personal Information of its commonly owned Data Subjects located in or controlled affiliates subject to the applicable Data Exporter’s Address The address Privacy Laws of the Customer entity EEA, Switzerland, or the United Kingdom, Magic School agrees to the following safeguards to protect such data to an equivalent level as applicable Data Privacy Laws: ● Magic School and District shall encrypt all transfers of the Personal Information between them, and Magic School shall encrypt any onward transfers it makes of such personal data, to prevent the acquisition of such data by third parties. ● Magic School will use all reasonably available legal mechanisms to challenge any demands for data access through national security process it receives as well as any non-disclosure provisions attached thereto. ● At 12-month intervals or more often if required by applicable Data Privacy Law, Magic School shall create a transparency report that entered into it will make available to District upon request, indicating the Agreementtypes of binding legal demands for the Personal Information it has received, including national security orders and directives, which shall encompass any process issued under FISA Section 702. Data Exporter´s contact person´s name● Magic School will promptly notify District if Magic School can no longer comply with the applicable Standard Contractual Clauses or the clauses in this Section. Magic School shall not be required to provide District with specific information about why it can no longer comply, position if providing such information is prohibited by applicable law. Such notice shall entitle District to terminate the Agreement (or, at District’s option, affected statements of work, order forms, and contact details As agreed as part like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to District’s other rights and remedies with respect to a breach of the Agreement. Data Exporter´s activities relevant to the data transferred under these Clauses The Services provided by the Data Importer to the Data Exporter in accordance with the Agreement Data Exporter´s signature and date The parties agree that acceptance of the Agreement by the Data Importer and the Data Exporter has the equivalent legal effect of a signature. The date of signature is the date of such acceptance Data Exporter´s role Controller Data Importer’s name Lenovo and its subcontractors Data Importer´s address The address of the Lenovo entity that is providing the Services Data Importer´s contact details ▇▇▇▇@▇▇▇▇▇▇.▇▇▇ Data Importer´s activities relevant to the data transferred under these Clauses The Services provided by the Data Importer to the Data Exporter in accordance with the Agreement Data Importer´s signature and date The parties agree that acceptance of the Agreement by the Data Importer and the Data Exporter has the equivalent legal effect of a signature. The date of signature is the date of such acceptance Data Importer’s Role Processor Categories of data subjects As set out in Exhibit A Categories of personal data As set out in Exhibit A Sensitive data As set out in Exhibit A Frequency of the Transfer As required for the provision of the Services Nature of the processing As set out in Exhibit A Purpose of the processing As set out in Exhibit A Period for which personal data will be retained As set out in Exhibit A Subject matter, nature and duration of the processing carried out by subprocessors As set out in Exhibit A Competent Supervisory Authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 ty The supervisory authority that will act as competent supervisory authority will be that of the EU member State where Data Exporter is established in the EU. If Data Exporter (i.e., contracting legal entity) is not established in EU, then the Competent Supervisory Authority will be such of the EU Member State in which the Data Exporter´s EU representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established. If the Data Exporter is not established in the EU but does not need to appoint an EU representative, then the Competent Supervisory Authority will be that of the EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights andfreedoms of natural persons. Set forth at Section 11 of this Addendum and in its Exhibit A. List of authorised subprocessors As set out in Annex 1 to Exhibit A