Last updated: April 15, 2025
This Data Privacy Addendum (the “DPA”) supplements and is incorporated into the Membership Agreement as updated from time to time between the customer and the Avinode Group entities listed as parties to the Membership Agreement (referred to herein as “Member” and “Processor” respectively). By executing the Membership Agreement, you enter into this DPA on behalf of yourself and in the name of your affiliates as appropriate. Any capitalized term not defined herein will have the meaning given to it in the Membership Agreement.
1. Definitions: Unless otherwise defined herein, all terms shall be as defined in Data Protection Laws.
1.1 “Member Personal Data” or “MPD” means any information provided to, collected by, or accessed by Processor under the Membership Agreement, in any form or format, that is defined as personal information, personal data, or equivalent term under Data Protection Laws and that: (a) relates to Member’s employees, representatives, personnel or end users in their use of the Products, or (b) relates to individuals whose information is processed by Processor as a result of Member’s use of the Products.
1.2 “Data Protection Laws” means any laws, statutes, declarations, decrees, directives, legislative enactments, orders, ordinances, regulations, rules, or other binding restrictions (including any amendments or successors thereto) pertaining to data protection, privacy, security, and/or the processing of MPD, to the extent applicable to a party’s obligations under the Membership Agreement.
1.3 “SCC” means sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as well as any amendment, or new legal requirement or contract that replaces, supersedes, or is required to be implemented in connection with the SCC) and as set forth in this DPA.
1.4 “Products” means software, features enabling third-party integrations, and other offerings provided by Processor to Member as more fully described in the Membership Agreement.
1.5 “Security Incident” means a breach of Processor’s security leading to the accidental or unauthorized access, loss, alteration, or disclosure, of MPD transmitted, stored, or processed by Processor. A Security Incident shall not include unsuccessful attempts or activities that do not compromise the security of MPD, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
2. Processing Details:
2.1 Roles of the Parties. The parties acknowledge and agree that with respect to processing MPD under this DPA, Member is a “Controller” or “Business” and Processor is a “Processor” or “Processor”. The Membership Agreement and this DPA constitute Member’s instructions to Process MPD. The description of the processing is set out in Annex 1 Part 1.
2.2 Scope of Processing. Processor will use and Process MPD to: (i) adhere to Member instructions to deliver the Products and fulfill Processor’s obligations under this DPA, (ii) communicate about the Products and Processor’s affiliate offerings, (iii) detect, investigate, and remediate a Security Incident, fraud, or other illegal activities, (iv) fulfill internal business purposes, including finance, accounting, screening and compliance functions, and auditing, (v) comply with applicable laws, regulations, and legal processes, and (vi) as otherwise described in the Membership Agreement. To the extent required under Data Protection Laws, Processor will not “Sell” or “Share” MPD, and Processor will inform Member of any legal requirement which prevents it from complying with Member’s instructions, unless prohibited from doing so by applicable law.
2.3 Member Obligations. Member represents and warrants that, as applicable to Member’s use of the Products, Member shall: (i) comply with Data Protection Laws with respect to MPD collected, processed, shared, or provided to Processor in using the Products, (ii) maintain a conspicuous privacy notice or equivalent statement that meets applicable notice requirements under Data Protection Laws and/or other legally-required statement, which accurately discloses all applicable data collection, use, sharing, disclosure, and security practices, (iii) secure any required permissions and/or consents or, if required under Data Protection Laws, establish a valid legal basis to collect, obtain, and share MPD with Processor for the purposes of providing the Products, and (iv) establish and maintain processes for the exercise of privacy rights individuals may have with respect to their MPD.
3. Data Subject Rights. Member is responsible for responding to any request by a data subject to exercise their rights under Data Protection Laws (each a “Request”). Processor shall reasonably cooperate with Member to enable Member to respond to a Request. In the event that any Request is made directly to Processor, Processor shall direct the data subject to Member to exercise their rights in relation to MPD.
4. Subcontractors and Personnel
4.1 Personnel. Processor shall: (i) inform its personnel with access to MPD of the confidential nature of MPD, (ii) obligate such personnel to maintain the confidentiality of MPD, and (iii) train such personnel in the handling and processing of MPD under Data Protection Laws.
4.2 Subcontractors. Member consents to Processor engaging subcontractors or subprocessors to process MPD for to provide the Products. The current list of subcontractors/subprocessors (“Subprocessor List”) may be viewed at https://avinodegroup.com/subprocessors/. Processor shall update the Subprocessor List with any change in processors at least 30 days prior to such change (except where shorter notice is required due to exceptional circumstances). In the event Member reasonably objects to a change made to the Subprocessor List and Processor is unable to provide the Products without the use of such subprocessor and no other reasonable solution can be mutually agreed to, either party may promptly terminate the Membership Agreement (in whole or in part), by providing written notice to the other party and Member will receive a prorated refund of any prepaid, unused fees for the period following the effective date of termination.
5. Security Measures and Privacy Audits. In providing the Products, Processor will implement appropriate technical and organizational security measures to protect MPD from a Security Incident using measures appropriate to the risks that are presented by the nature of the processing of MPD (and such measures will meet or exceed those identified in Annex 1 Part I). Processor shall, upon Member’s reasonable request, provide information and records concerning the processing of MPD in providing the Products as needed to demonstrate Processor’s compliance with Data Protection Laws or this DPA.
6. Security Incident. In the event of a confirmed Security Incident affecting MPD, Processor shall: (i) promptly inform Member and provide details of the Security Incident; (ii) provide timely information and reasonable cooperation as Member may require to fulfill its data breach reporting obligations under Data Protection Laws or respond to any inquiries by a data protection authority that may arise from the Security Incident; (iii) investigate the Security Incident, and; (iv) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security
Incident. Processor shall not be liable for any Security Incident caused by Member or Member’s personnel or end users.
7. Data Protection Impact Assessments. Processor will provide Member with reasonable cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that Member is required to make in respect of MPD under Data Protection Laws.
8. De-Identified Information. Processor may de-identify, anonymize and/or aggregate MPD and other information derived from the Products, including information related to the performance, operation and use of the Products. Processor may use such information for its own purposes and share such information with others.
9. Cross-Border Data Transfers. Member agrees that Processor and its subprocessors may transfer, store, and Process MPD in locations other than Member’s country. Where Processor engages in an onward transfer of MPD, Processor shall employe a lawful data transfer mechanism for transferring MPD from one country to another.
9.1.1 To the extent legally required, by entering into the Membership Agreement and/or accessing the Products, Member and Processor are deemed to have signed the SCCs, which form part of this DPA and (except as described in Sections 9.1.2 and 9.1.3 below) will be deemed completed as follows: (i) Processor is the “data importer”, and Member and its affiliates established within the European Economic Area that are using the Products are collectively the “data exporter” and each shall comply with the SCC, including the additional terms in this section and Annex 1 Part I; (ii) this DPA and the Membership Agreement constitute Member’s written instructions for purposes of Clause 8.1(a) of the SCC and for the avoidance of doubt include onward transfers to a third party located outside the EEA for the purpose of the performance of the Products; and (iii) by executing this DPA, the parties are executing the SCC. In case of any transfers of MPD under the SCC from Switzerland subject exclusively to Swiss Data Protection Laws (i) general and specific references in the SCC to GDPR or EU or Member State Law shall hereby be deemed to have the same meaning as the equivalent reference in Swiss Data Protection Laws; and (ii) any other obligation in the SCC determined by the Member State in which the data exporter or data subject is established shall hereby be deemed to refer to an obligation under Swiss Data Protection laws.
9.1.2 With respect to MPD transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as set forth in Annex 1 Part II (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs.
9.1.3 Notwithstanding the foregoing, to the extent an alternative legally permissible data transfer mechanism for international transfers under this DPA is available during the term of the Agreement, the parties may cooperate to implement such alternative mechanism in lieu of the SCC.
10. Miscellaneous. All notices under this DPA shall be directed to [email protected]. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. In the event of any conflict or inconsistency between this DPA and any privacy or security provisions set out in any agreement, the parties agree that the terms of this DPA shall prevail only with respect to the matters specifically addressed in this DPA. Each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them.
Annex 1
Part I: Information Required for the SCC
For the purposes of the SCC, Member is the data exporter and Processor is the data importer and the Parties agree to the following. The information required for the purposes of the Appendix to the SCC is set out in this Annex 1 Part
| Information required for Sections I – IV of the SCC | |
| Clause 7 (Docking Clause) | The option under clause 7 shall apply. |
| Clause 9 (use of sub-processors) | Option 2 under clause 9 shall apply. For the purposes of clause 9(a), the agreed list of sub-processors is set out as provided in Section 4.2 of this DPA. Processor shall inform Member of any changes to sub-processors following the procedure provided for in Section 4.2 of this DPA. Where Processor enters into the SCC with a sub-processor in connection with the provision of the Products, Member hereby grants Processor authority to provide a general authorisation on Member’s behalf for the engagement of sub-processors by those sub-processors engaged in the provision of the Products, as well as decision making and approval authority for the addition or replacement of any such sub-processors. |
| Clause 11 (Redress) | The option under Clause 11 shall not apply. |
| Clause 13 (Supervision) | At Clause 13(a), all three options are retained and apply as relevant where the transfer falls within the territorial scope of Regulation (EU) 2016/679. Where Member is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner’s Office shall act as competent supervisory authority. Where Member is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations. |
| Clause 17 (Governing Law) | The governing law for the purposes of Clause 17 shall be (i) the laws of Sweden; or (ii) the laws of England & Wales. |
| Clause 18 (Choice of forum and jurisdiction) | The courts under Clause 18 shall be (i) Sweden; or (ii) the courts of England & Wales. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes. |
| Information to be incorporated into Annex I of the SCC | |
| Data Exporter | Name: The Data Exporter is Member as specified in the Membership Agreement defined on page 1 of the DPA and its affiliates established within the EU, Switzerland and/or the UK that are using the Products. Address: As specified in the Membership Agreement. Contact person’s name, position and contact details: As specified in the Membership Agreement. Activities relevant to the data transferred under these Clauses: Recipient of the Products pursuant to the Membership Agreement. Signature and date: By entering into this DPA, Data Exporter is deemed to have signed the SCC, including the Appendix to the SCC. Role (controller/processor): Controller |
| Data Importer | Name: The Data Importer is Processor as defined on page 1 of the DPA. Address: 11 Continental Blvd, Suite C Merrimack, New Hampshire 03054 Contact person’s name, position and contact details: Privacy Team, [email protected] Activities relevant to the data transferred under these Clauses: Provision of the Products pursuant to the Membership Agreement. Signature and date: By entering into this DPA, Data Importer is deemed to have signed the SCC, including the Appendix to the SCC. Role (controller/processor): Processor. |
| Categories of data subjects whose personal data is transferred | Depending on the Product, Members and their authorized representatives and users, as well as individuals on whose behalf Members make arrangements, including aircraft owners, pilots, crew members, and passengers. |
| Categories of personal data transferred | Depending on the data subject, the personal data transferred may include: • Personal and work contact information (name, postal address, phone number, email address) • Financial information which Member chooses to provide (e.g., payment card information, transactional data, booking information) • Flight and aircraft information (e.g., origin and destination, airports, estimated travel time) • Training and certification information (e.g., pilot certification, flight times, training status) • Information about passengers and crew members for compliance purposes(e.g., government identifier, visa status, gender, date of birth) • Other information inputted by Member’s representatives from time to time as notes |
| Sensitive data transferred (if applicable) | None |
| Frequency of the transfer | On-going basis depending on the use of the Products by Member |
| Nature of the processing | Processor will use the personal data transferred on behalf of and at the direction of the Member to provide the Products contracted by the Member, and as set forth in Section 2.2 of this DPA. |
| Purpose(s) of the data transfer and further processing | Processor will process MPD as necessary in order to perform the Products and any related activities set forth in the Membership Agreement. |
| Duration of Processing | Processor will process MPD for the duration of the Membership Agreement unless otherwise agreed upon in writing. |
| Sub-Processor Transfers | Sub-processors will process MPD (i) as necessary to perform the Products pursuant to the Membership Agreement and (ii) for the duration of the Membership Agreement, unless otherwise agreed in writing. |
| Competent Supervisory Authority | As set out above against Clause 13. |
| Information to be incorporated into Annex II of the SCC | |
| Technical and Organisational Measures | Processor will implement, maintain, and continuously control and update, appropriate technical and organisational security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. Such measures are further described at https://avinodegroup.com/security-compliance/. |
Part II: UK Addendum
For the purposes of this UK Addendum, Member is the data exporter and Processor is the data importer and the Parties agree to the following. To the extent that any transfer of MPD is subject to United Kingdom law, the UK SCCs shall be deemed executed as follows:
Part 1:
Part 2:
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.