Transfer Impact Assessment

Whenever Messente (or its sub-processors) processes personal data in other countries than the country in which the Messente is established, Messente will ensure an adequate level of protection for personal data by means of organisational, technical and contractual measures as is required by Data Protection Legislation and our Data Protection Agreements.

1. Where Personal Data of a Data Controller based in the EEA, the United Kingdom, or Switzerland is processed in a country outside the EEA, the United Kingdom, Switzerland, or any country, organization or territory acknowledged by the European Union as a safe country with an adequate level of data protection under art. 45 GDPR and no other lawful transfer mechanism such as Binding Corporate Rules (art. 47 GDPR) or Code of Conduct (art. 40 GDPR) are available, or where Personal Data of another Data Controller is processed internationally and such international processing requires adequacy means under the laws of the country of the Data Controller and the required adequacy means can be met by entering into Standard Contractual Clauses, the transfer is made pursuant to European Commission approved Standard Contractual Clauses or the UK International Data Transfer Agreement for the transfer of Personal Data.

2. In case European Commission-approved standard contractual clauses are concluded between Messente and the Customer, the following applies until a competent Member State supervisory authority, or an EU or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (in case if such mechanism applies only to some of the data transfers, the following clauses will remain applicable for the transfers that cannot be covered by this new lawful transfer mechanism):

2.1 Rights granted to data subjects under this DPA and the European Standard Contractual Clauses may be enforced by the data subject against Messente irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. These rights are personal and may not be assigned to others. The data subject may only bring a claim under this DPA and the European Standard Contractual Clauses on an individual basis, and not part of a class, collective, group or representative action.

2.2 In addition to Clause 5(b) of the Standard Contractual Clauses, Messente agrees that it, at the time of concluding this Agreement, has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the customer and its obligations under the Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Standard Contractual Clauses, it will notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.

2.3 For purpose of this section, lawful efforts do not include actions that would result in civil or criminal penalties such as contempt of court under the laws of the relevant jurisdiction:

In case Messente receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, Messente will where possible, redirect the third party to request data directly from the Customer.

In case Messente receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law.

Messente transfers Customer Content outside of the European Union as necessary to provide Messente products and services to our Customers. For example, utilising carriers located outside of the EEA for the purposes of delivery to markets outside of the EEA, such as Mobile Network Operators located outside of the EEA.

As each market and carrier can come with a varying degree of associated risks, Messente conducts the following to ensure traffic delivery:

Use of carriers only deemed as those who process in countries deemed as “safe” by the European Union

Limiting retention times in accordance with our Data Handling Policy with the respective retention periods included within the Data Processing Agreements and associated Addendums to those agreements signed with each respective carrier

Data Processing Agreements and associated Addendums are made with each carrier and sub-processor before engaging in any processing activities

We evaluate the data privacy and security practices of each subprocessor prior to engaging and onboarding such a subprocessor - this included reviewing data retention times, adequate documentation relating to the needed technical provisions as well as their respective Data Protection Documentation.