To: Teradata Vendor Legal/Privacy Teams (as applicable) From

To: Teradata Vendor Legal/Privacy Teams (as applicable)

From: Teradata Privacy Legal Team

Re:

Notice of Amended Privacy Laws, including revised Standard

Contractual Clauses (EU &

Swiss SCCs & UK Clauses) and CPRA

Dear Teradata Vendor,

We are writing to you in relation to your company’s provision of goods or services to Teradata under a

master or other governing agreement and the related data processing agreement or addendum

(collectively, the “Agreement”). As a Teradata vendor, you have agreed to comply with laws, including

privacy laws, applicable to the goods and services you provide to Teradata Operations, Inc., having its

principal place of business at 17095 Via Del Campo, San Diego, CA 92127, USA, and/or any of its direct or

indirect subsidiaries or affiliates (hereinafter each and collectively referred to as “Teradata”). This Notice

recognizes recent updates to certain privacy laws and the need to comply with those laws and the need

to amend the Agreement to comply with those laws.

Replacement of Old SCCs with New SCCs Under GDPR & New Swiss and UK Clauses

On June 4, 2021, the European Commission published new standard contractual clauses

(“New SCCs”)

for international transfers of personal data to countries outside of the European Economic Area (“EEA”).

Under the General Data Protection Regulation (“GDPR”), such transfers must meet certain conditions to

be lawful (“Conditions”). The New SCCs are an EEA-approved mechanism to enable companies

transferring personal data outside of the EEA to meet those Conditions. They replace the previous set of

standard contractual clauses (“Old SCCs”), which were deemed inadequate by the Court of Justice of the

European Union. The European Commission requires that all companies relying on the standard

contractual clauses as a mechanism to transfer personal data outside of the EEA implement the New

SCCs by December 27, 2022.

To the extent that our current Agreement with you incorporates the Old SCCs, or requires the addition

of the New SCCs to meet the Conditions, Teradata hereby notifies you that such Agreement is amended:

i) to replace the Old SCCs with, or to add, the New SCCs, where required, for the transfer of

personal data outside of the EEA, and

ii) to include, as applicable, the UK International Data Transfer Agreement VERSION A1.0

, in

force 21 March 2022 for transfers from the UK (“UK Clauses”), and

iii) to include, as applicable, the necessary amendments to the New SCCs for transfers of

personal data from Switzerland (“Swiss Clauses”), all occurring from the Effective Date

below.

All references in the Agreement to the Old SCCs in the Agreement will now correspond to the New SCCs,

UK Clauses, and Swiss Clauses, as applicable.

1. Interpretation. All capitalized terms that are not expressly defined in this Notice shall have the

meanings assigned to them in the Agreement. In the event of any conflict between the Notice

and the Agreement, the provisions of the Notice shall prevail to the extent necessary to comply

with the law.

2. Revised terms for the New SCCs, UK Clauses, and Swiss Clauses:

a. New SCCs:

i. Module: The applicable Module (1, 2, 3 or 4) of the New SCCs will be applied,

depending on the particular roles of the parties under the Agreement, and the

following shall apply:

ii. Clause 7: the Docking clause shall apply.

iii. Clause 9(a) (Modules 2 & 3 Only): Option 1-Specific Prior Authorization

required from Teradata for sub-processors, with 30 days prior notice, shall

apply.

iv. Clause 11(a): The Optional text shall apply.

v. Clause 17: The Governing Law shall be the laws of Ireland.

vi. Clause 18: Forum and Jurisdiction: Any dispute arising from the New SCCs shall

be resolved by the courts of Ireland.

vii. Annex I & II: Details are provided in the Agreement. The period of processing

shall be the duration of the Agreement or as otherwise agreed in writing.

Regarding Annex II: you will implement technical and organizational measures

no less protective of the personal data than those set out here

, as may be

supplemented by those in the Agreement.

viii. Annex I.C. Competent Supervisory Authority: Bayerisches Landesamt für

Datenschutzaufsichtrity.

ix. Annex III (Modules 2 & 3 Only): Details are provided in the Agreement.

b. UK Clauses: The UK Clauses, or updated applicable standard data protection clauses

issued, adopted or permitted under the UK GDPR from time to time, shall be

incorporated by reference, and the annexes, appendices or tables of such clauses shall

be deemed populated with the relevant information set out in the New SCCs and their

Annexes.

c. Switzerland: To the extent that the Swiss Federal Act on Data Protection (25 September

2020) (“FADP”) applies to the data exporter’s processing when transferring personal

data, the New SCCs shall be amended with the following modifications:

i. references to “Regulation (EU) 2016/679” shall be interpreted as references to

the FADP (as applicable);

ii. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced

with the equivalent article or section of the FADP;

iii. references to Regulation (EU) 2018/1725 shall be removed;

iv. references to “EU,” “Union” and “Member State” shall be replaced with

references to “Switzerland”;

v. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory

authority” shall be the Swiss Federal Data Protection Information

Commissioner;

vi. references to the “competent supervisory authority” and “competent courts”

shall be replaced with references to the “Swiss Federal Data Protection

Information Commissioner” and “applicable courts of Switzerland”;

vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of

Switzerland (as applicable); and

viii. to the extent the FADP applies to the Processing, Clause 18 shall be replaced to

state: “Any dispute arising from these Clauses shall be resolved by the

competent courts of Switzerland. The Parties agree to submit themselves to the

jurisdiction of such courts.”

d. Application: The parties shall abide by the terms of the New SCCs, UK Clauses, and Swiss

Clauses in the manner described in this Notice. The New SCCs, UK Clauses, and Swiss

Clauses shall apply to your company in its role as “data importer” and to Teradata in its

role as “data exporter” and, to the extent legally required, all of the parties’ authorized

affiliates established within the European Economic Area, Switzerland, or the UK.

e. In respect of any proposed transfer to a non-Teradata party that relates to the

Agreement, you shall only make such transfers using the New SCCs, the UK Clauses, or

the Swiss Clauses, as the case may be, or other lawful transfer mechanism, and with the

prior written consent of Teradata. Any such transfer must be carried out in accordance

with the conditions stipulated in chapter V of the GDPR, the UK GDPR, and the Swiss

FADP.

Agreement Not to Sell or Share Personal Information under the CPRA

In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (“CPRA”).

The CPRA amends and extends the California Consumer Privacy Act of 2018 and shall become generally

operative on January 1, 2023. The CPRA includes additional contracting requirements for vendors of

Teradata.

To the extent that the CPRA is applicable to the services you provide to Teradata, the Agreement is

amended to state that you shall continue to comply with CPRA requirements, including that you:

• Shall not Sell or Share a consumer’s personal information, as these terms are defined under

California Civil Code Sections 1798.140(ad) and 1798.140(ah);

• Shall obligate any third party, service provider, or contractor authorized by Teradata:

o not to Sell or Share a consumer’s personal information,

o to comply with other applicable obligations under the CPRA, and

o to provide the same level of privacy protection as is required by the CPRA;

• Grant Teradata the right to take reasonable and appropriate steps to help ensure that you and

any authorized third party, service provider, or contractor use the personal information

transferred in a manner consistent with the business’ obligations under the CPRA;

• Shall notify us if you determine that you can no longer meet your obligations under the CPRA;

and

• Grant us the right, upon notice, to take reasonable and appropriate steps to stop and remediate

unauthorized use of personal information.

Conclusion

Except as required to comply with governing law, this Notice in no way alters any terms or conditions

contained in the Agreement. Rather, it amends the Agreement to recognize the parties’ continued

compliance with any applicable laws and adherence to the recent changes described above.

As applicable, the amendments listed above are incorporated into the Agreement from the Effective

Date below. For the avoidance of doubt, receipt of this Notice shall be deemed to constitute acceptance

of the New SCCs, UK Clauses, Swiss Clauses, and the CPRA amendments.

You do not need to take any further action to incorporate the New SCCs, UK Clauses, Swiss Clauses, or

CPRA amendments into your Agreement with Teradata.

Effective Date: Changes regarding New SCCs under GDPR and the New Swiss and UK Clauses will come

into effect on December 27, 2022. The changes regarding CPRA will come into effect on 1

January

2023.

For information on how Teradata collects, uses, and discloses personal data, as well as the choices

available regarding the personal data Teradata collects and processes, please read the

Teradata Privacy

Policy. For questions about our privacy program or practices, please email our Privacy Team at

privacy@teradata.com.