UK Data Protection Addendum

1. Scope and Applicability

1.1

This UK Data Protection Addendum (“UK Addendum”) supplements and forms part of the LeaderCoreAI Data Processing Agreement (“DPA”) between Blue Horizon Training S.R.L. (“Vendor”) and the Customer identified in the relevant order form or subscription arrangement.

1.2

This UK Addendum applies whenever and to the extent that Customer Data includes Personal Data of data subjects located in the United Kingdom (“UK Personal Data”), or the processing of Customer Data is otherwise subject to UK Data Protection Laws.

1.3

In the event of any conflict between this UK Addendum and the DPA with respect to the processing of UK Personal Data, this UK Addendum shall prevail.

1.4

Terms not defined in this UK Addendum have the meanings given in the DPA.

2. Definitions

The following additional definitions apply for the purposes of this UK Addendum:

• “UK Data Protection Laws” means the UK GDPR, the Data Protection Act 2018 (“DPA 2018”), the Privacy and Electronic Communications Regulations 2003 (as amended), and any subordinate legislation made under those enactments, including the Data (Use and Access) Act 2025 to the extent in force, in each case as amended, superseded or replaced from time to time.
• “UK GDPR” means the retained version of Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended).
• “ICO” means the Information Commissioner’s Office, the UK’s independent supervisory authority for data protection.
• “UK IDTA” means the International Data Transfer Agreement issued by the ICO under section 119A of the DPA 2018.
• “UK Addendum to EU SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the ICO under section 119A of the DPA 2018.
• “Transfer Risk Assessment” or “TRA” means the assessment required by the ICO to evaluate whether a restricted transfer of UK Personal Data provides an adequate level of data protection in the destination country, as described in the ICO’s guidance on international transfers (also referred to as a “data protection test” under the Data (Use and Access) Act 2025).
• “Restricted Transfer” means a transfer of UK Personal Data to a separate legal entity located outside the United Kingdom, where the transfer is subject to the international transfer provisions of Chapter V of the UK GDPR.

3. Legal Framework

3.1

For the purposes of UK Personal Data, all references in the DPA to “GDPR”, “Regulation (EU) 2016/679”, or “EU data protection law” shall be read as references to the UK GDPR and the DPA 2018 (and any other UK Data Protection Laws), as applicable.

3.2

All references in the DPA to “Supervisory Authority” shall, in respect of UK Personal Data, include the ICO.

3.3

All references in the DPA to the rights of Data Subjects under “Chapter III GDPR” shall, in respect of UK Personal Data, include the equivalent data subject rights under the UK GDPR and the DPA 2018.

3.4

All references in the DPA to “EU or Member State law” shall, in respect of UK Personal Data, include the laws of England and Wales, Scotland, and Northern Ireland.

4. International Transfers of UK Personal Data

4.1 General

Vendor shall not make a Restricted Transfer of UK Personal Data unless it has ensured that an appropriate transfer mechanism is in place as required by Chapter V of the UK GDPR.

4.2 Permitted Transfer Mechanisms

For Restricted Transfers of UK Personal Data, the following transfer mechanisms may be used (in order of preference):

• (a) UK adequacy regulations – where the destination country is the subject of UK adequacy regulations made by the Secretary of State under section 17A of the DPA 2018;
• (b) UK IDTA – the International Data Transfer Agreement issued by the ICO;
• (c) UK Addendum to EU SCCs – the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the ICO; or
• (d) other safeguards permitted under Article 46 of the UK GDPR, or derogations under Article 49 of the UK GDPR where no other mechanism is available.

4.3 Transfer Risk Assessments

Where Vendor relies on a transfer mechanism under Clause 4.2(b), (c) or (d), Vendor shall conduct and maintain a Transfer Risk Assessment for each Restricted Transfer, evaluating whether the laws and practices of the destination country materially undermine the protections provided by the transfer mechanism. Vendor shall make the results of relevant TRAs available to Customer upon reasonable request.

4.4 Sub-processor Transfers

Vendor shall ensure that each Sub-processor that processes UK Personal Data in a country not covered by UK adequacy regulations has entered into an appropriate transfer mechanism with Vendor (or directly with Customer where applicable), such as the UK IDTA or UK Addendum to EU SCCs, and that a TRA has been completed for that transfer.

4.5 Current Transfer Position

As of the date of this UK Addendum, Vendor’s primary data processing infrastructure (Google Cloud Platform, including Vertex AI for generative AI processing) is located in europe-central2 (Poland, EEA). The EEA is covered by UK adequacy regulations. The Sub-processor-specific transfer safeguards for UK Personal Data are set out in the UK Sub-processor Schedule (Annex A to this UK Addendum).

5. Personal Data Breach Notification

5.1

For breaches involving UK Personal Data, Vendor shall notify Customer within twenty-four (24) hours of becoming aware of the Personal Data Breach. This is to ensure that Customer has sufficient time to assess the breach and, where required, notify the ICO within the seventy-two (72) hour deadline under Article 33 of the UK GDPR.

5.2

The content of the breach notification shall be as described in Clause 10 of the DPA.

6. UK Representative

6.1

Vendor is not established in the United Kingdom. In accordance with Article 27 of the UK GDPR, Vendor shall designate in writing a representative in the United Kingdom (“UK Representative”) who shall be mandated to be addressed by the ICO and by data subjects in the UK on all issues related to the processing of UK Personal Data.

6.2

Vendor’s UK Representative is:

Data Protection Representative Limited (trading as ‘DataRep’), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 77 Camden Street Lower, Dublin, D02 XE80, Ireland

6.3

Vendor shall maintain the UK Representative appointment for as long as it processes UK Personal Data. If the identity or contact details of the UK Representative change, Vendor shall promptly notify Customer and update its Privacy Policy accordingly.

6.4

The designation of the UK Representative does not affect Vendor’s own responsibility or liability under the UK GDPR or this UK Addendum.

7. Supervisory Authority Co-operation

7.1

Vendor shall co-operate with the ICO (and, where applicable, with Customer in connection with ICO inquiries or investigations) to the extent required by UK Data Protection Laws and this UK Addendum.

7.2

Vendor shall inform Customer without undue delay if it receives any inquiry, request, complaint or order from the ICO relating to the processing of UK Personal Data, unless prohibited by law from doing so.

8. Special Category Data

If UK Personal Data incidentally submitted by users through free-text fields includes special category data within the meaning of Article 9 of the UK GDPR (or criminal offence data under Article 10), Vendor shall take reasonable steps to delete such data upon becoming aware of its presence. Vendor shall not intentionally process special category UK Personal Data for profiling or any other purpose, and shall notify Customer if it becomes aware that special category data has been systematically submitted through the Platform.

9. Governing Law

9.1

This UK Addendum and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) relating to the processing of UK Personal Data shall be governed by the laws of England and Wales.

9.2

The courts of England and Wales shall have non-exclusive jurisdiction in respect of any dispute arising under this UK Addendum relating to UK Personal Data. This is without prejudice to the rights of data subjects and the ICO under UK Data Protection Laws.

10. Amendments

Vendor may update this UK Addendum to reflect changes in UK Data Protection Laws or ICO guidance. Material updates affecting Customer’s data protection rights or Vendor’s data protection obligations will be communicated at least 30 days before taking effect. If Customer objects to a material update, Customer may terminate the affected subscription(s) by written notice within that 30-day period, with a pro-rated refund for any prepaid unused Subscription Term.

11. General

11.1

Except as modified by this UK Addendum, all terms and conditions of the DPA remain in full force and effect.

11.2

This UK Addendum shall remain in effect for as long as Vendor processes UK Personal Data on behalf of Customer, including any post-termination retention periods.

Annex A – UK Sub-processor Schedule

The following table sets out the transfer mechanisms and TRA status for each Sub-processor in respect of UK Personal Data:

Vendor will keep this Annex up to date. Any changes to Sub-processors will be communicated in accordance with Clause 7 of the DPA.