Exhibit A: Transfers to Third Countries

I. Standard Contractual Clauses (EU SCCs)

1. Optional Provisions and Annexes

a. Clause 7

The optional docking clause will not apply.

b. Clause 9

Not applicable to Module I (Controller to Controller).

c. Clause 11

In Clause 11, the optional language will not apply.

d. Clause 17

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands.

e. Clause 18

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that such disputes shall be brought before the Netherlands Commercial Court, Amsterdam, and proceedings shall be in English.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

2. Appendix to the Standard Contractual Clauses

ANNEX I

A. LIST OF PARTIES

Data exporter:

Name: The Enphase entity as specified in the API License Agreement.
Address: As specified in the API License Agreement for the applicable Enphase entity.

Contact person’s name, position and contact details: As specified in the API License Agreement.

Activities relevant to the data transferred under these Clauses: In accordance with the activities of the data exporter under the API License Agreement.

Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Role: Controller.

Data importer:

Address: As specified in the API License Agreement and/or in the associated API Developer Portal account.

Contact person’s name, position and contact details: As specified in the API License Agreement and/or in the associated API Developer Portal account.

Activities relevant to the data transferred under these Clauses: In accordance with the activities of the data importer under the API License Agreement.

Signature and date: By entering into the Agreement, data importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Role: Controller.


The API License Agreement referred to throughout this document is located here: https://enphase.com/api-license-agreement-v4.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The personal data transferred concern the following categories of data subjects (including legal entities, in the case of Switzerland data subjects):

  • Enphase customers who have ordered products from Enphase, have set up an Enphase App or my.enphase.com account, and/or who have an internet-connected Enphase Energy System.

Categories of personal data transferred.

The personal data transferred concern the following categories of data.

  • Enphase customer data. This data is related to Enphase Energy Systems, and includes the following:

  1. Customer identifiers: name, email, phone, address, and other contact information provided by the customer.
  2. System information: pseudonymized site ID, system hardware model numbers and serial numbers, energy production information, energy consumption information, IP address, internet connectivity status, and other information about the home’s electrical system and Enphase Energy System.
  3. Additional information related to a customer’s ownership and use of an Enphase Energy System.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • Not applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Both Enphase customer data and system data are transferred on a continuous basis, as determined by the frequency of the API calls.

Nature of the processing.

  • Processing under and as described in the Agreement.

Purpose(s) of the data transfer and further processing.

  • Enphase customer data and system data is processed as necessary to provide the data importer with the data obtained via the API as further described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

  • The period for which the Personal Data will be retained will be determined by the data importer in accordance with its data privacy and data retention policies.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

  • Not applicable.

All of the above sub-processors (if any) process at the direction of Enphase according to a Data Processing Agreement compliant with GDPR expectations, for a duration restricted as defined by Enphase’s Record Retention/Destruction Policy.

C. COMPETENT SUPERVISORY AUTHORITY

Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”).

Contact details:

  1. Postal address

     Autoriteit Persoonsgegevens
     PO Box 93374
     2509 AJ DEN HAAG

  2. Telephone

     Telephone number: (+31) - (0)70 - 888 85 00
     Fax: (+31) - (0)70 - 888 85 01
 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Technical and organizational safeguards include:

Technical safeguards:

  1. Data transferred is minimized and we collect and process only the minimum necessary to carry out the monitoring and warranty/service/firmware upgrade functions.
  2. Encryption is used where possible, including for data in transit and at rest.
  3. Data importer provides consumers notice at the time of collection and the right to opt-out, subject to certain legal requirements to keep data for warranty or contractual purposes, legal requirements, or otherwise.
  4. Data importer’s retention schedule is specific and appropriate to the nature of the data and reasonably limited to the time required for the purposes for which it collects and transfers the data.
  5. Ongoing Enphase Energy System data in transit is pseudonymized because only an Enphase-designed “site ID” is transmitted with energy and system information – the site ID is unique to a particular site but does not have any meaning to the broader world outside of Enphase.

Organizational safeguards:

  1. Privacy training.
  2. Privacy-by-design (designing product to minimize collection and retention, providing disclosure at collection and customer choice on an ongoing basis).
  3. Executive-staff oversight (through hierarchical reporting of key issues according to materiality).

Sub-processors also implement technical and organizational measures appropriate to the nature of the data being shared, their location, and other factors. Data Processing Agreements with those sub-processors are available to authorities upon request.

II. UK SCCs

In relation to Personal Data that is protected by the UK Data Protection Laws (as amended or replaced), the UK SCCs shall apply to transfers of such Personal Data, except that:

  1. In Table 1 (Parties): the relevant information is set out above in Annex I, “List of Parties,” of Section I, “Standard Contractual Clauses (EU SCCs).”
  2. In Table 2 (Selected SCCs, Modules and Selected Clauses): only Module 1 (Controller to Controller) shall apply and the relevant information relating to the selected clauses/optional provisions is set out above in Section 1, “Optional Provisions and Annexes,” under Section I, “Standard Contractual Clauses (EU SCCs).”
  3. In Table 3 (Appendix Information):
    1. The list of Parties is set out above in Annex I, Section A, “List of Parties,” of Section I, “Standard Contractual Clauses (EU SCCs).”
    2. The description of the transfer is set out in Annex I, Section B, “Description of Transfer,” of Section I, “Standard Contractual Clauses (EU SCCs).”
    3. The relevant information is set out in Annex II, “Technical and Organisational Measures Including Technical and Organisational Measures to Ensure The Security Of The Data,” of Section I, “Standard Contractual Clauses (EU SCCs).”
    4. The list of Sub-processors is not applicable to Module.
  4. In Table 4: both the Importer and/or the Exporter may end the UK SCC in accordance with the terms set out in the UK SCCs.

III. Swiss SCCs

In relation to Personal Data that is protected by the Swiss DPA (as amended or replaced), the EU SCCs, completed as set out above, shall apply to transfers of such Personal Data, except that:

  1. References to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the EU SCCs shall be understood to be references to the Swiss DPA (as amended or replaced).
  2. References to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland.
  3. The competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner.
  4. In Clause 17, the governing law shall be the laws of Switzerland.
  5. In Clause 18(b), disputes shall be resolved before the courts of Switzerland.