GDPR Data Protection Addendum

Last Updated: December 3, 2025 · Effective Date: December 3, 2025

1. Scope

This Addendum applies to processing of Personal Data of EU/EEA residents under GDPR (Regulation 2016/679).

2. Roles and Responsibilities

• Controller: Customer determines purposes and means of processing
• Processor: Milenial Procurments Inc. processes data on Controller's behalf

3. Lawful Basis for Processing

Processing is conducted under:

• Contract performance (Article 6(1)(b))
• Legitimate interests (Article 6(1)(f))
• Consent where required (Article 6(1)(a))

4. Data Subject Rights

We assist Controllers in responding to:

• Access: Right to obtain copy of Personal Data
• Rectification: Right to correct inaccurate data
• Erasure: Right to deletion ("right to be forgotten")
• Portability: Right to receive data in portable format
• Restriction: Right to limit processing
• Objection: Right to object to processing
• Response timeline: 30 days from verified request

5. International Data Transfers

Transfers outside EEA use:

• EU Standard Contractual Clauses (SCCs)
• Supplementary measures as required
• Transfer Impact Assessments

6. Data Protection Impact Assessments

We assist Controllers with DPIAs for high-risk processing activities.

7. Records of Processing

We maintain records per Article 30 including:

• Categories of processing activities
• Data categories and recipients
• Transfer mechanisms
• Retention periods
• Security measures

8. EU Representative

For EU inquiries: eu-representative@milenialinc.com

9. Contact

Data Protection Officer: dpo@milenialinc.com