US DPA Attachment 2: DOJ Rule on Preventing Access to Americans’ Bulk Sensitive Personal Data

Last updated: July 22, 2025

  1. The DOJ Rule is available at: https://www.justice.gov/nsd/media/1382521/dl?inline 
  2. Each Party acknowledges that the term “Sensitive Personal Data” under the DOJ Rule has a different meaning than the definition of “Sensitive Personal Data” under the DPA. For purposes of this Attachment 2, the term “Sensitive Personal Data” has the meaning in the DOJ Rule.  
  3. The Disclosing Party (a US entity) provides the Receiving Party (a non-US entity) access to Sensitive Personal Data for the purposes set forth in the Agreement, including the US DPA. 
  4. The Receiving Party is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in the following: (a) selling, licensing of access to, or other similar commercial transactions, such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration, the Sensitive Personal Data or any part thereof, to countries of concern or covered persons, as defined in 28 CFR part 202.
  5. Where the Receiving Party knows or suspects that a country of concern or covered person has gained access to Sensitive Personal Data through a data brokerage transaction, the Receiving Party will immediately inform the Disclosing Party. Failure to comply with the above will constitute a breach of the Agreement and may constitute a violation of 28 CFR part 202.