US DPA Attachment 2: DOJ Rule on Preventing Access to Americans’ Bulk Sensitive Personal Data
Last updated: July 22, 2025
- The DOJ Rule is available at: https://www.justice.gov/nsd/media/1382521/dl?inline
- Each Party acknowledges that the term “Sensitive Personal Data” under the DOJ Rule has a different meaning than the definition of “Sensitive Personal Data” under the DPA. For purposes of this Attachment 2, the term “Sensitive Personal Data” has the meaning in the DOJ Rule.
- The Disclosing Party (a US entity) provides the Receiving Party (a non-US entity) access to Sensitive Personal Data for the purposes set forth in the Agreement, including the US DPA.
- The Receiving Party is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in the following: (a) selling, licensing of access to, or other similar commercial transactions, such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration, the Sensitive Personal Data or any part thereof, to countries of concern or covered persons, as defined in 28 CFR part 202.
- Where the Receiving Party knows or suspects that a country of concern or covered person has gained access to Sensitive Personal Data through a data brokerage transaction, the Receiving Party will immediately inform the Disclosing Party. Failure to comply with the above will constitute a breach of the Agreement and may constitute a violation of 28 CFR part 202.