Effective Date: 1st March 2026
- INTRODUCTION
- The purpose of this International Data Transfer Agreements Repository (“Repository”) is to identify the International Data Transfer Agreements that apply when a Counterparty Processes Personal Information subject to Privacy Laws requiring specific cross-border data transfer mechanisms. Each International Data Transfer Agreement reflects the jurisdiction-specific contractual terms mandated or recognized by the relevant data protection authority and applies only where required under that jurisdiction’s laws. Without limiting the Counterparty’s obligations under the Privacy and Data Protection Schedule, the Counterparty shall comply with the applicable International Data Transfer Agreement whenever its Processing activities trigger a cross-border transfer requirement. For clarity, all jurisdiction-specific transfer mechanisms referenced in this Repository are deemed International Data Transfer Agreements.
- INCORPORATION BY REFERENCE
- These International Data Transfer Agreements are incorporated by reference via Amgen’s Privacy and Data Protection Schedule. By Processing Personal Information for Amgen, Counterparty agrees to the latest version of the applicable International Data Transfer Agreement(s) made available in this Repository, unless otherwise agreed in writing.
- MAINTENANCE AND UPDATES
- This Repository is maintained by Amgen’s Privacy Compliance team and updated as needed. Counterparty is responsible for reviewing this Repository to comply with the current applicable version.
- USE OF UPDATED INTERNATIONAL DATA TRANSFER AGREEMENTS
- The International Data Transfer Agreements made available in this Repository constitute the current versions required by Amgen for the Processing of Personal Information. To the extent an earlier version of an International Data Transfer Agreement was previously incorporated by reference into the Agreement or the Privacy Schedule, the version made available in this Repository replaces such earlier version on a going-forward basis and applies to all Processing from the date it is posted, unless otherwise agreed in writing by Amgen. For clarity, this section does not modify or supersede the terms of any International Data Transfer Agreement itself, including any Standard Contractual Clauses or regulator-issued addenda, which remain in effect as mandated by applicable Privacy Laws.
- CONFLICTS
- In the event of any conflict between this Repository and the Privacy Schedule, the Privacy Schedule controls. In the event of any conflict between this Repository and an applicable International Data Transfer Agreement, the International Data Transfer Agreement controls to the extent required under applicable Privacy Laws.
- DEFINITIONS
Any terms not defined in this Repository have the meanings assigned to them in the Privacy Schedule.
- “Adequate Jurisdiction” has the meaning assigned in the applicable International Data Transfer Agreement or in the Privacy Schedule, as relevant.
- “Agreement” means the governing agreement (including any amendments thereto) between Amgen and the Counterparty for the provision of goods or services, under which the Counterparty Processes Personal Information on behalf of Amgen.
- “International Data Transfer Agreement” means the jurisdiction-specific contractual instrument mandated or recognized by the applicable data protection authority for cross-border transfers of Personal Information, including without limitation Standard Contractual Clauses, International Data Transfer Agreements or Addenda, national model clauses, or other mandatory transfer mechanisms. All jurisdiction-specific contractual instruments referenced in this Repository constitute International Data Transfer Instruments for purposes of the Agreement, whether identified by title, reference, or citation.
- “Personal Information,” “Process,” “Processing,” “Company,” and “Counterparty” have the meanings assigned in the Privacy Schedule.
- “Privacy Schedule” means the data protection terms and conditions incorporated into the Agreement between Amgen and Counterparty involving the Processing of Personal Information on behalf of Amgen, including without limitation the Privacy and Data Protection Schedule.
- “Standard Contractual Clauses” means the model contractual clauses or standard contractual terms that are pre-approved, issued, or otherwise formally recognized by a competent data protection authority or governmental body under applicable Privacy Laws for purposes of establishing appropriate safeguards for cross-border Processing or international transfers of Personal Information. Standard Contractual Clauses may be issued by supranational, national, or regional authorities and may apply on a standalone basis or in combination with jurisdiction-specific addenda, supplements, or modifications, as required by applicable law.
- Standard Contractual Clauses, as applicable, are incorporated herein by reference. For purposes of this Repository, Standard Contractual Clauses include any jurisdiction-specific supplements, addenda, or mandatory modifications expressly identified herein and incorporated by reference. The applicable Standard Contractual Clauses shall apply when Personal Information is transferred or otherwise Processed in a manner that requires such safeguards under the Agreement and applicable Privacy Laws.
- INTERNATIONAL DATA TRANSFER AGREEMENTS BY JURISDICTION
Each of the following sections applies only when Processing involves Personal Information subject to that jurisdiction’s Privacy Laws.
- European, United Kingdom and Swiss Personal Data
- European Personal Data. If Personal Information originating from or Processed in the European Economic Area, the United Kingdom, or Switzerland (“European Personal Data”) is Processed by or on behalf of Counterparty outside of an Adequate Jurisdiction, then Company and Counterparty shall comply with the terms and conditions of the Standard Contractual Clauses (Module Two: Transfer controller to processor) available at: EU Standard Contractual Clauses as completed through the selection of applicable optional clauses and bracketed choices and as supplemented as expressly identified therein, with Company acting as the data exporter and Counterparty acting as the data importer, throughout the period that Counterparty Processes European Personal Data under the Agreement.
- For purposes of this Section 7.1 (European, United Kingdom and Swiss Personal Data), Standard Contractual Clauses refers to the model contract clauses that have been "pre-approved" and adopted (and may be amended from time to time) by the European Commission and, in the case of Processing activities outside of the United Kingdom, the Information Commissioner's Office, and in case of Processing activities outside of Switzerland, the Federal Data Protection and Information Commissioner, to ensure appropriate data protection safeguards for Processing activities, including without limitation, data transfers of European Personal Data from the European Union (EU) to third countries. The Standard Contractual Clauses, as applicable, are incorporated herein by reference and shall apply when European Personal Data is transferred or otherwise Processed as described in the Agreement.
- For the avoidance of doubt, all references in the Standard Contractual Clauses to 'data exporter' shall refer and apply to Company; all references to 'data importer' shall refer and apply to Counterparty; and all references to "personal data" in the Standard Contractual Clauses shall refer to European Personal Data as defined herein.
- Swiss Personal Data. "Swiss Personal Data" means the subset of European Personal Data that originates from or is Processed in Switzerland. If Swiss Personal Data is Processed by or on behalf of Counterparty under the Agreement, Company and Counterparty will comply with the Standard Contractual Clauses, as supplemented by the Swiss Addendum available at: Swiss Addendum (the “Swiss Addendum”). The Swiss Addendum modifies and supplements the Standard Contractual Clauses for purposes of Swiss Personal Data and is hereby incorporated herein by reference.
- United Kingdom Personal Data. "United Kingdom Personal Data" means the subset of European Personal Data that originates from or is Processed in the United Kingdom. If United Kingdom Personal Data is Processed by or on behalf of Counterparty under the Agreement, Company and Counterparty will comply with the Standard Contractual Clauses, as supplemented by the United Kingdom's International Data Transfer Addendum to the EU Standard Contractual Clauses, in force 21 March 2022, available at: UK Addendum (as the same may be amended from time to time, "UK Addendum"). The UK Addendum modifies and supplements the Standard Contractual Clauses for purposes of United Kingdom Personal Data and is hereby incorporated herein by reference. Notwithstanding anything in the Privacy Schedule to the contrary, where the Standard Contractual Clauses must be governed by the laws of the United Kingdom, the Standard Contractual Clauses shall be governed by and construed in accordance with the laws of England and Wales, to the extent required to satisfy such laws.
- Saudi Personal Data
- With respect to Personal Information Processed by or on behalf of the Counterparty that originates from or is Processed in the Kingdom of Saudi Arabia, and is subject to the Personal Data Protection Law issued by Royal Decree No. M/19 and its implementing regulations, as enforced by the Saudi Data and Artificial Intelligence Authority or any successor authority (“Saudi Personal Data”), Counterparty shall comply with the Standard Contractual Clauses for International Data Transfers (Module 2: Controller to Processor) issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) as made available at: KSA SCCs (the “KSA SCCs”). The KSA SCCs, as issued or amended by SDAIA, are incorporated herein by reference. For interpretive purposes, the term “Saudi Personal Data” shall be construed consistently with the term used to describe personal data in the applicable Saudi SCCs, now or as amended, and any such term used in the Saudi SCCs shall be deemed incorporated by reference.
- Notwithstanding anything to the contrary in the Privacy Schedule, where required to comply with the applicable legislation, the KSA SCCs shall be governed by, and construed in accordance with, the laws of the Kingdom of Saudi Arabia.
- Brazilian Personal Data
- With respect to Personal Information Processed by or on behalf of the Counterparty that originates from or is Processed in the Federative Republic of Brazil, and is subject to the Lei Geral de Proteção de Dados Pessoais (General Personal Data Protection Law), Law No. 13,709/2018, as amended and regulated by the Brazilian National Data Protection Authority (“Brazilian Personal Data”) under the Agreement, Counterparty shall comply with the Standard Contractual Clauses approved by the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados – “ANPD”), as made available at: Brazilian SCCs (the “Brazilian SCCs”). The Brazilian SCCs, as issued or amended by the ANPD, are incorporated herein by reference. For interpretive purposes, the term “Brazilian Personal Data” shall be construed consistently with the term used to describe personal data in the applicable Brazilian SCCs, now or as amended, and any such term used in the Brazilian SCCs shall be deemed incorporated by reference.
- Notwithstanding anything to the contrary in the Privacy Schedule, where required to comply with Brazilian data protection law, the Brazilian SCCs shall be governed by, and construed in accordance with, the laws of the Federative Republic of Brazil.
- Turkish Personal Data
- With respect to Personal Information Processed by or on behalf of the Counterparty that originates from or is Processed in the Republic of Türkiye, and is subject to Law No. 6698 on the Protection of Personal Data and any applicable regulations or decisions issued by the Turkish Personal Data Protection Authority (“Turkish Personal Data”), Counterparty shall comply with the Model Clauses for Cross-Border Data Transfers (Module 2 Controller-Processor) issued by the Turkish Personal Data Protection Authority (KVKK) available at: Turkish SCCs (the “Turkish SCCs”). The Turkish SCCs, as issued or amended by the KVKK, are incorporated herein by reference. For interpretive purposes, the term “Turkish Personal Data” shall be construed consistently with the term used to describe personal data in the applicable Turkish SCCs, now or as amended, and any such term used in the Turkish SCCs shall be deemed incorporated by reference.
- Notwithstanding anything to the contrary in the Privacy Schedule, where required to comply with Turkish data protection law, the Turkish SCCs shall be governed by, and construed in accordance with, the laws of the Republic of Türkiye.
- Chinese Personal Data
- With respect to Personal Information Processed by or on behalf of the Counterparty that originates from or is Processed in the People’s Republic of China, and is subject to the Personal Information Protection Law of the People’s Republic of China (entered into force on 1 November 2021), including any applicable implementing regulations, measures, and enforcement rules as issued by the Cyberspace Administration of China or any successor authority (“Chinese Personal Data”), Counterparty shall comply with the Standard Contract for Cross-Border Transfer of Personal Information as issued by the Cyberspace Administration of China on 24 February 2023 available at: Chinese Standard Contract (the “Chinese Standard Contract”). The Chinese Standard Contract, as amended from time to time, is incorporated herein by reference. For interpretive purposes, the term “Chinese Personal Data” shall be construed consistently with the term used to describe personal data in the applicable Chinese Standard Contract, now or as amended, and any such term used in the Chinese Standard Contract shall be deemed incorporated by reference.
- Only where all applicable requirements under relevant laws and regulations are met, may the Standard Contract for Cross-Border Transfer of Personal Information (“Chinese Standard Contract”) be applied. Notwithstanding anything to the contrary in the Privacy Schedule, where required to comply with Chinese data protection law, the Chinese Standard Contract shall be governed by, and construed in accordance with, the laws of the People’s Republic of China.