Data Processing Addendum
1. DEFINITIONS AND INTERPRETATION
Terms defined in the Agreement(s) shall have the same meaning in these Terms & Conditions unless defined below. Where a term is defined in both the Agreement(s) and these Terms & Conditions, the meaning as defined in these Terms & Conditions shall have precedence.
“Agreement(s)” means the Agreement(s) between the Parties referred to in the Amendment Letter to which these Terms & Conditions are attached;
“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data outside the EEA (and from the GDPR Date to any international organisation) as may be permitted under Data Protection Legislation from time to time;
“Complaint” means a complaint or request relating to either party’s obligations under Data Protection Legislation relevant to the Agreement(s) including any complaint by a Data Subject or any notice, investigation or other action by a Supervisory Authority;
“Customer” means the KYOCERA Customer named in the Amendment Letter to which these Terms & Conditions are attached;
“Data Controller” has the meaning given to that term (or to the term ‘controller’) in Data Protection Legislation;
“Data Processor” has the meaning given to that term (or to the term ‘processor’) in Data Protection Legislation;
“Data Protection Legislation” means any applicable law, statute, regulation or subordinate legislation and all policies, codes of conduct, direction, policy rule or order issued by any regulatory body having jurisdiction over a party that is from time to time in force including the Information Commissioner’s Office, relating to data protection, privacy and the processing of Personal Data, including:
(a) the Data Protection Act 1998;
(b) Privacy and Electronic Communications (EC Directive) Regulations 2003;
(c) the (EU) General Data Protection Regulation 2016/679 ("GDPR") from the GDPR Date; and
(d) any corresponding or equivalent national laws or regulations to any of the above and any applicable laws replacing, amending, extending, re-enacting or consolidating any of the above from time to time.
“Data Subject” has the meaning given to that term in Data Protection Legislation;
“GDPR Date” means the date from when the GDPR applies being 25th May 2018;
“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation;
“Parties” means KYOCERA and the addressee of the Amendment Letter to which these Terms & Conditions are attached;
“Personal Data” has the meaning given to that term in Data Protection Legislation;
“Personal Data Breach” has the meaning given to that term in Data Protection Legislation and includes any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data on systems managed by or otherwise controlled by KYOCERA excluding unsuccessful attempts or activities that do not compromise the security of Protected Data;
“processing” has the meaning given to that term in Data Protection Legislation (and related terms such as process have corresponding meanings);
“Processing Instructions” has the meaning given to that term in clause 3.1.1;
“Protected Data” means any Personal Data received by KYOCERA from or on behalf of the Customer and processed by KYOCERA in connection with the provision of Services and/or performance of KYOCERA’s obligations under the Agreement(s);
“Services” means the services and/or other activities to be provided by KYOCERA as set out in the Agreement(s);
“Sub-Processor” means another Data Processor engaged by KYOCERA for carrying out processing activities in respect of the Protected Data on behalf of the Customer; and
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation including the Information Commissioner’s Office.
2. DATA PROCESSOR AND DATA CONTROLLER
2.1 The Parties agree that, in relation to the Protected Data, the Customer shall be the Data Controller and KYOCERA shall be the Data Processor.
2.2 KYOCERA shall process Protected Data in compliance with:
2.2.1 the obligations of Data Processors under Data Protection Legislation in respect of the performance of its obligations under the Agreement(s); and
2.2.2 the terms of the Agreement(s).
2.3 The Customer shall comply with:
2.3.1 all Data Protection Legislation in connection with the processing of Protected Data and the exercise and performance of its respective rights and obligations under the Agreement(s), including maintaining all relevant regulatory registrations and notifications and paying all fees for Data Controllers as required under Data Protection Legislation; and
2.3.2 the terms of the Agreement(s).
2.4 The Customer warrants that:
2.4.1 all data sourced by the Customer and/or provided by or on behalf of the Customer to KYOCERA for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Legislation;
2.4.2 all its instructions to KYOCERA in respect of Personal Data shall at all times be in accordance with Data Protection Legislation; and
2.4.3 it has undertaken due diligence in relation to KYOCERA's processing operations, and it is satisfied that:
(a) KYOCERA’s processing operations are suitable for the purposes for which the Customer uses the Services and engages KYOCERA to process the Protected Data; and
(b) KYOCERA has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Legislation.
2.5 The Customer shall not withhold, delay or condition its agreement to any change in the Services requested by KYOCERA in order to ensure that the Services and KYOCERA (and each Sub-Processor) can comply with Data Protection Legislation.
3. INSTRUCTIONS AND DETAILS OF PROCESSING
3.1 Insofar as KYOCERA processes Protected Data on behalf of the Customer, KYOCERA:
3.1.1 unless required to do otherwise by applicable law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 3 and Exhibit 1 (“Data processing details”), as updated from time to time by written agreement between the Parties and/or as further specified via the Customer’s use of the Services (“Processing Instructions”); and
3.1.2 if applicable law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless applicable law prohibits such information on important grounds of public interest).
3.2 If the Customer uses any third party applications in connection with or alongside the Services, these Terms & Conditions do not apply to the processing of any Personal Data in connection with the provision of that third party application and any responsibility for the processing of such Personal Data is as between the Customer and the relevant third party provider.
4. TECHNICAL AND ORGANISATIONAL MEASURES
4.1 KYOCERA shall implement and maintain, at its cost and expense, appropriate technical and organisational measures to:
4.1.1 ensure the security, integrity, availability and confidentiality of the Protected Data and protect against accidental loss or destruction of, or damage to Protected Data, such measures to be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected having regard to the state of technological development and the cost of implementing any measures; and
4.1.2 from the GDPR Date, taking into account the nature of the processing, assist the Customer to respond to Data Subject Requests relating to Protected Data (but subject to clause 6.1 below).
5. USING STAFF AND OTHER PROCESSORS
5.1 The Customer acknowledges and agrees that KYOCERA engages Sub-Processors to provide some of its services. The Customer consents to KYOCERA engaging such Sub-Processors provided that KYOCERA:
5.1.1 provides to the Customer details of any new Sub-Processor appointed after the date of the Agreement(s); and
5.1.2 notifies the Customer in advance of any change in a Sub-Processor. The Customer may object to any change in the Sub-Processor where it has reasonable grounds for doing so and in such circumstances, KYOCERA shall be entitled to address the objection through one of the following options at its sole discretion:
(a) cease to use the relevant Sub-Processor;
(b) take steps suggested by the Customer to address the objection; and
(c) cease to provide the particular Services which involve the relevant Sub-Processor.
5.2 KYOCERA shall, prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing obligations which offer materially the same level of protection for the Protected Data as those set out in these Terms & Conditions and meet the requirements of Article 28(3) of the GDPR. The Customer acknowledges and agrees that it has no right to audit and inspect a Sub-Processor’s facilities and premises and that KYOCERA shall not be obliged to include such rights in its agreement with its Sub-Processors.
5.3 From the GDPR Date, KYOCERA shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law, in which case KYOCERA shall, where practicable and legally permissible, notify the Customer of any such requirement before such disclosure).
6. ASSISTANCE WITH THE CUSTOMER’S COMPLIANCE AND DATA SUBJECT RIGHTS
6.1 KYOCERA shall promptly refer all Data Subject Requests it receives to the Customer upon receipt of the request, and shall, at KYOCERA’s standard rates in force at the time, assist the Customer with Data Subject Requests.
6.2 From the GDPR Date, KYOCERA shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to KYOCERA) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Legislation with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Legislation);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach and any remedial action required for a Personal Data Breach, provided the Customer shall pay KYOCERA’s charges for providing the assistance in this clause 6.2, at KYOCERA’s standard rates in force at the time.
8. RECORDS, INFORMATION AND AUDIT
8.1 KYOCERA shall maintain, in accordance with Data Protection Legislation binding on KYOCERA, written records of all categories of processing activities carried out on behalf of the Customer.
8.2 KYOCERA shall, in accordance with Data Protection Legislation, make available to the Customer such information as is reasonably necessary to demonstrate KYOCERA's compliance with the obligations of Data Processors under Data Protection Legislation, and allow for and contribute to audits, including inspections, by the Customer (or an auditor mandated by the Customer) for this purpose, subject to clause 5.2 and subject to the Customer:
8.2.1 giving KYOCERA reasonable prior notice of such information request, audit and/or inspection;
8.2.2 carrying out no more than one audit or inspection in any calendar year except where the Customer reasonably believes it necessary due to genuine concerns as to KYOCERA’s compliance with these Terms & Conditions or where the Customer is required or requested to carry out such an audit or inspection by Data Protection Legislation and/or a Supervisory Authority;
8.2.3 ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by applicable law);
8.2.4 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to KYOCERA's business and the business of other customers of KYOCERA; and
8.2.5 paying KYOCERA's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
8.3 Information and audit rights under this clause 8 only arise to the extent that the Agreement(s) do not otherwise give the Customer information and audit rights meeting the relevant requirements of Data Protection Legislation.
9. BREACH NOTIFICATION
9.1 In respect of any Personal Data Breach involving Protected Data, KYOCERA shall, without undue delay, notify the Customer of the Personal Data Breach and provide the Customer with details of the Personal Data Breach.
9.2 In the event that the Customer becomes aware of a Personal Data Breach by KYOCERA or otherwise in connection with the Services, it shall without undue delay notify KYOCERA of the Personal Data Breach and provide KYOCERA with details of the Personal Data Breach.
9.3 As the Data Controller, the Customer is solely responsible for complying with its notification obligations for Personal Data Breaches under Data Protection Legislation, including providing notification to the relevant Supervisory Authority and Data Subjects (where required).
10. DELETION OR RETURN OF PROTECTED DATA AND COPIES
10.1 KYOCERA shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the end of the provision of the relevant Services and delete existing copies (unless storage of any data is required by applicable law and, if so, KYOCERA shall inform the Customer of any such requirement).
10.2 KYOCERA shall be entitled to delete the Protected Data at the end of the term of the Agreement(s) or as otherwise provided in the Agreement(s).
EXHIBIT 1: DATA PROCESSING DETAILS
This Exhibit 1 includes certain details of the processing of personal data as required by Article 28(3) GDPR.
1. Subject matter and duration of the processing of personal data
The subject matter and duration of the processing of the personal data are set out in the Agreement and these Data Processing Terms and Conditions.
2. Nature of the processing of personal data
A. KYOCERA Fleet Services (KFS) is a powerful, web-based service to perform device management and remote maintenance on a company’s fleet. Hosted in the cloud, KYOCERA Fleet Services enables companies and their service staff to view device status, quickly and easily identify and respond to issues and undertake key maintenance tasks, all from any location.
B. Management Print and Full Equipment Maintenance Services of Equipment in accordance with the terms and conditions of our service agreements.
3. Types of personal data to be processed
KYOCERA will process the following categories of personal data from Customer exclusively in the context of the Agreement:
- Device IP-address;
- Counter information of the applicable devices;
- Log files of the applicable devices;
- Identification data, only in the event of remote maintenance, as the service engineer may need to access the device and come across the device’s address book. This data shall not be stored by KYOCERA;
- Location address;
- Contact details.
4. Categories of data subjects to whom the personal data relates
- Devices of Customer connected to KYOCERA’s KFS server;
- Persons included in Customer’s devices’ address book.
- Customer’s employees’ details.
5. Purpose of processing
- Billing and supply management;
- Device management, maintenance and remote maintenance;
- Sale of KYOCERA Products (which include, but are not limited to, toners, maintenance kits, hardware and software).
6. Obligations and rights of Customer and KYOCERA
The obligations and rights of Customer and KYOCERA Affiliates are set out in the Agreement and these Data Processing Terms and Conditions.