This Data Processing Agreement (“DPA”), made and entered into by and between Kogniz, Inc. (“Kogniz”) and the entity identified as “Client” in the signature block below (“Client”), supplements and amends the following agreements between Kogniz and Client: the order(s) placed for Kogniz products and services and, as applicable, a master services agreement (collectively, the “Governing Agreement”). The parties have agreed to amend the Governing Agreement to ensure that the data protection provisions contained therein continue to comply with all applicable legislation, in particular the EU General Data Protection Regulation 2016/679 (“GDPR”).
In the event of a conflict between any provision of the Governing Agreement and any provision of this DPA, the provision of this DPA will prevail.
This DPA applies when personal data provided by Client to Kogniz under the Governing Agreement, as more particularly described in Appendix 1 of this DPA (“Client Personal Data”), is processed on Client’s behalf by Kogniz as Client’s data processor. For the avoidance of doubt, Client is the data controller as defined by the GDPR.
Kogniz agrees to:
Process the Client Personal Data only according to documented instructions from Client, including with regard to transfers of personal data to a third country or international organization, unless required to do so by Union or Member State law to which Kogniz is subject; in such a case, Kogniz shall inform Client of the legal requirement before processing, unless such law prohibits such information on important grounds of public interest.
Notify Client immediately where Kogniz considers that any instructions from Client relating to processing of Client Personal Data may put Kogniz in breach of the GDPR or other applicable data protection laws.
Not engage another processor (“Sub-Processor”) without prior specific or general written authorization from Client (an “Authorized Sub-Processor”). Client hereby provides a general written authorization to Kogniz to engage Sub-Processors in order to allow Kogniz to fulfill Kogniz’s contractual obligations under the Governing Agreement and to provide support services on Kogniz’s behalf, subject to compliance with the requirements of this Section 3. Client understands that information regarding Kogniz’s current Sub-Processors, including their location and services provided, will be provided to Client upon request, and Client agrees that such Sub-Processors are deemed to be Authorized Sub-Processors. Kogniz shall inform Client of any intended changes concerning the addition or replacement of other Sub-Processors, thereby giving Client the opportunity to object to such changes. Kogniz will provide Client with advance notice before a new Sub-Processor processes any Client Personal Data. Client may object to the new Sub-Processor within fifteen (15) days of such notice on reasonable grounds relating to the protection of Client Personal Data. If Client so objects and the parties are unable to resolve such objection, either party may terminate the Governing Agreement for cause without a refund of any pre-paid fees. Such termination right is Client’s sole and exclusive remedy if Client objects to any new Sub-Processor. Additionally, if Kogniz engages another Sub-Processor to carry out specific processing activities on behalf of Client, the same data protection obligations set out in this DPA shall be imposed on that other Sub-Processor by way of a written contract.
Ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Take all measures required pursuant to Article 32 of the GDPR, such as by implementing technical and organizational measures as set out in the Governing Agreement (as applicable) and this DPA, or in any event, implement technical and organizational measures to ensure a level of security appropriate to the risk presented by processing the Client Personal Data, in particular from breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed (“a Data Security Incident”).
Taking into account the nature of processing, provide reasonable assistance to Client in:
i. complying with its obligations under the GDPR relating to the security of processing Client Personal Data;
ii. responding to requests for exercising data subjects’ rights under the GDPR, including by appropriate technical and organizational measures, insofar as this is possible;
iii. documenting any Data Security Incidents and reporting any Data Security Incidents to any supervisory authority and/or data subjects; and
iv. conducting privacy impact assessments of any processing operations and consulting with supervisory authorities, data subjects and their representatives accordingly.
Where Client gives its prior written consent to a transfer to a country outside the European Economic Area (as it is made up from time to time) of Client Personal Data which is undergoing processing or which is intended to be processed after transfer (an “International Transfer”), appropriate safeguards for that International Transfer must be implemented in accordance with GDPR requirements. Such appropriate safeguards may include:
i. there is in force a European Commission decision that the country or territory to which the International Transfer is to be made ensures an adequate level of protection for processing of personal data;
ii. Kogniz or the relevant Authorized Sub-Processor enters into an agreement with Client in the form of the standard contractual clauses approved by the European Commission decision for the transfer of personal data to processors established in third countries from time to time, completed with such information as Client may reasonably require; or
iii. the International Transfer is to the United States of America and Kogniz or the relevant Authorized Sub-Processor has and maintains for the duration of the processing a current registration under the EU-U.S. Privacy Shield.
If Kogniz or an Authorized Sub-Processor is required to make an International Transfer to comply with the laws of the United Kingdom, European Union (as it is made up from time to time), or European Union member states (collectively, “Regions”), Kogniz will notify Client of such legal requirement prior to such International Transfer unless such applicable laws prohibit notice to Client on public interest grounds. Section 7(i)-7(iii) requirements will not apply if Kogniz makes an International Transfer to comply with Regions’ laws.
Comply with all applicable data protection laws.
At Client’s choice, delete or return all Client Personal Data to Client after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Client Personal Data.
Make available to Client all information necessary to demonstrate compliance with Kogniz’s obligations as set out in this DPA, and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client in accordance with the following requirements: (i) such an audit may be performed no more than once per year during Kogniz’s normal business hours, unless otherwise agreed to in writing by the parties or required under applicable law; (ii) the auditor will conduct such audit subject to any appropriate and reasonable confidentiality restrictions requested by Kogniz; (iii) prior to the start of such an audit, the parties will agree to reasonable scope, time, duration, place and conditions for the audit, and a reasonable reimbursement rate payable by Client to Kogniz for Kogniz’s audit expenses; and (iv) Client will promptly notify and provide Kogniz with full details regarding any perceived non-compliance or security concerns discovered during the course of such an audit.
Assist Client to ensure compliance with obligations pursuant to Articles 30 and 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the processor.
Notify Client without undue delay upon becoming aware of a data breach affecting Client Personal Data.
Any liability associated with failure to comply with this DPA will be subject to the limitations of liability provisions in the Governing Agreement.