What is Kokomo24/7's Data Protection Policy and how do you handle a breach should it occur?
This Data Protection Exhibit ("Exhibit") forms part of the agreement Kokomo MSA by June 17, 2020 or other contractual terms ("Agreement") governing the provision of services by the undersigned vendor ("Vendor") acting on its own behalf and as agent for each Vendor Affiliate and KOKOMO_CLIENT LLP ("KOKOMO_CLIENT"). Except as modified below, the terms of the Agreement shall remain in full force and effect.
In this Exhibit, the following terms have the meanings set out below:
- "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with a party hereto, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- "KOKOMO_CLIENT Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of KOKOMO_CLIENT pursuant to or in connection with the Agreement;
- "Contracted Processor" means Vendor or a Sub-processor;
- "Data Protection Laws" means the laws and regulations applicable to the Processing of KOKOMO_CLIENT Personal Data, including, without limitation, GDPR and related laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom;
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation);
- "Personal Data" shall have the same meaning set forth in Data Protection Laws;
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "Restricted Transfer" means a transfer of KOKOMO_CLIENT Personal Data from (a) KOKOMO_CLIENT to a Contracted Processor; or (b) an onward transfer of KOKOMO_CLIENT Personal Data from a Contracted Processor to another Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses or other compliance mechanism under the Data Protection Laws;
- "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for KOKOMO_CLIENT pursuant to the Agreement;
- "Standard Contractual Clauses" means the contractual clauses set out in Attachment 1;
- "Sub-processor" means any third party appointed by or on behalf of Vendor to Process Personal Data on behalf of KOKOMO_CLIENT in connection with the Agreement.
The terms, "Data Subject", "Member State", "Personal Data Breach", "Controller" and "Processor" shall have the same meaning as found in the Data Protection Laws.
- Processing of KOKOMO_CLIENT Personal Data
- Vendor shall (a) comply with all applicable Data Protection Laws in the Processing of KOKOMO_CLIENT Personal Data; (b) not Process KOKOMO_CLIENT Personal Data other than on KOKOMO_CLIENT's documented instructions unless Processing is required by applicable laws, in which case Vendor shall to the extent permitted by applicable laws inform KOKOMO_CLIENT of that legal requirement before the Processing of KOKOMO_CLIENT Personal Data; and (c) treat KOKOMO_CLIENT Personal Data as confidential.
- KOKOMO_CLIENT's instructions for the Processing of KOKOMO_CLIENT Personal Data shall comply with Data Protection Laws.
- The parties acknowledge that for the purposes of the Data Protection Laws, KOKOMO_CLIENT is the Controller and Vendor is the Processor in respect of the processing of KOKOMO_CLIENT Personal Data by the Vendor pursuant to or in connection with the Agreement. Attachment 2 sets out the subject matter, nature and purpose of processing by the Vendor, the duration of the processing and the types of Personal Data and categories of Data Subjects.
- Vendor Personnel
Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to KOKOMO_CLIENT Personal Data, ensuring in each case that access is strictly limited to only those individuals who require access to the relevant KOKOMO_CLIENT Personal Data, as strictly necessary for the purposes of the Agreement. In each case, the Vendor must ensure that such individuals will comply with applicable laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the KOKOMO_CLIENT Personal Data implement appropriate technical and organizational measures as set out in Attachment 3 to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Data Protection Laws. In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
- KOKOMO_CLIENT authorizes Vendor to appoint (and permit each Sub-processor appointed in accordance with this section 5 to appoint) Sub-processors in accordance with this section 5 and any restrictions in the Agreement.
- Vendor may continue to use those Sub-processors already engaged by Vendor as of the date of this Exhibit, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
- Vendor shall give KOKOMO_CLIENT prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 30 days of receipt of that notice, KOKOMO_CLIENT notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment:
- Vendor shall work with KOKOMO_CLIENT in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and
- where such a change cannot be made within 30 days from Vendor's receipt of KOKOMO_CLIENT's notice, notwithstanding anything in the Agreement, KOKOMO_CLIENT may by written notice to Vendor with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.
- With respect to each Sub-processor, Vendor shall:
- before the Sub-processor first Processes KOKOMO_CLIENT Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for KOKOMO_CLIENT Personal Data required by the Agreement;
- ensure that the arrangement between Vendor and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for KOKOMO_CLIENT Personal Data as those set out in this Exhibit, meet the requirements of article 28(3) of the GDPR and ensure that the relevant obligations (including, without limitation, the audit rights set forth in Section 10) can be directly enforced by KOKOMO_CLIENT against the Sub-processors;
- if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between the Vendor and the Sub-processor, or before the Sub-processor first Processes KOKOMO_CLIENT Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with KOKOMO_CLIENT;
- provide to KOKOMO_CLIENT for review such copies of Vendor’s agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Exhibit) as KOKOMO_CLIENT may request from time to time; and
- remain responsible for its Sub-processors and liable for their acts and omissions, and any reference to the Vendor's obligations in this Exhibit shall be construed as referring also to Vendor's Sub-processors.
- Data Subject Rights
Taking into account the nature of the Processing, Vendor shall assist KOKOMO_CLIENT by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of KOKOMO_CLIENT's obligations, as reasonably understood by KOKOMO_CLIENT, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Vendor shall:
- promptly notify KOKOMO_CLIENT if Vendor or any Sub-processor receives a request from a Data Subject under any Data Protection Law in respect of KOKOMO_CLIENT Personal Data; and
- ensure that Vendor or the Sub-processor does not respond to that request except on the documented instructions of KOKOMO_CLIENT or as required by Applicable Laws to which the Sub-processor is subject.
- Personal Data Breach
Vendor shall notify KOKOMO_CLIENT without undue delay upon Vendor or any Sub-processor becoming aware of a Personal Data Breach affecting KOKOMO_CLIENT Personal Data, providing KOKOMO_CLIENT with sufficient information to allow KOKOMO_CLIENT to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Vendor shall co-operate with KOKOMO_CLIENT and take such reasonable commercial steps as are directed by KOKOMO_CLIENT to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation
Vendor shall provide reasonable assistance to KOKOMO_CLIENT with any data protection impact assessments, and consultations with supervisory authorities or other competent data privacy authorities, which KOKOMO_CLIENT reasonably considers to be required, in each case solely in relation to Processing of KOKOMO_CLIENT Personal Data by, and taking into account the nature of the Processing and information available to, the Sub-processors.
- Deletion or return of KOKOMO_CLIENT Personal Data
The parties agree that on the termination of the provision of Services, Vendor and any Sub-processor shall, at the choice of KOKOMO_CLIENT, return all KOKOMO_CLIENT Personal Data transferred and the copies thereof to KOKOMO_CLIENT or shall destroy all the KOKOMO_CLIENT Personal Data and certify to KOKOMO_CLIENT that it has done so, unless legislation imposed upon Vendor or any Sub-processor, as applicable, prevents it from returning or destroying all or part of the KOKOMO_CLIENT Personal Data transferred. In that case, Vendor warrants that it will guarantee the confidentiality of the KOKOMO_CLIENT Personal Data transferred and will not actively process the KOKOMO_CLIENT Personal Data transferred anymore.
- Audit rights
Vendor shall make available to KOKOMO_CLIENT on request all information necessary to demonstrate compliance with this Exhibit, and shall allow for and contribute to audits, including inspections, by KOKOMO_CLIENT or an auditor mandated by KOKOMO_CLIENT in relation to the Processing of the KOKOMO_CLIENT Personal Data.
KOKOMO_CLIENT shall give Vendor reasonable notice of any audit or inspection to be conducted and shall make (and ensure that its auditors make) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Vendor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
The parties agree that the audit right shall be limited to one audit or inspection in any calendar year, except for any additional audits or inspections which (i) KOKOMO_CLIENT reasonably considers necessary because of genuine concerns as to Vendor's or the relevant Vendor Affiliate’s compliance with this Exhibit, or (ii) KOKOMO_CLIENT is required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory.
- Restricted Transfers
If Vendor is established in a country that is neither a Member State nor considered by the European Commission to have adequate protection, by agreeing to this Exhibit, Vendor (as "data importer") is entering into the Standard Contractual Clauses (as set out in Attachment 1) in respect of any Restricted Transfer from KOKOMO_CLIENT to Vendor. Notwithstanding the law governing the Agreement and this Exhibit, the Standard Contractual Clauses shall be governed by and interpreted pursuant to the laws of England and Wales.
If a Vendor Sub-processor is a data importer, Vendor shall enter into Standard Contractual Clauses with KOKOMO_CLIENT on behalf of such Sub-processor. To the extent the foregoing is not possible, Vendor shall inform KOKOMO_CLIENT and obtain such Sub-processor's agreement to the Standard Contractual Clauses as an additional data importer.
- General Terms
- Nothing in this Exhibit reduces Vendor's obligations under the Agreement in relation to the protection of KOKOMO_CLIENT Personal Data or permits Vendor to Process (or permit the Processing of) KOKOMO_CLIENT Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Exhibit and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Subject to section 12.1, with regard to the subject matter of this Exhibit, in the event of inconsistencies between the provisions of this Exhibit and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Exhibit, the provisions of this Exhibit shall prevail.
- If KOKOMO_CLIENT gives notice that an amendment to this Exhibit is required in order to comply with Applicable Laws or comply with requirements set out by KOKOMO_CLIENT's clients, KOKOMO_CLIENT will provide an amendment and the parties shall negotiate in good faith to address the requirements identified in KOKOMO_CLIENT's notice as soon as is reasonably practicable.
- Neither KOKOMO_CLIENT nor Vendor shall require the consent or approval of any KOKOMO_CLIENT Affiliate or Vendor Affiliate to amend this Exhibit pursuant to this section 12.5 or otherwise.
- Should any provision of this Exhibit be invalid or unenforceable, then the remainder of this Exhibit shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.