In addition, the following definitions shall apply:
“Data Protection Laws” means all laws and regulations that apply to or govern the processing of personal data, including, but not limited to, the EU General Data Protection Regulation ((EU) 2016/679) and any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), as well as any amendments to or replacements of such laws and regulations.
Terms used in this DPA shall have the same meaning as in the Data Protection Laws.
Under the Service Agreement, Kind will be processing personal data on behalf of the Customer. This DPA sets out the details of that processing and the DPA is effective for so long as the Service Agreement is in force.
2.1. In relation to the data subjects, the Customer is responsible for the processing’s compliance with the Data Protection Laws.
2.2. The Customer warrants that the processing is carried out in accordance with the purpose for which the personal data have been collected.
2.3. It is the Customer’s responsibility to ensure that Kind, at any time, is duly informed of the Customer’s written instructions regarding the processing. If the Customer provides additional instructions which deviate from the instructions that follow from the Service Agreement, and such additional instructions entail that the scope of the Services is materially changed, the matter must be handled under the Service Agreement.
2.4. All instructions provided by the Customer must be in writing.
3.1. The processing is described in detail in Appendix A. Kind undertakes to only process personal data necessary for the performance of the Services, in accordance with the Service Agreement, this DPA or according to specific and documented instructions provided by the Customer in connection with the conclusion of the Service Agreement, which have been approved by Kind.
3.2. Upon receipt of written instructions from the Customer regarding the processing, such as provided for in Appendix A or additional written instructions, Kind must, within a reasonable period of time, take appropriate measures to ensure that the processing is carried out in accordance with the instructions.
3.3. Kind undertakes to ensure that any natural person acting under the authority of Kind, and who has access to personal data, is informed of the content of this DPA and processes the personal data only in accordance with the DPA and the Customer’s documented instructions.
3.4. Kind is required to assist the Customer with appropriate technical and organisational measures for the fulfilment of the Customer’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
3.5. Kind must, without undue delay, notify the Customer after becoming aware of a personal data breach. Kind shall assist the Customer by providing information necessary for the fulfilment of the Customer’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Customer’s obligation to communicate the personal data breach to the affected data subjects.
3.6. Kind is required to assist the Customer in connection with any data protection impact assessments and prior consultations carried out by the Customer, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.
4.1. By accepting this DPA, the Customer approves and acknowledges that Kind may engage subcontractors for the purpose of carrying out the processing (“sub-processors”). Should Kind’s engagement of a sub-processor involve the transfer of personal data to a third country, such sub-processor may only be engaged by Kind if the requirements set forth under section 5.1 are met.
4.2. When engaging a sub-processor for the purpose of carrying out the processing, Kind undertakes to enter into an agreement with the sub-processor regarding the processing activities, pursuant to which the sub-processor shall be bound by the same obligations as is Kind under this DPA.
4.3. Kind undertakes to inform the Customer in writing prior to engaging a sub-processor, and the Customer may, within five (5) days of receipt of Kind’s notice hereof, object to Kind’s choice of sub-processor. Kind may not engage the chosen sub-processor if the Customer has presented reasonable objections. The parties agree that the Customer, by accepting this DPA, is deemed to have been informed of Kind’s intended engagement of the sub-processors listed in Appendix B.
4.4. Any transfer of personal data to the sub-processors is made at Kind’s risk and does not alter the allocation of responsibility between Kind and the Customer.
5.1. Kind undertakes not to transfer personal data to a third country (i.e. a country outside of the EU/EEA), unless the Customer has approved of such transfer in writing, and at least one of the following requirements is met:
(i) the receiving country has an adequate level of security;
(ii) the data subject has given its consent to the transfer;
(iii) the Data Protection Laws provide a legal ground for the transfer; or
(iv) agreements including certain standard contractual clauses issued by the European Commission (2010/87/EU) have been entered into, without any conflicting changes or amendments.
5.2. Provided that at least one of the relevant actions set forth in section 5.1 has been taken, the Customer may not unreasonably withhold its approval regarding the transfer.
6.1. Kind may not disclose any personal data to third parties without the Customer’s prior written consent, unless the disclosure or transfer is required by applicable law or under any court judgments or official orders. Notwithstanding the above, Kind is always entitled to transfer personal data to sub-processors in accordance with section 4.
6.2. Kind shall without undue delay notify the Customer in writing if it is approached by a supervisory authority with any matters regarding, or which may be of relevance for the processing. If Kind by operation of law or injunction is obligated to disclose personal data, section 8.2(iv) shall apply.
7.1. Kind is required to implement appropriate technical and organisational measures in accordance with the Data Protection Laws in order to ensure a level of security appropriate to the risk, including risks relating to unauthorised access, destruction and alteration of personal data covered by the processing. Kind shall determine how such measures are to be implemented in order to reach an appropriate level of security.
7.2. If the Customer makes it probable that new security measures are required or that existing security measures must be altered in order to achieve compliance with the legal requirements regarding an appropriate level of security, or in order to achieve compliance with any court judgments or official orders, the parties shall discuss the implementation of such new measures or alterations of existing measures. Any implementation of extended or additional security measures requires that the parties have agreed on such implementation in writing. Kind is entitled to reasonable compensation for any extended or additional security measures taken.
7.3. If Kind lacks any instructions from the Customer that Kind deems necessary in order to carry out the processing, or if Kind deems the Customer’s instructions, wholly or partly, to be in breach of the Data Protection Laws, Kind shall without delay notify the Customer, and await any further instructions that the Customer deems necessary.
8.1. Kind and the persons working under its authority must maintain confidentiality in all respects when carrying out the processing. This means that personal data may not be unduly disclosed to a third party. Kind undertakes to ensure that the individuals working under its authority and who will process personal data observe and comply with Kind’s confidentiality undertaking according to this section 8.
8.2. Kind undertakes not to disclose to any third party such information which Kind, in its capacity as data processor, has received from the Customer or any other such information which Kind processes in its capacity as data processor under this DPA. Kind undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 8. However, this confidentiality obligation shall not apply to:
(i) information which is generally known or becomes generally known other than as a result of a breach of the Service Agreement or this DPA;
(ii) information which Kind can prove was in Kind’s possession prior to being provided to Kind under the Agreement;
(iii) information which Kind, lawfully and without restrictions regarding the right to transfer such information, receives from any third party outside the scope of the Service Agreement or this DPA; or
(iv) information which Kind is obligated to disclose under law or any court judgment or public authority decision. In such a case, Kind must without undue delay inform the Customer in writing about the disclosure and request that the personal data are kept confidential by the recipient.
8.3. This confidentiality undertaking shall survive the termination of this DPA.
Instructions regarding the processing
Kind shall, in addition to complying with the provisions in this DPA and the Service Agreement, carry out the processing in accordance with the instructions below.
Sub-Processors approved by the Customer
The Customer accepts and recognizes that Kind engages the following sub-processors in accordance with section 4.3 of the Agreement.
Amazon Web Services, AWS (Sweden/EU, https://aws.amazon.com/compliance/gdpr-center), for the operation and maintenance of the platform, including storage of encrypted data.