This Data Processing Agreement (“DPA“) is incorporated into and forms part of the agreement entered into between you (“you” or “Customer”) and KX Systems, Inc or FD Technologies Plc (“Supplier”) pursuant to which you have licensed certain Supplier software product(s) and/or purchased certain professional services (“Agreement”).  This DPA shall apply to all Processing of Customer Personal Data (as defined below) by Supplier in order to provide the software and/or services under the Agreement (“Services”). Terms not defined in the Agreement, shall have the meaning given to them in clause 1 below. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations relating to Customer Personal Data.

1. Definitions

“Data Protection Laws” means:

1. to the extent the UK data protection law applies, all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) as defined in the Data Protection Act 2018 (“DPA 2018”); the DPA 2018 (and regulations made thereunder) and the EU Privacy & Electronic Communications Directive 2002/58/EC as amended;
2. to the extent the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) applies, the GDPR as it has effect in EU law, the law of the European Union or any member state of the European Union to which Supplier is subject, which relates to the protection of personal data.
3. and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

“Personal Data”, “special categories of data”, “process/processing”, “Controller”, “Processor”, “Data Subject” and “supervisory authority” shall have the same meaning as in the Data Protection Laws.

“Standard Contractual Clauses” means as the circumstances require:

1. the clauses set out in the Commission Implementing Decision dated 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as may be amended or replaced from time to time in accordance with the European Commission’s requirements, under the Data Protection Laws (“EU Standard Contractual Clauses”) , and/or
2. the ICO International Data Transfer Addendum to the EU Standard Contractual Clauses which applies in the UK laid before Parliament in accordance with section 119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 from time to time in accordance with the Data Protection Laws (“UK Standard Contractual Clauses”).

“Subprocessor” means any third party Processor engaged by Supplier or engaged by any subprocessor of Supplier. For the avoidance of doubt, Subprocessor shall include a Supplier Affiliate.

2. RELATIONSHIP BETWEEN THE PARTIES

2.1 Supplier shall be the Processor regarding any Personal Data that is made available to Supplier pursuant to the Agreement, whether hosted by the Supplier or otherwise (“Customer Personal Data“) and you shall be either the Controller or the Processor of the Customer Personal Data under this DPA.

3. PERSONAL DATA PROCESSING INSTRUCTIONS

3.1 Supplier shall only process the Customer Personal Data on your behalf for the sole purpose of carrying out the Services under the Agreement and 1) in accordance with the Agreement, this DPA and your documented instructions as set out in Section 3.2 below (unless otherwise required by the Data Protections Laws) and 2) in accordance with its obligations as a Processor under the Data Protection Laws. If your instructions to Supplier change in relation to Processing the Customer Personal Data, such change shall be subject to agreement in writing between you and Supplier.

3.2 Details of the Personal Data processing under this DPA;

3.2.1 Subject matter of the Processing. The subject matter of the processing under this DPA is Customer Personal Data.

3.2.2 Duration of the Processing. The duration of the Processing corresponds to the duration of the Agreement.

3.2.3 Purpose of Processing. The purpose of the Customer Personal Data processing under this DPA, is the provision of the Services under the Agreement.

3.2.4 Nature of the Processing. The nature of the processing is accessing Customer Personal Data in order to provide the Services as described in the Agreement.

3.2.5 Types of Personal Data. The types of Customer Personal Data processed under this DPA include any Customer Personal Data to which Supplier is provided access in order to provide the Services.

3.2.6 Data Subjects. The data subjects may include your customers, employees, suppliers, and end users, or any other individual whose personal data you make available to Supplier.

3.3 Supplier shall notify you of any instruction which, in Supplier’s opinion, infringes the Data Protection Laws. You acknowledge and agree that Supplier is not obliged on an ongoing basis to monitor and assess the lawfulness of instructions and Supplier has no obligation to provide or procure legal advice to you.

3.4 Except to the extent expressly provided otherwise in this DPA, you have sole responsibility for the lawfulness of your written and other instructions in relation to Processing, the legal basis for such Processing and the notification obligations to data subjects in relation to such Processing.

3.5 If Supplier is legally required to process or disclose Customer Personal Data otherwise than as instructed by you, Supplier shall notify you immediately and before such processing occurs unless prohibitied by law, in which case it shall notify you as soon as it is permitted to do so.

4. PERSONAL DATA CONFIDENTIALITY

4.1 Supplier shall treat all Customer Personal Data as confidential information and not disclose such confidential information to any third party without Client’s prior written consent except 1) to Supplier Affiliates and Subprocessors or 2) where it is required by a court order or there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such order or obligation. Where Supplier is required to disclose Customer Personal Data under court order or statutory obligation, section 3.5 shall apply.

4.2 Supplier shall take reasonable steps to ensure that its personnel who have access to the Customer Personal Data are subject to a duty of confidence and and Supplier shall remain responsible for the actions of its personnel under this Agreement as if such actions were carried out by Supplier itself.

5. SECURITY

5.1 Supplier agrees that it has implemented and will maintain appropriate technical and organisational measures as set out in Schedule 1 to ensure the security of the processing.

6. PERSONAL DATA BREACH NOTIFICATION

6.1 Supplier will notify you as soon as reasonably practicable if Supplier becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed (“Personal Data Breach”). Supplier will include in such notification the applicable information required by Data Protection Laws to the extent such information is in the possession of or can reasonably be ascertained by Supplier in the circumstances.  Supplier shall have no obligation to communicate directly with any Data Subject or with any regulator unless otherwise agreed in writing by Supplier or unless Supplier is legally obliged to do so.

7. SUBPROCESSING

7.1 You agree that Supplier may retain the parties listed at Subprocessors as Subprocessors in connection with the provision of the Services under the Agreement. You may register to receive email notifications of any change to the list of Subprocessors which Supplier will update at least 14 days before the addition or replacement of any Subprocessor. If you do not object to the appointment of the Subprocessor(s) within 14 days from the date of such notification, the appointment shall be deemed accepted. In the event you object, 1) Supplier shall work with you to find a commercially reasonable alternative and 2) if Supplier is unable to provide an alternative or you object to the alternative, either party may terminate the Agreement (without any refund of any amounts and without prejudice to Supplier’s right to be paid fees for any remainder of the term where you terminate the Agreement).

7.2 Supplier shall require all Subprocessors (including Supplier Affiliates) to abide by substantially the same obligations as Supplier under this DPA and shall enter into a written agreement with each of the Subprocessors and Standard Contractual Clauses (where applicable). Supplier remains responsible at all times to you for the Subprocessor’s performance of its obligations under its agreement.

8. INTERNATIONAL DATA TRANSFER

8.1 Supplier may be required to transfer Customer Personal Data to a jurisdiction outside the UK or the EEA in connection with providing the Services under the Agreement. Where applicable, the Parties agree that the Standard Contractual Clauses shall form part of this DPA as set out in Schedule 2.

8.2 The Standard Contractual Clauses shall not apply if the transfer of Personal Data is to a country or is carried out in accordance with a framework or agreement, that the European Commission has recognised as providing adequate legal protection in respect of Personal Data and the Standard Contractual Clauses shall automatically terminate with effect from the date of that European Commission decision.

8.5 The Parties agree that in the event of any conflict or inconsistency between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

9. DATA SUBJECT REQUESTS

Where Supplier receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws and where the Data subject idenitifes you, Supplier shall promptly notify you of such request. Where you are unable to access the Customer Personal Data yourself and taking into account the nature of the Processing being carried out by Supplier, Supplier will assist you by appropriate technical and organisational measures insofar as is possible, to enable youto respond to such Data Subject requests. You must provide Supplier with a written request  setting out the scope of the assistance required. Supplier shall have no obligation to communicate directly with any Data Subject unless otherwise agreed in writing by Supplier. To the extent legally permitted, you will be responsible for any costs arising from such assistance, including any fees associated with the provision of additional functionality.

10. ASSISTANCE

Supplier agrees to provide reasonable assistance, taking into account the nature of the Processing and the information available to Supplier, and at your cost, within such reasonable timescale as may be specified by you, in order to assist you, on request, in complying with your obligations pursuant to the Data Protection Laws and provided that Supplier shall have no obligation to communicate directly with any Data Subject or with any regulator unless otherwise agreed in writing by Supplier or unless Supplier is legally obliged to do so.

11. AUDIT

Following your reasonable prior written request,  Supplier shall permit you or a third party appointed by you to carry out audits and/or inspections, at your cost, of Supplier’s data processing facilities where Customer Personal Data is processed by Supplier under this DPA. Such requests shall be carried out during Supplier’s normal business hours and shall not unduly interfere with the provision of the Services and/or Supplier’s normal business activities. Supplier shall make available to you upon written request, all information and evidence necessary to demonstrate that the Supplier is complying with its obligations under this DPA. Nothing in this Clause 11, shall oblige Supplier to disclose information which is confidential, commercially sensitive or subject to legal privilege or to breach any confidentiality obligations which Supplier has to its personnel or its other customers, suppliers or partners. Supplier reserves the right to charge you additional fees where compliance with this clause requires the use of resources that are additional or different to those used in the provision of the Services.

12.   TERM AND TERMINATION

12.1 The parties agree that Customer Personal Data will be processed by Supplier for the duration of the Services under the Agreement or as otherwise set out in Section 3.2

12.2 The parties agree that upon the completion of the Services under the Agreement or upon termination or expiry of the Agreement, in so far as they relate to Customer Personal Data, Supplier and all Subprocessors shall, at your option, either return or destroy all Customer Personal Data unless any law, regulation or government or regulatory body to which Supplier or a Subprocessor are subject prevent Supplier or Subprocessor from returning or destroying all or part of the Customer Personal Data. In such a case, the Supplier will keep the Customer Personal Data confidential until the legal obligation to not return or destroy the information is no longer in effect.

Schedule 1

Technical and Organisational Measures can be found here

Schedule 2

Data Transfers

1. EU Standard Contractual Clauses.

For transfer of Customer Personal Data out of the EEA or Switzerland that are subject to Section 8.1 of the DPA, the EU Standard Contractual Clauses are incorporated into this DPA by reference and will apply in the following manner;

1.1 Module Two (Controller to Processor) will apply where you are a Controller of Customer Personal Data and Supplier is a Processor of Customer Personal Data.

1.2 Module Three (Processor to Processor) will apply where you are a processor of Customer Personal Data and Supplier is a Subprocessor of Customer Personal Data.

1.3 For each of the Modules specified above, the a parties agree the following;

(i) Clause 7 will not apply;

(ii) in Clause 9(a), Option 2 will apply, and the time period for notifying you about Subprocessor changes will be 14 days as set out in Section 7.1 of the DPA;

(iii) in Clause 11(a), the optional language will not apply;

(iv) in Clause 17, Option 1 will apply. The parties agree that the governing law shall be the law of the Republic of Ireland;

(v) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;

(vi) Schedule 2 Annex 1, Part A, B and C of this DPA shall serve as Annex I, Part A, B and C of the EU Standard Contractual Clauses

(vii) Schedule 1 of this DPA shall serve as Annex 2 of the EU Standard Contractual Clauses.

2. UK Standard Contractual Clauses

For transfer of Customer Personal Data out of the UK that are subject to Section 8.1 of the DPA, the UK Standard Contractual Clauses are incorporated into this DPA by reference and will apply in the following manner;

1. Schedule 2 Annex 1 Part A of this DPA shall serve as Table 1 of the UK Standard Contractual Clauses
2. For the purposes of Table 2, the EU Standard Contractual Clauses (as defined in the DPA) with only those modules, clauses and optional provisions as set out in paragraph 1 of Schedule 2 of the DPA shall apply.
3. For the purposes of Table 3, Schedule 1, Schedule 2 Annex 1, Part A and B and the list of Subprocessors referenced at Section 7 of the DPA shall apply.
4. For the purposes of Table 4, the Importer may end the UK Standard Contractual Clauses if any provisions are changed by the ICO as set out in Clause 19 of the UK Standard Contractual Clauses.

3. Additional Clauses

To the greatest extent permitted under Data Protection Laws, the following additional terms shall form part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses;

1. Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 of the EU Standard Contractual Clause to which the UK Standard Contractual Clauses are appended, as applicable, by instructing Data Importer to comply with the audit measures described in Section 11 of the DPA.
2. Any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.

Annex 1

A. DESCRIPTION OF PARTIES

Data Exporter

Name: Customer/ you

Address: Your address as set out on any Order Form or otherwise provided to us

Contact persons: Contact details as set out on any Order Form or otherwise provided to us

Activites relevant to the data transferred under these clauses: as set out in Section 3.2 of the DPA

Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed the EU Standard Contractual Clauses configured in accordance with paragraph 1 of this Schedule 2.

Role: as outlined in Section 2.1 of the DPA

Data Importer

Name: The Supplier detailed on the Order Form or otherwise provided to you

Address: as set out on the Order Form or otherwise provided to you

Contact persons: KXLegal@KX.com

Activites relevant to the data transferred under these clauses: as set out in Section 3.2 of the DPA

Signature and date: By entering into the Agreement, Data Importer is deemed to have signed the EU Standard Contractual Clauses configured in accordance with paragraph 1 of this Schedule 2.

Role: as outlined in Section 2.1 of the DPA

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred.

As specified in Section 3.2 of the DPA

Categories of personal data transferred.

As specified in Section 3.2 of the DPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.  

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal data is transferred as required for the purpose as set out in Section 3.2 of the DPA.

Nature of the processing.

As specified in Section 3.2 of the DPA

Purpose(s) of the data transfer and further processing.

As specified in Section 3.2 of the DPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

As specified in Section 3.2 and Section 12.2 of the DPA

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

As specified in Section 3.2 of the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.