Kosy Data Processing Agreement

Kosy Data Processing Agreement

Kosy Data Processing Agreement This Data Processing Agreement (“Agreement”) is incorporated into the Kosy Terms and Conditions(“Terms and Conditions”) between Kosy Software Ltd, a company incorporated and registered in England and Wales with company number 12887873 and registered office at 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom (“Kosy”) and the client listed on the Order Form (“Client”). It applies in respect of the performance of Kosy’s obligations under the Terms and Conditions, including the provision of the SaaS-based virtual office platform made available by Kosy on a subscription basis and the Professional Services (together the “Services”) toClient if the Processing of the personal data described under Section 1.1 of this Agreement (“Client Personal Data”) is subject to the GDPR, only to the extent where Client is a Controller of Client Personal Data and Kosy is aProcessor. This Agreement is intended to satisfy the requirements of Article28(3) of the GDPR and shall be effective for the duration of the Terms and Conditions. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions and “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” (and their grammatic variants) will each have the meaning given to them in the GDPR.

1. Details of The Processing

1.1. Categories of Data Subjects and types of Personal Data. This Agreement applies to the Processing of Client Personal Data relating to employees and other personnel of Client and the types of Client Personal Data include first name, last name, job title ,email address and telephone number.

1.2.Subject-Matter, Nature and Purpose of the Processing. The subject-matter, nature and purpose of Processing of Client Personal Data by Kosy is the provision of Services to Client in accordance with the Terms andConditions.

1.3. Duration of the Processing. Client Personal Data will be Processed for the duration of theTerms and Conditions, subject to Section 2.9 of this Agreement. 2. Processing of Client Personal Data

2.1. Instructions. The parties agree that: (a) Client is the Controller of Client Personal Data and Kosy is theProcessor of Client Personal Data. Kosy will only Process Client Personal Data as a Processor on behalf of and in accordance with Client’s prior written instructions, including with respect to transfers of Client Personal Data. Kosy is hereby instructed to Process Client Personal Data to the extent necessary to enable Kosy to provide Services; and (b) if Kosy cannot process Client Personal Data in accordance with Client’s instructions due to a legal requirement under applicable law, Kosy will: (a) promptly notify Client of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (b) cease all Processing of the affected Client Personal Data (other than merely storing and maintaining the security of the affected Client Personal Data) until such time as Client issues new instructions with which Kosy is able to comply. If this provision is invoked, Kosy will not be Liable to Client under the Terms and Conditions for failure to provide Services until such time as Client issues new instructions.

2.2. Transfers. Client hereby consents to Kosy transferring Client Personal Data outside of the United Kingdom or European Economic Area, provided such transfers are made in accordance with Data Protection Laws. Where Client Personal Data is transferred by Kosy outside of the United Kingdom or EuropeanEconomic Area, such transfers may be undertaken by Kosy pursuant to theStandard Contractual Clauses (processors) set out in Decision 2010/87/EC(“Standard Contractual Clauses”) and Client hereby appoints Kosy as its agent(and Kosy accepts such appointment) for the purpose of binding Client as a principal to the Standard Contractual Clauses. 

2.3.Confidentiality. Kosy will ensure that any person whom Kosy authorizes toProcess Client Personal Data on its behalf is subject to confidentiality obligations in respect of that Client Personal Data. 

2.4. SecurityMeasures. Kosy will: (a)implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data; and (b) at Client’s request, provideClient with reasonable assistance as necessary for the fulfilment of Client’s obligation to keep Client Personal Data secure. 

2.5.Sub-Processing. Client authorizes Kosy to appoint sub-Processors to perform specific services on Kosy’s behalf which may require such sub-Processors toProcess Client Personal Data. Kosy will inform Client of any intended changes concerning the addition or replacement of any sub-Processors and Client will have an opportunity to object to such changes on reasonable grounds within five(5) days of being notified. If the parties are unable to resolve such objection, either party may terminate the relevant Order Form(s) by providing written notice to the other party. Kosy will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor substantially the same obligations that apply to Kosy under this Agreement (“Sub-Processor Agreement”). Where any of its sub-Processors fails to fulfil its data protection obligations, Kosy will be liable to Client for the performance of such obligations. 

2.6. Data SubjectRights. Kosy will, provideClient with assistance necessary for the fulfilment of Client’s obligation to respond to requests for the exercise of Data Subjects’ rights. Kosy shall not respond to such requests without Client’s prior written consent and written instructions.Client shall be solely responsible for responding to such requests. 

2.7. Personal Data Breaches. Kosy will: (a) notify Client without undue delay after it becomes aware of anyPersonal Data Breach affecting any Client Personal Data; and (b) at Client’s request, Kosy will promptly provide Client with all reasonable assistance necessary to enable Client to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Client is required to do so under the GDPR. Client is solely responsible for complying with Personal Data Breach notification requirements applicable to Client and fulfilling any third-party notification obligations related to any Personal Data Breach. 

2.8. Data Protection Impact Assessment and Prior Consultation. Kosy will provide Client with reasonable assistance to facilitate conducting data protection impact assessments and consultations with data protection authorities, if Client is required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by Kosy of Client Personal Data, taking into account the nature of the Processing and the information available to Kosy.

2.9. Return or Deletion of Client Personal Data.
 Kosy will delete Client Personal Data after the end of the provision of Services relating to the Processing (or, if requested within five (5) days of end of the provision of Services returnClient Personal Data), and delete existing copies unless applicable law requires storage of such data.

2.10. Information. Kosy will, at Client’s request, provide Client with all information necessary to enableClient to demonstrate compliance with its obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by Client or an auditor mandated by Client, to the extent that such information is within Kosy’s control and Kosy is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with advanced written notice of at least sixty (60) days, during regular business hours, not more often than once per calendar year and subject to Kosy’s then-current security and confidentiality policies. Kosy will immediately inform Client if, in its opinion, an instruction from Client infringes Data Protection Laws. 3. Client Obligations

3.1. Compliance and Costs. Client will: (a) comply with its obligations under Data Protection Laws (including any guidance issued by the European Data Protection Board or relevant supervisory authority) which arise in relation to this Agreement and its receipt of Services; (b) not do or omit to do anything which causes Kosy to breach any of its obligations underData Protection Laws; and (c) reimburse Kosy for its costs incurred in performing its obligations under Sections 2.4(b), 2.6, 2.7(b), 2.8, 2.9 and2.10.3.2. Right to Process. Client represents, warrants and undertakes to Kosy that: (a) Client (and any other sub-contractor of Client) has obtained ClientPersonal Data in accordance with Data Protection Laws and has provided (or will provide) all necessary notices to Data Subjects whose personal data comprises part of Client Personal Data; and (b) it has (or will at the required time have) one or more valid grounds for Kosy’s (and any sub-Processors) Processing of Client Personal Data in accordance with this Agreement, in each case so that Kosy (and any sub-Processors) processing of Client Personal Data in accordance with this Agreement complies with Data Protection Laws.

4. General

4.1. Each party’s liability arising under, out of or in connection with this Agreement, whether or not foreseeable or in the contemplation of the parties at any time, in or under contract, tort (including negligence), breach of statutory duty, misrepresentation, indemnity, restitution or otherwise (“Liable”) will be limited in accordance with the provisions of the Terms and Conditions. Client acknowledges that Kosy is reliant on Client for direction as to the extent to which Kosy is entitled to Process Client Personal Data on behalf of Client in performing Services. Consequently, Kosy will not be Liable for any claim brought by a Data Subject arising from any act or omission by Kosy, to the extent that such act or omission resulted from Client’s instructions, Client’s failure to comply with its obligations under Data Protection Laws or Client’s breach of this Agreement.

4.2. This Agreement may be amended from time to time by Kosy posting an updated version on its website. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement, the Terms andConditions and any Sub-Processor Agreement, the provisions of the Sub-ProcessorAgreement shall prevail, followed by this Agreement and then the Terms andConditions.