Personal Data Protection Policy – K2Y Group
Introduction, Scope, and Purpose
This Personal Data Protection Policy (“Policy“) describes the privacy practices of K2Y regarding the Processing of Personal Data of the directors, officers, and employees and – to the extent applicable – the customers of the Client and/or the relevant Client Affiliates, as part of the provision of K2Y Services to its Clients. This Personal Data can be stored on K2Y systems, Client systems, or third-party systems to which K2Y is provided access to for the provision of Services. Where K2Y provides Services to its Clients and Processes Personal Data on Clients’ behalf, K2Y will be acting as Processor and the Client will be acting as Controller.
This Policy applies globally to any and all Services provided by K2Y to its Clients under the Service Agreements where K2Y is acting as Processor, executed on or after the effective date of this Policy.
K2Y Processes Personal Data on behalf of the Client in accordance with Data Protection Laws. Insofar necessary, the Service Agreement will be supplemented with an Addendum to set out any additional matters that are specific to the Client and cannot be regulated in this Policy.
Notwithstanding the foregoing, the version of the Policy that applies and will continue to apply to a particular Service Agreement will be the version of the Policy that is in effect at the time of the effective date of such Service Agreement, unless amendments are required to comply with Data Protection Laws in which case the most recent version of the Policy published on the website shall apply.
Personal data processed by K2Y
The details of the Personal Data that will be processed by K2Y on behalf of the Client, including the duration, purpose, and types and categories of Personal Data, as well as Subprocesses, if any. Where additional authorizations or consents are requested from the Client Data Subjects by the Data Protection Laws to Process the Personal Data on behalf of the Client, the Client shall collect such authorization or consent from the Client Data Subjects for the respective Processing activity of the Personal Data, as required under the Data Protection Laws.
Use of personal data
K2Y shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:
- as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of the Client, or
- as required to comply with Data Protection Laws or other laws to which K2Y is subject, in which case K2Y shall (to the extent permitted by law) inform the Client of that legal requirement before processing the Personal Data.
In addition, K2Y is allowed to use aggregated data – to the extent this can no longer be considered Personal Data and which is, therefore, not subject to the Data Protection Laws – for analyzing purposes, for the website, and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes, for developing and improving Services and products of K2Y as well as benchmarking.
Sub-processing
K2Y may be required to appoint certain third parties, including K2Y Affiliates, to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the Client authorizes K2Y to subcontract the Processing of Personal Data to sub-processors. Sub-processors are in each case subject to the terms between K2Y and the Sub-processor which are no less protective than those set out in this Policy and the Service Agreement.
K2Y will inform the Client of the details of such Sub-processor(s) upon written request from the Client. K2Y will inform the Client in advance of any intended changes concerning the addition or replacement of Sub-processors and thereby give the Client the opportunity to object to such changes. If the Client does not provide its contact details on the Sub-processors page and does not object in writing within fifteen (15) calendar days of receipt of the notice, the Client is deemed to have accepted the new Sub-processor. If the Client does object in writing within fifteen (15) calendar days of receipt of the notice, K2Y and the Client will discuss possible resolutions within a reasonable timeframe and without detriment to the Parties and to their compliance with each of their respective obligations set forth in the Services Agreement.
Where the K2Y Affiliate was to appoint another K2Y Affiliate to Process Client Personal Data on behalf of the Client, K2Y Affiliate will inform the Client in advance of such appointment and thereby give the Client an opportunity to object to such change. If the Client does not object in writing within five (5) days of receipt of the notice, the Client has been deemed to have accepted the respective K2Y Affiliate as a new Sub-processor.
Confidentiality and security
K2Y shall keep the Personal Data confidential and will ensure its staff and Sub-processors are bound by the same confidentiality obligation. K2Y shall implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and, shall take all measures required pursuant to article 32 GDPR (Security of Processing) and any other more protective corresponding requirement under the Data Protection Laws.
In assessing the appropriate level of security, K2Y shall take into account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
Co-operating with requests of the client
K2Y shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the Client that relate to the Processing of Personal Data. In particular, K2Y shall co-operate with requests that relate to Client Data Subject rights, data protection impact assessments, and Data Protection Audit rights as described below.
Client Data Subject rights: K2Y shall co-operate as requested by the Client to enable the Client to comply with its obligations with any exercise of rights by a Client Data Subject in respect of Personal Data and assist the Client in its compliance with any assessment, inquiry, notice or investigation as required under Data Protection Laws. Provided in each case that the Client shall reimburse K2Y in full for all costs (including for internal resources and any third party costs) reasonably incurred by K2Y performing its obligation to assist the Client in its compliance under this section.
Data protection impact assessment: K2Y shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Data Protection Laws, or other corresponding obligations determined by Data Protection Laws, and with any prior consultations to any Supervisory Authority of the Client which is required under Data Protection Laws, in each case in relation to Processing of Personal Data by K2Y on behalf of the Client and taking into account the nature of the processing and information available to K2Y.
Audit rights: On reasonable request and notice, K2Y will co-operate in the conduct of any Data Protection Audit or inspection, reasonably necessary to demonstrate K2Y’s compliance with the processor obligations laid down in Data Protection Laws and this Policy relating to the Service Agreement, provided always that this requirement will not oblige K2Y to provide or permit access to information concerning (i) K2Y internal pricing information; (ii) information relating to K2Y’s other Clients; (iii) any of K2Y non-public external reports, or (iv) any internal reports prepared by K2Y’s internal audit function. The Client shall avoid causing any damage, injury, or disruption to K2Y’s equipment, personnel, and business in the course of such Data Protection Audit or inspection.
A maximum of one Data Protection Audit may be activated under this section in any twelve (12) month period at no additional cost to the Client, unless (i) the audit is following up on a Personal Data Breach caused by K2Y in the same period, (ii) the Data Protection Audit request made by the Client in the same period would exceed commercially reasonable market audit standard costs and/or (iii) the Data Protection Audit request made by the Client in the same period would require the allocation of K2Y internal resources for more than one (1) business day in order to fulfill the request In the foregoing events, K2Y will promptly notify Client of such additional expected costs in advance, for which Client and K2Y will agree to such costs prior to initiating the referred Data Protection Audit request. Any further Data Protection Audit within the referred twelve (12) month period shall be at the Client’s expense. The Client’s requests provided in this section will be fulfilled in close cooperation with and under the supervision of K2Y’s Chief Security and Resilience Officer, K2Y’s Chief Privacy Officer, or similar K2Y local officials.
Deletion or return of client personal data
K2Y will, at the choice of the Client, delete or return the Personal Data at the end of the provision of the Services relating to Processing, unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice, and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided, or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by K2Y.
Incident management
K2Y shall notify the Client without undue delay after becoming aware of a Personal Data breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a Personal Data breach under Data Protection Laws.
Upon request by the Client, K2Y shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation, and remediation of each Personal Data breach, in order to enable the Client to (i) perform a thorough investigation into the Personal Data breach and provide incident details as required under Data Protection Laws, (ii) formulate a correct response and (iii) take suitable further steps in respect of the Personal Data breach in order to meet any requirement under the Data Protection Laws (“Remediation Measures”).
Liability
The Client warrants that all Personal Data processed by K2Y on behalf of the Client has been and shall be processed by the Client in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that fair notice is provided to Client Data Subjects which described the Processing to be undertaken by K2Y or its Sub-processors pursuant to the Services agreed upon in the Service Agreement.
K2Y shall be liable for the damage caused by Processing only where it has not complied with obligations of Data Protection Laws specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Client as indicated in the Service Agreement. The client shall be liable for the damage caused by Processing by Client which infringes Data Protection Laws. Client or Processor shall be exempt from liability under this section if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and where they are, under the Service Agreement, responsible for any damage caused to Client Data Subject by Processing, each Controller or Processor shall be held liable for the entire damage in order to ensure effective compensation of the Client Data Subject(s). Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controller(s) or Processor(s) involved in the same Processing that part of the compensation corresponding to their part of the responsibility for the damage, in accordance with the conditions set out in the previous paragraph.
Save for this section third paragraph, the indemnities, liabilities, and exclusions or limitations thereof set out in the Service Agreement, shall also apply to the obligations of the parties pursuant to this Policy and the Service Agreement, and in case of any conflict will prevail.