ANNEX A
Data Processing Agreement
[PARTY 1]
AND
Kivuto Solutions Inc.
THIS DATA PROCESSING AGREEMENT (herein defined as the “DPA”) is dated and entered into between:
- [PARTY 1] having its registered office at [address] (hereinafter “Data Controller”)
-and-
- Kivuto Solutions Inc. having its registered office at 126 York Street, Suite 200, Ottawa, Ontario, K1N 5T5 (hereinafter “Data Processor”)
BACKGROUND:
WHEREAS the Data Controller and the Data Processor are parties to an ongoing agreement [name and date of service agreement goes here] (the “Service Agreement”) for the provision of a [to be defined] (the “Service”) by the Data Processor to the Data Controller;
AND WHEREAS in connection with the Service Agreement, certain Personal Data concerning Data Subjects (both as defined below) may be transferred by the Data Controller to the Data Processor;
AND WHEREAS the parties desire that the terms for the processing by the Data Processor of Personal Data provided by the Data Controller pursuant to the Service Agreement be set out in a written data processing agreement;
NOW THEREFORE, in consideration of the mutual promises set out herein, and for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by each of the parties, the parties hereby agree as follows:
1. DEFINITIONS:
For the purposes of this DPA:
- “Applicable Data Protection Law” means the Personal Information Protection and Electronic Documents Act (Canada), (“PIPEDA”), An Act respecting the protection of personal information in the private sector (Québec), and any applicable laws and regulations of the European Union, including the General Data Protection Regulation 2016/679 (“GDPR”) which may apply to the terms of this DPA, and all as may be amended from time to time;
- “Data Controller” and “Data Processor” shall have the meanings as set out in Article 4(7) and (8) respectively of the GDPR, as may be amended from time to time;
- “Data Subject” means an individual who is the subject of Personal Data;
- “Personal Data” shall have the meaning set out in Article 4(1) of the GDPR;
- “Prompt Notice” shall mean within 24 hours unless otherwise expressly stated in this DPA;
- “Supervisory Authority” shall have the meaning set out in Article 4 of GDPR;
- “Third Country” shall mean a location outside of a Member State of the European Union.
2. GENERAL
- The Data Controller and the Data Processor acknowledge that for the purposes of the Applicable Data Protection Law, [PARTY 1] is the Data Controller and Kivuto Solutions Inc. is the Data Processor in respect of any Personal Data.
- This DPA is an addendum to, and forms part of, the Service Agreement, and is intended to govern any and all transfers of Personal Data concerning Data Subjects by the Data Controller to the Data Processor.
- In the event of any conflict or inconsistency between the provisions of the Service Agreement and this DPA in respect of the transfer and treatment of Personal Data, the provisions of this DPA shall prevail. For greater certainty, the provisions of the Service Agreement shall prevail in the event of any conflict or inconsistency in respect of all other terms, including, but not limited to, warranty disclaimers, the liability of the parties and the limitations thereof, indemnification, remedies and termination of this DPA.
- All of the terms, provisions and requirements contained in the Service Agreement shall remain in full force and effect and govern this DPA.
- The Data Processor shall process Personal Data only for the purposes of carrying out its obligations arising under the Service Agreement.
- Schedule 1 sets out the Data Controller’s instructions to the Data Processor in respect of the processing of the Personal Data in compliance with this DPA and with Applicable Data Protection Law. Schedule 1 is the Data Controller’s complete and final instructions at the time of execution of this DPA. Any additional or alternate instructions must be agreed upon by both parties.
- The Data Controller shall refrain from providing instructions which are not in accordance with applicable laws, including Applicable Data Protection Law, and, in the event that such instructions are given, the Data Processor is entitled to refuse to carry out such instructions.
- This DPA shall continue in force for the term of the Service Agreement, subject to Section 11.2.
3. REGULATORY COMPLIANCE
To the extent required by law or regulation:
- The Data Processor shall co-operate with the Supervisory Authority in connection with any activities performed by the Data Processor to meet its obligations under this DPA;
- The Data Controller, its auditors and the Supervisory Authority shall have effective access to data related to such activities in respect of the Personal Data transferred by the Data Controller to the Data Processor for the purposes of this DPA, as well as effective access to the Data Processor’s business premises. The parties specified in this Subsection 3.2 shall provide 60 days’ notice prior to accessing the Data Processor’s business premises, which access shall be during regular business hours.
- The Data Processor shall give Prompt Notice to the Data Controller of any development that may have a material impact on the Data Processor’s ability to perform services effectively under this DPA and in compliance with applicable laws and regulatory requirements, including Applicable Data Protection Law.
4. OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller warrants and undertakes that:
- The Personal Data has been collected, processed and transferred in accordance with the GDPR and all Applicable Data Protection Law.
- It has established a procedure for the exercise of the rights of the Data Subjects whose Personal Data has been collected;
- It will only provide to the Data Processor Personal Data for processing that has been lawfully and validly collected and ensure that such data is relevant and proportionate to the Service as set out in the Service Agreement.
- It has used reasonable efforts to determine that the Data Processor is able to satisfy its legal obligations under this DPA.
- It will respond to enquiries from Data Subjects and the Supervisory Authority concerning processing of the Personal Data by the Data Controller, unless the parties have agreed that the Data Processor will so respond, in which case the Data Controller will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Processor is unwilling or unable to respond. In either case, responses will be made within 30 days as prescribed by GDPR and in accordance with the Applicable Data Protection Law.
5. OBLIGATIONS OF THE DATA PROCESSOR
The Data Processor warrants and undertakes that:
- It will comply with all applicable law, including Applicable Data Protection Law in its performance of this DPA.
- It will only process the Personal Data on the written instructions of the Data Controller.
- Data Controller acknowledges and agrees that the Data Processor may, in the course of fulfilling its obligations under this DPA, use sub-processors to process the Personal Data, and consents to such use of sub-processors. Data Processor warrants that if it uses sub-processors, such relationships will be governed by a data processing agreement which will set out the obligations of the sub-processor.
- Data Controller acknowledges and agrees that the Data Processor may, in the course of fulfilling its obligations under this DPA, transfer Personal Data to a sub-processor in a Third Country, and consents to such transfer. The Data Processor warrants that it will legitimise such sub-processor, and satisfy itself that an adequate Data Protection system exists in such Third Country.
- It will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- It will obtain guarantees from any sub-processors processing the Personal Data that they will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- It will have in place procedures so that any individual party it authorises to have access to the Personal Data, including employees of the Data Processor, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Processor shall be obligated to process the Personal Data only on instructions from the Data Processor and in accordance with this DPA. This provision does not apply to persons authorised or required by law or regulation, including Applicable Data Protection Law, to have access to the Personal Data.
- It will not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such disclosure is necessary in order to fulfil the Data Processor’s obligations of the Service Agreement, or is required by applicable law, including Applicable Data Protection Law.
- It will notify the Data Controller of any request for information by the Supervisory Authority and will not disclose any Personal Data to the Supervisory Authority without the prior consent of the Data Controller.
- It will notify the Data Controller of any complaint, notice or communication received which relates directly or indirectly to the processing of the Personal Data, or other connected activities, or which relates directly or indirectly to the compliance of the Data Processor and/or the Data Controller with relevant applicable law, including Applicable Data Protection Law.
- It will give the Data Controller Prompt Notice of a “Personal Data breach”, within the meaning of Article 4 of the GDPR, that involves Personal Data, once becoming aware of same, and the Data Processor will cooperate with the Data Controller in implementing any appropriate action concerning the breach or the potential breach as the case may be, including corrective actions.
- It will delete from its systems all soft copies of any Personal Data and return all soft and hard copy documentation on the completion of the Service Agreement or on request from the Data Controller and will do so in a timely manner, giving a written confirmation of same having been done, if such written confirmation is requested by the Data Controller. The Data Controller acknowledges and agrees that the only exception to this Subsection 5.12 shall be where the Data Processor is required to maintain data records, as specified in Applicable Data Protection Law or other applicable law.
- It has no reason to believe, at the time of entering into this DPA, that there exists any reason that would have a substantial adverse effect on the guarantees provided for under this DPA, and it will inform the Data Controller (which will pass such notification on to the Supervisory Authority where required) if it becomes aware of any such reason.
- It will identify to the Data Controller a contact person within its organization authorised to respond to enquiries concerning processing of the Personal Data, and will cooperate in good faith with the Data Controller, the Data Subject (subject to subsection 4.5) and the Supervisory Authority concerning all such enquiries within a reasonable time.
- It will continue to comply with the obligations of Applicable Data Protection Law.
6. RIGHT OF AUDIT
Upon reasonable request of the Data Controller, the Data Processor and/or as appropriate, its sub-processors, will provide to the Data Controller (or any independent or impartial inspection agents or auditors, selected by the Data Controller and not objected to by the Data Processor) access to data processing facilities, data files and documentation used for processing to allow such party to ascertain compliance with the warranties and undertakings in this DPA, with reasonable notice and during regular business hours. For greater certainty, the data files and documentation to which access will be given shall be in respect of the Personal Data transferred by the Data Controller to the Data Processor for the purposes of this DPA. The request will be subject to any necessary consent or approval from a regulatory or Supervisory Authority within the country of the Data Controller.
7. DATA SUBJECTS’ RIGHTS
The Data Processor will assist the Data Controller, whenever reasonably required, in so far as possible, to fulfil the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights as provided under Applicable Data Protection Law and the Data Processor will have the appropriate organizational and technical measures in place to deal with Data Subject requests. The Data Processor shall be reimbursed for any time expended, at the Data Processor’s then-current rates, as follows: (a) by the Data Controller where the Data Controller’s requests are deemed by the Data Processor to be outside of the Data Processor’s standard processing activities, and (b) by the Data Subject, where the Data Subject’s requests are deemed onerous by the Data Processor.
8. LIABILITY AND INDEMNITY
- The Data Processor will not be liable for any claim brought by a Data Subject arising from any action by the Data Processor to the extent that such action arose as a result of the Data Processor having followed the Data Controller’s instructions.
- The Data Controller will not be liable for any claim brought by a Data Subject arising from any action by the Data Processor to the extent that such action arose as a result of the Data Processor not having followed the Data Controller’s instructions.
- In the event that a claim for any action or omission is brought against the Data Controller by a Data Subject arising from a breach of any material obligations under this DPA by the Data Processor (or its directors, officers, employees, agents or contractors), to the extent that such action or omission directly resulted from the Data Controller’s instructions, the Data Processor shall indemnify and keep indemnified and defend at its own expense the Data Controller in accordance with the indemnification provisions in the Service Agreement.
- In the event that a claim for any action or omission is brought against the Data Processor by a Data Subject arising from a breach of any material obligations under this DPA by the Data Controller (or its directors, officers, employees, agents or contractors), to the extent that such action or omission directly resulted from the Data Controller’s instructions, the Data Controller shall indemnify and keep indemnified and defend at its own expense the Data Processor in accordance with the indemnification provisions of the Service Agreement.
9. LAW APPLICABLE TO THIS AGREEMENT
Unless specifically prohibited by GDPR, the terms of this DPA shall be governed by and interpreted in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein, without regard to principles of conflicts of laws, and the parties submit to the exclusive jurisdiction of the courts of the Province of Ontario.
10. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR THE SUPERVISORY AUTHORITY
In the event of a dispute or claim brought by a Data Subject or the Supervisory Authority concerning the processing of the Personal Data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably and in a timely fashion.
11. TERMINATION
- In the event that either the Data Processor or the Data Controller is in breach of its obligations under this DPA, then either (a) the Data Processor may request a temporary suspension of the transfer to it of Personal Data, or (b) the Data Controller may temporarily suspend the transfer of Personal Data to the Data Processor, in either case until the breach is repaired or the Service Agreement is terminated, all in accordance with the provisions of the Service Agreement.
- In the event that:
- the transfer of Personal Data to the Data Processor has been temporarily suspended by the Data Controller for longer than one month pursuant to Subsection 11.1;
- compliance by the Data Controller or the Data Processor with this DPA would put it in breach of its legal or regulatory obligations in the country of import;
- the Data Processor or the Data Controller is in substantial or persistent breach of any warranties or undertakings given by it under this DPA;
- a final decision of a competent court of jurisdiction, against which no further appeal is possible, or of the Supervisory Authority rules that there has been a breach of this DPA by the Data Controller or the Data Processor; or
- a petition is presented for the administration or winding up of the Data Controller, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the Data Controller is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs, then (a) the Data Controller, without prejudice to any other rights which it may have against the Data Processor, and (b) the Data Processor, without prejudice to any other rights which it may have against the Data Controller, shall be entitled to terminate this DPA, in which case the Supervisory Authority shall be informed where required.
- The parties agree that the termination of this DPA in accordance with the Service Agreement (except for termination under Subsection 11.2 of this DPA) does not exempt them from the obligations and/or conditions under this DPA in respect of the processing of the Personal Data transferred prior to termination, which obligations shall survive the termination of this DPA.
- Upon termination of the Service Agreement, Data Processor shall, within 30 days, initiate the purge process to delete or anonymize the Personal Data. Upon Data Controller’s request and within 90 days of termination of the Service Agreement, the Data Processor shall provide a certificate of deletion to the Data Controller. Such certificate shall be signed by an employee of the Data Processor with direct involvement of such process. The Data Controller acknowledges and agrees that the only exception to this Subsection 10.4 shall be where the Data Processor is required to maintain data records, as specified in any applicable law. To the extent that Data Processor is required by Applicable Data Protection Law and any other applicable law to retain copies of certain Personal Data, Data Processor shall preserve the confidentiality of such Personal Data and then delete same once it is no longer legally required to retain such copies.
12. VARIATION OF THIS AGREEMENT
- This DPA may be modified upon the agreement of both parties, with such modification to be evidenced in writing, but shall not be otherwise modified or amended.
13. MISCELLANEOUS
- If any provision of this DPA is held void or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this DPA shall remain operative and binding on the parties.
- This DPA may be executed in two or more counterparts, each of which when so executed shall be deemed an original and all of which together shall constitute one and the same instrument. Signatures may be exchanged via facsimile or email transmission, each of which shall be effective as an original.
PARTY 1 | KIVUTO SOLUTIONS INC. |
---|---|
Name: _________________________ | Name: _________________________ |
Title: _________________________ | Title: _________________________ |