- GDPR COMPLIANCE: In addition to the terms at https://www.knowland.com/termsandconditions, the following are applicable to Subscribers located in the European Union.
a. Definitions. Capitalized terms used in this section shall have the meaning set forth below.
i. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and to the extent the GDPR may no longer be applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom.
ii. “EU Data Subject” shall have the meaning given to “Data Subject” under the GDPR.
iii. “EU Personal Data” means the personal data (which shall have the meaning given to “Personal Data” under the GDPR) which Subscriber or its employees provide to Knowland pursuant to this Agreement.
iv. “Data Protection Laws” means any data protection, privacy or similar laws or regulations anywhere in the world relating inter alia to the processing or other use of personal data, including the GDPR.
b. Warranty. For Service Orders entered into after May 25, 2018: Subscriber represents, warrants and undertakes that it has complied, and shall comply, with its obligations under Data Protection Laws, including, without limitation, having throughout the term of this Agreement a valid legal basis for the processing of EU Personal Data envisaged by the terms of this Agreement.
c. Indemnity. For Service Orders entered into after May 25, 2018: Subscriber agrees to indemnify, keep indemnified and defend at its own expense, Knowland against all costs, claims, damages or expenses incurred by Knowland or for which Knowland may become liable (including, without limitation, any claim brought by an EU Data Subject against, or fine imposed by a regulator upon, Knowland) due to: (i) Subscriber’s breach of any representation, warranty or undertaking contained in subsection (b) above; and (ii) any failure by Subscriber, its employees, or its agents to comply with Data Protection Laws.
d. Processing of EU Personal Data. In respect of EU Personal Data, the Parties acknowledge that Knowland acts as a Data Processor and Subscriber acts as the Data Controller (both as defined in the GDPR). Knowland shall comply with the GDPR when processing EU Personal Data and not process EU Personal Data other than on Subscriber’s instructions and as required by law. Subscriber instructs Knowland to process EU Personal Data as necessary to provide the Services to Subscriber and to perform Knowland’s obligations and exercise Knowland’s rights under this Agreement. The Knowland Privacy and Cookie Policy in section 7 sets out certain information regarding Knowland’s processing of EU Personal Data as required by Article 28(3) of the GDPR. Where Knowland receives an instruction from Subscriber that, in its reasonable opinion, infringes the GDPR, Knowland shall inform Subscriber. Subscriber acknowledges and agrees that any instructions issued by Subscriber with regards to the processing by Knowland of EU Personal Data pursuant to or in connection with this Agreement shall be strictly required for the sole purpose of ensuring compliance with the GDPR and shall not relate to the scope of, or otherwise materially change, the Services to be provided by Knowland under this Agreement. Knowland shall take reasonable steps to ensure the reliability of any Knowland personnel who may process EU Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Knowland shall in relation to EU Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Knowland shall take account in particular of the risks presented by the processing, in particular from a Personal Data Breach (as defined in the GDPR). Further:
i. Subscriber authorizes Knowland to appoint subprocessors in accordance with this section (i). Knowland may continue to use those subprocessors already engaged by Knowland as at the date of this Agreement, subject to Knowland ensuring that the arrangement between Knowland and the subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for EU Personal Data as those set out in this Agreement. Knowland shall give Subscriber prior written notice of the appointment of any new subprocessor, including reasonable details of the processing to be undertaken by the Subprocessor. If, within five business days of receipt of that notice, Subscriber notifies Knowland in writing of any objections (on reasonable grounds) to the proposed appointment, Knowland shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed subprocessor, and where such a change cannot be made within ten business days from Knowland’s receipt of Subscriber’s notice, or no commercially reasonable change is available, or Subscriber declines to bear the cost of the proposed change, notwithstanding anything in this Agreement, either party may by written notice to the other party with immediate effect terminate this Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed subprocessor. With respect to each subprocessor, Knowland shall ensure that the arrangement between Knowland and the subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for EU Personal Data as those set out in this Agreement;
ii. Knowland shall provide Subscriber with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Subscriber in fulfilling its obligation to respond to data subject requests and shall promptly notify Subscriber if Knowland receives such a request and ensure that Knowland does not respond to any such request except on the documented instructions of Subscriber (and in such circumstances, at Subscriber’s cost) or as required by applicable laws;
iii. Knowland shall notify Subscriber without undue delay upon Knowland becoming aware of a Personal Data Breach affecting EU Personal Data, providing Subscriber with sufficient information (insofar as such information is, at such time, within Knowland’s possession) to allow Subscriber to meet any obligations under the GDPR to report or inform the Personal Data Breach to affected data subjects or the relevant supervisory authority(ies) (as may be determined in accordance with the GDPR). Knowland shall at Subscriber’s sole cost and expense co-operate with Subscriber and take such reasonable commercial steps as may be directed by Subscriber to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
iv. Knowland shall provide reasonable assistance to Subscriber, at Subscriber’s cost, with any data protection impact assessments, and prior consultations with supervisory authorities, which Subscriber reasonably considers to be required of Subscriber by Article 35 or Article 36 of the GDPR, in each case solely in relation to processing of EU Personal Data by, and taking into account the nature of the processing by, and information available to, Knowland.
v. Upon the date of cessation of any Services involving the processing of EU Personal Data (the “Cessation Date”), Knowland shall immediately cease all processing of EU Personal Data for any purpose other than for storage. Subscriber hereby acknowledges and agrees that, due to the nature of the EU Personal Data Processed by Knowland, return (as opposed to deletion) of EU Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Subscriber agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected deletion, in preference of return, of the EU Personal Data. To the fullest extent technically possible in the circumstances, within 20 business days after the Cessation Date, Knowland shall either (at its option) delete or irreversibly render anonymized all EU Personal Data then within Knowland’s possession. Knowland and any subprocessor may retain EU Personal Data to the extent required by law and only to the extent and for such period as required by law and always provided that Knowland shall ensure the confidentiality of all such EU Personal Data and that such EU Personal Data is only processed as necessary for the purpose(s) specified in the law requiring its storage and for no other purpose.
vi. Knowland shall make available to Subscriber on request such information as Knowland considers reasonably appropriate in the circumstances to demonstrate its compliance with its processing of EU Personal Data pursuant to this Agreement (including any general data protection compliance and/or security audits Knowland may cause to be conducted). In the event that Subscriber (acting reasonably) is able to provide documentary evidence that the information made available by Knowland is not sufficient in the circumstances to demonstrate Knowland’s compliance with this Agreement, Knowland shall allow for and contribute to audits, including (only where strictly and demonstrably necessary in the circumstances) on premise inspections, by Subscriber or an auditor mandated by Subscriber in relation to the processing of EU Personal Data by Knowland. Subscriber shall give Knowland reasonable notice of any audit or inspection to be conducted (which shall in no event be less than 15 business days’ notice unless required by a supervisory authority) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Knowland in respect of, any damage, injury or disruption to Knowland’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Knowland’s other Subscribers or the availability of Knowland’s services to such other Subscribers) while its personnel and/or its auditor’s personnel (if applicable) are on those premises in the course of any on premise inspection.
Knowland need not give access to its premises for the purposes of such an audit or inspection unless the auditor enters into a non-disclosure agreement with Knowland on terms acceptable to Knowland and where, and to the extent that, Knowland considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Knowland’s other Subscribers or the availability of Knowland’s services to such other Subscribers. The parties shall discuss and agree the costs of any inspection or audit to be carried out by or on behalf of Subscriber in advance of such inspection or audit and, unless otherwise agreed in writing between the parties, Subscriber shall bear any third party costs in connection with such inspection or audit and reimburse Knowland for all costs incurred by Knowland and time spent by Knowland (at Knowland’s then-current professional services rates) in connection with any such inspection or audit;
vii. To the extent that any processing by either Knowland or any subprocessor of EU Personal Data involves a transfer of personal data outside the European Economic Area (“Restricted Transfer”), the parties agree that Subscriber – as “data exporter” – and Knowland or Subprocessor (as applicable) – as “data importer” – hereby enter into the Controller to Processor Standard Contractual Clauses approved by the EU Commission in respect of that Restricted Transfer and the associated processing and that: (a) Clause 9 of such Standard Contractual Clauses shall be populated as follows: “The Clauses shall be governed by the law of the Member State in which the data exporter is established.”; (b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows: “The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”; (c) Appendix 1 to such Standard Contractual Clauses being deemed to have been populated with the corresponding data processing details set out in section 17; and (d) Appendix 2 to such Standard Contractual Clauses shall be populated as follows: “The technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Section 20(d) of Data Importer’s General Terms and Conditions.” The Standard Contractual Clauses shall come into effect automatically upon the commencement of the relevant Restricted Transfer.
viii. Subscriber acknowledges and agrees that Knowland shall be freely able to use and disclose anonymized data for Knowland’s own business purposes without restriction. Subscriber warrants and represents on an ongoing basis, and further undertakes, that it shall not (and shall ensure that its personnel shall not) cause Knowland to process any Special Categories of personal data (referred to in Article 9(1) of the GDPR) or any Personal Data relating to criminal convictions or offences.