Skip to nav Skip to content

KI Data Processor Agreement

1. Terms of Agreement

1.1 This agreement supplements any existing Principal Contract(s) and makes legally binding provisions for compliance with the Data Protection Laws as set forth in this agreement. As per the requirements of relevant Data Protection Law, all processing of personal data by a processor on behalf of a controller, shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to data processing activities. The terms used in this agreement have the meanings as set out in the 'definitions' part of the document

2. Definitions

 2.1 In this Agreement, unless the text specifically notes otherwise, the below words shall have the following meanings: -

2.2 "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

2.3 "Data Protection Laws" means all applicable Data Protection Laws, including the General Data Protection Regulation (GDPR) (EU 2016/679), [Data Protection Bill] and, to the extent applicable, the data protection or privacy laws of any other country

2.4 "EEA" means the European Economic Area

2.5 "Effective Date" means that date that this agreement comes into force

2.6 "Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

2.7 “GDPR” means the General Data Protection Regulation (GDPR) (EU) (2016/679)

2.8 "Principal Contract" means the main contract between the parties named in this agreement

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

2.10 "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing

2.11 "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

"Sub Processor" means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Controller

"Supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the “GDPR

3. Obligations and Rights of the Processor

3.1 The Processor shall comply with the relevant Data Protection Laws and must: -

a) only act on the written instructions of the Controller 

b) ensure that people processing the data are subject to a duty of confidence 

c) ensure that any natural person acting under their authority who has access to personal data, does not process that data except on instructions from the Controller 

d) use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement 

e) ensure that all processing meets the requirements of the GDPR and related Data Protection Laws and is in accordance with the Data Protection Principles 

f) ensure that where a Sub-Processor is used, they: - 

i. only engage a Sub-Processor with the prior consent of the data controller 

ii. inform the controller of any intended changes concerning the addition or replacement of Sub-Processors 

iii. they implement a written contract containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws 

iv. understand that where any Sub-Processor is used on their behalf, that any failure on the part of the sub-processor to comply with the Data Protection Laws or the relevant data processing agreement, the initial processor remains fully liable to the controller for the performance of the Sub-Processor’s obligations        

g) assist the Controller in providing subject access and allowing data subjects to exercise their rights under the Data Protection Laws

h) assist the Controller in meeting its data protection obligations in relation to: - 

i. the security of processing 

ii. data protection impact assessments 

iii. the investigation and notification of personal data breaches 

i) delete or return all personal data to the Controller as requested at the end of the contract

j) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the relevant Data Protection Laws and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

k) tell the Controller immediately if they have done something (or are asked to do something) infringing the GDPR or other Data Protection Law of the EU or a member state

l) co-operate with supervisory authorities in accordance with GDPR Article 31

notify the Controller of any personal data breaches in accordance with GDPR Article 33

n) where applicable, employ a Data Protection Officer if required 

o) where applicable, appoint (in writing) a representative within the EU if required in accordance with GDPR Article 27 

3.2 Nothing within this agreement relieves the processor of their own direct responsibilities, obligations and liabilities under the General Data Protection Regulation (GDPR) or other Data Protection Laws

3.3 The Processor is responsible for ensuring that each of its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this agreement

3.4 The Processor shall maintain induction and training programs that adequately reflect the Data Protection Law requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis

3.5 Any transfers of personal data to a third country or an international organisation shall only be carried out on documented instructions from the controller; unless required to do so by Union or Member State law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing

3.6 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing: - 

a) the name and contact details of the Processor(s) and of each Controller on behalf of which the Processor is acting, and, where applicable, the data protection officer

b) the categories of processing carried out on behalf of each Controller

transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards 

d) a general description of the technical and organisational security measures referred to in Article 32(1) 

3.7 The Processor shall maintain records of processing activities in writing, including in electronic form and shall make the record available to the supervisory authority on request

3.8 When assessing the appropriate level of security and the subsequent technical and operational measures, the processor shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed 

4. Obligations and Rights of the Controller

4.1 The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship

4.2 The Controller shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory Data Protection Law requirements

4.3 The Controller shall verify that the Processor has adequate and documented processes for data breaches, data retention and data transfers in place

4.4 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the controller must verify that similar data protection agreements are in place between the initial Processor and Sub-Processor

5. Penalties & Termination

5.1 By signing this agreement, the Processor confirms that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the agreement terms or breach the Data Protection Laws. If the processor fails to meet their obligations, they may be subject to: - 

a) investigative and corrective powers of supervisory authorities under Article 58 of the GDPR 

b) an administrative fine under Article 83 of the GDPR

c) a penalty under Article 84 of the GDPR

d) pay compensation under Article 82 of the GDPR

5.2 The Controller or Processor can terminate this agreement in writing giving thirty days’ notice. The notice of termination shall be addressed to the undersigned. 

Signed on behalf of the Controller:

Name: Jonathan M. Hindle

Position: Group Managing Director - EMEA

Company: KI (UK) Limited

Company Address: New Fetter Place, 8-10 New Fetter Lane, London EC4A 1AZ

Date: 28 March 2018 

Signed on behalf of the Processor:
Please fill in form:
* - required fields

KI's Privacy Notice

KI Data Processor Agreement

By clicking "Accept All Cookies," you agree to the storing of cookies on your device to enhance site navigation, analyse site usage and assist in marketing efforts. For more information, see our Privacy policy.

Accept All Cookies