KYOCERA Document Solutions
These Data Processing Terms and Conditions (“Data Processing Terms”) apply to the Processing of Personal Data by KYOCERA Document Solutions Europe Management B.V. or its Affiliates, authorized dealers, distributors and resellers (“KYOCERA”) who provide the Cotopat software application (Cotopat).
These Data Processing Terms serve as the binding contract within the meaning of Article 28 (3) GDPR and set out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and Categories of Data Subjects and the obligations and rights of the Controller and are supplemented by the terms and conditions stated in the agreement between KYOCERA and Customer applicable to the Services (“Agreement”).
Customer acts as Controller and KYOCERA as Processor with respect to the Processing of Personal Data under the Agreement and these Data Processing Terms.
Article 1
Definitions
The terms that have been identified in these Data Processing Terms by a capital letter have the following meaning (words in the singular include the plural and vice versa), or, if not stated below, have the meaning given to it in the GDPR:
1.1 “Customer” means the KYOCERA customer as identified in the Agreement.
1.2 “Data Protection Laws” means all laws and regulations, including but not limited to the GDPR, that are applicable to the Processing of Personal Data under the Agreement.
1.3 “GDPR” means General Data Protection Regulation, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
1.4 “KYOCERA Affiliate” means a Sales Company of Kyocera Document Solutions Europe Management B.V. as listed in Annex 2, Kyocera Document Solutions Europe Management B.V.’s authorised dealers and distributors, and Kyocera Document Solutions Inc. with its registered office in Osaka, Japan, which is the parent company of Kyocera Document Solutions Europe Management B.V.
1.5 “Services” means the services to be performed by KYOCERA in accordance with, and as specified in the Agreement.
1.6 “Standard Contractual Clauses” means the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/91 and any subsequent model clauses.
1.7 “Sub-Processor” means any Processor engaged by KYOCERA.
1.8 “TOMs” means the technical and organizational measures required pursuant to Article 32 GDPR.
Article 2
Personal Data Processing
2.1 Instructions. KYOCERA shall only Process Personal Data in accordance with Customer’s written instructions, which are the provision of Services as specified in the Agreement. Customer shall ensure that all instructions provided by Customer to KYOCERA pursuant to these Data Processing Terms and the Agreement will be in accordance with the Data Protection Laws. Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.2 Details of Processing. Annex 1 to these Data Processing Terms sets out certain information regarding the Processing of Personal Data.
2.3 Compliance with Data Protection Laws. KYOCERA shall comply with applicable Data Protection Laws in the Processing of Personal Data.
2.4 Confidentiality. KYOCERA shall keep the Personal Data strictly confidential and shall not transmit, disseminate or otherwise transfer Personal Data to third parties unless agreed to under Section 3, on written instruction of Customer, for the purpose of the performance of the Agreement or unless required to do so by applicable laws to which KYOCERA is subject. In the latter case, KYOCERA shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest, in which case KYOCERA shall inform Customer within 24 hours after KYOCERA knew or should have known of the legal requirement.
Article 3
Sub-Processors
3.1 Appointment. Customer acknowledges and agrees that (a) KYOCERA Affiliates may be retained as Sub-Processors; and (b) KYOCERA and KYOCERA Affiliates respectively may engage third-party Sub-Processors in connection with the provision of Services. A list of appointed Sub-Processors is added in Annex 1 and may be amended from time-to-time at KYOCERA’s sole discretion, but providing at least two (2) weeks’ notice to Customer by publication of the proposed Sub-Processor(s) on the Kyocera website.
3.2 Sub-Processor obligations. For the purpose of sub-processing, KYOCERA shall enter into written agreements with its Sub-Processors, which agreements shall include as a minimum the same obligations as to which KYOCERA is bound to under these Data Processing Terms, and shall in particular include an obligation of the Sub-Processor to implement appropriate TOMs to meet the requirements of applicable Data Protection Laws.
3.3 Right to object new Sub-Processors. Customer may object to KYOCERA’s use of a new Sub-Processor by notifying KYOCERA promptly in writing, but in any case within two (2) weeks after publication of the proposed changes on the KYOCERA website. In the event of a reasonable objection, KYOCERA shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services, which avoids the Processing of Personal data by that proposed Sub-Processor. If KYOCERA is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the Agreement with respect only to those Services, which cannot be provided by KYOCERA without the use of the proposed Sub-Processor by providing written notice to KYOCERA.
3.4 Liability. KYOCERA shall be liable for the acts and omissions of its Sub-Processors to the same extent KYOCERA would be liable if performing the services of each Sub-Processor directly under the term of these Data Processing Terms.
Article 4
KYOCERA personnel
4.1 Confidentiality. KYOCERA ensures that its personnel engaged in the Processing of Personal Data under the Agreement are informed of the confidential nature of the Personal Data. KYOCERA also ensures that it has executed written confidentiality agreements with its personnel engaged in the Processing of Personal Data in regards to the Processing of that Personal Data. KYOCERA ensures that the confidentiality obligations under such written confidentiality agreements survive the termination of the personnel engagement.
4.2 Reliability. KYOCERA shall take all reasonable steps to ensure the reliability of the KYOCERA personnel engaged in the Processing of Personal Data.
4.3 Limitation of access. KYOCERA ensures that KYOCERA’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4 DPO. KYOCERA appointed a DPO, to the extent that the applicable Data Protection Laws require the appointment of a DPO. The KYOCERA DPO can be reached via the contact details as provided in Annex 2.
Article 5
Data security and inspection
5.1 Security. KYOCERA shall take all technical and organisational security measures which are reasonably required to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons involved. An overview of the technical and organisational security measures is provided in Annex 3. To maintain an appropriate level of security, KYOCERA may regularly update this overview, without prior notice.
5.2 Audit. KYOCERA shall allow Customer to conduct an audit of the technical and organisational security measures utilised by KYOCERA for the Processing of Personal Data (the “Audit”). The Audit may be conducted once per calendar year, or any number of times per year in case of reasonable suspicion of breach of these Data Processing Terms or at the instruction or request of an applicable Supervisory Authority, during the regular business hours of KYOCERA. Customer shall give KYOCERA reasonable notice of any Audit to be conducted under this Section 5.2 and shall ensure that each of its mandated Auditors takes reasonable endeavours to avoid causing or, if it cannot avoid, to minimise any damage, injury or disruption to KYOCERA's premises, equipment, personnel and business while its personnel are on those premises in the course of the Audit. The purpose of the Audit shall be to verify whether Personal Data is Processed by KYOCERA in accordance with these Data Processing Terms and the Agreement (“Purpose”). The Audit will be conducted by an auditor (“Auditor”), who is not a competitor of KYOCERA, selected by Customer who, in the reasonable judgment of Customer, is neutral and possesses the technical knowledge and skills required to conduct the Audit. Customer shall ensure that the auditor is held to maintain confidentiality with respect to its findings. Solely for the Purpose of the Audit, KYOCERA shall grant the Auditor access to its premises, relevant employees, systems and documents.
5.3 Audit costs. Customer shall pay for all costs, remunerations, fees and expenses in relation to the Audit, except for internal costs made by KYOCERA in relation to the Audit. If the Audit reveals any material non-compliance by KYOCERA, KYOCERA shall reimburse all actual and reasonable costs of Customer in relation to the Audit.
5.4 Audit results. Customer shall provide KYOCERA with a copy of the report of the Auditor. In case the report reveals a default by KYOCERA in the performance of its obligations pursuant to this Agreement or a violation of applicable Personal Data Protection Laws, KYOCERA will promptly cure such default and/or omit the violation and provide Customer with confirmation thereof in writing.
Article 6
Data Subject Requests
6.1 TOMs. Taking into account the nature of the Processing, KYOCERA shall assist Customer by appropriate TOMs, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the GDPR or other applicable Data Protection Laws.
6.2 Data Subject Requests. KYOCERA shall, to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, KYOCERA shall upon Customer’s request provide reasonable efforts to assist Customer in responding to such Data Subject Request to the extent KYOCERA is legally permitted to do so and the response to such Data Subject Request is required under the GDPR or other Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from KYOCERA’s provision of such assistance.
Article 7
Personal Data Breach
7.1 Notification. To the extent as permitted by law, KYOCERA shall promptly, after it becomes aware, notify Customer of any actual or reasonably suspected Personal Data Breach by KYOCERA or its Sub-Processor(s). The notification shall as a minimum include the information as stipulated in Article 28(3) of the GDPR.
7.2 Remedy. To the extent the Personal Data Breach is caused by a violation by KYOCERA or its Sub-Processors of the requirements of these Data Processing Terms, the Agreement or applicable Data Protection Laws, KYOCERA shall, taking into account the nature of the Personal Data Breach and the risk of varying likelihood and severity for the rights and freedoms of natural persons involved, at the instruction of Customer make all efforts to identify and remediate the cause of the Personal Data Breach, to mitigate the risks to the rights and freedoms of natural persons involved and to further assist Customer with any reasonable request in its compliance with Data Protection Laws on Personal Data Breaches.
7.3 Further assistance. To the extent that the Personal Data Breach is not caused by a violation by KYOCERA or its Sub-Processors of the requirements of these Data Processing Terms, the Agreement or applicable Data Protection Laws, KYOCERA shall provide all reasonable assistance, taking into account the nature of the Personal Data Breach and the risk of varying likelihood and severity for the rights and freedoms of natural persons involved, to Customer in Customer’s handling of the Personal Data Breach. Customer shall be responsible for any costs arising from KYOCERA’s provision of such assistance.
Article 8
Data Protection Impact Assessments and Prior Consultation
KYOCERA shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory authorities, which Customer reasonably considers to be required of KYOCERA by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, KYOCERA.
Article 9
Standard Contractual Clauses
9.1 Applicability. Where KYOCERA transfers personal data to Sub-Processors located outside the EU and where such transfers are not based on an adequacy decision pursuant to Article 45 GDPR, KYOCERA has ensured the conclusion Standard Contractual Clauses and, where necessary, supplementary measures to ensure an adequate level of data protection. Where the Sub-Processor that is subject to Standard Contractual Clauses has engaged other Sub-Processors, the Sub-Processor as indicated in the Standard Contractual Clauses has concluded Standard Contractual Clauses with such Sub-Processors where required. A copy of the applicable Standard Contractual Clauses may be retrieved using the contact details stated in Annex 2.
9.2 Conflict. In the event of any conflict or inconsistency between these Data Processing Terms and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
9.3 Amendment. In the event that a change in Sub-Processor takes place pursuant to section 3 of these Data Processing Terms, the Standard Contractual Clauses may be updated accordingly at KYOCERA’s sole discretion.
Article 10
Deletion and return
At the choice of Customer, KYOCERA shall delete or return the Personal Data to Customer after the provisioning of Services under the Agreement related to the Processing of Personal Data has ended.
Article 11
Liability
Each Party and its Affiliates’ liability arising out of or related to these Data Processing Terms whether in contract, tort or under any other theory of liability, is subject to the liability limitations as agreed in the Agreement.
Article 12
Preference over Agreement
Except as amended by these Data Processing Terms, the Agreement remains in full force and effect. If there is a conflict between the Agreement and these Data Processing Terms, the terms and conditions of these Data Processing Terms shall prevail.
Article 13
Prevailing Language
The English version of this Data Processing Terms and Conditions represents the understanding of both Parties. In the event any translation of this document is prepared for convenience or any other purpose, the provisions of English version shall prevail.
ANNEX 1:
Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Name of the Service: Cotopat | ||||||||||||
Subject Matter of the Processing: Processing of audio data for the purpose of real-time transcription, translation, and summarization of conversations. | ||||||||||||
Nature and Purpose of the Processing: KYOCERA processes Personal Data in the course of providing Cotopat. The provision of Cotopat includes that KYOCERA is hosting Customer’s Personal Data in the cloud, this is only when customers wish to record the conversation for its summarization. In case Customer issues a support request, KYOCERA may have remote access to Customer’s Personal Data when providing requested support services. Further, for real-time transcription, translation, and summarization of conversations KYOCERA provides Customer’s with Google APIs (Speech-to-Text API, Vertex AI API and Google Translation API). | ||||||||||||
Types of Personal Data to be Processed: 1. To provide Customers with Cotopat account KYOCERA process an email address of the account administrator. 2. To convert conversation to text KYOCERA uses Google Speech-to-Text*, the following types of personal data are processed: · Audio data: may contain voices, names, or other spoken identifiers. · Transcriptions: text output of the spoken content, which may include: o Names o Contact details o Personal opinions o Sensitive information (e.g., health, financial, legal) · Metadata: such as the time the request was received and the size of the request * Google processes audio data in memory and does not store any Customer data. 3. For the provision of the translation of both transcription and conversation summary KYOCERA uses Google Translation API*, the following types of personal data are processed: · Conversational text to be translated: may include personal or sensitive information if present in the transcription. · Translated output: may also contain personal data if it was present in the original text. * Translation API processes data in memory only and does not store the text or translations by default. 4. For the provision of conversation summarization KYOCERA uses Google Vertex AI*, the following types of personal data are processed: · Input text: transcribed and translated text passed to the model for summarization. · Generated summaries: may contain condensed personal or sensitive information. *Input data is cached for up to 24 hours by default. KYOCERA does not use grounding with Google Search. | ||||||||||||
Category of Affected Data Subjects: · Data Controller’s (Customers’) employees and persons who interact using the Cotopat. | ||||||||||||
Sub-Processors: KYOCERA Document Solutions Europe Management B.V. and KYOCERA Affiliates engage both KYOCERA Affiliates and third parties as sub-processors to deliver the Services. Here you find a list of sub-processors who may process Personal Data to deliver the Services. By agreeing to this Data Processing Terms and Conditions you agree that all of these Sub-Processors may have access to Personal Data as set out below.
* Personal Data is not automatically transferred to these sub-processors. In many cases the local service engineer can service the KYOCERA device without further assistance from sub-processors. Depending on the service request, the Personal Data may be sent to one or more of these sub-processors. |
Annex 2: KYOCERA Document Solutions Europe B.V. Sales Companies
If KYOCERA Sales Company is not located in the country where Customer is located, then these Data Processing Terms apply to KYOCERA Document Solutions Europe Management B.V.
KYOCERA Document Solutions Europe Management B.V.
Attn.: Data Protection Officer
Beechavenue 27
1119 RA Schiphol-Rijk
The Netherlands
1) KYOCERA Document Solutions Belgium N.V., Sint-Martinusweg 199-201, 1930 Zaventem, Belgium,
2) KYOCERA Document Solutions Danmark A/S, Ejby Industrivej 60, 2600 Glostrup, Danmark,
3) KYOCERA Document Solutions Finland Oy, Atomitie 5, 00370 Helsinki, Finland,
4) KYOCERA Document Solutions France S.A.S., Espace Technologique de Saint Aubin, Route de l’Orme, 91195 Gif sur Yvette Cedex, France, e: privacy@dfr.kyocera.com
5) KYOCERA Document Solutions Deutschland GmbH, Otto-Hahn-Str. 12, 40670 Meerbusch, Germany, e: datenschutz@dde.kyocera.com
6) AKI GmbH, Berliner Pl. 9, 97080 Würzburg, Germany, e: datenschutz@dde.kyocera.com
7) KYOCERA Document Solutions Austria GmbH, Wienerbergstr. 11, Tower A/18th floor, 1100 Vienna, Austria, e: datenschutz@dat.kyocera.com
8) KYOCERA Document Solutions Italia S.p.A., Via Monfalcone, 15, 20132 Milano (MI), Italy,
9) KYOCERA Document Solutions Nederland B.V., Beechavenue 25, 1119 RA Schiphol-Rijk,
The Netherlands, e: privacy@dnl.kyocera.com
10) KYOCERA Document Solutions Portugal Lda., Rua do Centro Cultural, 41 (Alvalade),
1700-106 Lisboa, Portugal, e: privacy@dpt.kyocera.com
11) KYOCERA Document Solutions Russia L.L.C., Building 2, 51/4, Schepkina St., 129110 Moscow, Russian Federation, e: privacy@deu.kyocera.com
12) KYOCERA Document Solutions South Africa Holdings (Pty) Ltd., KYOCERA House, Hertford Office Park, 90 Bekker Road CNR, Allandale, Vorna Valley, 1682, Midrand, South Africa,
13) KYOCERA Document Solutions South Africa (Pty) Ltd., KYOCERA House, Hertford Office Park, 90 Bekker Road CNR, Allandale, Vorna Valley, 1682, Midrand, South Africa,
14) KYOCERA Document Solutions España S.A., Edificio Kyocera, Avda. de Manacor No.2, 28290 Las Matas (Madrid), Spain, e: privacy@des.kyocera.com
15) KYOCERA Document Solutions Nordic AB, Esbogatan 16B, 164 75 Kista, Sweden,
16) KYOCERA Document Solutions Europe B.V. - Swiss Branch Office, Hohlstrasse 614, 8048 CH Zürich, Switzerland, e: privacy@deu.kyocera.com
17) KYOCERA Document Solutions (U.K.) Ltd., Eldon Court, 75-77 London Road, Reading, Berkshire RG1 5BS, United Kingdom, e: privacy@duk.kyocera.com
18) Midshire Communications Limited, Eldon Court, 75-77 London Road, Reading, Berkshire, England, RG1 5BS, e: privacy@duk.kyocera.com
19) KYOCERA Bilgitaş Turkey Doküman Çözümleri A.Şeldon , Gülbahar Mah. Otello Kamil Sok. No:6 34394 ŞİŞLİ, Istanbul, Turkey, e: privacy@deu.kyocera.com
20) Annodata Ltd., The Maylands Building, Maylands Avenue, Hemel Hempstead Industrial Estate, Hemel Hempstead, Hertfordshire HP2 7TG, e: privacy@duk.kyocera.com
21) ALOS Handels GmbH, Dieselstraße 17, 50859 Köln, Germany, e: datenschutz@dde.kyocera.com
22) ALOS Solution AG, Bachstrasse 29, 8912 Obfelden, Switzerland, e: datenschutz@dde.kyocera.com
23) KYOCERA Document Solutions Czech , s.r.o., Harfa Office Park Českomoravská 2420/15, 9, 190 00, Prague, Czech Republic, e: privacy@deu.kyocera.com
24) KYOCERA Document Solutions Czech – Slovak Branch Office, Rybnicna 40, Bratislava 831 06, Slovakia, e: privacy@deu.kyocera.com
KYOCERA Document Solutions Middle East, Office 157, Building 17 behind Gloria Hotel, P.O. Box 500817, Dubai, UAE, e: privacy@deu.kyocera.com
Annex 3: KYOCERA Document Solutions Europe B.V. Technical and Organisational Measures
If your organization requires a review of Technical and Organizational Measures, please contact the Kyocera representative in your region.