These Data Processing Terms and Conditions (“Data Processing Terms”) apply to the Processing of Personal Data by KYOCERA Document Solutions Europe Management B.V. or its Sales Companies, authorized dealers, distributors and resellers (“KYOCERA”) who provide the Kyocera Cloud Capture (“KCC”, “Services”).
These Data Processing Terms serve as the binding contract within the meaning of Article 28 (3) GDPR and set out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and Categories of Data Subjects and the obligations and rights of the Controller and is supplemented by the terms and conditions stated in the agreement between KYOCERA and Customer applicable to the Services (“Agreement”).
Customer acts as Controller and KYOCERA as Processor with respect to the
Processing of Personal Data under the Agreement and these Data Processing Terms, or, as the case may be, Customer acts as a Processor for its end-customers and KYOCERA acts as sub-Processor of Customer acting on instruction of Customer vis-à-vis its end-customers.
Article 1 : Definitions
The terms that have been identified in these Data Processing Terms by a capital letter have the following meaning (words in the singular include the plural and vice versa), or, if not stated below, have the meaning given to it in the GDPR:
1.1 “Customer” means the KYOCERA customer, on its own behalf and as required, in the name and on behalf of its affiliated companies, as named in the Agreement.
1.2 “Data Protection Laws” means all laws and regulations, including but not limited to the GDPR, that are applicable to the Processing of Personal Data under the Agreement.
1.3 “GDPR” means General Data Protection Regulation, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
1.4 “KYOCERA Affiliate” means a Sales Company of Kyocera Document Solutions Europe Management B.V. as listed in Annex 2 and a Sales Company’s and Kyocera Document Solutions Europe Management B.V.’s authorised dealers and distributors.
1.5 “Services” means the services to be performed by KYOCERA in accordance with, and as specified in the Agreement.
1.6 “Standard Contractual Clauses” means , the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 and any subsequent model clauses.
1.7 “Sub-Processor” means any Processor engaged by KYOCERA.
1.8 “TOMs” means the technical and organizational measures required pursuant to Article 32 GDPR.
Article 2 : Personal Data Processing
2.1 Instructions. KYOCERA shall only Process Personal Data in accordance with Customer’s written instructions, which are the provision of Services as specified in the Agreement. Customer shall ensure that all instructions provided by Customer to KYOCERA pursuant to these Data Processing Terms and the Agreement will be in accordance with the Data Protection Laws. Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired
Personal Data.
2.2 Details of Processing. Annex 1 to these Data Processing Terms sets out certain information regarding the Processing of Personal Data.
2.3 Compliance with Data Protection Laws. KYOCERA shall comply with applicable Data Protection Laws in the Processing of Personal Data.
2.4 Confidentiality. KYOCERA shall keep the Personal Data strictly confidential and shall not transmit, disseminate or otherwise transfer Personal Data to third parties unless agreed to under Section 3, on written instruction of Customer, for the purpose of the performance of the Agreement or unless required to do so by applicable laws to which KYOCERA is subject. In the latter case, KYOCERA shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest, in which case KYOCERA shall inform Customer within 24 hours after KYOCERA knew or should have known of the legal requirement.
Article 3: Sub-Processors
3.1 Appointment. Customer acknowledges and agrees that (a) KYOCERA Affiliates may be retained as Sub-Processors; and (b) KYOCERA and KYOCERA Affiliates respectively may engage third-party Sub-Processors in connection with the provision of Services. A list of appointed Sub-Processors is added in Annex 1 and may be amended from time-to-time at KYOCERA’s sole discretion, but providing at least two (2) weeks’ notice to Customer by publication of the proposed Sub-Processor(s) on the Kyocera website.
3.2 Sub-Processor obligations. For the purpose of sub-processing, KYOCERA shall enter into written agreements with its Sub-Processors, which agreements shall include as a minimum the same obligations as to which KYOCERA is bound to under these Data Processing Terms, and shall in particular include an obligation of the Sub-Processor to implement appropriate TOMs to meet the requirements of applicable Data Protection Laws.
3.3 Right to object new Sub-Processors. Customer may object to KYOCERA’s use of a new Sub-Processor by notifying KYOCERA promptly in writing, but in any case within two (2) weeks after publication of the proposed changes on the KYOCERA website. In the event of a reasonable objection, KYOCERA shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services, which avoids the Processing of Personal data by that proposed Sub-Processor. If KYOCERA is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the Agreement with respect only to those Services, which cannot be provided by KYOCERA without the use of the proposed Sub-Processor by providing written notice to KYOCERA.
3.4 Liability. KYOCERA shall be liable for the acts and omissions of its Sub-Processors to the same extent KYOCERA would be liable if performing the services of each Sub-Processor directly under the term of these Data Processing Terms.
Article 4: KYOCERA personnel
4.1 Confidentiality. KYOCERA ensures that its personnel engaged in the Processing of Personal Data under the Agreement are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities. KYOCERA also ensures that it has executed written confidentiality agreements with its personnel engaged in the Processing of Personal Data in regards to the Processing of that Personal Data. KYOCERA ensures that the confidentiality obligations under such written confidentiality agreements survive the termination of the personnel engagement.
4.2 Reliability. KYOCERA shall take all reasonable steps to ensure the reliability of the KYOCERA personnel engaged in the Processing of Personal Data.
4.3 Limitation of access. KYOCERA ensures that KYOCERA’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4 DPO. KYOCERA appointed a DPO, to the extent that the applicable Data Protection Laws require the appointment of a DPO. The KYOCERA DPO can be reached via the contact details as provided in Annex 2.
Article 5 : Data security and inspection
5.1 Security. KYOCERA shall take all technical and organisational security measures which are reasonably required to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons involved. An overview of the technical and organisational security measures is provided in Annex 3. To maintain an appropriate level of security, KYOCERA may regularly update this overview,
without prior notice.
5.2 Audit. KYOCERA shall allow Customer to conduct an audit of the technical and organisational security measures utilised by KYOCERA for the Processing of Personal Data (the “Audit”). The Audit may be conducted once per calendar year, or any number of times per year in case of reasonable suspicion of breach of these Data Processing Terms or at the instruction or request of an applicable Supervisory Authority, during the regular business hours of KYOCERA. Customer shall give KYOCERA reasonable notice of any Audit to be conducted under this Section 5.2 and shall ensure that each of its mandated Auditors takes reasonable endeavours to avoid causing or, if it cannot avoid, to minimise any damage, injury or disruption to KYOCERA's premises, equipment, personnel and business while its personnel are on those premises in the course of the Audit. The purpose of the Audit shall be to verify whether Personal Data is Processed by KYOCERA in accordance with these Data Processing Terms and the Agreement (“Purpose”). The Audit will be conducted by an auditor (“Auditor”), who is not a competitor of KYOCERA, selected by Customer who, in the reasonable judgment of Customer, is neutral and possesses the technical knowledge and skills required to conduct the Audit. Customer shall ensure that the auditor is held to maintain confidentiality with respect to its findings. Solely for the Purpose of the Audit, KYOCERA shall grant the Auditor access to its premises, relevant employees, systems and documents.
5.3 Audit costs. Customer shall pay for all costs, remunerations, fees and expenses in relation to the Audit, except for internal costs made by KYOCERA in relation to the Audit. If the Audit reveals any material non-compliance by KYOCERA, KYOCERA shall reimburse all actual and reasonable costs of Customer in relation to the Audit.
5.4 Audit results. Customer shall provide KYOCERA with a copy of the report of the Auditor. In case the report reveals a default by KYOCERA in the performance of its obligations pursuant to this Agreement or a violation of applicable Personal Data Protection Laws, KYOCERA will promptly cure such default and/or omit the violation and provide Customer with confirmation thereof in writing.
Article 6 : Data Subject Requests
6.1 TOMs. Taking into account the nature of the Processing, KYOCERA shall assist Customer by appropriate TOMs, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the GDPR or other applicable Data Protection Laws.
6.2 Data Subject Requests. KYOCERA shall, to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, KYOCERA shall upon Customer’s request provide reasonable efforts to assist Customer in responding to such Data Subject Request to the extent KYOCERA is legally permitted to do so and the response to such Data Subject Request is required under the GDPR or other Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from KYOCERA’s provision of such
assistance.
Article 7 : Personal Data Breach
7.1 Notification. To the extent as permitted by law, KYOCERA shall promptly, after it becomes aware, notify Customer of any actual or reasonably suspected Personal Data Breach by KYOCERA or its Sub-Processor(s). The notification shall as a minimum include the information as stipulated in Article 28(3) of the GDPR.
7.2 Remedy. To the extent the Personal Data Breach is caused by a violation by KYOCERA or its Sub-Processors of the requirements of these Data Processing Terms, the Agreement or applicable Data Protection Laws, KYOCERA shall, taking into account the nature of the Personal Data Breach and the risk of varying likelihood and severity for the rights and freedoms of natural persons involved, at the instruction of Customer make all efforts to identify and remediate the cause of the Personal Data Breach, to mitigate the risks to the rights and freedoms of natural persons involved and to further assist Customer with any reasonable request in its compliance with Data Protection Laws on Personal Data Breaches.
7.3 Further assistance. To the extent that the Personal Data Breach is not caused by a violation by KYOCERA or its Sub-Processors of the requirements of these Data Processing Terms, the Agreement or applicable
Data Protection Laws, KYOCERA shall provide all reasonable assistance, taking into account the nature of the Personal Data Breach and the risk of varying likelihood and severity for the rights and freedoms of natural persons involved, to Customer in Customer’s handling of the Personal Data Breach. Customer shall be responsible for any costs arising from KYOCERA’s provision of such assistance.
Article 8 : Data Protection Impact Assessments and Prior Consultation
KYOCERA shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory authorities, which Customer reasonably considers to be required of KYOCERA by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, KYOCERA.
Article 9 : Standard Contractual Clauses
9.1 Applicability. Where KYOCERA transfers personal data to Sub-Processors located outside the EU and where such transfers are not based on an adequacy decision pursuant to Article 45 GDPR, KYOCERA has ensured the conclusion Standard Contractual Clauses and, where necessary, supplementary measures to ensure an adequate level of data protection. The Standard Contractual Clauses with the Sub-Processor are concluded for and on behalf of Customer, or as the case may be, Customer’s end-customer and Customer, as the case may be, represents and warrants that it has been duly and effectively authorized by the end-customer to represent him. Where the Sub-Processor that is subject to Standard Contractual Clauses has engaged other Sub-Processors, the Sub-Processor as indicated in the Standard Contractual Clauses has concluded Standard Contractual Clauses with such Sub-Processors where required. A copy of the applicable Standard Contractual Clauses may be retrieved using the contact details stated in Annex 2.
9.2 Amendment. In the event that a change in Sub-Processor takes place pursuant to section 3 of these Data Processing Terms, the Standard Contractual Clauses may be updated accordingly at KYOCERA’s sole discretion.
9.3 Conflict. In the event of any conflict or inconsistency between these Data Processing Terms and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
9.4 Duration. The Standard Contractual Clauses with the various Sub-Processors remain in effect until a positive adequacy decision between the EU and the relevant country pursuant to Article 45(3) GDPR, after which the concluded Standard Contractual Clauses pursuant to section 9.1 of these Data Processing Terms become null and void.
Article 10 : Deletion and return
At the choice of Customer, KYOCERA shall delete or return the Personal Data to Customer after the provisioning of Services under the Agreement related to the Processing of Personal Data has ended.
Article 11 : Liability
Each Party and its Affiliates’ liability arising out of or related to these Data Processing Terms (whether in contract, tort or under any other theory of liability), is subject to the liability limitations as agreed in the Agreement.
Article 12 : Preference over Agreement
Except as amended by these Data Processing Terms, the Agreement remains in full force and effect. If there is a conflict between the Agreement and these Data Processing Terms, the terms and conditions of these Data Processing Terms shall prevail.
Article 13 : Prevailing Language
The English version of this Data Processing Terms and Conditions represents the understanding of both Parties. In the event any translation of this document is prepared for convenience or any other purpose, the provisions of English version shall prevail.
ANNEX 1:
Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Name of the Service: Kyocera Cloud Capture
Subject Matter of the Processing:
Kyocera Cloud Capture (KCC) is a cloud-based web application that allows users to easily scan, clean, classify, index and convert scanned jobs in order to reduce the manual process involved in document classification. KDEM processes Personal Data in the course of providing KCC.
The duration of the Processing of the Personal Data is set out in the Agreement and this Data Processing Agreement.
Nature and Purpose of the Processing:
Customers are Data Controllers within the meaning of Article 4.7 GDPR. KDEM, as Data Processor within the meaning of Article 4.8 GDPR, provides support services and may have access to personal data inserted by KCC’s users. KDC provides the hosting services of KCC on Google Cloud servers located in Belgium. Further, KDC answers customers’ support requests and, on a case-by-case basis, transfers customers’ support requests to KDDA, located in California, USA
Types of Personal Data to be Processed:
- Users/User profiles: User name and password
- Devices: IP addresses, serial number, hostname, Admin pin code
- Organization events: Organization email address
- Uploaded files/scanned jobs: folder name, filename, document/image itself
- Proxy information
- Metadata of uploaded files/scanned jobs:
- Attributes (may include first name, last name, address, phone number and email address)
- File name
- Creator/Editor (first name, last name, user name)
Category of Affected Data Subjects:
- Data Controller’s (Customers’) employees
Sub-Processors:
KYOCERA Document Solutions Europe Management B.V. and its EU subsidiaries engage both KYOCERA entities and third parties as sub-processors to deliver the Services. Here you find a list of sub-processors who may process personal data to deliver the Services. By agreeing to this Data Processing Terms and Conditions you agree all of these Sub-Processors may have access to Customer Data as set out below.
