Data Protection Schedule
1. DEFINITIONS AND INTERPRETATION
1.1. In this Data Protection Schedule, both the definitions in the User Agreement and the following definitions shall apply:
1.1.1. Controller shall have the meaning given in Article 4 of the UK GDPR and includes any equivalent role under the Personal Data (Privacy) Ordinance (PDPO) in Hong Kong.
1.1.2. Data Subject means an identified or identifiable natural person who is the subject of any Personal Data.
1.1.3. Data Protection Laws means:
- The Data Protection Act 2018;
- The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the Data Protection Regulations);
- The General Data Protection Regulation (EU) 2016/679 (as applicable);
- The UK GDPR (as defined in the Data Protection Regulations) (and any respective local implementing laws);
- The Privacy and Electronic Communications Directive 2002/58/EC (and any respective local implementing laws);
- The Personal Data (Privacy) Ordinance (Cap. 486 of the laws of Hong Kong) (PDPO);
- Any amended, replaced, or superseded laws and regulations from time to time, to the extent that these are applicable to the processing of Personal Data by either Party.
1.1.4. Inadequate Country means a country that is (i) outside the UK, (ii) outside the European Economic Area, and (iii) not designated by the European Commission, UK Government, or Hong Kong authorities as ensuring an appropriate level of protection for the purposes of Article 45 of the GDPR or equivalent laws in Hong Kong.
1.1.5. Personal Data shall have the meaning given in Article 4 of the UK GDPR and section 2(1) of the PDPO.
1.1.6. Processor shall have the meaning given in Article 4 of the UK GDPR and the PDPO where applicable.
1.1.7. Provided Personal Data means, in relation to either Party, Personal Data provided to it by the other Party.
1.1.8. Sub-processor means a natural or legal person, public authority, agency, or any other body contracted by KYCIC or its data provider to process Provided Personal Data.
1.1.9. Supervisory Authority shall have the meaning given in Article 4 of the UK GDPR and, where applicable, includes the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong.
2. WHERE A PARTY IS A CONTROLLER
2.1. Where the Data Protection Laws determine that a party is a Controller in relation to any Provided Personal Data, the party undertakes to:
2.1.1. comply with Data Protection Laws when processing Provided Personal Data, including both the UK GDPR and PDPO as applicable;
2.1.2. rely on a valid legal ground under Data Protection Laws for its processing, including obtaining Data Subjects’ appropriate consent if required or appropriate under Data Protection Laws;
2.1.3. take reasonable steps to ensure that Provided Personal Data is (i) accurate, complete, and current and limited to what is necessary in relation to the processing; and (ii) kept in a form which permits identification of Data Subjects for no longer than is necessary for the processing (unless a longer retention is required or allowed under applicable law);
2.1.4. implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of Provided Personal Data is performed in accordance with Data Protection Laws;
2.1.5. not transfer any Provided Personal Data to any Inadequate Country, unless such Party ensures (i) that the transfer is at all times subject to one of the appropriate safeguards permitted by Article 46 of GDPR or equivalent provisions under the PDPO (such as Standard Contractual Clauses or Binding Corporate Rules), and (ii) that in all other respects the transfer complies with the UK GDPR and/or PDPO;
2.1.6. respond to Data Subject requests to exercise their rights of (i) access, (ii) rectification, (iii) erasure, (iv) data portability, (v) restriction of processing, (vi) objection to the processing, and (vii) the rights related to automated decision-making and profiling, within one month, as required under Data Protection Laws;
2.1.7. cooperate with the other Party to fulfil their respective data protection compliance obligations under Data Protection Laws;
2.1.8. ensure that the processing, collection, retention, and use of Provided Personal Data complies with the data protection principles set out under both the GDPR and PDPO; and
2.1.9. in the case of the Client:
2.1.9.1. where it transfers any Provided Personal Data to a third party, provide details of the transferee and the relevant Provided Personal Data to KYCIC promptly upon KYCIC’s reasonable request therefor; and
2.1.9.2. ensure that Provided Personal Data is only made available to Client for the purpose of mitigating the relevant Client’s risks and meeting that Client’s regulatory requirements from time to time applying;
2.1.9.3. ensure that Provided Personal Data is not used to determine a person’s suitability for any benefit or employment in breach of any Data Protection Laws.
3. WHERE THE CLIENT AND/OR KYCIC ARE PROCESSORS
3.1. Where, in relation to any Provided Personal Data, the Data Protection Laws determine that KYCIC is a Processor and/or a Sub-processor, the provisions of paragraphs 3 to 7 apply.
3.2. For the purposes of Article 28.3 of GDPR and equivalent requirements under the PDPO, the subject matter of the processing, duration of the processing, and nature and purpose of the processing are as stated in the Schedule.
3.3. KYCIC shall:
3.3.1. process the Provided Personal Data only in accordance with the Client’s documented instructions, including where relevant for transfers of Provided Personal Data outside the United Kingdom, European Economic Area (EEA), or Hong Kong, unless required to do so by UK, EU, or Hong Kong law, in which case KYCIC shall inform the Client of that legal requirement before processing, unless prohibited by that law;
3.3.2. ensure that persons authorised to process Provided Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.3.3. take all measures required pursuant to Article 32 of the GDPR and equivalent provisions under PDPO, including ensuring the security and protection of Personal Data;
3.3.4. appoint Sub-processors only in accordance with paragraph 5 below;
3.3.5. taking into account the nature of the processing, assist the Client by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising a Data Subject’s rights laid down in Chapter III of the GDPR and Part 5 of the PDPO;
3.3.6. taking into account the nature of the processing and the information available to KYCIC, assist the Client in ensuring compliance with obligations to:
3.3.6.1. keep Provided Personal Data secure (Article 32 GDPR, Section 27 PDPO);
3.3.6.2. notify Provided Personal Data breaches to the Supervisory Authority (Article 33 GDPR, or equivalent provisions in Hong Kong);
3.3.6.3. advise Data Subjects when there has been a Provided Personal Data breach (Article 34 GDPR, or equivalent provisions under PDPO);
3.3.6.4. carry out data protection impact assessments (Article 35 GDPR, and where relevant under PDPO); and
3.3.6.5. consult with the Supervisory Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR, or equivalent requirements in Hong Kong);
3.3.7. at the choice of KYCIC, delete or return all Provided Personal Data to the Client upon termination of this Agreement, save to the extent that UK, EU, or Hong Kong law requires retention of the Provided Personal Data;
3.3.8. make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Schedule and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client as set out in paragraph 4 below (and immediately inform the Client if, in its opinion, an instruction infringes Data Protection Laws);
3.3.9. comply with Article 30 of the GDPR and section 27 of the PDPO by maintaining a record of all categories of processing activities carried out on behalf of the Client;
3.3.10. co-operate, upon request, with the Information Commissioner’s Office (or any successor body) and the Office of the Privacy Commissioner for Personal Data in Hong Kong in the performance of their tasks; and
3.3.11. notify the Client without undue delay after becoming aware of a Provided Personal Data breach, and in no event more than 48 hours from becoming aware of such a breach, providing relevant details of the breach and mitigation measures taken.
4. AUDIT RIGHTS
4.1. Upon the Client’s reasonable request, KYCIC agrees to provide the Client with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this Data Processing Schedule) which will enable it to verify and monitor KYCIC’s compliance with this Data Processing Schedule within 14 days of receipt of such request.
4.2. Where, in the reasonable opinion of the Client, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR or the equivalent obligations under PDPO, the Client will be entitled, upon reasonable prior written notice to KYCIC and upon reasonable grounds, to conduct an on-site audit of KYCIC’s premises used in connection with the Service. Any audit carried out by the Client will be conducted in a manner that does not disrupt, delay or interfere with KYCIC’s day-to-day business. The Client shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in this Agreement.
4.3. Any audit conducted by the Client pursuant to paragraph 4.2 shall be at the Client’s expense.
5. SUB-PROCESSORS
5.1. The Client provides its consent for KYCIC to use Sub-processors as listed in paragraph 5.2 below in the performance of its obligations under this Agreement. Where KYCIC uses any other third party, KYCIC shall:
5.1.1. ensure that each Sub-processor complies with the obligations set out in this Schedule;
5.1.2. remain fully liable to the Client for the acts and omissions of any Sub-processor;
5.1.3. provide the Client with prior written notice of any new or changed Sub-processors and the opportunity to object to such changes within reasonable time before the Sub-processor processes any Provided Personal Data.
5.2. The current list of KYCIC’s Sub-processors handling Provided Personal Data in relation to which KYCIC acts as Processor under the terms of this Agreement and/or any Agreement is:
5.2.1. Supplier Name: Amazon Web Services; Purpose: Database Hosting; Processing Country/Location: Ireland/Singapore;
5.2.2. Supplier Name: Powergate (Equinix (EMEA) Acquisition Enterprises B.V.); Purpose: Server hosting content management system: data centre for KYCIC products & services; Processing Country/Location: UK;
5.2.3. Supplier Name: Interxion HeadQuarters B.V.; Purpose: Server hosting content management system: data centre for KYCIC products & services; Processing Country/Location: UK;
5.2.4. Supplier Name: ALM Services; Purpose: Contracting agency providing development resources; Processing Country/Location: Poland;
5.2.5. Supplier Name: PRK Global Kft.; Purpose: Contracting agency providing research and administrative resources; Processing Country/Location: Hungary.
6. TRANSFERS OF PERSONAL DATA TO NON-EEA AND NON-HONG KONG COUNTRIES
6.1. The Parties will not transfer any Provided Personal Data outside the United Kingdom, EEA, or Hong Kong unless:
6.1.1. the transfer is to a country that has been designated by the European Commission, UK Government, or Hong Kong authorities as providing an adequate level of protection for personal data (Article 45 GDPR or equivalent PDPO provisions); or
6.1.2. the transfer is subject to appropriate safeguards permitted under Article 46 of GDPR or equivalent PDPO provisions (such as Standard Contractual Clauses or Binding Corporate Rules), and the transfer complies with all other requirements of the UK GDPR, GDPR, and PDPO; and
6.1.3. regular reviews and updates of the safeguards are conducted to ensure compliance with changing legal requirements, such as those arising from case law, regulatory guidance, or legislative changes.
7. CLIENT OBLIGATIONS
7.1. The Client undertakes to KYCIC:
7.1.1. that any instructions it issues to KYCIC shall comply with Data Protection Laws;
7.1.2. to take steps to ensure that any Personal Data it provides to KYCIC is sourced lawfully, accurate and up to date, and that it is solely responsible for determining the purpose for which Provided Personal Data may be processed by KYCIC;
7.1.3. to notify KYCIC without undue delay after becoming aware of any actual or potential breach of this Schedule or Data Protection Laws, or any claim relating to such a breach; and
7.1.4. to indemnify KYCIC against any claims resulting from the Client’s non-compliance with Data Protection Laws or unlawful instructions.