GDPR COMPLIANCE: In addition to the terms at https://www.knowland.com/termsandconditions, the following are applicable to Subscribers located in the European Union.
a. Definitions. Capitalized terms used in this section shall have the meaning set forth below.
i. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and to the extent the GDPR may no longer be applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom.
ii. “EU Data Subject” shall have the meaning given to “Data Subject” under the GDPR.
iii. “EU Personal Data” means the personal data (which shall have the meaning given to “Personal Data” under the GDPR) which Subscriber or its employees provide to Knowland pursuant to this Agreement.
i. Subscriber authorizes Knowland to appoint subprocessors in accordance with this section (i). Knowland may continue to use those subprocessors already engaged by Knowland as at the date of this Agreement, subject to Knowland ensuring that the arrangement between Knowland and the subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for EU Personal Data as those set out in this Agreement. Knowland shall give Subscriber prior written notice of the appointment of any new subprocessor, including reasonable details of the processing to be undertaken by the Subprocessor. If, within five business days of receipt of that notice, Subscriber notifies Knowland in writing of any objections (on reasonable grounds) to the proposed appointment, Knowland shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed subprocessor, and where such a change cannot be made within ten business days from Knowland’s receipt of Subscriber’s notice, or no commercially reasonable change is available, or Subscriber declines to bear the cost of the proposed change, notwithstanding anything in this Agreement, either party may by written notice to the other party with immediate effect terminate this Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed subprocessor. With respect to each subprocessor, Knowland shall ensure that the arrangement between Knowland and the subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for EU Personal Data as those set out in this Agreement;
ii. Knowland shall provide Subscriber with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Subscriber in fulfilling its obligation to respond to data subject requests and shall promptly notify Subscriber if Knowland receives such a request and ensure that Knowland does not respond to any such request except on the documented instructions of Subscriber (and in such circumstances, at Subscriber’s cost) or as required by applicable laws;
iii. Knowland shall notify Subscriber without undue delay upon Knowland becoming aware of a Personal Data Breach affecting EU Personal Data, providing Subscriber with sufficient information (insofar as such information is, at such time, within Knowland’s possession) to allow Subscriber to meet any obligations under the GDPR to report or inform the Personal Data Breach to affected data subjects or the relevant supervisory authority(ies) (as may determined in accordance with the GDPR. Knowland shall at Subscriber’s sole cost and expense co-operate with Subscriber and take such reasonable commercial steps as may be directed by Subscriber to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
iv. Knowland shall provide reasonable assistance to Subscriber, at Subscriber’s cost, with any data protection impact assessments, and prior consultations with supervisory authorities, which Subscriber reasonably considers to be required of Subscriber by Article 35 or Article 36 of the GDPR, in each case solely in relation to processing of EU Personal Data by, and taking into account the nature of the processing by, and information available to, Knowland.
v. Upon the date of cessation of any Services involving the processing of EU Personal Data (the “Cessation Date”), Knowland shall immediately cease all processing of EU Personal Data for any purpose other than for storage. Subscriber hereby acknowledges and agrees that, due to the nature of the EU Personal Data Processed by Knowland, return (as opposed to deletion) of EU Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Subscriber agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected deletion, in preference of return, of the EU Personal Data. To the fullest extent technically possible in the circumstances, within 20 business days after the Cessation Date, Knowland shall either (at its option) delete or irreversibly render anonymized all EU Personal Data then within Knowland’s possession. Knowland and any subprocessor may retain EU Personal Data to the extent required by law and only to the extent and for such period as required by law and always provided that Knowland shall ensure the confidentiality of all such EU Personal Data and that such EU Personal Data is only processed as necessary for the purpose(s) specified in the law requiring its storage and for no other purpose.
vi. Knowland shall make available to Subscriber on request such information as Knowland considers reasonably appropriate in the circumstances to demonstrate its compliance with its processing of EU Personal Data pursuant to this Agreement (including any general data protection compliance and/or security audits Knowland may cause to be conducted). In the event that Subscriber (acting reasonably) is able to provide documentary evidence that the information made available by Knowland is not sufficient in the circumstances to demonstrate Knowland’s compliance with this Agreement, Knowland shall allow for and contribute to audits, including (only where strictly and demonstrably necessary in the circumstances) on premise inspections, by Subscriber or an auditor mandated by Subscriber in relation to the processing of EU Personal Data by Knowland. Subscriber shall give Knowland reasonable notice of any audit or inspection to be conducted (which shall in no event be less than 15 business days’ notice unless required by a supervisory authority and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Knowland in respect of, any damage, injury or disruption to Knowland’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Knowland’s other Subscribers or the availability of Knowland’s services to such other Subscribers) while its personnel and/or its auditor’s personnel (if applicable) are on those premises in the course any on premise inspection. Knowland need not give access to its premises for the purposes of such an audit or inspection unless the auditor enters into a non-disclosure agreement with Knowland on terms acceptable to Knowland and where, and to the extent that, Knowland considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Knowland’s other Subscribers or the availability of Knowland’s services to such other Subscribers. The parties shall discuss and agree the costs of any inspection or audit to be carried out by or on behalf of Subscriber in advance of such inspection or audit and, unless otherwise agreed in writing between the parties, Subscriber shall bear any third party costs in connection with such inspection or audit and reimburse Knowland for all costs incurred by Knowland and time spent by Knowland (at Knowland’s then-current professional services rates) in connection with any such inspection or audit;
vii. To the extent that any processing by either Knowland or any subprocessor of EU Personal Data involves a transfer of personal data outside the European Economic Area (“Restricted Transfer”), the parties agree that Subscriber – as “data exporter” – and Knowland or Subprocessor (as applicable) – as “data importer” – hereby enter into the Controller to Processor Standard Contractual Clauses approved by the EU Commission in respect of that Restricted Transfer and the associated processing and that: (a) Clause 9 of such Standard Contractual Clauses shall be populated as follows: “The Clauses shall be governed by the law of the Member State in which the data exporter is established.”; (b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows: “The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”; (c) Appendix 1 to such Standard Contractual Clauses being deemed to have been populated with the corresponding data processing details set out in section 17 ; and (d) Appendix 2 to such Standard Contractual Clauses shall be populated as follows: “The technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Section 20(d) of Data Importer’s General Terms and Conditions.” The Standard Contractual Clauses shall come into effect automatically upon the commencement of the relevant Restricted Transfer.
viii. Subscriber acknowledges and agrees that Knowland shall be freely able to use and disclose anonymized data for Knowland’s own business purposes without restriction. Subscriber warrants and represents on an ongoing basis, and further undertakes, that it shall not (and shall ensure that its personnel shall not) cause Knowland to process any Special Categories of personal data (referred to in Article 9(1) of the GDPR) or any Personal Data relating to relating to criminal convictions or offences.