Last Updated: October, 2020
This data processing agreement (the "Agreement") is entered between:
- The Data Controller; and
- Konch, a company incorporated in the UK under the register no. SC609589 (the "Supplier")
The Data Controller and the Supplier hereinafter collectively referred to as the "Parties" and separately as a "Party"
1.1 The Supplier acts as a data processor for the Data Controller, as the Supplier processes personal data for the Data Controller as set out in. Annex 1.
1.2 The personal data to be processed by the Supplier concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.
1.3 "Personal data" means any information relating to an identified or identifiable natural person. If other confidential information than personal data is processed for the purpose of fulfilling the Agreement, any reference to "personal data" shall include the other confidential information.
2.1 Instructions: The Supplier is instructed to process the personal data only for the purposes of providing the data processing tasks set out in Annex 1. The Supplier may not process or use the Data Controller' personal data for any other purpose than provided in the instructions, including the transfer of personal data to any third country or an international organisation, unless the Supplier is required to do so according to Union or member state law. In that case, the Supplier shall inform the Data Controller in writing of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2 If the Data Controller in the instructions in Annex 1 or otherwise has given permission to a transfer of personal data to a third country or to international organisations, the Supplier must ensure that there is a legal basis for the transfer, e.g. the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries.
2.3 If the Supplier considers an instruction from the Data Controller to be in violation of the GDPR, or other Union or member state data protection provisions, the Supplier shall immediately inform the Data Controller in writing about this.
2.4 If the Supplier is subject to legislation of a third country, the Supplier declares not to be aware of the mentioned legislation preventing the Supplier from fulfilling the Agreement, and that the Supplier will notify the Data Controller in writing without undue delay, if the Supplier becomes aware of that such hindrance is present or will occur.
3.1 The Supplier must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 The Supplier shall implement appropriate technical and organisational measures to prevent that the personal data processed is
(i) accidentally or unlawfully destroyed, lost or altered,
(ii) disclosed or made available without authorisation, or
(iii) otherwise processed in violation of applicable laws, including the GDPR.
3.3 The Supplier must also comply with the special data security requirements that apply to the Data Controller, see Annex 1, and with any other applicable data security requirements that are directly incumbent on the Supplier; including the data security requirements in the country of establishment of the Supplier, or in the country where the data processing will be performed.
3.4 The appropriate technical and organisational security measures must be determined with due regard for
(i) the current state of the art,
(ii) the cost of their implementation, and
(iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 The Supplier shall upon request provide the Data Controller with sufficient information to enable the Data Controller to ensure that the Supplier's obligations under the Agreement are complied with, including ensuring that the appropriate technical and organisational security measures have been implemented.
3.6 Furthermore, the Data Controller is entitled at its own cost to appoint an independent expert who shall have access to the Supplier's data processing facilities and receive the necessary information in order to be able to audit whether the Supplier has implemented and maintained said technical and organisational security measures. The expert shall upon the Supplier's request to sign a customary non-disclosure agreement, and treat all information obtained or received from the Supplier confidentially, and may only pass on the information to the Data Controller.
3.7 The Supplier must provide information related to the provision of the services to authorities or the Data Controller' external advisors, including auditors, if this is necessary for the performance of their duties in accordance with Union or member state law.
3.8 The Supplier must give authorities who by Union or member state law have a right to enter the Data Controller' or the Data Controller' supplier's facilities, or representatives of the authorities, access to the Supplier's physical facilities against proper proof of identity.
3.9 The Supplier must without undue delay after becoming aware of the facts in writing notify the Data Controller about:
(i) any request for disclosure of personal data processed under the Agreement by authorities, unless expressly prohibited under Union or member state law,
(ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Supplier under the Agreement, or (b) other failure to comply with the Supplier's obligations under Clause 3.2 and 3.3, or any request for access to the personal data received directly from the data subjects or from third parties.
(iii) any request for access to the personal data received directly from the data subjects or from third parties.
3.10 The Supplier must promptly assist the Data Controller with the handling of any requests from data subjects, including requests for access, rectification, blocking or deletion. The Supplier must also assist the Data Controller by implementing appropriate technical and organisational measures, for the fulfilment of the Data Controller' obligation to respond to such requests.
3.11 The Supplier must assist the Data Controller with meeting the other obligations that may be incumbent on the Data Controller according to Union or member state law where the assistance of the Supplier is implied, and where the assistance of the Supplier is necessary for the Data Controller to comply with its obligations. This includes, but is not limited to, at the request to provide the Data Controller with all necessary information about an incident under Clause 3.10 (ii), and all necessary information for an impact assessment.
3.12 In Annex 1, the Supplier has stated the physical location of the servers, service centres etc. used to provide the data processing services. The Supplier undertakes to keep the information about the physical location updated by providing a prior written notice of two months to the Data Controller. This does not require a formal amendment of Annex 1, prior written notice by mail or email suffices.
4.1 The Supplier shall not engage a sub supplier for the processing of personal data under this Agreement without prior, written authorisation of the Data Controller. the Data Controller may object to the use of a sub supplier without cause. The Supplier must inform the Data Controller in writing of the discontinued use of a sub supplier.
4.2 Prior to the engagement of a sub supplier, the Supplier shall conclude a written agreement with the sub supplier, in which at least the same data protection obligations as set out in the Agreement shall be imposed on the sub supplier, including an obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.The Supplier shall implement appropriate technical and organisational measures to prevent that the personal data processed is
4.3 the Data Controller has the right to receive a copy of the Supplier's agreement with the sub supplier as regards the provisions related to data protection obligations. The Supplier shall remain fully liable to the Data Controller for the performance of the sub supplier's obligations. The fact that the Data Controller has given consent to the Supplier's use of a sub-supplier is without prejudice for the Supplier's duty to comply with the Agreement.try of establishment of the Supplier, or in the country where the data processing will be performed.
5.1. The Supplier shall keep personal data confidential.
5.2 The Supplier shall not disclose the personal data to third parties or take copies of personal data unless strictly necessary for the performance of the Supplier's obligations towards the Data Controller according to the Agreement, and on the condition that whoever personal data is disclosed to is familiar with the confidential nature of the data and has accepted to keep the personal data confidential in accordance with this Agreement.
5.3 If the Supplier is a legal entity all terms of the Agreement apply to any of the Supplier's employees and the Supplier must ensure that its employees comply with the Agreement.
5.4 The Supplier must limit the access to personal data to employees for whom access to said data is necessary to fulfil the Supplier's obligations towards the Data Controller.
5.5 The obligations of the Supplier under Clause 5 persist without time limitation and regardless of whether the cooperation of the Parties has been terminated.
5.6 the Data Controller shall treat confidential information received from the Supplier confidentially and may not unlawfully use or disclose the confidential information.
6.1. The Parties may at any time agree to amend this Agreement. Amendments must be in writing.
7.1. The Agreement enters into force when signed by both Parties and remains in force until terminated by one of the Parties.
7.2. Each party may terminate the Agreement upon 1 month notice.
7.3. Regardless of the term of the Agreement, the Agreement is in force as long as the Supplier process the personal data, for which the Data Controller is data controller.
7.4. In case of termination of the Agreement, regardless of the legal grounds therefore, the Supplier must provide the necessary transition services to the Data Controller. The Supplier is obliged to assist in a loyal way and as fast as possible with transferring the personal data to another supplier or return them to the Data Controller.
7.5. On the Data Controller' request the Supplier shall immediately transfer or delete personal data, which the Supplier is processing for the Data Controller, unless Union or member state law requires storage of the personal data.
7.6. The Supplier is under no circumstances entitled to condition the full and unlimited compliance with the Data Controller' instructions on the Data Controller' payment of outstanding invoices etc., and the Supplier has no right of retention in the personal data.
8.1 If any of the provisions of the Agreement conflicts with the provisions of any other written or oral agreement concluded between the Parties, then the provisions of the Agreement shall prevail. However, the requirements in Clause 3 do not apply to the extent that the Parties in another agreement have set out stricter obligations for the Supplier. Furthermore the Agreement shall not apply if and to the extend the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries are concluded and such clauses set out stricter obligations for the Supplier and or for sup-suppliers.
8.2. This Agreement does not determine the Data Controller' remuneration of the Supplier for the Supplier's services according to the Agreement.The Agreement enters into force when signed by both Parties and remains in force until terminated by one of the Parties.
For, and on behalf of the Supplier
Konch, Data Processor
For, and on behalf of the Data Controller
This Annex constitutes the Data Controller' instruction to the Supplier in connection with the Supplier's data processing for the Data Controller, and is an integrated part of the Agreement.
A) Purpose and nature of the processing operations
Konch processes the data it receives from the Data Controller for the purposes of transcribing audio and video files.
B) Categories of data subjects
(i) Interviewed person
(II) Person interviewing (the Data Controller affiliated)
C) Categories of personal data
(i) Interviewed person: Name, email, personal opinions, voice, picture, video recordings of the person speaking, speak transcribed to text.
(ii) Person interviewing (the Data Controller affiliated): Name, email, voice, picture, person speaking, speak transcribed to text
D) Special categories of data
(i) Interviewed person: Special categories of personal data under GDPR article 9 e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health etc.
(ii) Person interviewing (the Data Controller affiliated): Special categories of personal data under GDPR article 9 e.g. racial or ethnic origin, data concerning health etc.
E) Processing locations
Firebase Authentication and Real time DB, US - Google LLC
Amazon AWS, Ireland - Amazon Web Services, Inc.
Speechmatics, UK - Cantab Research Labs Ltd.
Below is a list of all sub suppliers and data processing details.
Amazon Web Services, Inc. - Ireland (eu-west-1)
Process: API management, workflow management, transcription and supporting file storage
Data: transcripts, audio/video files, duration, links, processing status, API-User IDs, log data.
Google (Firebase) - Frankfurt (europe-west-3)
Process: Firebase’s authentication, Firebase Real Time DB.
Data: email, password, name, organisation.
Speechmatics (Cantab Research Labs) - Amsterdam (Azure, West Europe).
Process: Speech-to-Text engine.