Part A – Client Data Protection Terms

1. These Client Data Protection Terms apply to the extent that KPMG is a Data Processor of the Client’s Personal Information, provided to or obtained or accessed by KPMG in the course of providing all or part of the Services to the Client.

2. The scope of the Processing carried out by KPMG under the Engagement Letter is set out in the table at Part B.

3.  When and where KPMG is Processing Personal Information on behalf of the Client, it shall:

  • act on and comply with the documented lawful instructions of the Client, which instructions are set out exhaustively in the Engagement Letter;
  • only Process the Personal Information on behalf of the Client as the Client’s agent, and to the extent necessary to comply with its obligations under the Engagement Letter, save to the extent required by the Applicable Data Protection Legislation or the professional standards and ethical codes to which KPMG is subject, in which case KPMG will, to the extent permitted by the professional standards and ethical codes or the applicable law, inform the Client;
  • implement, maintain and operate appropriate technical and organisational measures that meet the requirements of the Applicable Data Protection Legislation;
  • provide such assistance and cooperation as the Client reasonably requires in order to enable the Client to comply with the following obligations in relation to Personal Information under the Applicable Data Protection Legislation (and KPMG reserves the right to charge the Client its reasonable costs in providing this assistance and cooperation):

                - requests of Data Subjects to access, rectify, delete, erase, receive or restrict the Processing of their Personal Information

                - security of Processing and notification of Personal Information Breaches;

                - data protection impact assessments and any related prior consultations with a regulatory authority;

  • notify the Client in writing of, and provide the Client with reasonable cooperation and assistance in relation to:

                - any Data Subject request which relates directly to Personal Information Processed by KPMG under the Engagement Letter; or

                - without undue delay, any Personal Information Breach relating to Personal Information Processed by KPMG under the Engagement Letter;

  • ensure that all transfers of the Personal Information outside of New Zealand are subject to such data transfer mechanisms or protections as are approved and accepted by the Applicable Data Protection Legislation from time to time;
  • not transfer any Personal Information, where such Personal Information relates to individuals who reside in the European Economic Area (EEA) or the United Kingdom and whose Personal Information is in scope of GDPR or UK GDPR, to any country outside of the EEA or the United Kingdom unless the transfer is made: (i) to any country considered as a place giving an appropriate level of protection by the EU Commission; or (ii) in compliance with the Standard Contractual Clauses (which are hereby incorporated into these Client Data Protection Terms) or the UK International Data Transfer Addendum (which is hereby incorporated into these Client Data Protection Terms); and
  • upon written request, delete or return all the Personal Information to the Client after the end of the provision of Services relating to Processing under the Engagement Letter, unless applicable law, regulation, professional standards or internal policies require retention of the Personal Information or the Client instructs otherwise.

4.  Upon written request (but not more than once per year), KPMG shall provide to the Client a summary report or certificate issued by an auditor (which auditor may be KPMG or a third party selected by KPMG) in respect of the Processing of Personal Information on behalf of the Client at KPMG’s facilities, premises, equipment and systems in order to evidence that the Processing of Personal Information is in compliance with these Client Data Protection Terms.  Where the Client has exercised the rights in the previous sentence and remains unsatisfied that KPMG has evidenced its compliance with these Client Data Protection Terms, not more than once per year, the Client may require KPMG to commission an audit by an independent third party, the identity of which shall be agreed between the parties, to conduct an audit of whether the Processing of Personal Information on behalf of the Client at KPMG’s facilities, premises, equipment and systems is in compliance with these Client Data Protection Terms, such audit to be at the Client’s cost (including the costs of KPMG, charged to the Client at KPMG’s ordinary rates).

5. The Client hereby permits KPMG to appoint sub-processors for the Processing of Personal Information provided that such sub-processors are subject to contractual terms not materially less onerous than those set out in these Client Data Protection Terms and otherwise in compliance with Applicable Data Protection Legislation.  A list of KPMG’s sub-processors is available for inspection by the Client from time to time upon request by emailing infosec@kpmg.co.nz.

6.  The Client shall comply with all of its respective obligations under the Applicable Data Protection Legislation in relation to the Processing and collection of Personal Information.

7.  Clauses 2 to 6 inclusive shall remain in full force and effect at all times when KPMG (or a sub-processor on its behalf) Processes Personal Information provided to KPMG or obtained or accessed by KPMG in the course of KPMG's provision of Services to the Client, notwithstanding the termination or expiry of the Engagement Letter.

8. These Client Data Protection Terms are in addition to, and not substitution for any other provisions relating to the Processing of Personal Information in the Engagement Letter.  In the event of any conflict between the provisions of these Client Data Protection Terms and the other provisions of the Engagement Letter, the terms of these Client Data Protection Terms shall prevail.

9. Definitions:

  • Applicable Data Protection Legislation means, to the extent KPMG, the Client or any Personal Information is subject to them, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Information and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), the UK GDPR (as such term is defined under the UK Data Protection Act 2018), the New Zealand Privacy Act 2020, and all other applicable laws and regulations relating to or impacting KPMG’s Processing of Personal Information.
  • Client, you, your means the client the Engagement Letter is addressed to.
  • Engagement Letter means the engagement letter between the Client and KPMG relating to the Services.
  • KPMG, we, us, our means the New Zealand partnership of KPMG.
  • Personal Information Breach means:

                -   a breach of security leading to the unauthorised, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access or prevention of access to, Personal Information transmitted, stored or otherwise Processed; or

                - such a breach that it is reasonable to believe has caused, or is likely to cause, serious harm to one or more Data Subjects.

  • Services means the Services provided under the Engagement Letter.
  • Standard Contractual Clauses means the Standard Contractual Clauses for the transfer of Personal Information to third countries which are approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • UK International Data Transfer Addendum means the addendum to the Standard Contractual Clauses issued under section 119A(1) of the United Kingdom’s Data Protection Act 2018, as completed in Part D of these Client Data Protection Terms.
  • The terms Data Controller, Data Processor, Data Subject, Personal Information and Process or Processing shall each have the meaning given to such term under Applicable Data Protection Legislation.

Part B – Scope of Data Processing

Details of Processing

Data Exporter

The data exporter is the Client who has appointed KPMG as its outsourced service provider.

Data Importer

The data importer is KPMG who may, where appropriate, Process Personal Information in performing the Services.

Scope of processing

KPMG may provide the following activities which are relevant to the Processing of Personal Information:
  • general technology services;
  • software licensing, development and design, implementation and support services;
  • software-as-a-service;
  • managed services; and
  • professional advisory services (excluding audit and tax services).

Nature and purpose of Processing

As described in the Engagement Letter and otherwise in order to perform our contractual obligations.

Duration of Processing

The duration of Processing is the term of the Engagement Letter.

Categories of Personal Information

User account information and other Personal Information that will be Processed by IT systems, platforms and tools and unstructured Personal Information that will be accessed while providing other Services as defined by the Data Exporter.

Data Subjects

The Personal Information may concern Data Subjects arising out of prospective, historic, or existing relationships between KPMG and the Client.

Sensitive Data

The Client may submit (or KPMG may collect on behalf of the Client) sensitive Personal Information about individuals, the extent of which is determined and controlled by the Client in its sole discretion and which may include sensitive Personal Information such as data revealing racial and ethnic origin, biometric data or any other category of sensitive Personal Information uploaded or supplied by (or on behalf of) the Client or agreed upon between the parties.

Part C – Standard Contractual Clauses

1.  The parties' choices with respect to various clauses of the Standard Contractual Clauses are as follows:

  • For the purposes of clause 17 of the Standard Contractual Clauses, the parties agree that the governing law shall be the law of the Republic of Ireland;
  • For the purposes of clause 18(b) of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.

2.  Optional clauses:

  • For the purposes of clause 9(a) of the Standard Contractual Clauses, the parties agree to select Option 2 of clause 9(a) of the Standard Contractual Clauses;
  • For the purposes of clause 9(a) of the Standard Contractual Clauses, the parties specify the time period as follows: 21 business days;
  • For the purposes of clause 11 of the Standard Contractual Clauses, the parties agree that the optional clause under clause 11(a) of the Standard Contractual Clauses shall not apply;
  • For the purposes of clause 13(a) of the Standard Contractual Clauses, the competent Supervisory Authority shall be the competent Supervisory Authority that has supervision over the relevant Data Exporter;
  • For the purposes of clause 17 of the Standard Contractual Clauses, the parties agree to select Option 1 of clause 17 of the Standard Contractual Clauses.

Part D – UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

1.  In relation to transfers of Personal Information protected by UK GDPR, the Standard Contractual Clauses:

  • apply as completed in accordance with Part C above; and
  • are deemed amended as specified by the UK International Data Transfer Addendum (the UK Addendum), which is deemed executed by the parties and incorporated into and forming an integral part of these Client Data Protection Terms.

2.  In addition, Table 1 of the UK Addendum is deemed completed with the information set out at Part B of these Client Data Protection Terms; Table 2 is deemed completed by selecting “the Approved EU SCCs”; Table 3 is deemed completed with the information contained in the Engagement Letter, Part B, clause 3, bullet 3 and clause 5 of these Client Data Protection Terms; Table 4 is deemed completed by selecting both “importer” and “exporter”.  Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with sections 10 and 11 of the UK Addendum.