Part A – Client Data Protection Terms (CDP Terms)
1. These CDP Terms apply to the extent that KPMG is a Data Processor of the Client’s Personal Data, provided to or obtained or accessed by KPMG in the course of providing all or part of the Services to the Client.
2. The scope of Processing carried out by KPMG under the Engagement Letter is set out below.
3. When KPMG is Processing Personal Data on behalf of the Client, it shall:
- comply with the Client’s lawful instructions, which are set out in the Engagement Letter;
- only Process Personal Data on behalf of the Client as the Client’s agent, to the extent necessary to comply with its obligations under the Engagement Letter and as required by the Applicable Data Protection Legislation and the professional standards and ethical codes to which KPMG is subject (in which case KPMG will inform the Client, to the extent permitted by applicable laws, professional standards and ethical codes);
- implement, maintain and operate appropriate technical and organisational measures that meet the requirements of the Applicable Data Protection Legislation;
- provide such assistance and cooperation as the Client reasonably requires, to enable the Client to comply with the following obligations under the Applicable Data Protection Legislation (and KPMG reserves the right to charge the Client its reasonable costs in providing this assistance):
  - requests of Data Subjects to access, rectify, delete, erase, receive or restrict the Processing of their Personal Data;
  - security of Processing and notification of Personal Data Breaches; and
  - data protection impact assessments and any related prior consultations with a regulatory authority;
- notify the Client in writing of, and provide the Client with reasonable cooperation and assistance in relation to, any Data Subject request or a Personal Data Breach relating to Personal Data Processed by KPMG under the Engagement Letter;
- ensure that all transfers of Personal Data outside New Zealand are subject to data transfer mechanisms or protections that are approved and accepted by the Applicable Data Protection Legislation from time to time;
- not transfer any Personal Data, where such Personal Data relates to individuals who reside in the European Economic Area (EEA) or the United Kingdom and whose Personal Data is in scope of GDPR or UK GDPR, to any country outside of the EEA or the United Kingdom unless the transfer is made: (i) to any country considered as a place giving an appropriate level of protection by the EU Commission; or (ii) in compliance with the Standard Contractual Clauses (which are hereby incorporated into these CDP Terms and are deemed executed by the parties upon execution of the Engagement Letter) or the UK International Data Transfer Addendum (which is hereby incorporated into these CDP Terms); and
- upon written request, delete or return all Personal Data to the Client after the end of the provision of Services relating to Processing under the Engagement Letter unless applicable law, regulation, professional standards or internal policies require retention of the Personal Data or as instructed by you.
4. Upon written request (but not more than once per year), KPMG shall provide to the Client a summary report or certificate issued by an auditor (which may be KPMG or a third party selected by KPMG) in respect of KPMG’s Processing of Client Personal Data at KPMG’s facilities, premises, equipment and systems in order to evidence that such Processing complies with these CDP Terms. Where the Client has exercised the rights in the previous sentence and remains unsatisfied that KPMG has evidenced its compliance with these CDP Terms, not more than once per year, the Client may require KPMG to commission an audit by an independent third party, the identity of which shall be agreed between the parties, to conduct an audit of whether KPMG’s Processing of Client Personal Data complies with these CDP Terms, such audit to be at the Client’s cost (including KPMG’s cost, charged to the Client at KPMG’s ordinary rates).
5. The Client hereby permits KPMG to use its existing sub-processors at the date of these CDP Terms and appoint new sub-processors for the Processing of Personal Data provided that such sub-processors are subject to contractual terms not materially less onerous than those set out in these CDP Terms and otherwise in compliance with Applicable Data Protection Legislation. A list of KPMG’s sub-processors is available for inspection by the Client upon request by emailing infosec@kpmg.co.nz.
6. The Client shall comply with all of its respective obligations under the Applicable Data Protection Legislation in relation to the Processing and collection of Personal Data.
7. KPMG may use artificial intelligence tools (AI Tools) to Process Personal Data in the course of providing the Services to the Client. Where KPMG Processes Sensitive Data using AI Tools, KPMG will: (a) do so in accordance with the Client’s instructions; and (b) not, and will use all reasonable efforts to ensure that the providers of those AI Tools do not, use the Sensitive Data to train or improve the relevant AI Tools, without the Client’s prior consent.
8. These CDP Terms shall remain in full force and effect at all times when KPMG (or a sub-processor on its behalf) Processes Personal Data provided to KPMG or obtained or accessed by KPMG in the course of KPMG's provision of Services to the Client, notwithstanding the termination or expiry of the Engagement Letter.
9. These CDP Terms are in addition to, and not in substitution for, any other provisions relating to the Processing of Personal Data in the Engagement Letter. In the event of any conflict between the provisions of these CDP Terms and the other provisions of the Engagement Letter, these CDP Terms shall prevail.
10. Definitions:
- Applicable Data Protection Legislation means to the extent KPMG or any Personal Data is subject to such legislation, the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (GDPR), the UK Data Protection Legislation, the New Zealand Privacy Act 2020, and all other applicable laws and regulations relating to or impacting KPMG’s Processing of Personal Data.
- Client, you, your means the client the Engagement Letter is addressed to.
- Engagement Letter means the engagement letter between the Client and KPMG relating to the Services.
- KPMG, we, us, our means the New Zealand partnership of KPMG.
- Personal Data Breach means:
  - a breach of security leading to the unauthorised, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access or prevention of access to, Personal Data transmitted, stored or otherwise Processed; or
  - such breach that it is reasonable to believe has caused or is likely to cause serious harm to one or more Data Subjects.
- Services means the services provided under the Engagement Letter.
- Standard Contractual Clauses means the Standard Contractual Clauses for the transfer of Personal Data which are approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended in these CDP Terms.
- UK Data Protection Legislation means, to the extent KPMG or any Personal Data is subject to such legislation, all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the United Kingdom General Data Protection Regulation (as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018) (UK GDPR) and the UK Data Protection Act 2018.
- UK International Data Transfer Addendum means the addendum to the Standard Contractual Clauses issued under section 119A(1) of the United Kingdom’s Data Protection Act 2018, as amended in these CDP Terms.
- The terms Data Controller, Data Processor, Data Subject, Personal Data and Process or Processing shall each have the meaning given to such term under Applicable Data Protection Legislation and Personal Data shall include “personal information” as defined in the New Zealand Privacy Act 2020.
Part B – Scope of Data Processing
| Details of Processing | |
| --- | --- |
| Data Exporter | The data exporter is the Client who has appointed KPMG to provide the Services as its outsourced service provider. |
| Data Importer | The data importer is KPMG who may, where appropriate, Process Personal Data in performing the Services. |
| Scope of Processing | KPMG may provide the following activities which are relevant to the Processing of Personal Data: • general technology services; • software licensing, development and design, implementation, support and implementation services; • software-as-a-service; • managed services; and • professional advisory services (excluding audit and tax services). |
| Nature and purpose of Processing | As described in the Engagement Letter and otherwise in order to perform our contractual obligations. |
| Duration of Processing | The duration of Processing is the term of the Engagement Letter. |
| Categories of Personal Data | User account information and other Personal Data that will be Processed by IT systems, platforms and tools (including AI Tools), and unstructured Personal Data that will be accessed while providing other Services as defined by the Data Exporter. |
| Data Subjects | The Personal Data may concern Data Subjects arising out of prospective, historic, or existing relationships between KPMG and the Client. |
| Sensitive Data | The Client may submit (or KPMG may collect on behalf of the Client) sensitive Personal Data about individuals, the extent of which is determined and controlled by the Client in its sole discretion and which may include sensitive Personal Data such as data revealing racial and ethnic origin, biometric data or any other category of sensitive Personal Data uploaded or supplied by (or on behalf of) the Client or agreed upon between the parties. |
Part C – Standard Contractual Clauses
1. The parties' choices with respect to various clauses of the Standard Contractual Clauses are as follows:
- For the purposes of clause 17 of the Standard Contractual Clauses, the parties agree that the governing law shall be the law of the Republic of Ireland;
- For the purposes of clause 18(b) of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
2. Optional clauses:
- For the purposes of clause 9(a) of the Standard Contractual Clauses, the parties agree to select Option 2 of clause 9(a) of the Standard Contractual Clauses;
- For the purposes of clause 9(a) of the Standard Contractual Clauses, the parties specify the time period as follows: 21 business days;
- For the purposes of clause 11 of the Standard Contractual Clauses, the parties agree that the optional clause under clause 11(a) of the Standard Contractual Clauses shall not apply;
- For the purposes of clause 13(a) of the Standard Contractual Clauses, the competent Supervisory Authority shall be the competent Supervisory Authority that has supervision over the relevant Data Exporter;
- For the purposes of clause 17 of the Standard Contractual Clauses, the parties agree to select Option 1 of clause 17 of the Standard Contractual Clauses.
Part D – UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
1. In relation to transfers of Personal Data protected by UK GDPR, the Standard Contractual Clauses:
- apply as completed in accordance with above; and
- are deemed amended as specified by the UK International Data Transfer Addendum, which is deemed executed by the parties and incorporated into these CDP Terms.
2. In addition, Table 1 is deemed completed respectively with the information set out at Part B of these CDP Terms; Table 2 is deemed completed by selecting “the Approved Standard Contractual Clauses”; Table 3 is deemed completed with the information contained in Part 3 and clauses 3(c) and 5 of these CDP Terms; Table 4 is deemed completed by selecting both “importer” and “exporter”. Any conflict between the terms of the Standard Contractual Clauses and the UK International Data Transfer Addendum will be resolved in accordance with section 10 and section 11 of the UK International Data Transfer Addendum.