Data processing agreemeent
Back to support centreData Processing Agreement
VERSION BPL: 27.02.2024
Section 1 Purpose of the Agreement
-
The Processor provides services to the Customer (hereinafter referred to as the “Customer”) agreement to rent/purchase multifunction copiers with associated maintenance services (hereinafter referred to as the “Principal Agreement”). To the extent that the provision of these services involves the processing of personal data on behalf of the Controller, as referred to in the General Data Protection Regulation which entered into force on 25 May 2018 (hereinafter: GDPR), the Parties hereby lay down their respective rights and obligations in the present data processing agreement (hereinafter: “Data Processing Agreement” or “DPA”).
-
The processed personal data may be data that originate from the Controller or controllers or processors associated with the Controller under Article 26 or Article 28 of the GDPR, or personal data that were collected by the Processor on behalf of the aforementioned (all personal data will hereinafter jointly be referred to as “Controller's personal data”).
-
The type of Controller’s personal data and categories of personal data subjects affected by the processing as well as the nature and purpose of the processing are specified in annex 1 of this DPA.
-
The duration of the processing and the term of this DPA shall depend on the term of the Principal Agreement(s) unless for the provisions which impose obligations or rights of termination that go beyond this.
Section 2 Right to issue instructions
-
The Processor may only collect, process or use data within the scope of the Principal Agreement(s) and in accordance with the instructions of the Controller.
-
The instructions of the Controller are initially set out in this DPA and may subsequently be amended, supplemented or replaced by individual instructions in writing or in text form (individual instructions). Verbal instructions are confirmed by the Controller without delay (at least in the text form). The Controller is entitled to issue instructions at any time. This includes instructions regarding the erasure, rectification and restriction of processing of data. For products whose use requires it, persons authorised to give or receive instructions are defined in the respective annex 1 to this DPA.
-
If the Processor is of the opinion that an instruction of the Controller violates data protection regulations, the Controller must be informed as soon as possible. The Processor shall be entitled to suspend the execution of the instruction in question until it is confirmed or amended by the Controller. The Processor may refuse to carry out an instruction which is manifestly unlawful.
-
Instructions of the Controller which go beyond the services owed under the Principal Agreement(s) and the data processing required for this, could be subject to separate remuneration to the Controller.
Section 3 Security measures of the Processor
-
The Processor is committed to comply with GDPR. Within its area of responsibility, the Processor shall design the organisation in such a way that it meets the special requirements of data protection. The Processor shall take all necessary technical and organisational measures for the appropriate protection of the personal data of the Controller in accordance with Article 32 GDPR, in particular at least the measures specified in annex 1. The Processor reserves the right to modify the security measures taken, while ensuring that they do not fall below the level of protection as agreed in annex 1 to this DPA.
-
The Processor appointed a company Data Protection Officer. The contact details of the Data Protection Officer are published on the Processor’s website.
-
The Processor shall impose an obligation of confidentiality (Article 28(3)(b) GDPR) on its entire personnel entrusted with the processing and fulfilment of this DPA (hereinafter referred to as “employees”) and shall ensure compliance with this obligation with due care.
Section 4 Obligations of the Processor
-
In the event of a breach of personal data of the Controller, the Processor shall immediately inform the Controller about it in writing or in text form. The notification of a personal data breach shall at least contain a description of:
(a) the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned,
(b) the name and contact details of the data protection officer or other contact point where more information can be obtained,
(c) the likely consequences of the personal data breach,
(d) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
-
The Processor shall immediately take the necessary measures to secure the personal data and to mitigate any adverse consequences for the data subjects, shall inform the Controller thereof and request further instructions.
-
In addition, the Processor shall be obliged to provide information to the Controller at any time in so far as personal data are affected by a breach as referred to in paragraph 1.
-
If the personal data of the Controller stored at the Processor’s premises are at risk of attachment or confiscation, through insolvency or settlement proceedings or through other events or measures of third parties, the Processor shall inform the Controller immediately, unless this is prohibited by court or official order. In this context, the Processor shall without delay inform all jurisdictional authorities that the power of ultimate decision over the data lies exclusively with the Controller in its capacity as “Controller” within the meaning of the GDPR.
-
The Processor shall keep a record of processing activities carried out on behalf of the Controller, containing all the information required by Article 30(2) GDPR.
-
The Controller and the Processor shall, if requested to do so, assist the data protection supervisory authorities in the fulfilment of their duties.
Section 5 Rights of the Controller
-
The Controller will prior to the commencement of data processing, and regularly thereafter, establish the adequacy of the technical and organisational measures taken by the Processor. For this purpose, the Controller may, for example, obtain information from the Processor, present certifications or attestations available from experts or, after timely coordination (at least three weeks in advance), inspect the technical and organisational measures of the Processor. Inspections may be performed during normal business hours personally or by a competent third party. Inspections by third parties must be performed in agreement with the Processor, whereas third parties in a competitive relationship against the Processor may be rejected by the Processor. The Controller shall carry out inspections only to the extent necessary and shall not disrupt the operations of the Processor disproportionately. Each party shall bear its own costs for audits and inspections.
-
The Processor undertakes to provide the Controller, at the latter’s written request and within a reasonable period of time, with all the information and evidence necessary to carry out an audit or inspection on the technical and organisational measures taken by the Processor.
-
The Controller shall document the result of the audit or inspection and provide it to the Processor. In the event of errors or irregularities which the Controller discovers, in particular in the results of data processing commissioned, the Processor shall be informed of it without delay. If the audit or inspection reveals issues the future avoidance of which requires changes to the processing commissioned, the Controller shall inform the Processor of the findings and requested changes in writing or in text form.
Section 6 Engagement of Sub-Processors
-
By signing this Agreement, the Processor receives a general authorisation to appoint Sub-Processors for the performance of the Principal Agreement. The appointed Sub-processors are listed in annex 1.
-
The Processor shall be authorised to modify existing subcontractor relationships or to establish new ones. The Processor shall as soon as possible inform the Controller thereof. The Controller may object to the engagement of new subcontractors The Controller must raise any objection immediately; objections may not be based on extraneous considerations.
-
The Processor is obliged to carefully select subcontractors according to their suitability and reliability. If subcontractors in a third country are to be involved, the Processor shall ensure that an appropriate level of data protection is guaranteed for the respective subcontractor (e.g. by agreeing on the EU standard contractual clauses).
-
A subcontracting relationship within the meaning of these provisions shall not exist if the Processor commissions third parties with services which are to be regarded as purely ancillary ones. These include, for example, postal, transport and dispatch services, cleaning services, telecommunications services without any specific reference to services which the Processor provides for the Controller, and security services.
Section 7 Queries and Rights of Data Subjects
-
Where possible, the Processor shall support the Controller with suitable technical and organisational measures to help fulfil the Controller’s obligations under Articles 12 to 22 and 32 to 36 GDPR.
-
Should a data subject contact the Processor directly in order to enforce their rights as data subject, for example to obtain information, rectification or erasure of their data, the Processor will not react independently. If the responsible Controller can be identified based on the request of a data subject, the Processor shall inform the Controller and await the instructions of the latter.
Section 8 Liability
-
The Controller assumes complete responsibility, within the limits of the Principal Agreement, for any claims brought against the Processor by reason of any damage suffered by a data subject as a result of data processing or the use of data in the course of processing that is prohibited or incorrect pursuant to data protection regulations, in so far as the prohibited or incorrect data processing or use of data is based on instructions issued by the Controller.
-
Each of the Parties will indemnify the respective other Party if that other Party can prove that it was in no way responsible for the circumstances leading to the damage suffered by the data subject.
Section 9 Termination of the Principal Agreement
-
After termination of the Principal Agreement or at any time at the request of the respective party, the Processor shall return to the respective party all documents, data and data carriers provided by the Controller or – at the request of the Controller, unless there is an obligation to store personal data under applicable law – erase or overwrite them. This also applies to any data backup copies at the Processor’s premises. The Processor is entitled to invoice the Controller for deletion or overwriting of the personal data stored on the hard drive of a multifunction copier.
-
The Processor shall be obliged to treat confidentially the data that has become known to them in connection with the Principal Agreement during and following the expiry of the term of the Principal Agreement. This Personal Data Processing Agreement shall remain in force after the termination of the Principal Agreement for as long as the Processor has personal data at its disposal which have been provided by the Controller or which have been collected by the Processor on behalf of the Controller.
Section 10 General Provisions
-
Changes and amendments to this DPA must be made in writing.
-
This DPA forms an integral part of the Principal Agreement. All rights and obligations under the Agreement, including limitations of liability, shall also apply to this DPA. In the case of contradiction, inconsistency or doubt between the terms and conditions of this DPA and the terms and conditions of the Principal Agreement, the terms and conditions of the Principal Agreement shall take precedence over the terms and conditions of this DPA.
-
Should individually provisions of this DPA be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.
-
This DPA shall be governed by the Polish law and, in the case of any dispute, a court having jurisdiction over Konica Minolta shall be the competent court.
Annex to the Konica Minolta Data Processing Agreement
Description of the technical and organisational security measures
Konica Minolta Multifunctional and/or Production Printing Systems process paper and electronic documents for the purposes of printing, scanning, copying and faxing.
The processing of personal data of the Controller or third parties (hereinafter jointly referred to as “personal data of the Controller”) by Konica Minolta is exclusively carried out within the scope of providing services and carrying out maintenance of Konica Minolta Systems. The personal data will only be processed with the purpose of performing services and carrying out maintenance. Further collection or use of the personal data of the Controller by Konica Minolta does not take place. The specific nature of processing will depend on the service options and remote services described in this Annex that have been chosen by the Controller.
The processing of personal data of the Controller might occur in the course of delivery and setting up Konica Minolta Systems (especially in the context of a network connection) and in the course of physical service and maintenance work on the equipment.
Konica Minolta Multifunctional and Production Printing Systems are able to record technical processes in encrypted log files. Konica Minolta does not initiate the creation of log files until error analysis becomes necessary. The log files might be accessed by a Konica Minolta technician on site, however in standard procedure log files are transferred to servers owned and operated by Konica Minolta Europe (server location: Germany) as part of the Konica Minolta remote services (Konica Minolta “Remote Service Platform” – “RSP”).
Furthermore, remote services can be used to create backup copies of the equipment configuration, which can be stored in a password-protected and encrypted form on either the Controller’s own servers or Konica Minolta Europe servers (server location: Germany).
Both log files and backup copies of the equipment configuration do not contain any contents of printing, scanning, copying or similar operations performed on the systems.
Remote services and maintenance of Konica Minolta Systems will be carried out according to the service options chosen by the Controller. For this purpose, Konica Minolta operates the “Konica Minolta Remote Service Platform” (RSP), Remote Panel connections, the “Konica Minolta Remote Support Tool” solution or functionally comparable solutions. When carrying out remote maintenance, it is not possible to completely eliminate the possibility of viewing and thereby processing personal data of the Controller.
In the event of a possible return of Konica Minolta Systems after the end of the term of the Principal Agreement, the personal data on the hard drive of the equipment and in the internal memory will be either destroyed, erased, overwritten or handed over to the Controller.
2. Types of personal data
General: data of Data Subjects to which Konica Minolta will have access under the Main Agreement concluded with the Customer.
Types of personal data that may be included in backup copies of the equipment configuration: internal address book of the equipment (IT user names and email addresses), IP addresses, MAC addresses, serial number.
Categories of personal data possibly contained in log files: IT user names (e.g. Windows user names of device users), user e-mail addresses, IP addresses, MAC addresses, serial number, history of the device’s internet browser (accessed URLs), history of the device power status, print job history of the last 150 print jobs (owner of the print job, time stamp, document name).
All data recorded in log files are only collected from the moment of initiation of event logging.
Personal data that might be processed during on-site service and maintenance:
[The type of personal data possibly accessible to Konica Minolta technicians depend on the data processed on the Systems. These contents can only be assessed by the Controller.]
☐ Personal master data (e.g. name and surname)
☐ Contact details (e.g. telephone/e-mail)
☐ Contract master data (e.g. contractual relationship, product/contractual interest)
☐ Customer history (e.g. CRM data)
☐ Contract billing and payment data
☐ Credit card data and bank data (bank account numbers)
☐ Planning and controlling data
☐ Information obtained from third parties (e.g. credit rating agencies, public directories)
☐IP addresses, MAC addresses
4. Categories of data subjects affected by the processing:
The following categories of data subjects whose data can be processed listed under 2.1 can only be indicated by the Controller.
☐ Employees (Article 88 GDPR)
☐ Customers:
☐ Prospective Customers
☐ Subscribers
☐ Suppliers
☐ Business contacts
☐ Minors (in particular: apprentices, interns)
☐ Other:
5. Subprocessors
Konica Minolta Business Solutions Europe GmbH
Europaallee 17
30855 Langenhagen
Germany
Description of the commissioned processing:
IT services provider for Konica Minolta Business Solutions Polska Sp. z o.o. (including operation of Konica Minolta remote services and backup servers).
2nd Level Support for Konica Minolta Business Solutions Polska Sp. z o.o.
DB Schenker Sp. zo.o.
Al. Katowicka 66
05-830 Nadarzyn
Description of the commissioned processing:
Logistic service provider (delivery and installation of the MFPs, hard disk erasure after termination of the Principal Agreement)
6. Technical and organisational measures
Confidentiality
a) Physical access control:
Definition of persons authorised to enter by means of organisational specification
Documentation of the allocation and withdrawal of entry rights
Regular inspection of access rights allocated
Access control with personalised photographic ID and entry card with PIN code
Documentation of presence in server rooms
Access regulations for outsiders
b) System access control:
The following measures have been taken to prevent the intrusion of unauthorised persons into the data processing systems:
Access to the systems is possible after authentication with an individual user name and password
Use of complex passwords with at least eight characters that fulfil at least three of four criteria (upper case letter, lower case letter, numeral, special character) and a mandatory change of password every 90 days
Ban on password disclosure
Logging of access rights allocations
Limitation of administration access to the minimum
Protection of data processing systems against unauthorised access by means of appropriate firewall systems
Automatic locking of systems after defined period out of use
c) Data access control:
Unauthorised activities in data processing systems outside the scope of allocated rights will be prohibited by means of access rights and an authorisation concept with a needs-based design and by means of their inspection:
Limitation of access rights to areas of activity
Separation of (organisational) authorisations from allocated (technical) rights
Logging of changes in access rights
Checks on unauthorised access attempts
d) Separation control:
Specification of different user profiles (controller/user levels)
Specific access rights corresponding to data access requirements
Separation of productive and test environments by technical measures (virtual servers, separated systems, IP-address segmentation)
Integrity
a) Transmission control:
Encryption of data transfer, particularly when transferring over public networks (e.g. SSL, TLS)
Data protection-compliant erasure and/or destruction of data, data storage devices and printed copies in accordance with a protection class concept
Encryption of data storage devices
Remote data removal option for mobile devices
b) Data input control:
Regular inspection and updating of access rights
Logging of data processing enables future inspection and determination of whether and by whom personal data have been entered, altered or removed (e.g. data amendment logs in central ERP systems)
Recording and needs-based retainment of corresponding actions carried out on systems (e.g. log files)
Unique identification and tagging of data storage of MFP/PP devices for return
Availability and recoverability: Control of availability and recoverability:
Use of two certified IT centres that are located apart from each other, thereby preventing service interruption by mirroring (i.e. by retention of redundant data)
Technical precautions in the form of early warning systems for protection against disruptions caused by fire/heat, water or overheating
Measures to protect against loss of power and current overload, e.g. uninterruptible power supply (UPS) systems
Scheduled performance of data backup copies and additional use of mirroring procedures
Multi-layered antivirus/firewall architecture
Established process for central procurement of hardware and software
Rapid restoration ability (Article 32(1)(c) GDPR) via global system-related backup copy concept
Order control:
Appointment of a data protection officer
Service-level agreements with external service providers compliant with GDPR
Training employees in personal data processing
Mandatory observance of data secrecy by employees
Technical safeguarding through measures for access, separation and input control
Control of organisation (verification, valuation and evaluation):
Continuous processes for verification and, if necessary, adjustment of data protection measures are established
Processes for dealing with data protection cases in place
company guidelines on personal data processing as well as usage of IT systems in place
Training courses for employees in the field of IT security and GDPR
Incident response management