GDPR Personal Data Addendum
ADDENDUM ON THE PROTECTION OF PERSONAL DATA
This Data Protection Addendum ("Addendum") forms part of the Agreement between: Vendor acting on its own behalf and as agent for each vendor affiliate; and (ii) Kemin Industries ("Kemin") acting on its own behalf and as agent for each of its affiliates.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
The following clauses of the Addendum are incorporated, attached to and deemed part of the Agreement. In the event of a conflict between the Agreement and this Addendum, this Addendum shall prevail. Vendor’s failure to comply with any of the provisions of this Addendum shall be deemed a material breach of the Agreement.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
"Kemin Industries Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Kemin Industries, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Kemin Personal Data" means any Personal Data Processed by Vendor on behalf of a Kemin Industries Affiliate pursuant to or in connection with the Agreement;
“Contracted Processor" means Vendor or a Sub-processor;
"Data Protection Laws" means all applicable regional, national, and international (including the EU) laws, orders, regulations, and regulatory guidance in relation to the Processing or protection of Personal Data, as amended from time-to-time, including but not limited to, Regulation (EU) 2016/679 of 27 April 2016, General Data Protection Regulation (“GDPR”);
"EEA" means the European Economic Area;
"Restricted Transfer" means:
- a transfer of Kemin Personal Data from any Kemin Industries Affiliate to Vendor; or
- an onward transfer of Kemin Personal Data from Vendor to a Sub-processor, or between two establishments of Vendor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established below;
"Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Kemin Industries Affiliates pursuant to the Agreement;
"Standard Contractual Clauses" means the contractual clauses set out in Annex 1, amended as indicated in that Annex;
"Sub-processor" means any person (including any third party and any Vendor Affiliate, but excluding an employee of Vendor or any of its sub-contractors) appointed by or on behalf of Vendor or any Vendor Affiliate to Process Personal Data on behalf of any Kemin Industries Affiliate in connection with the Agreement; and
"Vendor Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
Vendor warrants and represents that, before any Vendor Affiliate Processes any Kemin Personal Data on behalf of any Kemin Industries Affiliate, Vendor's entry into this Addendum as agent for and on behalf of that Vendor Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Vendor Affiliate.
- Vendor’s obligation
3.1 Vendor acknowledges that in the course of performing the Agreement, it may Process Kemin Personal Data.
3.2 Vendor represents and warrants continuously throughout the Term that it and each Vendor Affiliate will: (a) only Process Kemin Personal Data in accordance with the instructions provided by Kemin, for the purposes set out in the Agreement and only to the extent necessary to perform its obligations hereunder, (b) not disclose, distribute, sell, assign, lease, commercially exploit (or allow to be exploited), or otherwise dispose of or make available any Kemin Personal Data to third parties, (c) not copy, modify, or create derivative works of any Kemin Personal Data (including, without limitation, aggregated and/or anonymized data) except with Kemin’s prior consent or as may be permitted by any applicable law which is incapable of exclusion by contract, (d) implement and maintain organizational, administrative, physical and technical safeguards meeting the highest standards of good industry practice to prevent the unauthorized Processing, destruction or loss of Kemin Personal Data in Vendor’s possession, custody or control, (e) implement and maintain an appropriate network security program that includes encryption of all sensitive data and Personal Data, (f) ensure its compliance with Data Protection Laws, (g) take all reasonable precautions with respect to the employment of and access given to Vendor and its Affiliates, and (h) at Kemin’s request at any time during the Term, provide Kemin with a complete copy of or full access to any and all Kemin Personal Data that may be in Vendor’s possession.
3.3 Vendor shall (a) provide, at Vendor’s own cost, reasonable cooperation, assistance, and information to Kemin in relation to queries, complaints and other correspondence with any Data Subject or regulatory body (including Data Subject access requests) and as may reasonably be required to enable Kemin to comply with its obligations under applicable Data Protection Laws, and (b) amend, update, supplement, return or delete any Personal Data as soon as reasonably practicable at Kemin’s request.
- Processing of Personal Data
4.1The Parties acknowledge and agree that with regard to the Processing of Personal Data in the context of the Agreement, Kemin Industries and/or its Affiliates is/are the Data Controller, Vendor is a Data Processor and that Vendor may engage Sub-Processors pursuant to the requirements set forth in Section 7 (Sub-Processors) below.
4.2All verbal instructions are to be confirmed in writing or by email without undue delay. Vendor shall inform Kemin immediately if it considers that an instruction violates Data Protection Laws or if it is required to process Personal Data outside the scope of Kemin’s instructions.
4.3The nature and purpose of Processing Personal Data by the Vendor is the performance of the Agreement. The duration of the Processing shall be for the Term designated under the Agreement and the rights and obligations under this Addendum shall remain in force after termination of the Agreement until all Personal Data Processed under this Addendum is deleted on the systems of the Vendor and its sub-processors.
The types of Personal Data Processed and the categories of Data Subjects under this Agreement may include: first and last name, employer contact details, professional email address, personal email address, private phone number, professional postal address, private postal address, professional phone number, date of birth, nationality, place of birth, gender, title, position, job description, details or terms of employment, information about work performance, dietary requirements, and personal life data.
The Processing may take place in the following jurisdiction(s): The United States
- Vendor and Vendor Affiliate Personnel
5.1 Vendor and each Vendor Affiliate shall ensure that access to Kemin Personal Data is limited to those Vendor employees and contractors (“Personnel”) and agents who have a need to know or need to access to enable the Vendor to perform its obligations under the Agreement. Vendor shall ensure that its Personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality obligations and such obligations survive the termination of that persons’ engagement with Vendor. Vendor has appointed, where required by applicable Data Protection Laws, a data protection officer who meets the requirements under such laws for the performance of his or her duties. The appointed person may be reached at the address and phone number listed in the Agreement.
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor and each Vendor Affiliate shall in relation to the Kemin Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
6.2 In assessing the appropriate level of security, Vendor and each Vendor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
7.1 Each Kemin Industries Affiliate authorizes Vendor and each Vendor Affiliate to appoint (and permit each Sub-processor appointed in accordance with this section 7 to appoint) Sub-processors in accordance with this section 7 and any restrictions in the Agreement.
7.2 Vendor and each Vendor Affiliate may continue to use those Sub-processors already engaged by Vendor or any Vendor Affiliate as at the date of this Addendum, subject to Vendor and each Vendor Affiliate in each case as soon as practicable meeting the obligations set out in section 7.4.
7.3 Vendor shall give Kemin prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor and assurances put in place to meet the requirements of this Addendum.
If, within 21 days of receipt of that notice, Kemin notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment, neither Vendor nor any Vendor Affiliate shall appoint (or disclose any Kemin Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by any Kemin Industries Affiliate and Kemin has been provided with a reasonable written explanation of the steps taken
7.4 With respect to each Sub-processor, Vendor or the relevant Vendor Affiliate shall:
7.4.1 before the Sub-processor first Processes Kemin Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Kemin Personal Data required by the Agreement;
7.4.2 ensure that the arrangement between on the one hand (a) Vendor, or (b) the relevant Vendor Affiliate, or (c) the relevant intermediate Sub-processor; and on the other hand the Sub-processor, is governed by a written contract including terms which offer at least the same level of protection for Kemin Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR;
7.4.3 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand (a) Vendor, or (b) the relevant Vendor Affiliate, or (c) the relevant intermediate Sub-processor; and on the other hand the Sub-processor, or before the Sub-processor first Processes Kemin Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with the relevant Kemin Industries Affiliate (and Kemin shall procure that each Kemin Industries Affiliate party to any such Standard Contractual Clauses co-operates with their population and execution); and
7.4.4 provide to Kemin for review such copies of the Vendor agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Kemin may request from time to time.
7.5 Vendor and each Vendor Affiliate shall ensure that each Sub-processor performs the obligations under sections 3.1, 4, 6, 8.1, 9.2, 10 and 12.1, as they apply to Processing of Kemin Personal Data carried out by that Sub-processor, as if it were party to this Addendum in place of Vendor.
- Data Subject Rights
8.1 Taking into account the nature of the Processing, Vendor and each Vendor Affiliate shall assist each Kemin Industries Affiliate by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Kemin Industries Affiliate obligations, as reasonably understood by Kemin, to respond to requests to exercise Data Subject rights under the Data Protection Laws .
8.2 Vendor shall:
8.2.1 promptly notify Kemin if it or any Vendor Affiliate or Sub-processor receives a request from a Data Subject under any Data Protection Law in respect of Kemin Personal Data; and
8.2.2 ensure that it or any Vendor Affiliate or Sub-processor does not respond to that request except on the documented instructions of Kemin or the relevant i Kemin Industries Affiliate or as required by Applicable Laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform Kemin of that legal requirement before the responding to the request.
- Personal Data Breach
9.1 Vendor shall notify Kemin without undue delay upon Vendor or any Sub-processor becoming aware of a Personal Data Breach affecting Kemin Personal Data, providing Kemin with sufficient information to allow each Kemin Industries Affiliate to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
9.2 Vendor shall co-operate with Kemin and each Kemin Industries Affiliate and take such reasonable commercial steps as are directed by Kemin to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation
Vendor and each Vendor Affiliate shall provide reasonable assistance to each Kemin Industries Affiliate with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Kemin reasonably considers to be required of any Kemin Industries Affiliate by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Kemin Personal Data by, and taking into account the nature of the Processing and information available to, the Vendor.
- Deletion or return of Kemin Personal Data
11.1 Subject to sections 11.2 and 11.3 Vendor and each Vendor Affiliate shall promptly and in any event within 21 days of the date of cessation of any Services involving the Processing of Kemin Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Kemin Personal Data.
11.2 Subject to section 11.3, Kemin may in its absolute discretion by written notice to Vendor require Vendor and each Vendor Affiliate to (a) return a complete copy of all Kemin Personal Data to Kemin by secure file transfer in such format as is reasonably notified by Kemin to Vendor; and (b) delete and procure the deletion of all other copies of Kemin Personal Data Processed by Vendor. Vendor and each Vendor Affiliate shall comply with any such written request promptly and at least within 21 working days of the Cessation Date.
11.3 Vendor may retain Kemin Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Vendor and each Vendor Affiliate shall ensure the confidentiality of all such Kemin Personal Data and shall ensure that such Kemin Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
11.4 Vendor shall provide written certification to Kemin that it and each Vendor Affiliate has fully complied with this section 11 within 21 days of the Cessation Date.
- Audit rights
12.1 Subject to sections 12.2 to 12.4, Vendor and each Vendor Affiliate shall make available to each Kemin Industries Affiliate on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by any Kemin Industries Affiliate or an auditor mandated by any Kemin Industries Affiliate in relation to the Processing of Kemin Personal Data by Vendor.
12.2 Information and audit rights of the Kemin Industries Affiliate only arise under section 12.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
12.3 Kemin or the relevant Kemin Industries Affiliate undertaking an audit shall give Vendor or the relevant Vendor Affiliate reasonable notice of any audit or inspection to be conducted under section 12 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Vendor premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Vendor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Kemin or the relevant Kemin Industries Affiliate undertaking an audit has given notice to Vendor or the relevant Vendor Affiliate that this is the case before attendance outside those hours begins; or
- for the purposes of more than one audit or inspection, in respect of Vendor, in any calendar year, except for any additional audits or inspections which:
- Kemin or the relevant Kemin Industries Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to Vendor's or the relevant Vendor Affiliate’s compliance with this Addendum; or
- A Kemin Industries Affiliate is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Kemin or the relevant Kemin Industries Affiliate undertaking an audit has identified its concerns or the relevant requirement or request in its notice to Vendor or the relevant Vendor Affiliate of the audit or inspection.
- Restricted Transfers
13.1 Subject to section 13.3, each Kemin Industries Affiliate (as "data exporter") and the Vendor, (as "data importer") hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Kemin Industries Affiliate to the Vendor.
13.2 The Standard Contractual Clauses shall come into effect under section 13.1 on the later of:
- the data exporter becoming a party to them;
- the data importer becoming a party to them, and
- commencement of the relevant Restricted Transfer.
13.3 Section 13.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
13.4 Vendor warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor which is not a Vendor Affiliate , Vendor's or the relevant Vendor Affiliate’s entry into the Standard Contractual Clauses under section 13.1, and agreement to variations to those Standard Contractual Clauses made under section 14.4.1, as agent for and on behalf of that Sub-processor will have been duly and effectively authorized (or subsequently ratified) by that Sub-processor.
- General Terms
Governing law and jurisdiction
14.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
14.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
14.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence
14.2 Nothing in this Addendum reduces Vendor's or any Vendor Affiliate’s obligations under the Agreement in relation to the protection of Personal Data or permits Vendor or any Vendor Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
14.3 Subject to section 14.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Changes in Data Protection Laws, etc.
14.4 Kemin may:
14.4.1 by at least 30 (thirty) calendar days' written notice to Vendor from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 13.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
14.4.2 propose any other variations to this Addendum which Kemin reasonably considers to be necessary to address the requirements of any Data Protection Law.
14.5 If Kemin gives notice under section 14.4.1:
14.5.1 Vendor and each Vendor Affiliate shall promptly co-operate (and ensure that any affected Sub-processors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 7.4.3; and
14.5.2 Kemin shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Vendor to protect itself or Vendor’s Affiliate against additional risks associated with the variations made under section 14.4.1 and/or 14.5.1.
14.6 If Kemin gives notice under section 14.4.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Kemin’s notice as soon as is reasonably practicable.
14.7 Neither Kemin nor Vendor shall require the consent or approval of any Kemin Industries Affiliate or Vendor Affiliate to amend this Addendum pursuant to this section 14.5 or otherwise.
14.8 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.