Customer has entered into a contract (the “Agreement”) with Komatsu Forest regarding
Customer’s use of one or several digital services provided by Komatsu Forest as part of its
Smart Forestry offering (the “Service”) to Customer. Unless otherwise agreed in writing, the
Agreement regarding the Service consists of the Smart Forestry General Terms (including any
referenced ordering document), this Data Processing Agreement (including its annex and
referenced documents) (the “DPA”) and applicable service-specific terms and conditions (if any)
for the Service ordered by Customer.
Data processed by Komatsu Forest as part of the Service may include personal data, as
defined in the General Data Protection Regulation ((EU) 2016/679) (“GDPR”). Personal data will
be processed by Komatsu Forest (as a ‘data processor’) on behalf of Customer (as the sole ‘data
controller’) subject to the terms of this DPA.
Where an affiliate of Customer is the data controller for Personal Data hereunder, Customer
warrants and represents that it has been instructed by and obtained all necessary mandate and
authorization to enter into this DPA with Komatsu Forest on behalf of such Customer
affiliate(s).
The DPA consists of this document as well as Annex 1 (“Specification”) and the technical
and organizational security measures described at smartforestry.komatsuforest.com/legal. The
content of the aforementioned documents is hereby incorporated into the DPA and the Agreement
by reference. In the event of inconsistencies between other Agreement documents and this DPA in
regard to Komatsu Forest’s processing of personal data, this DPA shall prevail and apply in
lieu of such inconsistent clause(s) in other documents.
For the avoidance of doubt, personal data collected and processed by Komatsu Forest as a data
controller is not subject to this DPA. Please see the Smart Forestry Privacy Policy for further
information.
DEFINITIONS
Terms defined in the Smart Forestry General Terms shall have the same meaning when used in this
DPA with an initial capital letter.
Terms defined in the GDPR, such as “controller”, “data subject”, “processor”, “processing”,
“personal data”, “personal data breach” and “third country”, shall have the same meaning when
used in this DPA.
INSTRUCTIONS TO KOMATSU FOREST
Customer hereby instructs Komatsu Forest to process personal data in accordance with the
Specification in Annex 1. For avoidance of doubt, Komatsu Forest, its subcontractors if
relevant, and persons acting under the authority of Komatsu Forest may only process Personal
Data in accordance with Customer’s written instructions. Customer’s instructions upon entering
into this DPA follow from this DPA and the Agreement.
Customer may provide additional, documented instructions to Komatsu Forest to process
personal data; provided, however, that in the event Customer provides additional documented
instructions regarding processing of personal data, which go beyond the scope of this DPA or
the Agreement, or which require Komatsu Forest to take measures outside standard measures
taken by Komatsu Forest to protect personal data, Komatsu Forest is entitled to remuneration for
any incurred costs or expenses as a result of such additional instructions. If Komatsu Forest
notifies Customer that an additional instruction is not technically or commercially feasible,
Customer may terminate, wholly or partly (if possible), the relevant Service with one (1) month
written notice. Komatsu Forest will refund a prorated portion of any prepaid charges for the
period after such termination date.
This DPA will not prevent or limit Komatsu Forest from processing personal data to the extent
necessary in order to comply with legal requirements under the GDPR and/or other laws to which
Komatsu Forest is subject.
Customer hereby instructs and authorizes Komatsu Forest to share and make available personal
data to a designated Principal or other third party instructed by Customer.
Customer is solely responsible to ensure that the Service is used in compliance with the
GDPR and any other applicable privacy laws or regulations in Customer’s jurisdiction, including
but not limited to any obligation(s) to obtain consent and/or provide information to data
subjects. Customer hereby acknowledges and approves that Komatsu Forest will provide a
standardized privacy notice to data subjects regarding the processing of personal data carried
out as part of the Service. Such standardized information is provided in the Smart Forestry
Privacy Policy. If and to the extent Customer decides to process personal data in any other way
than what follows from the Smart Forestry Privacy Policy, Customer is solely liable and
responsible to provide additional information regarding such processing to relevant data
subjects. Komatsu Forest hereby explicitly disclaims any and all liability or responsibility to
ensure that Customer’s use of the Service complies with the GDPR and any other applicable
privacy laws or regulations in Customer’s jurisdiction.
Customer may at any time, using the functionality in the Service or by sending an email to
gdpr@komatsuforest.com, instruct Komatsu Forest to stop any data sharing and restrict data
access for any particular recipient referred to in Section 3.4. Upon receipt of such request,
Komatsu Forest shall take appropriate actions (such as confirmation from management within
Customer’s organization, if deemed relevant by Komatsu Forest) without unnecessary delay.
SECURITY MEASURES AND ASSISTANCE
Komatsu Forest shall implement appropriate technical and organizational measures as set
forth in the TOMs to ensure a level of security appropriate to the risks involved. The TOMs are
subject to technical progress and further development. Accordingly, Komatsu Forest reserves the
right to modify the TOMs, provided that the functionality and security of the Service are not
significantly degraded. Customer hereby discharges Komatsu Forest of any obligation to notify
and/or obtain prior approval from Customer of such changes. Upon Customer’s request, Komatsu
Forest shall provide a copy of up-to-date and current TOMs.
Komatsu Forest shall, upon the Customer's request and taking into account the nature of the
processing and the information available to Komatsu Forest, provide information to the Customer
in order to allow the Customer to fulfil its obligations to, where applicable, carry out data
protection impact assessments (DPIAs) and prior consultations with the relevant supervisory
authority under the GDPR in relation to the processing of personal data covered by the Service.
Komatsu Forest is entitled to compensation from the Customer for any costs and expenses
relating to Komatsu Forest's assistance in accordance with the Customer's request pursuant to
this section 4.2.
Each party shall take measures to ensure that access to personal data is limited to such
individuals who need access to the personal data in order to fulfil its obligations under the
Agreement and the DPA.
Each party shall ensure that all employees and other individuals authorized to access and
process personal data observe confidentiality not less restrictive than the confidentiality
undertaking set out in the Agreement.
PERSONAL DATA BREACHES
In the event of a personal data breach attributable to Komatsu Forest or its subcontractors,
Komatsu Forest shall notify Customer, in email or otherwise in writing without undue delay,
after becoming aware of the personal data breach.
Komatsu Forest’s notification to the Customer shall include the following information:
a description of the nature of the personal data breach including the categories and
approximate number of data subjects concerned and the categories and approximate number
of personal data records concerned; and
a description of the measures taken or proposed to be taken by Komatsu Forest to address
the personal data breach, including, where appropriate, measures to mitigate its
possible adverse effects.
Where, and insofar as it is not possible for Komatsu Forest to provide the information set out
in section 5.2 above at the same time, Komatsu Forest may provide the information in phases
without any unnecessary delay.
If a personal data breach is attributable to the Customer, Komatsu Forest shall only be
responsible for notifying Customer about the personal data breach and await written instructions
from Customer about whether Customer wishes that Komatsu Forest shall investigate the personal
data breach on behalf of Customer (at Customer’s sole cost).
USE OF SUBCONTRACTORS
Customer hereby agrees that Komatsu Forest or a Komatsu Forest affiliate may engage service
providers as subcontractors to process Personal Data on behalf of Customer in accordance with
this DPA. Komatsu Forest or the relevant Komatsu Forest affiliate, as applicable, shall ensure
the subcontractor has entered into a data processing agreement with obligations no less
restrictive than those set out in this DPA.
Komatsu Forest may replace or add new subcontractors at any time, provided that Customer is
notified in advance without undue delay. A list of subcontractors including geographical
location is available at smartforestry.komatsuforest.com/legal.
Customer may object to a subcontractor processing Customer’s personal data, provided that such
objection is reasonable and based on data protection grounds. If Komatsu Forest is unable to
accommodate Customer’s objection, Customer may terminate, wholly or partly (if possible), the
Agreement including this DPA by providing Komatsu Forest written notice within one (1) month
of Komatsu Forest’s initial notice. Komatsu Forest will refund a prorated portion of any
pre-paid charges for the period after such termination date.
Komatsu Forest shall be liable for the acts and omissions of any subcontractor to the same
extent as if the acts or omissions were performed by Komatsu Forest.
ACCESS TO INFORMATION AND AUDIT
Komatsu Forest, its affiliates and/or its subcontractor(s) may maintain certifications or
audit reports capturing the Service. Upon Customer’s request, Komatsu Forest shall provide (i)
relevant extracts of audit reports, and/or (ii) information and documentation regarding the
applicable certifications available for the Service. Such reports, information and documentation
shall constitute Confidential Information of Komatsu Forest.
Only in case the certifications and audit reports provided do not suffice for Customer to
comply with applicable audit requirements and obligations under applicable law, Customer may at
Customer’s sole cost and expense (i) request additional information and documentation about
Komatsu Forest’s control environment and security practices relevant to Personal Data processed
hereunder.
To the extent it is not possible to otherwise satisfy an audit obligation mandated by
applicable law, only the legally mandated entity (such as a governmental regulatory authority
having oversight of Customer’s operations) may conduct an onsite inspection of the technical
and organizational measures that Komatsu Forest or its subcontractor(s) has implemented to
fulfil its obligations under this DPA; such inspection to be performed subject to reasonable
confidentiality undertakings and in a manner that minimizes any risk of disruption to Komatsu
Forest’s, its affiliates’ or subcontractors’ business and clients, and in accordance with
applicable Komatsu Forest practices and policies.
An on-site inspection as per section 7.3 shall (i) be subject to at least sixty (60) days’
prior written notice, (ii) be strictly limited to what is required to verify that Komatsu
Forest’s technical and organizational measures comply with the TOMs. Any and all costs and
expenses related to Customer’s inspections shall be borne by the Customer, including any
potential costs and expenses incurred by Komatsu Forest due to Komatsu Forest's or its
subcontractor(s)’ participation in such inspection.
RIGHTS OF THE DATA SUBJECT
As the data controller, Customer shall act as the single-point-of-contact in relation to
end-users (data subjects) on all matters and issues related to the processing activities
carried out under this DPA.
If a data subject directs a request to Komatsu Forest to exercise its rights under the
GDPR, Komatsu Forest shall endeavor to refer the data subject to Customer. If a data subject’s
personal data is not accessible to Customer through the Service, Komatsu Forest will, as
necessary to enable Customer to meet its obligations under the GDPR, provide reasonable
assistance to make such personal data available to Customer. Komatsu Forest is entitled to
compensation from the Customer for any costs and expenses relating to Komatsu Forest's
assistance in accordance with the Customer's request pursuant to this section.
If a data subject pursuant to mandatory law is entitled to exercise its rights directly
vis-à-vis Komatsu Forest, Komatsu Forest shall take relevant measures and shall be discharged of
any obligation to inform or notify Customer.
INTERNATIONAL DATA TRANSFERS
Komatsu Forest is entitled to transfer personal data to any location worldwide (including
so-called third countries) provided that:
the third country, according to a decision issued by the EU Commission, provides an
adequate level of protection for personal data;
Komatsu Forest ensures that there are appropriate safeguards in place for the transfer
in accordance with the GDPR, such as the standard data protection clauses adopted by the
EU Commission under Data Protection Legislation together with adequate supplementary
measures (if necessary); or
Komatsu Forest is able to apply other legal mechanisms under Data Protection
Legislation for the transfer of the Personal Data.
For the purposes of section 9.1b) above, the Customer hereby grants, to the extent
permissible by applicable law, a right for Komatsu Forest to execute any standard data
protection clauses adopted by the EU Commission with any subcontractor that will process
Personal Data on behalf of Customer. For the purposes of transfer of personal data from Komatsu
Forest to the Customer, see Annex II.
CONFIDENTIALITY
Without prejudice to any confidentiality undertakings in the Agreement, Komatsu Forest
shall keep and maintain all personal data strictly confidential and shall not disclose personal
data to any third party, unless otherwise authorized in advance in writing by the Customer or
otherwise required by applicable laws or for the performance of this DPA and/or the Agreement.
LIABILITY
Komatsu Forest’s total liability under this DPA shall be limited in accordance with the
provisions and liability caps in the Smart Forestry General Terms.
TERM AND TERMINATION
This DPA shall enter into force when the Agreement has been agreed by both parties and shall
continue to apply during the term of the Agreement or the longer period during which Komatsu
Forest or a subcontractor processes personal data on behalf of Customer.
Upon termination of the Agreement, Komatsu Forest will during a reasonable data retention period
provide Customer with a possibility to download and retrieve any personal data in Komatsu
Forest’s or its subcontractors’ possession in accordance with Komatsu Forest’s standard
procedures for the Service. Upon expiry of the data retention period, Komatsu Forest shall
delete or de-identify any personal data, unless Komatsu Forest is obligated under applicable law
to continue to store identifiable information.
MISCELLANEOUS
Neither the rights nor the obligations of either Party under this DPA may be assigned in whole
or in part without the prior written consent of the other Party. Komatsu Forest may however
assign its rights and obligations under this DPA to a Komatsu Forest affiliate, provided that
such affiliate can provide sufficient guarantees that the company will be able to comply with
the provisions of this DPA.
Additions and amendments to this DPA shall be in writing and duly signed by both Parties to be
valid.
Without prejudice to the Agreement, this DPA constitutes the entire agreement between the
Parties on all issues to which the DPA relates. The contents of this DPA and its annexes
supersede all previous written or oral commitments and undertakings between the Parties on the
issues to which this DPA relates.
Nothing in this DPA shall limit Komatsu Forest or its subcontractors from complying with
applicable laws and/or orders from governmental agencies or regulatory bodies.
The division of this DPA into separate sections and the insertion of headings are for
convenience only and shall not affect the interpretation of this DPA.