Arrow button to navigate back

Data Processing Agreement

  1. SUBJECT MATTER AND SCOPE
    1. Customer has entered into a contract (the “Agreement”) with Komatsu Forest regarding Customer’s use of one or several digital services provided by Komatsu Forest as part of its Smart Forestry offering (the “Service”) to Customer. Unless otherwise agreed in writing, the Agreement regarding the Service consist of the Smart Forestry General Terms (including any referenced ordering document), this Data Processing Agreement (including its annex and referenced documents) (the “DPA”) and applicable service-specific terms and conditions (if any) for the Service ordered by Customer.
    2. Data processed by Komatsu Forest as part of the Service may include personal data, as defined in the General Data Protection Regulation ((EU) 2016/679) (“GDPR”). Personal data will be processed by Komatsu Forest (as a ‘data processor’) on behalf of Customer (as the sole ‘data controller’) subject to the terms of this DPA.
    3. Where an affiliate of Customer is the data controller for Personal Data hereunder, Customer warrants and represents that it has been instructed by and obtained all necessary mandate and authorization to enter into this DPA with Komatsu Forest on behalf of such Customer affiliate(s).
    4. The DPA consists of this document as well as Annex 1 (“Specification”) and the technical and organizational security measures described at smartforestry.komatsuforest.com/legal. The content of the aforementioned documents is hereby incorporated into the DPA and the Agreement by reference. In the event of inconsistencies between other Agreement documents and this DPA in regard to Komatsu Forest’s processing of personal data, this DPA shall prevail and apply in lieu of such inconsistent clause(s) in other documents.
    5. For the avoidance of doubt, personal data collected and processed by Komatsu Forest as a data controller is not subject to this DPA. Please see the Smart Forestry Privacy Policy for further information.
  2. DEFINITIONS
    1. Terms defined in the Smart Forestry General Terms shall have the same meaning when used in this DPA with an initial capital letter.
    2. Terms defined in the GDPR, such as “controller", "data subject", "processor", "processing", “personal data”, "personal data breach” and “third country”, shall have the same meaning when used in this DPA.
  3. INSTRUCTIONS TO KOMATSU FOREST
    1. Customer hereby instructs Komatsu Forest to process personal data in accordance with the Specification in Annex 1. For avoidance of doubt, Komatsu Forest, its subcontractors if relevant, and persons acting under the authority of Komatsu Forest may only process Personal Data in accordance with Customer’s written instructions. Customer’s instructions upon entering into this DPA follows from this DPA and the Agreement.
    2. Customer may provide additional, documented instructions to Komatsu Forest to process personal data; provided, however, that in the event Customer provides additional documented instructions regarding processing of personal data, which goes beyond the scope of this DPA or the Agreement, or which requires Komatsu Forest to take measures outside standard measures taken by Komatsu Forest to protect personal data, Komatsu Forest is entitled to remuneration for any incurred costs or expenses as a result of such additional instructions. If Komatsu Forest notifies Customer that an additional instruction is not technically or commercially feasible, Customer may terminate, wholly or partly (if possible), the relevant Service with one (1) month written notice. Komatsu Forest will refund a prorated portion of any prepaid charges for the period after such termination date.
    3. This DPA will not prevent or limit Komatsu Forest from processing personal data to the extent necessary in order to comply with legal requirements under the GDPR and/or other laws to which Komatsu Forest is subject.
    4. Customer hereby instructs and authorizes Komatsu Forest to share and make available personal data to a designated Principal or other third party instructed by Customer.
    5. Customer is solely responsible to ensure that the Service is used in compliance with the GDPR and any other applicable privacy laws or regulations in Customer’s jurisdiction, including but not limited to any obligation(s) to obtain consent and/or provide information to data subjects. Customer hereby acknowledges and approves that Komatsu Forest will provide a standardized privacy notice to data subjects regarding the processing of personal data carried out as part of the Service. Such standardized information is provided in the Smart Forestry Privacy Policy. If and to the extent Customer decides to process personal data in any other way than what follows from the Smart Forestry Privacy Policy, Customer is solely liable and responsible to provide additional information regarding such processing to relevant data subjects. Komatsu Forest hereby explicitly disclaims any and all liability or responsibility to ensure that Customer’s use of the Service complies with the GDPR and any other applicable privacy laws or regulations in Customer’s jurisdiction.
    6. Customer may at any time, using the functionality in the Service or by sending an email to gdpr@komatsuforest.com, instruct Komatsu Forest to stop any data sharing and restrict data access for any particular recipient referred to in Section 3.4. Upon receipt of such request, Komatsu Forest shall take appropriate actions (such as confirmation from management within Customer’s organization, if deemed relevant by Komatsu Forest) without unnecessary delay.
  4. SECURITY MEASURES AND ASSISTANCE
    1. Komatsu Forest shall implement appropriate technical and organizational measures as set forth in the TOMs to ensure a level of security appropriate to the risks involved. The TOMs are subject to technical progress and further development. Accordingly, Komatsu Forest reserves the right to modify the TOMs, provided that the functionality and security of the Service is not significantly degraded. Customer hereby discharges Komatsu Forest of any obligation to notify and/or obtain prior approval from Customer of such changes. Upon Customer’s request, Komatsu Forest shall provide a copy of up-to-date and current TOMs.
    2. Komatsu Forest shall, upon the Customer's request and taking into account the nature of the processing and the information available to Komatsu Forest, provide information to the Customer in order to allow the Customer to fulfil its obligations to, where applicable, carry out data protection impact assessments (DPIAs) and prior consultations with the relevant supervisory authority under the GDPR in relation to the processing of personal data covered by the Service. Komatsu Forest is entitled to compensation from the Customer for any costs and expenses relating to Komatsu Forest's assistance in accordance with the Customer's request pursuant to this section 4.2.
    3. Each party shall take measures to ensure that access to personal data is limited to such individuals who need access to the personal data in order to fulfil its obligations under the Agreement and the DPA.
    4. Each party shall ensure that all employees and other individuals authorized to access and process personal data observes confidentiality not less restrictive than the confidentiality undertaking set out in the Agreement.
  5. PERSONAL DATA BREACHES
    1. In the event of a personal data breach attributable to Komatsu Forest or its subcontractors, Komatsu Forest shall notify Customer, in email or otherwise in writing without undue delay, after becoming aware of the personal data breach.
    2. Komatsu Forest’s notification to the Customer shall include the following information:
      1. a description of the nature of the personal data breach including the cat¬egories and approximate number of data subjects concerned and the categories and approximate number of personal data records con¬cerned; and
      2. a description of the measures taken or proposed to be taken by Komatsu Forest to address the personal data breach, including, where ap¬propriate, measures to mitigate its possible adverse effects.
    3. Where, and insofar as it is not possible for Komatsu Forest to provide the information set out in section 5.2 above at the same time, Komatsu Forest may provide the information in phases without any unnecessary delay.
    4. If a personal data breach is attributable to the Customer, Komatsu Forest shall only be responsible for notifying Customer about the personal data breach and await written instructions from Customer about whether Customer wishes that Komatsu Forest shall investigate the personal data breach on behalf of Customer (at Customer’s sole cost).
  6. USE OF SUBCONTRACTORS
    1. Customer hereby agrees that Komatsu Forest or a Komatsu Forest affiliate may engage service providers as subcontractors to process Personal Data on behalf of Customer in accordance with this DPA. Komatsu Forest or the relevant Komatsu Forest affiliate, as applicable, shall ensure the subcontractor has entered into a data processing agreement with obligations no less restrictive than those set out in this DPA.
    2. Komatsu Forest may replace or add new subcontractors at any time, provided that Customer is notified in advance without undue delay. A list of subcontractors including geographical location is available at smartforestry.komatsuforest.com/legal.
    3. Customer may object to a subcontractor processing Customer’s personal data, provided that such objection is reasonable and based on data protection grounds. If Komatsu Forest is unable to accommodate Customer’s objection, Customer may terminate, wholly or partly (if possible), the Agreement including this DPA by providing Komatsu Forest written notice within one (1) month of Komatsu Forest’s initial notice. Komatsu Forest will refund a prorated portion of any pre-paid charges for the period after such termination date.
    4. Komatsu Forest shall be liable for the acts and omissions of any subcontractor to the same extent as if the acts or omissions were performed by Komatsu Forest.
  7. ACCESS TO INFORMATION AND AUDIT
    1. Komatsu Forest, its affiliates and/or its subcontractor(s) may maintain certifications or audit reports capturing the Service. Upon Customer’s request, Komatsu Forest shall provide (i) relevant extracts of audit reports, and/or (ii) information and documentation regards the applicable certifications available for the Service. Such reports, information and documentation shall constitute Confidential Information of Komatsu Forest.
    2. Only in case the certifications and audit reports provided do not suffice for Customer to comply with applicable audit requirements and obligations under applicable law, Customer may at Customer’s sole cost and expense (i) request additional information and documentation about Komatsu Forest’s control environment and security practices relevant to Personal Data processed hereunder.
    3. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only the legally mandated entity (such as a governmental regulatory authority having oversight of Customer’s operations) may conduct an onsite inspection of the technical and organizational measures that Komatsu Forest or its subcontractor(s) has implemented to fulfil its obligations under this DPA; such inspection to be performed subject to reasonable confidentiality undertakings and in a manner that minimizes any risk of disruption to Komatsu Forest’s, its affiliates’ or subcontractors’ business and clients, and in accordance with applicable Komatsu Forest practices and policies.
    4. An on-site inspection as per section 7.3 shall (i) be subject to at least sixty (60) days’ prior written notice, (ii) be strictly limited to what is required to verify that Komatsu Forest’s technical and organizational measures comply with the TOMs. Any and all costs and expenses related to Customer’s inspections shall be borne by the Customer, including any potential costs and expenses in¬curred by Komatsu Forest due to Komatsu Forest's or its subcontractor(s)’ participation in such inspection.
  8. RIGHTS OF THE DATA SUBJECT
    1. As the data controller, Customer shall act as the single-point-of-contact in relation to end-users (data subjects) on all matters and issues related to the processing activities carried out under this DPA.
    2. If a data subject directs a request to Komatsu Forest to exercise its rights under the GDPR, Komatsu Forest shall endeavor to refer the data subject to Customer. If a data subject’s personal data is not accessible to Customer through the Service, Komatsu Forest will, as necessary to enable Customer to meet its obligations under the GDPR, provide reasonable assistance to make such personal data available to Customer. Komatsu Forest is entitled to compensation from the Customer for any costs and expenses relating to Komatsu Forest's assistance in accordance with the Customer's request pursuant to this section.
    3. If a data subject pursuant to mandatory law is entitled to exercise its rights directly vis-à-vis Komatsu Forest, Komatsu Forest shall take relevant measures and shall be discharged of any obligation to inform or notify Customer.
  9. INTERNATIONAL DATA TRANSFERS
    1. Komatsu Forest is entitled to transfer personal data to any location worldwide (including so-called third countries) provided that:
      1. the third country, ac¬cording to a decision issued by the EU Commission, provides an adequate level of protection for personal data;
      2. Komatsu Forest ensures that there are appropriate safeguards in place for the transfer in accordance with the GDPR, such as the standard data protection clauses adopted by the EU Commission under Data Protection Legislation together with adequate supplementary measures (if necessary); or
      3. Komatsu Forest is able to apply other legal mechanisms under Data Protection Legislation for the transfer of the Personal Data.
    2. For the purposes of section 9.1b) above, the Customer hereby grants, to the extent permissible by applicable law, a right for Komatsu Forest to execute any standard data protection clauses adopted by the EU Commission with any subcontractor that will process Personal Data on behalf of Customer. For the purposes of transfer of personal data from Komatsu Forest to the Customer, see Annex II.
  10. CONFIDENTIALITY
    1. Without prejudice to any confidentiality undertakings in the Agreement, Komatsu Forest shall keep and maintain all personal data strictly confidential and shall not disclose personal data to any third party, unless otherwise authorized in advance in writing by the Customer or oth¬erwise required by applicable laws or for the performance of this DPA and/or the Agreement.
  11. LIABILITY
    1. Komatsu Forest’s total liability under this DPA shall be limited in accordance with the provisions and liability caps in the Smart Forestry General Terms.
  12. TERM AND TERMINATION
    1. This DPA shall enter into force when the Agreement has been agreed by both parties and shall continue to apply during the term of the Agreement or the longer period during which Komatsu Forest or a subcontractor processes personal data on behalf of Customer.
    2. Upon termination of the Agreement, Komatsu Forest will during a reasonable data retention period provide Customer with a possibility to download and retrieve any personal data in Komatsu Forest’s or its subcontractors’ possession in accordance with Komatsu Forest’s standard procedures for the Service. Upon expiry of the data retention period, Komatsu Forest shall delete or de-identify any personal data, unless Komatsu Forest is obligated under applicable law to continue to store identifiable information.
  13. MISCELLANEOUS
    1. Neither the rights nor the obligations of either Party under this DPA may be assigned in whole or in part without the prior written consent of the other Party. Komatsu Forest may however assign its rights and obligations under this DPA to a Komatsu Forest affiliate, provided that such affiliate can provide sufficient guarantees that the company will be able to comply with the provisions of this DPA.
    2. Additions and amendments to this DPA shall be in writing and duly signed by both Parties to be valid.
    3. Without prejudice to the Agreement, this DPA constitutes the entire agreement between the Parties on all issues to which the DPA relates. The contents of this DPA and its annexes supersede all previous written or oral commitments and undertakings between the Parties on the issues to which this DPA relates.
    4. Nothing in this DPA shall limit Komatsu Forest or its subcontractors from complying with applicable laws and/or orders from governmental agencies or regulatory bodies.
    5. The division of this DPA into separate sections and the insertion of headings are for convenience only and shall not affect the interpretation of this DPA.