DATA PROCESSING AGREEMENT
Protection of personal data has always been a top priority for King Sound Reinforcement and we fully comply with UK GDPR and the rest of UK Data Protection legislation. One of the GDPR requirements is that we must describe how we ensure GDPR compliance and commit to this in a data processing agreement with our customers.
Unless you already have an individual processing agreement with King Sound Reinforcement, the DPA below will govern this important part of our relationship.
1. INTRODUCTION
1.1 This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations which arise from King Sound Reinforcement (‘Data Processor’) processing of Personal Data on behalf of Customer (‘Data Collector’) under the order form, service agreement or other agreement between the Parties (“the Agreement”). All capitalised terms not defined in this DPA shall have the meaning set forth in the Agreement.
1.2 The DPA is adopted as an appendix to any additional Agreement signed by the parties. In the event that any provision of this DPA is inconsistent with any term of the Agreement, the DPA will prevail.
1.3 If UK GDPR (‘Applicable Data Protection Law’) is amended, replaced or repealed, the parties shall, where necessary, negotiate in good faith a solution to enable the processing of Personal Data to be conducted in compliance with Applicable Data Protection Law.
2. PURPOSE, SCOPE AND RESPONSIBILITIES
2.1 King Sound Reinforcement shall only process personal data in accordance with the terms of this DPA.
2.2 The parties agree Customer is the Data Controller of Customer Personal Data. King Sound Reinforcement is the Data Processor of Customer Personal Data, except where King Sound Reinforcement acts as a Data Controller processing Customer Personal Data in accordance with Section 2.9.
2.3 King Sound Reinforcement shall process Customer Personal Data for the limited purpose of performing the obligations set out under the Agreement and only in accordance with Customer's lawful instructions or otherwise necessary to comply with UK GDPR. Data may, for that purpose, be processed by any of King Sound Reinforcement’s entities in accordance with Section 7.
2.4 Customer shall ensure that its instructions to King Sound Reinforcement comply with all laws and regulations applicable to Customer Personal Data, and that the processing of Customer Personal Data following Customer's instructions will not cause King Sound Reinforcement to be in breach of UK GDPR. Customer is solely responsible for the accuracy, quality and legality of Customer Personal Data provided to King Sound Reinforcement in accordance with this DPA.
2.5 Personal Data processed by King Sound Reinforcement shall include such actions as may be specified in the Agreement. Further data processing outside the scope set out in this Section 2 shall require mutual written agreement of the parties.
2.6 If King Sound Reinforcement becomes aware that any instruction given by Customer breaches Applicable Data Protection Law, King Sound Reinforcement shall immediately inform Customer of this, giving details of the breach or potential breach.
2.7 The term of this DPA shall continue until the later of the following: the termination of the Agreement or the date at which King Sound Reinforcement ceases to process Personal Data for Customer.
2.8 In no event will the data processed by King Sound Reinforcement include financial data or Sensitive Data.
2.9 The parties acknowledge and agree that King Sound Reinforcement may process Customer Personal Data for its own legitimate business operations as independent Data Controller, provided the data processing is limited to one of the following purposes: i) billing and account management; ii) internal reporting; iii) fraud and cyber-attacks prevention pertaining to the provision of the Services; iv) optimisation and maintenance of the Services; and v) compliance with legal and tax requirements.
2.10 The types and categories of Customer Personal Data processed by King Sound Reinforcement, and the purpose of such processing, are set out in Section 16 of the Agreement.
3. OBLIGATIONS OF KING SOUND REINFORCEMENT AS DATA PROCESSOR
3.1 King Sound Reinforcement warrants that it will:
i) comply with Applicable Data Protection Law relevant to King Sound Reinforcement’s obligations under the Agreement;
ii) implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the data subjects; and
iii) make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA; and reasonably cooperate with any audits performed by Customer or its independent auditor, at Customer’s own expense and no more than once a year, of facilities under the control of King Sound Reinforcement, in accordance with Section 10.2 of the Agreement.
4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
4.1 King Sound Reinforcement will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, damage or alteration and against unauthorised disclosure, abuse or other processing in violation of the requirements of Data Protection Law.
4.2 King Sound Reinforcement will ensure that it and its Sub-processors will at all times comply with the minimum data security requirements set out separately which may, from time to time, be updated, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
4.3 Customer has evaluated the security measures implemented by King Sound Reinforcement and agrees that they provide an appropriate level of protection for Customer Personal Data.
5. PERSONNEL
5.1 King Sound Reinforcement shall ensure that any personnel required to access Customer Personal Data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.
5.2 King Sound Reinforcement shall ensure that its personnel required to access Customer Personal Data are informed of the confidential nature of Customer Personal Data and the security procedures applicable to the processing of or access to Customer Personal Data.
5.3 King Sound Reinforcement’s personnel’s confidentiality obligations will survive the termination of the personnel engagement and the term of this DPA.
6. ASSISTANCE TO THE CUSTOMER AS DATA CONTROLLER
6.1 King Sound Reinforcement shall provide reasonable and timely assistance, by appropriate technical and organisational measures to Customer to enable them to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, Regulator or other third party in connection with the processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to King Sound Reinforcement, King Sound Reinforcement shall promptly inform Customer providing full details of the same, unless prohibited by the applicable law.
6.2 King Sound Reinforcement shall reasonably assist Customer with its obligation to conduct any data protection impact assessment required by Applicable Data Protection Law.
7. SUB-PROCESSORS
7.1 The Sub-processors have to be approved by Customer separately. Customer hereby gives a general authorisation for the engagement of additional Sub-processors for the purpose of performing its obligations under the Agreement, provided King Sound Reinforcement shall:
• maintain an up-to-date list of its Sub-processors at www.kingsr.com/data-processing-agreement (or any future website used by King Sound Reinforcement);
• provide at least 30 days prior notice (except to the extent a 30 days’ notice is not possible due to an emergency concerning Service availability or security) to Customer of any change to its Sub-processors via King Sound Reinforcement’s usual e-mail notification process;
• execute a written agreement that obligates the Sub-processor to (i) protect Customer Personal Data to the same extent required of King Sound Reinforcement by the Agreement; and (ii) comply with Applicable Data Protection Law.
7.2 If Customer objects to such new Sub-processor on reasonable grounds within 30 days of receiving notice, the parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and King Sound Reinforcement decides to proceed with such Sub-processor, Customer may terminate the Agreement with 30 days prior written notice. Neither of the Parties shall be considered in breach of contract in the event of such termination. Customer acknowledges that King Sound Reinforcement provides a standardised service to all customers which does not allow using different Sub-processors for different customers and, therefore, that the inability to use a particular new or replacement Sub-processor for the Services to the Customer may result in delay in performing the Services, inability to perform the Services or increased fees. King Sound Reinforcement will notify Customer in writing of any change to Services or fees that would result from King Sound Reinforcement’s inability to use a new or replacement Sub-processor to which Customer has reasonably objected. If Customer does not object to a new Sub-processor's engagement within 30 days, that new Sub-processor shall be deemed accepted.
7.3 King Sound Reinforcement shall be liable for the acts or omissions of its Sub-processors to the same extent that King Sound Reinforcement would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
8. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
8.1 Customer acknowledges and agrees that King Sound Reinforcement may transfer and process Customer Personal Data to its authorised Sub-processors in third countries for the provision of the Services. Any transfer of Personal Data to third countries or international organisations by King Sound Reinforcement shall always take place in compliance with EU Data Protection Law, UK GDPR and this DPA.
8.2 Any transfer of Customer Personal Data made from EEA, Switzerland or United Kingdom to a Restricted Country will be subject to the Standard Contractual Clauses (together with the UK Addendum, where UK GDPR applies) and any other supplementary measures required to enable the lawful transfer of Customer Personal Data. The Parties agree to promptly undertake to amend this DPA if necessary to incorporate an updated data transfer mechanism to maintain compliance with EU Data Protection Law and UK GDPR.
8.3 If any Customer Personal Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and Customer has informed King Sound Reinforcement of such data transfer restrictions or prohibitions, Customer and King Sound Reinforcement shall ensure an appropriate transfer mechanism (satisfying the country’s data transfer requirements) is in place, as reasonably requested by Customer and mutually agreed upon by both Parties, before transferring or accessing Customer’s Data outside of such country.
9. OBLIGATIONS OF THE CUSTOMER
9.1 Customer and King Sound Reinforcement will be separately responsible for conforming with Applicable Data Protection Law, as applicable to each.
9.2 Customer will inform King Sound Reinforcement in writing without undue delay following Customer’s discovery of a failure to comply with Applicable Data Protection Law with respect to processing of Personal Data in accordance with this DPA.
9.3 Customer shall be responsible for providing accurate and relevant contact details at the time of entering into the Agreement and thereafter to assist with King Sound Reinforcement’s notification obligations.
9.4 Customer represents and warrants it has provided and will continue to provide all notices and has obtained and will continue to obtain all consents and rights required under Applicable Data Protection Law for King Sound Reinforcement to process Customer Personal Data for the purposes of this Agreement.
10. NOTIFICATION OF DATA BREACH
10.1 King Sound Reinforcement shall without undue delay, and no later than 48 hours, notify Customer in writing of any identified Data Breach. The Data Breach Reporting Form is provided in Appendix 1.
10.2 The notification referred to in Section 10.1 will, to the extent possible:
a) describe the nature of the Data Breach including the categories and approximate number of data subjects concerned and the categories and approximate amount of Personal Data impacted,
b) provide the King Sound Reinforcement contact details where more information can be obtained,
c) describe the likely consequences of the Data Breach, and
d) describe the measures taken or proposed to be taken by King Sound Reinforcement to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
11. ADDITIONAL ASSIGNMENTS
11.1 In respect of tasks assigned to King Sound Reinforcement, that are not an obligation under this DPA and go beyond King Sound Reinforcement’s statutory obligations, King Sound Reinforcement shall be entitled to charge Customer for the additional resources, time and material necessary to fulfill the required task(s), unless such services are already included in the Services provided under the Agreement.
11.2 King Sound Reinforcement will notify Customer in advance of such additional charges and, to the extent possible, provide Customer with a quote of the expected costs.
11.3 If Customer does not agree to the costs, King Sound Reinforcement is not required to perform the additional assignment.
12. DELETION AND RETURN OF PERSONAL DATA
12.1 This DPA will take effect on the effective date and remain in effect until, and automatically expire upon, deletion of all Personal Data by King Sound Reinforcement as described in Section 12.2 below.
12.2 Following the expiration or earlier termination of the Agreement, if agreed King Sound Reinforcement will retain Customer Data in a limited function account, securely isolated and protected from any further processing, for 90 days. Once the 90-day retention period ends, King Sound Reinforcement shall disable Customer’s account and delete all Customer Personal Data associated with it, or irreversibly anonymise them in such a manner that the data subject is not identifiable, unless King Sound Reinforcement is permitted or required by applicable law, or authorised under this DPA, to retain such data. At all times during the term of the Agreement, Customer will have the ability to access, extract and delete Customer Personal Data stored in its tenant.
12.3 Upon Customer’s request, King Sound Reinforcement shall certify in writing the destruction or complete anonymisation of Customer Personal Data.
13. LAW ENFORCEMENT REQUESTS
13.1 If a court, law enforcement authority or intelligence agency contacts King Sound Reinforcement with a demand for Customer Personal Data, King Sound Reinforcement will first assess if it is a legitimate order. If compelled to disclose or provide access to any Customer Personal Data to law enforcement, King Sound Reinforcement will promptly notify Customer and provide a copy of the request, unless legally prohibited from doing so.
13.2 King Sound Reinforcement shall only cooperate with the issued request or order if legally obliged to do so and, where possible, King Sound Reinforcement shall judicially object to the request or order or the prohibition to inform Customer about this or to follow the instructions of Customer. King Sound Reinforcement shall not provide more Customer Personal Data than is strictly necessary for complying with the request or order.
14. LIABILITY
14.1 Each party's liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.
14.2 Data Collector will indemnify, keep indemnified and hold harmless King Sound Reinforcement, its clients, officers, directors, employees, agents, representatives and Affiliates (each an “Indemnified Party”) from and against all third party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Customer’s non-compliance with the requirements of this DPA.
15. LEGAL VENUE AND APPLICABLE LAW
15.1 This DPA shall be governed by Law of the United Kingdom (England).
15.2 Any claim or dispute arising from or in connection with this DPA must be settled by the Bristol Circuit Commercial Court as first instance.
16. DEFINITIONS
The terms “Data Controller”, “Data Processor”, “Data Subject”, “Processing”, ‘‘Processed’’ and “Process” shall have the meaning given in UK GDPR:
‘‘Data Controller’’ means the party that determines the purposes and means of processing personal data, decides the how and why of a data processing operation. Data Controller bears the most responsibility to Data Subjects and remains liable to Data Subject even if a Data Processor fails to do what is required under a DPA. A data controller can be a legal person (e.g. a business, a public authority, an agency or other body);
‘‘Data Processor’’ means the party that acts under the instructions of the Controller only, by processing personal data on behalf of the controller. Similar to a Data Controller, or Joint Controller, a Data Processor can be a legal person, for example a business, a public authority, an agency or other body. While the overall responsibility lies with the Data Controller, Data Processors also have certain responsibilities under the UK GDPR. Processors have to carry out the processing operations with the appropriate technical and organisational measures instructed by the Data Controller or joint controller. In doing so, the processor assists the Controller in complying with the UK GDPR;
‘‘Data Subject’’ means the individual to whom Personal Data relates (as may be further defined by applicable Data Protection Laws, whether defined under the same term or as an equivalent term);
‘‘Data Subject Request’’ means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
“Personal Data” means any information defined under Applicable Data Protection Law as “personal data”, “personal information”, “personally identifiable information” or any other similar term relating to an identified Data Subject (e.g. name, email address, phone number, job title, office location as well as documents, images and other content or data in electronic form);
“Processing’’ means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording (including live streaming), organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning);
“UK Data Protection Law” means all data protection laws and regulation applicable to the United Kingdom, including the United Kingdom's Data Protection Act 2018 and the GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), each as amended, supplemented or replaced from time to time.
“Regulator” means ICO (Information Commissioner’s Office) — the national agency that has legal authority for administering, providing guidance on, supervising and enforcing UK GDPR.
“Customer Personal Data” means the Personal Data that is generated by or provided to King Sound Reinforcement by, or on behalf of, Customer through use of the Services.
“Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data processed by King Sound Reinforcement.
“EU Data Protection Laws” means all data protection laws and regulation applicable to the European Economic Area (“EEA”) and Switzerland, including the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national law implementing the Directive and the Swiss Federal Data Protection Act (“Swiss DPA”).
“Sub-processor” means any King Sound Reinforcement Affiliate and any sub-contractor engaged by King Sound Reinforcement in the processing of Customer Personal Data under the terms of the Agreement and this DPA.
“Sensitive data” means any (i) special categories of Personal Data defined under EU Data Protection Law and UK Data Protection Law, (ii) data relating to criminal convictions and offences defined under EU Data Protection Law and UK Data Protection Law or (iii) within the definition of “sensitive personal information” under the CCPA.
“Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries (“EU SCCs”) and (ii) where the Swiss DPA applies, the standard data protection clauses issued, approved or otherwise recognised by the Swiss Regulator (“Swiss SCCs”), each as amended, supplemented or replaced from time to time.
“UK Addendum” means the UK Addendum issued by the United Kingdom Regulator under section 119A(1) of the Data Protection Act 2018, being an addendum to the Standard Contractual Clauses.
This Data Processing Agreement will be effective from the Effective Date.
BY CLICKING THE "I ACCEPT" BUTTON BELOW, YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT; AND (C) ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS.