Welcome Koch Vendors and Partners

ACTION REQUIRED:

Koch Industries and its Affiliates are in the process of updating the data transfer mechanism in our Data Processing Agreements (DPAs) to the new SCCs where required by updates in applicable laws.  You have been identified as a vendor or partner that provides products or services involving the processing of personal data to Koch and/or one of its Affiliates.

We request that you download, sign and return the applicable DPA (links below) in order to comply with these updated requirements.

WHY:

The General Data Protection Regulation (GDPR) requires that personal data transferred out of Europe (which includes the remote access to personal data located within Europe) must be protected by a legal and valid transfer mechanism. In July 2020, the Privacy Shield, which was a data transfer mechanism permitting personal data transfers from the EU to the US, was invalidated, resulting in a shift from the Privacy Shield to the Standard Contractual Clauses. In June 2021, the EU Commission published a new set of Standard Contractual Clauses (SCCs), replacing the prior ones, to support personal data transfers out of the EU to third countries. The former SCCs will be invalid as of December 27, 2022. We have determined that your DPA with us contains one of these invalidated or soon to be invalid data transfer mechanisms and must be replaced.

WHEN:  

While the deadline to have the new SCCs in place is late 2022, we are taking a proactive approach so as to have the enhanced SCCs in line with GDPR’s requirements in place as soon as possible. We appreciate your prompt action and response.

HOW:

Please take the following steps:

• Download the applicable DPA below (there are separate ones for Infor Vendors/Partners and other Koch Company Vendors/Partners)
• Review and ensure that you have: 
  • Inserted the Effective Date
  • Inserted your Vendor/Partner name in the Preamble
  • Inserted your Name, address and contact person details in Annex I.A
  • Provide any additional security terms in supplement to Annex II 
  • Inserted your Subprocessor names and information and/or a link to your list into Annex III
• Countersign either by wet signature, electronically or by attaching your e-signature along with the fully executed copy.
• Return fully executed copy to: privacy@kochind.com

PRIVACY AND SECURITY ASSESSMENT:

Please also confirm that you have completed our Privacy and Security Risk Assessment.  If you have not completed this task then you will likely be receiving - in parallel to this process - a request to update that information.  Please be as accurate and as thorough as possible in responding to the Assessment.  We use your responses to the Assessment to complete any necessary Transfer Impact Assessment associated with our data transfer to you to ensure that we can continue to use your service or products.  If you have questions related to the Assessment, please reach out to privacy@kochind.com.

FREQUENTLY ASKED QUESTIONS

Koch Company (Non-Infor) Vendors and Partners

Please select the Data Processing Agreement in your preferred language:

English    German    French  Italian

Polish   Portuguese    Spanish    Dutch

Infor Vendors and Partners

Please select the Data Processing Agreement in your preferred language:

English  German   French    Italian 

Polish   Portuguese    Spanish    Dutch

 

 

FREQUENTLY ASKED QUESTIONS

• How can I be sure that this is a request from the Koch Company that I work with?
  • Please feel free to verify with your relationship partner at the Koch company that you work with, however this is a valid request. Given the volume of vendor and partner contracts that require revision we have centralized this process to one internal team, which is why you are not hearing from your regular contact.
• In our role as Vendor/Partner we do not transfer/process/access any of your EU personal data outside of the EU. Do we have to sign a DPA?
  • You received this request because you were identified as someone who in your role provides products or services to Koch or a Koch Company’s customer that involves processing EU personal data in a way where a data transfer mechanism is required in your DPA. If you believe this was in error, please provide your reasoning to privacy@kochind.com.
• We have our own DPA that we want you to sign. Is that an option?
  • We request that you review our DPA. Our DPA is drafted to comply with law and to account for any customer flow down requirements that we have committed to where applicable. It is rare that we would consider a vendor’s DPA.
• Why is the DPA signed by Koch Business Services, LP? My contract is with another Koch company.
  • This is not an error. We have decided to enter standalone DPAs with you in this manner so that you only have to enter into one DPA with Koch instead of with each Koch company individually. 
• Why is the DPA signed by Infor (US) LLC? My contract is with another Infor company?
  • This is not an error. We have decided to enter standalone DPAs with you in this manner so that you only have to enter into one DPA with Infor instead of with each Infor company individually. 
• The DPA I downloaded includes Modules that are not applicable to my company, what should I do?
  • You received the DPA applicable to the role and the products or services that you provide to Koch and/or Koch’s affiliate and potentially an ultimate customer.  While multiple Modules may be listed in the Standard Contractual Clauses, those applicable to you are outlined in Section 9.2 of the DPA. If you believe you have received the incorrect version please reach out to privacy@kochind.com with your explanation.
• I already signed an updated DPA containing the new SCCs with a Koch Company post September 2021, OR, my company has Binding Corporate Rules in place to govern personal data transfers out of the EU, what should I do?
  • Please provide information on the DPA that was recently executed so we can confirm internally, or provide a copy of the BCRs you have in place that would govern our data transfers to you for our review. Please send to: privacy@kochind.com.
• Where can I obtain an editable version of this document?
  • Although this should not be necessary given the DPA was drafted with an aim of only including legally required terms or terms that must flow down for an ultimate customer, there may be a rare circumstance where a change is required. Please provide your reasoning in making a request for an editable version to: privacy@kochind.com. 
• Can I take this opportunity to renegotiate other contractual terms?
  • No. This is only meant to address the legal obligation that we have a valid data transfer mechanism in our DPA. We are not negotiating other commercial contract terms at this time. 
• Is this an amendment to our Master Services Agreement?
  • No. This Data Processing Agreement is meant to be a standalone agreement that addresses how you as Vendor/Partner process personal data under any existing agreements with a Koch Company.  While this DPA would replace any existing DPA, it should not affect any existing Master Services Agreement.
• Where can I obtain a DPA in a language that is not listed?
  • These are the only languages we have available at this time. If none of these work for you please reach out to privacy@kochind.com and we will discuss next steps.