DATA PROCESSING ADDENDUM
This Data Protection Agreement (“Agreement”) is effective since the Customer contracts VacationsPal’ Services (“Addendum Effective Date”) and forms part of the Terms of Services of VacationsPal’ Services available at https://www.vacationspal.com/terms.html (“Principal Agreement”) between:
– CUSTOMER (hereinafter also referred as the “Controller”) acting on its own behalf.
The term “Customer” refers to either: a) the person who registers for a Customer Account on his/her own behalf; or b) the organisation, where the person registers for a Customer account on behalf of an organisation.
– VacationsPal (hereinafter also referred as the “Processor”) acting on its own behalf.
Hereinafter referred individually as the “Party” or jointly as the “Parties”.
BOTH PARTIES EXPOSE
I. The CUSTOMER has signed up for a Customer Account on VacationsPal.com and has contracted VacationsPal’ Services.
II. According to the aforementioned, the CUSTOMER has accepted the “Terms of Services” (hereinafter also referred as “Principal Agreement”) set out on VacationsPal.com regarding the Services provided by VacationsPal.
III. The CUSTOMER is the Data Controller of the personal data regarding Guests and VacationsPal is the Data Processor of such data. Additionally, in case where the CUSTOMER displays and markets properties from third parties, the CUSTOMER is the Data Controller of data regarding the Property Owners and VacationsPal is the Data Processor of such data.
IV. In the course of the performance of the aforementioned Services, VacationsPal will have access and will process personal data regarding the CUSTOMER (Guest and Property Owners aforementioned). Therefore, the Parties wish to regulate such data processing according to the EU Data Protection Law.
In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Sub-processor” means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data on behalf of the Controller.
“Process/Processing/Processed”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Special Categories of Personal Data” and any further definition not included under this Agreement or the Principal Agreement shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”).
“Data Protection Laws” means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) as well as any local data protection laws.
“Erasure” means the removal or destruction of Personal Data such that it cannot be recovered or reconstructed.
“EEA” means the European Economic Area.
“Third country” means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.
“Controller Personal Data” means the data described in article 3 of this Addendum and any other Personal Data processed by Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement.
“Personal Data Breach” means a breach of leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.
“Services”, -according to section 1 c) of the Terms of Services (Principal Agreement) located on VacationsPal.com-, the term “Services” refers to all services provided by VacationsPal from time to time including but not limited to creating, maintaining and hosting a website, receiving booking information via our booking and payment system, managing reservations and payments and responding to Customer clients via our reservation system and managing content on third party channels via our channel manager.
“Guest”, means any individual person who rents a vacation rental property.
“Property Owner”, for this agreement Property Owner means any person or organization who -is not VacationsPal’s customer- and owns or manages any form of accommodation, building, house boat, apartment, room, apartment blocks, houses or any other dwellings or rental space that is displayed by the Customer on the Customer Website or a third-party channel and offered for rent using VacationsPal vacation rental software and the services offered through www.VacationsPal.com.
2. DATA PROCESSING TERMS
2.1 The Controller is responsible for providing any necessary notices to, and obtaining any necessary consents from, Data Subjects whose Personal Data is provided by the Controller to the Processor for Processing pursuant to this Addendum. The Controller acknowledges that the Service are not intended or designed for the Processing of Sensitive Information, and the Controller agrees not to provide any Sensitive Information through the Service.
2.2 In the course of providing the Services, the Processor will process Controller personal data on behalf of the Controller as per the terms of this Addendum. The Processor agrees to comply with the following provisions with respect to any Controller personal data.
2.3 The Processor shall maintain all the technical and organizational measures to comply with the requirements set forth in the Addendum.
3. PROCESSING OF CONTROLLER PERSONAL DATA
3.1 The categories of Personal Data, the types of Data Subjects, and purposes for which the Personal Data are being processed are the following:
a) Controller Personal data that will be processed:
• Guest: Personal and Transactional Data collected
• Property Owner that are not VacationsPal’s Customers: Personal and Transactional Data collected
b) Purposes: The Processor shall only process Controller Personal Data for the purposes of the Principal Agreement, namely:
• to provide VacationsPal’ Services to the Controller
• to allow the Controller the management of Guests which rent properties
• to allow the Controller the management of Property Owners (in case where such owners are not VacationsPal’s Customers).
3.2 For the purposes set out in section above, the Controller hereby authorizes the Processor to transfer Controller Personal Data to the appropriate recipients in the Third Countries which ensure an adequate level of Data Protection. The Controller may request, at any time, a list of the aforementioned recipients.
4. RELIABILITY AND NON–DISCLOSURE
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller personal data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.
5. PERSONAL DATA SECURITY
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of Controller Personal Data security appropriate to the risk, including but not limited to:
5.1.1. Pseudonymization or encryption, where appropriate;
5.1.2. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2. In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
5.3. Upon the request of the Controller, the Processor shall provide the Controller with a written description of the security measures being taken.
6.1. As of the Addendum Effective Date, the Controller hereby authorises the Processor to engage with Sub-Processors to ensure the optimal provision of VacationsPal’ Services.
6.2. The Data Controller may request, at any time, information regarding the identity of the aforementioned Sub-Processors. In case where the Data Controller express his or her disagreement regarding the Sub-Processors engaged with the Processor, the Data Controller may stop using VacationsPal’ Services.
6.3. The Processor shall use only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.
7. DATA SUBJECT RIGHTS
7.1. The Controller is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Data processed by the Processor under this Addendum.
7.2. Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights as laid down in EU GDPR.
7.3. The Processor shall promptly notify the Controller if it receives a request from a Data Subject, the Supervisory Authority and/or other competent authority under any applicable Data Protection Laws with respect to Controller Personal Data.
7.4. The Processor shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a Data Subject under any Data Protection Laws.
8. PERSONAL DATA BREACH
8.1. The Processor shall notify the Controller without undue delay and, in any case, within forty-eight (48) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
8.1.1. Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2. Communicate the name and contact details of the Processor’s Data Protection Officer, Privacy Officer or other relevant contact from whom more information may be obtained;
8.1.3. Describe the estimated risk and the likely consequences of the Personal Data Breach; and
8.1.4. Describe the measures taken or proposed to be taken to address the Personal Data Breach.
At Controller’s request, Processor will provide reasonable assistance and cooperation with respect to any notifications that Controller is legally required to send to affected Data Subjects and regulators. Controller may charge a reasonable fee for such requested assistance.
9. ERASURE OF CONTROLLER PERSONAL DATA
9.1. Upon termination of the Controller Customer Account, the Processor will return or destroy Personal Data at the Controller request.
9.2. The Processor may retain Controller Personal Data to the extent required by Union or Member State law, and only to the extent and for such period as required by Union or Member State law.
10. INTERNATIONAL TRANSFERS OF CONTROLLER PERSONAL DATA
10.1. For the provision of the Services, the Data Processor has engaged with Sub-Processors who process and store personal data outside the EEA. A list of the aforementioned Sub-Processors may be requested, at any moment, by the Data Controller. In case where the Data Controller express his or her disagreement regarding the aforementioned Sub-Processors, the Data Controller may stop using VacationsPal’ Services.
10.2. The Processor shall use only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.
11. GENERAL TERMS
11.1. Subject to this section, the parties agree that this Addendum shall terminate automatically upon termination of the Principal Agreement or expiry or termination of all service contracts entered into by the Processor with the Controller, pursuant to the Principal Agreement, whichever is later.
11.2. Any obligation imposed on the Processor under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum, if this is applicable.
11.3. This Addendum shall be governed by the governing law of the Principal Agreement for so long as that governing law is the law of a Member State of the European Union.
11.4. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including but not limited to the Principal Agreement, the provisions of this Addendum shall prevail with regard to the parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.
11.5. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the Addendum Effective Date first set out above.