DPA

Data Processing Agreement (DPA)

Between RateBoard GmbH, with registered office in Fallmerayerstraße 6, 6020 Innsbruck,
hereafter defined as Customer/Data Controller

and

the Customer, hereafter defined as Provider/Data Processor

Whereas

1. There is a service contract between the parties, of which this is an integral part;

2. in this Data Processing Agreement, the parties agree to define:
"Privacy Regulation" means all the provisions of the laws relating to the protection of personal data applicable to the parties (e.g. including but not limited to Regulation EU 2016/679 (GDPR), Swiss Federal Act on Data Protection, Brazilian General Data Protection Law, Mexican Federal Law on Protection of Personal Data Held by Private Parties, UK Data Protection Act 2018) and their free circulation as well as all the rules agreed between the parties for the processing of data;

3. in the performance of the service (hereinafter "Service") that is the object of the contract entered into by the parties, the personal Data Controller (meaning the Customer) is liable for all the acts required by the Privacy Regulation for personal data processing, meaning providing information to data subjects, collecting consent, adopting all authorization, management and retention measures, and adopting the other measures needed to implement the security system, including the related measures;

4. This Data Processing Agreement defines the roles of the parties and regulates the rights and obligations of the parties pursuant to the relevant Privacy Regulation.

Now, therefore, the parties agree as follows:

  1. Designation of Data Processor
    1. For tasks that, according to the Contract for the Service, remain entrusted to the Provider, the latter is designated as Data Processor.
    2. The Data Processor specifies that it is able to offer sufficient guarantees to put in place appropriate technical and organizational measures in such a way that processing meets good practice requirements and guarantees the protection of the rights of the data subjects.
  1. Nature of this regulation
    1. The nature of this Data Processing Agreement is to define the conditions under which the Data Processor agrees to process personal data on behalf of the Data Controller in the performance of the Services; the technical measures implemented by the Data Processor are specified in the technical document named Record of processing activities.
    2. Within the framework of their contractual relations, the parties agree to comply with current regulations applicable to personal data processing (personal data) and, in particular, the Privacy Regulation.
  1. Agreement duration
    1. This Data Processing Agreement will have the duration of the service contract to which it refers.
  1. Type of personal data
    1. RateBoard processes reservations from the last 5 years as well as all current and future reservations. It is expressly stated that neither the names of the guests nor email addresses are processed by RateBoard. The data that RateBoard uses from the hotel software is Reservation ID, creation date, arrival date, departure date, booking channel, guest segment, room type, room number, booking status, number of adults/children/infants, rate plan code, price after tax, price before tax, currency, country of main guest, age of main guest.
  1. Description of the Data Processor's Services
    1. RateBoard supports the customer with an innovative software solution in digital sales. Important sales figures are analyzed by RateBoard and linked intelligently. Competitive environment, local market data and online reputation are monitored. Ultimately, RateBoard allows the customer to keep track of its business success, control it and make better decisions based on data. All this data is compiled in intelligent algorithms and leads to professional demand forecasts and intelligent price recommendations.
    2. The Data Processor is authorized to process, on behalf of the Data Controller, personal data necessary to provide the Service(s) as provided for in the contract. The data subjects' consent will have been already acquired for the data that the Data Controller has already provided and that will be provided unless processing is permitted even in the absence of consent.
    3. The Data Controller guarantees to the Data Processor that it legitimately holds all information (text, data, news, signs, pictures, sounds, and so on) that will be entrusted to the Data Processor for processing, and ensures that such information will not violate the rights of others in any way.
    4. The Data Controller retains ownership of the information that will be communicated to the Data Processor for the Service, is expressly liable for the contents of the personal data, and holds the Data Processor harmless from any direct or indirect obligation and/or audit and/or control liability.
    5. The nature of the operations performed on the data is the specific Service provided by the Data Processor to the Data Controller according to the contract entered into by the parties.
    6. The purpose of the processing is to provide the maintenance and support service to the Data Controller.
    7. To the extent of its responsibility, the Data Processor, in processing the data for the provision of the Service, will process the data respecting the principle of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.
    8. The nature of the data processed by the Data Processor varies according to the Service purchased by the Data Controller. The nature and type of data processed is outlined in the document Record of processing activities.
    9. The categories of persons concerned are identified in the Record of processing activities.
    10. To perform the duties under this Data Processing Agreement, the Data Controller provides the Data Processor with the information required to provide the service and maintenance tasks and addressed to the appropriate use of the information system.
    11. Each party guarantees that it appoints the employees who hold processing positions in accordance with the applicable data protection legislation in force.
    12. The appointment will be made in writing and will identify the scope of the permitted and authorized processing.
    13. The Data Processor declares that it is aware that anyone acting under its authority who has access to personal data may not process such data unless instructed to do so.
  1. Obligations of the Data Processor
    Regarding the personal data processing, the Data Processor specifically assumes the following commitments:
    1. Observance of the instructions given by the Data Controller
      1. The Data Processor must only process the data for the purposes specified above and for the performance of the contractual Services.
      2. The Data Processor must process the data in accordance with the provisions of the Record of processing activities, and the Data Controller considers the security measures provided therein to be adequate.
    2. Guarantee confidentiality
      1. The Data Processor ensures the observance of the confidentiality of personal data processed under this Data Processing Agreement.
      2. The Data Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an adequate legal obligation of confidentiality, and that they are given the necessary training on personal data processing and personal data protection.
    3. Adoption of security measures for the processing
      1. The Data Processor must process personal data adopting all adequate technical and organizational measures; the security measures adopted are those declared in the Record of processing activities.
      2. The Data Controller acknowledges that in some cases the Data Processor will carry out the processing through tools provided and configured by the Data Processor, and therefore it is the duty of the Data Processor to take every necessary precaution and security measure.
      3. If the Data Processor has adhered to a code of conduct, or has exhibited a certification, it must operate in the presence of the security measures provided for by the code of conduct or by the protocols referred to in the certification. In this case the Data Controller will accept the certification as proof of the fact that the Data Processor has taken appropriate measures with respect to the processing performed, and the Data Controller waives the right to carry out audit activities on the Data Processor's systems and procedures.
      4. If the Data Processor has appointed a data protection officer (hereinafter D.P.O.), the Data Processor communicates the name and the contact details of the designated D.P.O. to the Data Controller.
      5. The Data Processor, where applicable, must keep a record of all the categories of activities relating to the processing carried out on behalf of the Data Controller. Such records must be kept in writing, including information in electronic format and will be provided on request.
    4. Appointment of a Sub processor by the Data Processor
      1. The Data Processor may entrust processing service management to third parties at any time, upon written notice to the Data Controller, who may object within 15 days of receipt of such communication. In this case, since the choice to entrust the service is strategic to the Data Processor's business, the Data Controller can choose whether to cancel the contract or to change the provision of the Service to on-premise mode, if possible.
      2. The Data Processor represents and warrants that such additional processors have sufficient guarantees to implement appropriate technical and organizational measures to ensure compliance with the provisions of the applicable Privacy Regulation, and undertakes to contractually require such additional processors to observe the same data protection obligations entered into by the Data Processor with the Data Controller.
      3. The Data Processor must ensure that any additional Sub processors provide the same guarantees, sufficient to implement appropriate technical and organizational measures so that processing meets the requirements of the Privacy Regulation.
      4. If the Sub processor fails to fulfill its obligations with regard to data protection, the Data Processor remains fully liable towards the Data Controller for the fulfillment of the obligations of the additional processor.
    5. Data Controller assistance for the exercise of the rights of the data subjects
      1. As far as possible, the Data Processor, considering the nature of the processing, must assist the Data Controller in fulfilling the Data Controller's obligation to follow up requests for the exercise of the rights of the data subjects, such as the rights of access, rectification, erasure and objection, restriction of processing, data portability, and the right not to be subject to an automated individual decision (including profiling).
      2. The Data Processor, to the extent that this is possible, will assist the Data Controller with appropriate technical and organizational measures.
      3. Regarding the data subject's right to be informed, the Data Controller must provide the necessary information to the data subjects for processing operations at the time of data collection.
    6. Assistance to the Data Controller
      1. The Data Processor, considering the nature of the processing and the information available to the Data Processor, must assist the Data Controller in ensuring compliance with the following obligations:
          • Security of processing;
          • Notification of a personal data breach to the supervisory authority;
          • Communication of a personal data breach to the data subject;
          • Data protection impact assessment;
          • Prior consultation.
      2. Assistance for “Security of processing” - The Data Processor must assist the Data Controller in the implementation of security of processing.
      3. In case of anomalous situations or emergencies, the Data Processor will, upon request, send a report on the security measures adopted (also through possible questionnaires and checklists) and immediately inform the Data Controller.
      4. Special security measures of the Data Processor already in place - The Data Controller acknowledges that, for the Service, the Data Processor has adequate security measures in place in compliance with best practice.
      5. For personal data processed in the IT infrastructure of the Data Processor, the Data Processor remains obliged to configure the data processing system in compliance with the security prerequisites and, at the request of the Data Controller.
      6. In the event the Services that are the object of the contract between the parties include the storage of personal data and system activities aimed at network maintenance and at updating the related databases and operating systems, the Data Processor's operators may have the function of system administrators.
      7. When the Data Processor acts as system administrator, it will assess the subjective characteristics of its collaborators, appoint them individually as system administrators, verify the activities performed by them and keep a log of their related accesses. If required by law, the Data Processor will communicate the updated list of its collaborators appointed as system administrators to the Data Controller.
      8. Assistance for the obligation of "Notification of a violation of personal data to the supervisory authority" - The Data Processor must assist the Data Controller in fulfilling the obligations of "Notification of a violation of personal data to the supervisory authority". The Data Processor notifies the Data Controller of any violation of personal data by email/ticketing tool within a maximum of 36 hours after becoming aware of the violation. This notification shall at least: (a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
      9. Assistance for the obligation of "Communication of a violation of personal data to the data subject" - The Data Processor must assist the Data Controller in fulfilling the obligations of "Communication of a violation of personal data to the data subject"; this communication must always be made by the Data Controller.
    7. Data Processor’s assistance to the Data Controller for the compliance with the obligation of the "Data protection impact assessment"
      The Data Processor shall assist the Data Controller in fulfilling the obligations of “Data protection impact assessment”, providing the Data Controller with all useful information in its possession through the Record of processing activities.

    8. Data Processor’s assistance to the Data Controller in the fulfillment of the obligation related to "Prior-consultation"
      The Data Processor shall assist the Data Controller in the supervisory authority's prior consultation, providing the Data Controller with all useful information in its possession through the Record of processing activities.

    9. Return of all personal data at the end of the contract
      1. When the contract between the parties to which this data processing agreement refers is terminated, the Data Processor, at the choice of the Data Controller, must return or delete all personal data and delete existing copies.
        At the termination of the relationship, any further copies of the same backup data, unless otherwise agreed between the Data Controller and the Data Processor, must be destroyed by the Data Processor within a time compatible with the additional needs that may arise even at the termination of the Service, and in any case within a period not exceeding the timeframe specified in the Record of processing activities. In the interim period between the end of the relationship and the expiry of the timeframe specified in the Record of processing activities, data will be stored by the Data Processor for security purposes only and not for communication or dissemination.
      2. Notwithstanding the points above, in the event a mandatory law applicable to the Data Processor provides for the retention of data, the Data Processor will have to retain such data until the deadline imposed by that legislation or by such measures.
    10. Providing the Data Controller with all information necessary to demonstrate compliance with the Privacy Regulation
      The Data Processor will provide the Data Controller with all information necessary to demonstrate compliance with the above obligations and must allow and contribute to review activities, including inspections, carried out by the Data Controller, by another person appointed by it, or by the authorities. When those activities entail a cost for the Data Processor, they will be handled at project level by defining a cost estimate.

    11. Case in which an instruction to the Data Processor is held in violation of the Privacy Regulation
      If, in the Data Processor's opinion, an instruction of the Data Controller violates the Privacy Regulation or other provisions on data protection, the Data Controller must be informed immediately.

    12. Observance of the principles of "privacy by design" and "privacy by default"
      In carrying out the assignment, the Data Processor must operate in compliance with the data protection principles from the moment processing operations are designed (privacy by design) and by default (privacy by default).
  1. Obligations of the Data Controller
    The Data Controller must:
    1. provide the Data Processor with the data required by art. 4 and 5 above;
    2. document in writing all instructions regarding the processing of data by the Data Processor;
    3. monitor, in advance and during the duration of all processing, compliance with the obligations set by the Privacy Regulation by the Data Processor;
    4. supervise processing, carrying out audits and inspections.
  1. Places where data are and will be stored
    The data will be processed by the Data Processor in the territories specified in the Record of processing activities. If, in the future, processing needs to be carried out in countries not listed in the Record of processing activities, the Data Processor shall immediately inform the Data Controller in order to agree on the guarantees it will adopt according to the place where the processing will be carried out.
  1. Controls
    The Data Controller, also through periodic checks, reserves the right to monitor the timely observance of the legal provisions on data processing and compliance with the instructions indicated in this document. The Data Processor shall allow the Data Controller, providing full cooperation, to conduct periodic audits on the adequacy of the security measures and on the observance of the Privacy Regulation and of the Data Controller's own provisions.
    Each audit activity requested by the Data Controller shall be notified to the Data Processor in writing with at least 10 Business Days' advance notice. For the purpose of this article, "Business Days" means Monday to Friday, excluding bank holidays in the country where the Data Processor has its registered office.
    It is further agreed by the parties that, in the event the requested activities involve charges and expenses not provided for in this contract, all requests from the Data Controller must be managed at project level with an estimate of the costs necessary for their implementation (whether these are penetration tests, vulnerability assessments, etc.).

  2. Technical and organizational measures according to Art. 32 GDPR
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
          1. the pseudonymisation and encryption of personal data;
          2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
          3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
          4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
    2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

    3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

    4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.