DATA PROCESSING AGREEMENT
(according to the EE regulation 2016/679).
According to EE regulation 2016/679 on the protection of individuals' data from unauthorised processing and circulation (and on the repeal of Directive 95/46/EE), which applies mandatorily as of May 25th, 2018 to all data controllers and processors based in all EU member states, and in non-EU states if they process data of EU-based individuals, WebHotelier Technologies Ltd concludes Data Processing Agreements (DPAs) with its clients. In addition to the explicit declaration of WebHotelier Technologies Ltd that it is in compliance with the standardised terms and conditions of EE regulation 2016/679, these DPAs set out the scope of responsibility of WebHotelier Technologies Ltd as distinct from the scope of responsibility of the Subscriber and of the third-party subcontractors the latter uses in its operations as a hotel business. This framework of responsibility is set in order for WebHotelier Technologies Ltd to further safeguard the personal data of individuals which are processed by both itself and the Subscriber in the course of the licensed provision of the WebHotelier service by WebHotelier Technologies Ltd. The following data processing agreement (DPA) has therefore been drafted in accordance with EE regulation 2016/679 and is attached to the Agreement as an integral part of it.
DATA PROCESSING AGREEMENT (DPA)
Between WebHotelier Technologies Ltd and the Subscriber the following terms and conditions of processing of personal data are mutually agreed having first taken into account the following:
- For the purposes of this present DPA, WebHotelier Technologies Ltd and any third party which may carry out individuals' data processing on its behalf will be referred to below as Data Processor, whereas the Subscriber and any third party which may carry out individuals' data processing on behalf of the latter (e.g. on the basis of a subcontract, commission agreement, etc.) shall be referred to below as Data Controller.
- This present DPA shall constitute an agreement identifying the scope of the parties' liability under GDPR, according to EE regulation 2016/679, resulting from the personal data processing necessary for the use of the WebHotelier Service as described in the Agreement and in GDPR.
- Any term which is not defined in this present DPA will be defined according to the Agreement.
This DPA includes also:
EXHIBIT 1 which includes a list of third parties and their registered premises, which carry out individuals’ data processing on behalf of the Data Processor on the basis of an agreement with the latter.
EXHIBIT 2 which includes a list of third parties which carry out individuals' data processing on behalf of the Data Controller.
“Personal Data” means any information which relates to an individual and can be used, either directly or indirectly, to identify them. In accordance with the Agreement, personal data are the name and surname, ID or passport number, e-mail, phone number, CVs, other identification data of individuals via social media (Facebook, LinkedIn, etc.) and country of origin of the Data Controller's clients. Personal data also include data identifying clients, employees of the Data Controller and employees of the latter's subcontractors with whom the Data Controller is in cooperation.
“Data Subject” is the individual providing consent to the Data Controller to collect and process his/her Personal Data.
“Processing” means any activity, via automated, digital or manual means, which relates to Personal Data. In accordance with the Agreement terms, processing is the necessary collection, recording, structuring, keeping, saving, total or partial correction, update, variation, export, use, transmission, correlation, interconnection, blocking, deletion and/or destruction of Personal Data which is carried out by the Data Processor on behalf of the Data Controller and which is necessary in order for the Data Processor to provide its services according to the Agreement.
“Processing Purpose” means the Processing of Personal Data by the Data Processor solely for the purposes of the Agreement and only to the extent required for the fulfilment of those purposes. Therefore, the Data Processor will not further carry out the Processing in a manner inconsistent with these purposes.
“Instructions” means the written instructions provided by the Data Controller to the Data Processor, which require that the Data Subject has given prior explicit consent to the Data Controller to instruct the Data Processor to perform a specific act of Processing related to Personal Data (such as depersonalisation, encryption, blocking, deletion, free access, etc.), and which may be varied, expanded or replaced by the Controller in writing.
“Data Controller” is the Subscriber (and any third party which acts on the Data Controller’s behalf on the basis of an agreement with them) that collects the Personal Data from the Data Subject and determines the purpose, conditions and the way of Processing.
“Data Processor” is WebHotelier Technologies Ltd (and any third party which effects Processing on its behalf) that performs Personal Data Processing on behalf of the Data Controller according to the Instructions of the latter and for the Processing Purpose.
“Agreement” is the written contract for the use of “WebHotelier” service provided by WebHotelier Technologies Ltd, which has been signed between the Data Controller referred to in the contractual context as Subscriber and the Data Processor referred to in the contractual context as WebHotelier Technologies Ltd.
“Personal Data Protection Legislation” is the Greek legislation for the protection of personal data which is relevant to the Agreement and is contained primarily in EU Regulation 2016/679 and Law 2472/1997, Law 3471/2006, Law 3917/2011, Law 2070/2012 and Law 4624/2019, as they are in force.
“Data Protection Officer” is the person who is associated with the Data Controller under a project or employment contract and whose role is to monitor the continuous and sufficient compliance of the Data Controller with EU Regulation 2016/679 and, at the same time, to act as liaison between the Data Controller and the competent data protection supervisory authority.
2. Scope and Responsibility
The Data Processor processes Personal Data of Data Subjects on behalf of the Data Controller. The Processing includes the operations necessary for the Processing Purpose in order for the Data Processor to be able to provide the services described in the Agreement. The Data Controller shall be, within the framework of the Agreement, solely responsible for complying with the requirements of the GDPR, in particular as regards the prior receipt of the Data Subject's explicit consent to the Processing of Personal Data, part of which is the transfer of the Personal Data to, and/or access to such data by, the Data Processor. On the basis of this responsibility the Data Controller will be entitled to request the correction, deletion, blocking and availability of Personal Data during or after the termination of the Agreement. The Data Processor's access to Personal Data cannot be excluded by the Data Controller to the extent that it is necessary for the Data Processor's control or system maintenance work. The Data Processor shall enable the Data Controller to delete, correct, block, as well as transmit the Personal Data through its system. Such Processing requires the prior explicit consent of the Data Subject, for the obtaining of which the Data Controller is solely responsible. The Data Processor performs Processing only on the instructions of the Data Controller.
3. Data Processor’s obligations/responsibilities
- The Data Processor shall collect, process and use Personal Data exclusively within the framework of the Instructions of the Data Controller and only for the Processing Purpose. The Data Processor shall be responsible for its compliance with EE regulation 2016/679 and, in general, the Personal Data Protection Legislation within the framework of the Instructions of the Data Controller.
- In case the Data Processor believes that an instruction of the Data Controller constitutes an infringement of EE regulation 2016/679 or of other regulations related to the protection of Personal Data, the Data Processor shall immediately notify the competent employee or the appointed Data Protection Officer.
- Within the framework of responsibility of the Data Processor as described above under 1., the Data Processor shall adjust its internal procedures in order to safeguard compliance with the terms of EE regulation 2016/679 and, in general, the EE legislation on Data Protection in force, and it shall take the necessary technical and organisational measures to sufficiently protect the Personal Data received from the Data Controller in order to prevent their misuse or any loss of them. Such measures are the following:
a) prevention of access by unauthorised individuals to the Personal Data Processing systems (physical access control),
b) prevention of unauthorised use of the Personal Data Processing systems (logical access control),
c) to safeguard that the persons who have the right to use a Personal Data Processing system have access only to those Personal Data to which they are authorised to have access, and that during the Processing or use after storage the Personal Data cannot be read, copied, amended or deleted without prior related authorisation (data access control),
d) to safeguard that the Personal Data cannot be read, copied, amended, or deleted without prior related authorisation during their electronic transmission, transfer or saving in electronic storage means and that the Data Processor suppliers for any transfer of Personal Data by means of data transfer systems can be controlled for their compliance with the Personal Data Protection Legislation (data transfer control),
e) to safeguard a procedure of control which shall reflect if and by whom the Personal Data have been entered, varied or deleted from the Personal Data Processing System (entry control),
f) to safeguard that the Personal Data are processed according to the Instructions of the Data Protection Officer (control of instructions),
g) to safeguard that the Personal Data are protected against accidental destruction or loss (availability control),
h) to safeguard that the Personal Data collected for different purposes can be separately processed (separation control). The Data Processor has the right to attach to the present DPA a further analysis of the above under 3. a-h as an appendix.
- The Data Processor shall appoint a Data Protection Officer should such appointment be mandatory by law and, following a related request by the Data Controller, it shall notify the officer's contact details to the latter.
- The Data Processor shall notify the Data Controller as soon as possible, and in accordance with the prevailing legislation in force, about any serious breakdown of operations, for instance due to force majeure or a random event (indicatively, if its supplier's platform suffers an interruption), or about any infringement of the terms of these presents by the Data Processor or any of its employees. In such a case the Data Controller shall apply the necessary measures to secure the Personal Data in order to mitigate the potential damage to the Data Subjects.
- The Data Processor following related request by the Data Controller, shall provide to the latter any information about Personal Data which relates to the activities as per the Agreement.
- The Data Processor is obliged to safely delete any trial or useless material according to the Instructions of the Data Controller on a per case basis. Following related decision of the Data Controller, the Data Processor shall deliver such material to the Data Controller or they shall store it on the Data Controller’s behalf.
- The Data Processor shall establish control and compliance mechanisms in addition to retaining sufficient records evidencing existence of such mechanisms.
- The Data Processor shall train its staff daily on how to apply the data protection policy and shall oblige its employees not to collect, process or use the Personal Data without authorisation (data secrecy). Such obligation shall survive the termination date of their employment.
4. Obligations of the Data Controller
- The Data Controller shall be responsible, independently of the Data Processor, for compliance with EE regulation 2016/679 and, in general, with the EE data protection legislation in force.
- The Data Controller shall notify the Data Processor in detail and as soon as possible (asap) about mistakes or irregularities related to Personal Data Processing regulations which may be identified during audit of the results of such Processing.
- The Data Controller shall notify the competent authorities, the Data Subjects whose Personal Data are at risk and the Data Processor about any security breach related to Personal Data within 72 hours of becoming aware of it.
- The Data Controller upon termination of the Agreement shall order and define within a deadline defined by the Data Processor a reasonable way of return of the means including data or the deletion of the stored data.
- The Data Controller shall appoint a Data Protection Officer should such appointment be mandatory by law, and it shall notify the contact details of such person to the Data Processor.
- The Data Controller is obliged to create mechanisms about the receipt of consent by the Data Subjects for the Processing of their Personal Data.
5. Information by the Data Controller to the Data Subjects
- According to the Personal Data Protection Legislation, the Data Controller is obliged to provide to the Data Subjects every information as regards its obligation to request their explicit consent as regards the collection, processing or use of their Personal Data.
- Explicit consent means any freely given, specific, explicit and informed indication of intention by which the Data Subject expresses, by a positive declaration or a clear affirmative action, agreement to the Processing of their Personal Data. To that end, the non-reaction of the Data Subject, e.g. by passively remaining in the newsletter lists, does not constitute explicit consent.
- For the Processing of Personal Data of Data Subjects below 16 years of age, the Data Controller must inform them about its legal obligation to request the explicit consent of their parents or custodians.
- The Data Controller is obliged to inform the Data Subjects that it is obliged to correct, delete or block their Personal Data following their related request.
- In case where a Data Subject requests from the Data Processor to correct, erase or block their Personal Data the Data Processor shall refer him/her to the Data Controller.
6. Third party suppliers used by the Data Processor
The Data Processor is entitled to contract with third-party subcontractors or Processing suppliers for carrying out part of the Personal Data Processing only following written consent by the Data Controller. The Data Controller by these presents provides its consent to the Data Processor to contract with the third-party suppliers included in Exhibit 1 to support the Data Processor in its deliverables as described in the Agreement. In case the Data Processor intends to cooperate with third parties not included in Exhibit 1, the Data Processor shall inform the Data Controller in writing (email correspondence is sufficient as correspondence in writing) and allow the Data Controller to object within 30 days of such notification date. The related objection must be justified by reasonable grounds (e.g. should the Data Controller prove that the choice of the specific third-party supplier gives rise to a considerable risk for the safety of the Personal Data). In case the Data Processor is not able to satisfy the objections of the Data Controller, either party may terminate the Agreement according to its terms. The Data Processor shall arrange for the third-party suppliers supporting it in the Processing to have the same contractual obligations towards the Data Controller as the Data Processor has under these presents and, in particular, shall safeguard that those third parties have access to the Personal Data exclusively for the purposes of the supplier agreement the Data Processor has concluded with them.
7. Third party suppliers used by the Data Controller
The Data Controller may contract third-party suppliers which, within the framework of their agreement with the Data Controller, may carry out Processing or acts of Processing on its behalf of Personal Data that are also processed by the Data Processor based on the terms of this agreement. In such a case they are responsible towards the Data Processor as Data Controllers, jointly and severally, for the purposes of EE regulation 2016/679. Reference to such suppliers of the Data Controller in Exhibit 2 shall constitute evidence of the Data Controller's declaration and compliance towards the Data Processor, according to which the Data Controller has informed and accordingly bound those third parties as to their compliance obligations resulting from regulation EU 2016/679 as in force today in Greek legislation. Should the Data Controller intend to cooperate with third parties not included in Exhibit 2, the Data Controller shall inform the Data Processor in writing (email correspondence is sufficient as correspondence in writing) and allow the Data Processor to object within 30 days of such notification date. The related objection must be justified by reasonable grounds (e.g. should the Data Processor prove that the choice of the specific third-party supplier gives rise to a considerable risk for the safety of the Personal Data). In case the Data Controller is not able to satisfy the objections of the Data Processor, either party may terminate the Agreement according to its terms.
8. Duration of the Processing
The Processing of the Personal Data shall continue as long as the Agreement is in force and, following its expiry, for a reasonable period of 14 months.
9. Obligation to inform, Mandatory written form, choice of law and general terms.
- In case the Personal Data of the Data Controller become the subject of scrutiny or control under special legislation in force, of blocking and/or seizure because of mandatory administration, bankruptcy, bankruptcy proceedings or similar situations, or of third-party measures during Processing, the Data Processor shall inform the Data Controller, together with all related parties, as soon as possible about the aforementioned actions. In such a case the Data Controller declares that any Personal Data which might be affected by the aforementioned actions belong to the exclusive scope of its responsibility for compliance with EE regulation 2016/679 and the Personal Data Protection Legislation as regards the specific Personal Data.
- In case of conflict between the terms of these presents and the Agreement, the terms of these presents supersede. In case separate terms of these presents are invalid or void, the validity of the remaining terms is not affected.
- The applicable law for the interpretation of the terms of these presents is Greek law, and any resulting dispute as regards issues regulated by the terms of these presents shall be resolved by the courts of Athens, Greece. In proof of the aforementioned, these presents are signed by the contracting parties as follows:
10. Contact details
Contact details of the Data Processor are the following:
email: firstname.lastname@example.org telephone: +357 22275170 address: Mnasiadou 9, Demokritos Building, Office 16, 1065 Nicosia, Cyprus
Any correspondence between the parties, in order to be valid and binding, must additionally be evidenced by email. In case of a change of email address or any other contact detail of either party, the latter shall inform the other party asap about such change.
Third party suppliers carrying out Processing on behalf of the Data Processor:
Amazon Web Services EMEA SARL
5 rue Plaetis,
Amazon Web Services, Inc.
410 Terry Avenue North,
Seattle, WA 98109-5210
14 Spring Street, 3rd Floor,
Waltham, MA 02451