Hotelchamp Data Processing Agreement
This is the data processing agreement of Hotelchamp B.V., located at Johan Huizingalaan 763, Amsterdam, the Netherlands, 63129132 (hereinafter ‘Hotelchamp’).
Hotelchamp provides a sales and marketing platform to increase direct bookings for providers of accommodations (e.g. hotels). For this purpose, Hotelchamp processes personal data on behalf of its clients, about their (potential) guests.
Under Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), Hotelchamp’s clients are considered to be ‘controllers’ for the personal data which they process about their (potential) guests, and Hotelchamp is considered to be the ‘processor’ of such personal data. In the remainder of this Data Processing Agreement, the client of Hotelchamp is therefore called ‘the Controller’.
This Data Processing Agreement applies to the processing of personal data by Hotelchamp on behalf of the Controller and was specifically created to provide all arrangements required under the GDPR.
In this Data Processing Agreement, 'GDPR' means Regulation (EU) 2016/679, known as the General Data Protection Regulation, as well as all laws and regulations that may replace this regulation in future.
Terms defined in the GDPR have the same meaning in this Data Processing Agreement, unless another definition is given here.
'Personal Data' means personal data (as defined by the GDPR) relating to the Controller, its clients and/or other contacts.
‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
'Subprocessor' means a legal entity or person, not being an employee of Hotelchamp, who is or will be engaged by Hotelchamp for the purpose of providing products or services to the Controller on Hotelchamp’s behalf, for which purpose the engaged person or entity may receive or have access to Personal Data.
Hotelchamp and the Controller shall each ensure compliance with the laws and regulations applicable to them, including in any event the laws and regulations related to the protection of Personal Data, such as the GDPR.
Hotelchamp will only process Personal Data in accordance with the law and the written instructions of the Controller as set out in this Agreement.
Hotelchamp will keep secret all Personal Data which it receives from the Controller, or to which it is given access by the Controller, and Hotelchamp will not disclose or make this data accessible to third parties (other than permitted Subprocessors) without prior written permission from the Controller, unless the Personal Data must be disclosed to a party authorised to receive such data (such as a supervisory authority, investigating officer or court) pursuant to a written obligation.
With respect to all Personal Data and instructions issued by the Controller to Hotelchamp, the Controller guarantees that it has the necessary authority. The Controller will indemnify Hotelchamp against any form of harm and/or third-party claims that may arise from, or be related to or based on, an assertion that the Controller was not authorised to issue certain Personal Data or a certain instruction to Hotelchamp.
This Data Processing Agreement has a number of annexes. Annex A defines the processing operations, the purposes of processing, the processing location and the permitted Subprocessors. Annex B sets out the security measures that have been or will be put in place. Annex C contains a form for reporting Personal Data Breaches (as defined in Article 7). Unless expressly stated otherwise in this Data Processing Agreement, Hotelchamp is entitled to amend the annexes from time to time.
In case of a conflict between the content of this Data Processing Agreement and any of its annexes, the Data Processing Agreement will prevail, unless the annex expressly states that it is derogating from the Data Processing Agreement and specifies the provision from which it derogates.
In case of a conflict between the content of this Data Processing Agreement and the agreement for the supply of products or services, this Data Processing Agreement will prevail.
All subsidiaries, sister companies and parent companies in Hotelchamp’s group have the same rights and associated obligations under this Agreement as Hotelchamp.
If another party rather than the Controller is the controller for the processed Personal Data pursuant to the GDPR, the Controller will be regarded as the processor, Hotelchamp as Subprocessor, and any Subprocessor as Sub-subprocessor.
Hotelchamp will process the Personal Data only to the extent necessary in order to supply the agreed products or services to the Controller, or to fulfil a legal obligation. More details about the processing operations and purposes can be found in Annex A. In case of processing connected to a legal obligation, Hotelchamp will at the Controller’s request specify in writing what processing it will perform in connection with which legal obligation.
Hotelchamp is entitled to amend Annex A from time to time. Hotelchamp will notify the Controller of any material change (normally via e-mail or otherwise electronically). If the Controller does not object to the change within 30 days, the change will be deemed to have been accepted.
Hotelchamp and the Controller will put in place appropriate technical and organisational measures to secure the Personal Data against loss or any form of unlawful processing, including unnecessary collection, disclosure or further processing.
Hotelchamp and the Controller will ensure that the security measures as described in Annex B or otherwise agreed in writing are in place at all times.
Hotelchamp and the Controller will give their staff members and permitted Subprocessors access to the Personal Data only to the extent necessary for the permitted processing purposes. Hotelchamp and the Controller shall ensure that persons authorised by each of them to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Parties acknowledge that effective security requires frequent evaluation and regular improvement of outdated security measures. To this end, Hotelchamp and the Controller will evaluate and strengthen, supplement or improve the measures implemented under this Article 4 and Annex B on a regular basis (at least once per year) in order to ensure that they continue to meet their obligations.
The Controller hereby gives Hotelchamp general permission to engage Subprocessors for the processing of the Personal Data, provided that Hotelchamp abides by the applicable requirements of the GDPR and/or other applicable privacy legislation in doing so. Hotelchamp is accordingly permitted to amend Annex A from time to time to reflect changes in Subprocessors.
Hotelchamp will (i) contractually oblige every Subprocessor to comply with the same or equivalent obligations with regard to processing as those by which Hotelchamp is bound under this Data Processing Agreement, and (ii) remain liable to the Controller for the performance of the Data Processing Agreement by the Subprocessors and all other acts or omissions of the Subprocessors in connection with the processing of the Personal Data.
The processing location is specified in Annex A. Hotelchamp will not personally process or allow any Subprocessors to process Personal Data in countries outside of the European Economic Area ('EEA') without a suitable level of protection of personal data, unless appropriate safeguards are in place as required by the GDPR (such as model clauses or binding corporate rules).
Processing operations and purposes
In case of a Personal Data Breach, without unreasonable delay and if possible within twenty-four (24) hours after the discovery, Hotelchamp will complete the form in Annex D as completely and accurately as possible and send it to the Controller.
Furthermore, in case of a Personal Data Breach, Hotelchamp will:
as quickly as possible provide all further information or assistance that is requested by the Controller and that is reasonably needed for the Controller to comply with any of its own obligations, including a notification obligation;
assist in identifying the data subjects who were or may have been affected and what Personal Data were or may have been compromised;
provide facilities to ensure that any requests and/or complaints from data subjects are properly handled;
put in place reasonable measures to undo any negative consequences resulting from an incident as quickly as possible, or at least to minimise any further consequences;
provide adequate assistance to the data subjects who were or may have been affected, as reasonably requested by the Controller or required under applicable laws and regulations, in particular as referred to in Article 33 of the GDPR;
follow all reasonable instructions from the Controller on this matter.
cannot comply with its obligations under the Data Processing Agreement due to a legal obligation;
has received a demand or order to appear in court as a witness or expert, or a request from an authorised public supervisory authority to conduct an inspection or investigation in connection with the processing;
intends to disclose Personal Data to an authorised public authority; or
discovers that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data has occurred (a ‘Personal Data Breach’).
The notification obligation described in Article 7 does not apply if compliance with it would conflict with a legal obligation or prohibition.
Handling requests and complaints from data subjects
If a data subject sends Hotelchamp a request to access, correct, supplement, remove or block their data, or submits a complaint to Hotelchamp, Hotelchamp will forward the request or complaint to the Controller and the Controller will follow up on the request or complaint. Hotelchamp may inform the data subject that it has done so.
At the Controller’s request, when reasonably necessary, Hotelchamp will provide support to (i) allow data subjects access to their own Personal Data, with the approval and on the instructions of the Controller, (ii) delete or correct Personal Data, (iii) show that Personal Data have been deleted or corrected if they were incorrect (or, if the Controller does not agree that the Personal Data were incorrect, record the fact that the data subject considers their Personal Data to be incorrect) and (iv) otherwise make it possible for the Controller to comply with its obligations under the GDPR or other applicable legislation in the area of processing Personal Data.
Compliance check (audit)
The Controller is entitled to arrange that a suitable external party who is acceptable to Hotelchamp performs an audit in order to determine whether Hotelchamp complies fully and correctly with this Data Processing Agreement. This party will be bound by confidentiality towards third parties.
In conducting the audit, an attempt shall be made to minimise any impact on Hotelchamp’s business operations. Audits will be performed once per year at most, unless the Controller has specific grounds for suspecting that Hotelchamp is not complying or not complying fully with its obligations and the Controller has communicated these suspicions in writing to Hotelchamp, substantiated with facts. The audit will be announced at least 14 days in advance.
Hotelchamp will cooperate in the audit and will make available any information and employees that may reasonably be relevant to the audit (including supporting information such as system logs) as soon as possible.
If the audit shows that Hotelchamp has materially failed to comply with this Data Processing Agreement, Hotelchamp will put in place at its own expense all measures necessary to remedy any observed breach as quickly as possible.
If the audit shows that Hotelchamp has not failed to comply with this Data Processing Agreement, the Controller will bear the costs of the audit (including the reasonable costs incurred by Hotelchamp through cooperating in the audit).
Hotelchamp may amend this Data Processing Agreement from time to time. The Controller will be informed (normally via e-mail or otherwise electronically) of any substantial changes. The modified version will take effect 30 days from notification, unless the Controller has objected to a change before it has taken effect. Insubstantial changes (such as simple corrections of spelling or grammar) may be implemented at any time without notification.
Duration and termination
This Data Processing Agreement will remain in effect for as long as Hotelchamp possesses or has access to Personal Data in the context of supplying products or services to the Controller. This Data Processing Agreement may only be terminated if Hotelchamp no longer has any of the Controller’s Personal Data in its possession.
In the event that the provision of products or services to the Controller is discontinued, including the processing of Personal Data for any other reason, Hotelchamp will send all Personal Data to the Controller on a durable medium in a common and practical format or otherwise make it available to the Controller. If Hotelchamp is still in possession of any copies of the Personal Data after all Personal Data have been placed in the Controller’s possession, Hotelchamp will immediately destroy the Personal Data, unless the Controller has agreed to continued retention and/or processing. At the Controller’s request, Hotelchamp will provide the Controller with a written confirmation and guarantee of destruction, and Hotelchamp will permit the Controller to verify that the Controller’s Personal Data concerned are no longer being processed by Hotelchamp or by any auxiliary person or third party engaged by Hotelchamp.
Hotelchamp will inform the Controller, without unreasonable delay and if possible within forty-eight (48) hours, if Hotelchamp:
© 2018 Hotelchamp. All rights reserved.