Personal data processor agreement

Introduction

  • AvaiBook will need to access personal data which are the owner’s, manager’s, portal’s and/or partner’s responsibility (depending on each case) (the “Client”) in order to deliver the purchased services (“the Contract”). As a result of the new obligations stated in the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the obligations undertaken in the personal data protection contract must be modified.
  • The new legislation comes into force on 25th May 2018, from that day, it is understood that the data protection contract regulation is replaced by this new personal data processor agreement (the “Agreement”) which shall be governed by the requirements outlined in article 28 of the GDPR, specially by the following clauses

Subject matter

The client, as responsible for the personal data processing, makes available to AvaiBook:

  • Travellers identification details (names, surnames, addresses, phone numbers, emails and other data requested to register their clients)
  • Information regarding payment operations processed through AvaiBook (in case the client uses AvaiBook to manage such operations)

Similarly, the delivery of services by AvaiBook involves performing the following activities: collection, recording, structuring, storage, consultation, disclosure by transmission, dissemination, interconnection, erasure or destruction of personal data.

Length

This agreement will come into effect on May 25th 2018 (or on the date of acceptance, if it is later) and it will stay in effect as long as the Contract remains in force.

AvaiBook obligations as a data processor

AvaiBook states that:

  • Has enough technical capacity to fulfill its obligations established in the Contract regarding the personal data protection regulations. Therefore, it can commit to comply with the requirements of the GDPR, as requested in order to deliver the services.
  • It will keep the personal data, which are the client's responsibility, confidential. It will have access to them and it will only process them on behalf of the client.
  • The aforementioned data will only be used in order to deliver the services and they will not be used or applied in any way exceeding the intended purpose. In case a client’s data process request is estimated to exceed the limits of the provision of services, this will be detailed in written following the corresponding instructions.
  • Shall not disclose to third parties, not even for storage purposes, the data to which it has access in order to deliver the services, nor the operations, evaluations or similar processes performed on the data. Similarly, it shall not reproduce or duplicate totally or partially the information, results or relationships of the aforementioned data, unless legally requested.
  • Will make available to the client the necessary information to prove compliance of its obligations and to conduct audits or inspections when such audits are reasonably made by or on behalf of the client.
  • If legally required, there will be a designated data protection delegate, or a person responsible for carrying out this task and complying with the data protection law. Their identity and their contact details will be disclosed to the client.
  • People in AvaiBook who are authorized to process personal data will commit, expressly and in writing, to maintain confidentiality and follow the corresponding security measures. AvaiBook will provide the necessary information regarding personal data protection to the authorized people.
  • It will provide the client with the necessary support in order to conduct impact evaluations and verifications to respond to requests made by authorities, when applicable and reasonably necessary.
  • If AvaiBook has concerns that compliance with a request may result in a violation of the GDPR or any other applicable regulations modifying or supplementing it, AvaiBook will immediately inform the client and will request to withdraw, amend or confirm the request. AvaiBook will be able to hold the application of the request in abeyance while awaiting the client's decision regarding the withdrawal, amendment or confirmation of the request
  • Will, once the services are completed and at the client's request, destroy the personal data to which they have access, as well as the documents or storage media containing any of these data, according to the client’s request, if and so far technically possible. Specially, to be returned: (I) the data included in files for which the client is responsible, that may have been made available to AvaiBook in order to provide the services; (ii) those which, if applicable, could have been generated as a result of AvaiBook processing the data for which the client is responsible; and (iii) all the storage media and document containing any of these data. It will not proceed to the destruction of the data if legally bound to keep them, in which case, AvaiBook will return the data to the client, and the client will ensure its conservation.
  • Will implement the measures to: (i) ensure permanent confidentiality, integrity, availability and resilience of the systems and services related to data processing, (ii) restore availability and access to the data in a timely manner in case of a physical/technical incident; (iii) regularly verify, assess and evaluate the efficiency of the technical and organizational measures implemented to guarantee the security of the processing; and (iv) pseudonymize and encrypt data, when applicable.
  • Will notify by email, as the data processor, without undue delay and in any case within 24 hours, any incident (suspected or actual) regarding data protection, any data processing that may be considered unlawful or unauthorized, any loss, destruction or damage of the personal data, within the limits of AvaiBook accountability (caused by AvaiBook, its staff, its agents or its subcontractors) and any incident that may be considered a data security breach, along with all the relevant information to provide documentation and communicate the incident to the authorities as well as the concerned stakeholders. Will also help the client, in case of a personal data security breach, in order to ensure compliance with the notification obligation of a data security breach according to the GDPR (in particular, articles 33 and 34 of the GDPR) and any other applicable regulations modifying or supplementing it as well as any which may be enacted in the future.
  • Will assist the client whenever he requires it, at reasonable request, providing information and/or documentation in order to exercise his rights of access, rectification, suppression, opposition, limitation of treatment and/or data portability within reasonable time.
  • If AvaiBook receives a direct request of access, rectification, suppression, opposition, limitation of treatment and/or data portability coming from the concerned stakeholder, the data subject, it commits to transfer the request immediately to the client, so he can respond within the legal time frame.
  • Will not outsource services to a third party, unless those services are additional services AvaiBooK needs to appropriately provide its services, such as payment processing through a payment gateway. Should AvaiBook need to outsource data processing, it will inform the client of the services and processes it intends to outsource and will provide the supplier’s identity and their contact details. Such notification must be made in writing by AvaiBook at least two weeks in advance of the signing of the outsourcing agreement.
  • Will not perform international transfers of personal data to which it has access and for which the client is responsible, unless prior and written authorization has been obtained from the client and is duly regularized.
  • Will make available a general description of the technical and organizational measures regarding (i) pseudonymization and encryption of personal data, when applicable; (ii) the capacity to ensure permanent confidentiality, integrity, availability and resilience of the systems and services related to data processing; (iii) the capacity to restore availability and access to the data in a timely manner in case of a physical/technical incident; and (iv) the process of verifying, assessing and evaluating the efficiency of the technical and organizational measures implemented to guarantee the security of the processing.
  • Will implement any technical and organizational security measures applicable according to the stipulations of the GDPR (in particular and without limitation, according to article 32) and any other applicable regulations that may modify, supplement or replace it. The security measures can be updated if required by any future regulation that may be promulgated. If it significantly affects the cost of the contracted services, the parties will agree on appropriate action to be taken in order to resolve the situation.

Prohibition of other uses

Should AvaiBook use the data for another purpose or disclose the data or use them in breach of the stipulations of the Agreement, it will be held responsible for the processing of data and will have to answer for the violations he has personally committed.

Information to the undersigned

AvaiBook will process the personal data related to the undersigned, on grounds of legitimate interest, with the sole purpose of ensuring the contractual relationship and as long as the contract exists. AvaiBook will be able to keep the data blocked for longer, until the end of the prescription of legal actions related to the use of the data. The concerned stakeholders will be able to exercise their rights of access, rectification, suppression, limitation of treatment and opposition at any time, by addressing AvaiBook to this email addressprivacy@avaibook.com. In addition, they will also be able to contact the legal authority to enforce his rights. The undersigned data will not be shared with any third party and suppliers providing services related to AvaiBook technology and systems will be able to access them.

Coming into force

The present Agreement will come into force on May 25th 2018, or upon the date of acceptance if it is later.