Contract for commissioned processing of personal data
between . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(as Data Controller)
and MASTERINSOFT brand of Panther Ambition, Lda – Rua Arq. Cassiano Barbosa 132-A62, 4100-009 Porto, PORTUGAL (as Data Processor):
1. Subject and duration of the agreement
- a) MASTERINSOFT (hereinafter referred to as “Data Processor”) provides Accommodation Providers (hereinafter referred to as “Data Controller”) a Software as a Service under a separate agreement.
The contractually agreed Software as a Service enables Data Controllers to generate and manage bookings by their guests (hereinafter referred to as “guests” or “guest”) via their own website or third-party portals and, if necessary, to further process this data.
In fulfillment of its contractual obligation as a provider of the Software as a Service, the Data Processor processes personal data for Data Controllers in accordance with Art. 4, No. 2 and Art. 28 of the GDPR and in accordance with the following provisions.
- b) This Data Processing Agreement shall commence with the accptance of the Data Processor’s User Agreement. The cancellation or other termination of the Data Processor’s User Agreement shall simultaneously invalidate this Agreement.
2. Nature and purpose of the processing, type of personal data and categories of data subjects:
- a) The contractually agreed data processing is necessary in order to provide Data Controllers with the Software as a Service and to enable their guests to make bookings.
- b) Data is processed from guests who make bookings via Data Controllers or whose bookings Data Controllers create or are created by third parties.
c)Information required to process the bookings includes:
- Inventory data (e.g., names of people traveling, addresses).
- Details of the booking identification (booking number etc.)
- Information about the time of booking.
- Details of the booking contents (arrival and departure date, reservation object etc.).
- Contact information (e.g., E-mail, phone numbers).
- Invoice information.
- Payment information.
- Meta / communication data (e.g., device information, IP addresses).
- Information about preferences that guests might have.
3. Rights, obligations and authority of Data Controllers
- a) The Data Controller alone is responsible for the assessment of the admissibility of the processing in accordance with Art. 6 paragraph 1 of the GDPR as well as for the protection of the rights of the persons concerned according to Articles 12 to 22 of the GDPR. Nevertheless, the Data Prosessor is obligated to immediately forward to the Data Controller all inquiries that the Data Processor receives, provided that such inquiries are clearly directed exclusively to the Data Controller.
- b) Changes to the processing operations and procedural changes shall be coordinated jointly between the Data Controller and the Data Processor and specified in writing or in a documented electronic format. Agreed changes and one-sided instructions by the Data Controller are to be kept for their duration and then for a further three full calendar years.
- c) The Data Controller usually issues all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions must be confirmed immediately in writing or in a documented electronic format.
- d) The Data Controller is entitled, as per section 5 of this agreement, before the start of the processing and from then on regularly to be reasonably assured of compliance with the technical and organizational measures taken by the Data Processor and the obligations laid down in this Agreement. Data Controllers shall inform the Data Processor immediately if they detect any errors or irregularities in the processed results.
- e) The Data Controller is obligated to treat confidentially all acquired knowledge of business secrets and data security measures of the Data Processor within the framework of the contractual relationship. This obligation remains valid even after termination of this contract.
4. Data Controller’s authorized persons and Data Processor’s instruction recipients
The Data Processor’s instruction recipients are:
Júlio Ribeiro, c/o of Panther Ambition, Lda – Rua Arq. Cassiano Barbosa 132-A62, 4100-009 Porto, PORTUGAL
Communication channels to be used for instructions:
The Data Controller must always keep information about authorized persons up to date. Unless expressly agreed otherwise, the person indicated by email to email@example.com shall be authorized to give instructions under this Agreement and to receive communications from the Data Processor via the communication channel specified therein.
5. Obligations of the Data Processor
- a) The Data Processor shall process personal data only under the adopted agreement and in accodance with the Data Controllers’s instructions, unless the Data Processor is obliged to otherwise process the data by law of the Union or the Member States to which the Data Processor is subject (eg. in the case of investigations by law enforcement or state protection authorities); in such cases, the Data Processor shall inform the Data Controller of these legal requirements prior to processing, unless the relevant law prohibits such notification because of a significant public interest (Art. 28 paragraph 3 sentence 2 (a) of the GDPR) ).
- b) The Data Processor shall process personal data only in a Member State of the European Union or in a signatory state to the EEA Treaty. Any transfer of the service or partial work to a third country requires the prior consent of the Data Controller and may only take place if the special conditions of Article 44,45 and 46 of the GDPRS are met (eg appropriaatness determination by the Commission, standard data protection clauses, approved codes of conduct).
- c) The Data Processor shall not processes the provided personal data for any purpose other than those contractually agreed, and particularly not for the Data Processor’s own purposes. Copies or duplicates of personal data shall not be created without the knowledge of the Data Controller.
- d) The Data Controller remains solely responsible for the fulfillment of the legal obligations arising from the GDPRS and the BDSG (German Federal Data Protection Law). However, the Data Processor shall as far as can be reasonably expected, assist the Data Controller in particular with:
- the fulfillment of the rights of data subjects by the Data Contoller, in accordance with Articles 12 to 22 of the GDPR,
- the preparation of records of processing activities,
- if necessary, the Data Controllers privacy impact assessments.
- e) The Data Processor will inform the Data Controller without delay if in the Data Processor’s opinion an instruction given by the Data Controller violates statutory provisions (Article 28, paragraph 3, sentence 3 of the GDPRS). The Data Processor is entitled to suspend the execution of the instruction until it has been verified by the authorized person of the Data Controller and confirmed or changed.
- f) The Data Processor shall correct, delete or restrict the processing of personal data if the Data Controller so requests and the legitimate interests of the Data Processor do not conflict with this. The Data Processor may only provide information about personal data from the contractual relationship to third parties or the person concerned after prior instruction or approval by the Data Controller.
- g) The Data Controller or third party commissioned by the Data Controller is entitled to check by appointment compliance with the statutory provisions pertaining to data protection and data security and the contractual agreements between the parties to the appropriate extent, in particular by collecting information and inspecting stored data and data processing programs as well as on-site inspections and inspections (Art. 28, paragraph 3, sentence 2 (h) of the GDPR).
- h) The Data Processor undertakes to maintain confidentiality when processing the Data Controller’s personal data. This obligation continues even after termination of the contract.
- i) The Data Processor guarantees that employees engaged by the Data Processor to process data are acquainted with the legal data protection provisions that are relevant to them before commencing the work and obliges them to maintain confidentiality during their employment as well as after termination of the employment relationship (Art. 28 paragraph 3 sentence 2 letter b and Art. 29 of the GDPR). The Data Processor shall monitor compliance with data protection regulations within his or her company.
6. Subcontracting relationships with subcontractors (Article 28 paragraph 3 sentence 2 (d) of the GPDR)
- a) The commissioning of subcontractors for the processing of data of the Data Controller is permitted to the Data Processor only with the permission of the Data Controller, Art. 28 paragraph 2 of the GDPR. The approval must be on one of the communication channels (section 4 of this agreement) in writing or in an electronic format in accordance with Art. 29 and Art. 32 paragraph 4 of the GDPR.
- b) Contracting subcontractors in third countries may only be carried out if the special conditions of Article 44, 45 and 46 of the GDPR are fulfilled (eg adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
- c) The contract with the subcontractor must be in writing, which can also be done in an electronic format (Article 28 paragraph 4 and 9 of the GDPR). The forwarding of data to the subcontractor is only permitted if the subcontractor has fulfilled the obligations according to Art. 29 and Art. 32 paragraph 4 of the GDPR with regard to his employees.
- d) Currently working for the Data Processor as a subcontractor:
Hetzner Online GmbH
Registergericht Ansbach, HRB 3204 USt-Id Nr. DE 812871812
The partial service provided by Hetzner Online GmbH is the hosting of the servers at locations in the Federal Republic of Germany.
7. Notification obligations of the Data Processor
The Data Processor shall immediately notify the Data Controller of any disruptions, violations by the Data Processor or persons employed by the Data Processor or his subcontractors against data protection regulations or the stipulations made in this agreement, as well as the suspicion of data breaches or improper processing of personal data. This also applies with regard to possible notification and notification obligations of the Data Controller according to Art. 33 and Art. 34 of the GDPR.
8. Technical and organizational measures according to Art. 32 of the GDPR (Article 28, paragraph 3, sentence 2 (c) of the GDPR)
Within the scope of the agreed data processing, it is necessary to ensure a level of protection appropriate to the risk to the rights and freedoms of natural persons affected by the processing. For this reason, the Data Processor has to carry out a review and evaluation of the effectiveness of the technical and organizational measures to ensure the safety of the processing on a given occasion, at least once a year (Article 32, paragraph 1 (d) of the GDPR).
The result and complete audit report must be communicated to the Data Controller on request. Insofar as the measures taken by the Data Processor do not meet the requirements of the Data Controller, the Data Controller shall inform the Data Processor immediately.
The measures taken by the Data Processor may be adapted to the technical and organizational development in the course of the contract, but must not fall below the agreed standards. Significant changes must be agreed between the Data Processor and the Data Controller in a documented form (written, electronic).
9. Obligations of the Data Processor after termination of the contract, Art. 28, paragraph 3, sentence 2 (g) of the GDPR
After completion of the data processing contract, the Data Processor shall provide the Data Controller with or delete all data, documents and processing or utilization results that have been acquired or submitted to subcontractors in connection with the contractual relationship.
Any liability claims arising out of breach of this agreement will be in accordance with the User Agreement for the Software as a Service of the Data Processor.
Agreements on the technical and organizational measures as well as control and examination documents (also on subcontractors) must be kept by both contracting parties for their validity periods and subsequently for three full calendar years.