DATA PROCESSING AGREEMENT

Effective as of October 1, 2018

AGREEMENT dated on the date when you agree to this agreement

BETWEEN:

(1)        You (hereinafter the “Controller"); and

(2)        Hostelpro OÜ, a private limited company registered under number 12892955 in the Republic of Estonia and whose registered office is at Ahtri 12, Tallinn city, Harju county, 10151 (hereinafter the "Processor").

BACKGROUND

(A)        This Agreement is to ensure there are in place proper arrangements relating to personal data passed from Controller to the Processor.

(B)        This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation.

(C)        The parties wish to record their commitments under this Agreement.

IT IS AGREED AS FOLLOWS: 

1. DEFINITIONS AND INTERPRETATION

In this Agreement:

• "Data Protection Laws" means the any EU national data protection act, together with successor legislation incorporating GDPR;
• "Data" means personal data passed under this Agreement as detailed on the website;
• “GDPR” means the General Data Protection Regulation;
• "Services" means the services indicated and provided on the Processor’s website, applications or hardware.

2. DATA PROCESSING

Controller is the data controller for the Data and the Processor is the data processor for the Data. The Data Processor agrees to process the Data only in accordance with Data Protection Laws and in particular on the following conditions:

1. the Processor shall only process the Data (i) on the written instructions from Controller (ii) only process the Data for completing the Services (Article 28, para 3(a) GDPR);
2. ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement and (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
3. Controller and the Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR, details of those measures are set out under the GDPR (Article 28, para 3(c) GDPR);
4. the Processor shall not involve any third party in the processing of the Data without the consent of Controller. Such consent may be withheld without reason. If consent is given a further processing agreement will be required (Article 28, para 3(d) GDPR);
5. taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of Controller` obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc (Article 28, para 3(e) GDPR);
6. assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the national regulator, taking into account the nature of processing and the information available to the Processor (Article 28, para 3(f) GDPR);
7. at Controller’ choice safely delete or return the Data at any time. Where the Processor is to delete the Data, deletion shall include destruction of all existing copies unless otherwise a legal requirement to retain the Data. Where there is a legal requirement the Processor will prior to entering into this Agreement confirm such an obligation in writing to Controller. Upon request by Controller the Processor shall provide certification of destruction of all Data (Article 28, para 3(g) GDPR);
8. make immediately available to Controller all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for and contribute to any audits, inspections or other verification exercises required by Controller from time to time (Article 28, para 3(h) GDPR);
9. maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and
10. immediately contact Controller if there is any personal data breach or incident where the Data may have been compromised.

3. THE AIM OF THE PROCESSING

The Processor is a hostel/hotel/accommodation management software and service provider and the Controller is a user of the software. The Controller collects some data regarding its clients, visitors, and, consumers. The Processor provides the software which help the Controller to manage its hostel/hotel/accommodation systems.

4. CATEGORIES OF PERSONAL DATA PROCESSED

The Controller collects data necessary for its business. Such data may include name, birthday date, residency, nationality, passport/ID number, age, gender, and credit card information.

5. CATEGORIES OF DATA SUBJECTS

The Controller is a hostel/hotel/accommodation owner which collects personal data of consumers who order services of the hostel/hotel/accommodation.

6. TERMINATION

Controller or Processor may immediately terminate this Agreement on written notice to the other party.

7. GENERAL

This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under Data Protection Laws.