Privacy Policy

DATA PROTECTION ANNEX

This Data Protection Annex (the “Annex”) forms an integral part of the service agreement, order, or other agreement in force (the “Main Agreement”) between:
Customer: the contracting party or an affiliated company within the same group (the “Customer”), and
Supplier: the service provider (the “Supplier”).
Together referred to as the “Parties”.

1. Purpose and Application

1.1 This Annex governs the processing of Personal Data by the Supplier on behalf of the Customer under the Main Agreement.

1.2 The Customer acts as the Controller and determines the purposes and means of processing Personal Data. The Supplier acts as the Processor and processes Personal Data solely in accordance with the Customer’s documented instructions.

1.3 This Annex constitutes a written agreement on the processing of Personal Data in accordance with Article 28 of the GDPR.

1.4 In the event of any conflict between the Main Agreement and this Annex, the provisions of this Annex shall prevail.

2. Definitions

For the purposes of this Annex:

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Legislation.

“Processing” means any operation or set of operations performed on Personal Data, automated or otherwise, as defined in Data Protection Legislation.

“Controller” means the Customer, who determines the purposes and means of the Processing of Personal Data.

“Processor” means the Supplier, who processes Personal Data on behalf of the Controller in accordance with this Annex.

3. Nature and Purpose of Processing

3.1 The Personal Data processed under this Annex consists of data stored in the Customer’s registers and disclosed to the Supplier for purposes including but not limited to: the organization of trips and related services by the Customer; matters concerning participants in trips organized by the Customer.

3.2 The specific subject matter, nature, and purpose of processing are set out in the Main Agreement.

4. Categories of Personal Data

The Personal Data processed by the Supplier may include:

Data stored in the Customer’s registers, including name, date of birth, address, phone number, email, work details (task, profession, position, organizational role), and other necessary contact information.

Content provided by the data subject, including preferences regarding trips and services, satisfaction feedback, interests, and similar information.

5. General Obligations

5.1 Customer’s Obligations

Ensure a valid legal basis for Processing under the Main Agreement, including obtaining necessary consents.

Provide sufficient information to data subjects regarding Processing.

Define the purposes and means of Processing and provide the Supplier with lawful and comprehensive written instructions.

5.2 Supplier’s Obligations

Immediately notify the Customer if it believes the Customer’s instructions violate Data Protection Legislation and request clarified instructions.

Maintain a record of Processing activities as required by the GDPR.

Process Personal Data strictly in accordance with the Customer’s instructions, as part of the services under the Main Agreement.

6. Data Security

6.1 The Supplier shall implement appropriate technical and organizational measures to protect Personal Data against risks such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6.2 Data transfers between the Customer and Supplier shall follow the transfer methods defined by the Customer.

7. Data Breach Notification

7.1 The Supplier shall notify the Customer without delay and no later than 36 hours after becoming aware of a Personal Data breach. Notification shall be in writing.

7.2 Upon request, the Supplier shall provide all relevant information concerning the breach, including at minimum:
a) description of the breach;
b) categories and approximate numbers of data subjects and Personal Data records affected (where possible);
c) likely consequences of the breach;
d) corrective measures taken or proposed by the Supplier, including steps to mitigate adverse effects.

7.3 The Supplier shall document, investigate, and report the breach and any measures taken. The Customer is responsible for regulatory and data subject notifications.

8. Assistance and Information

The Supplier shall:

promptly inform the Customer of any requests from data subjects, supervisory authorities, or other authorities;

assist the Customer in matters relating to security, breach notifications, and responses to data subject rights requests.

9. Data Retention and Deletion

9.1 The Supplier shall destroy and/or return to the Customer all Personal Data, materials, and data storages created under the Main Agreement no later than three (3) months after the agreed or necessary measures relating to the service have been completed.

9.2 This obligation extends to subcontractors and all backups.

10. Data Transfers Outside the EU/EEA

10.1 The Supplier and its subcontractors may not process Personal Data outside the EU/EEA without the Customer’s prior written consent.

10.2 In such case, both Parties shall ensure compliance with applicable Data Protection Legislation regarding cross-border data transfers.

11. Confidentiality

11.1 Each Party shall keep confidential all materials and information received from the other Party that are marked or reasonably understood as confidential and shall not use them for purposes other than fulfilling the Main Agreement.

11.2 Confidentiality does not apply to information that:
a) is publicly available;
b) is lawfully received from a third party without confidentiality obligations;
c) was already in the receiving Party’s possession without confidentiality obligations;
d) is independently developed without use of the other Party’s confidential information;
e) must be disclosed by law or regulatory order.

11.3 Upon termination of the Main Agreement or when no longer needed, the Supplier shall immediately cease using and, upon request, return or securely destroy all confidential materials (including copies). Retention of copies required by law or regulation is permitted.

11.4 Each Party shall ensure that its employees, affiliates, and subcontractors comply with these confidentiality obligations.

12. Other Provisions

12.1 The Supplier shall notify the Customer in writing of any changes that may affect its ability to comply with this Annex or the Customer’s instructions.

12.2 Obligations concerning confidentiality and other obligations intended by their nature to survive termination shall remain in force after the termination of the Main Agreement and this Annex.
