Data processing agreement

Parties

HBMEO B.V., organiser of Hotelnacht, hereinafter referred to as the “Organiser”;

and

The general contact person of the participating hotel, acting in this agreement in the capacity of controller, hereinafter referred to as the “Participant”;

Organiser and Participant hereinafter jointly referred to as the “Parties” and individually as a “Party”.

Recitals

A. Pursuant to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Parties are required to enter into a data processing agreement governing the processing of personal data.
B. This Agreement sets out the rights and obligations of the Parties with respect to such processing.
C. This Agreement shall enter into force upon signature by both Parties and shall not be subject to unilateral termination.

Article 1 – Purpose and Scope of Processing

1.1 The Participant shall process personal data solely on behalf of the Organiser and strictly in accordance with the purposes determined by the Organiser.
1.2 The Participant shall not determine the purposes and means of the processing independently and shall act exclusively on documented instructions from the Organiser.
1.3 Personal data processed under this Agreement shall be provided by the Participant and processed under its responsibility.
1.4 The Participant warrants that any processing of personal data carried out under this Agreement is lawful.
1.5 The Organiser warrants that it shall process personal data lawfully and shall not process such data for its own independent purposes.

Article 2 – Retention of Personal Data

2.1 The Participant shall ensure that personal data are retained no longer than is necessary for the purposes for which they are processed.
2.2 The Organiser shall comply with the retention periods as determined by the Participant.

Article 3 – Return and Deletion of Personal Data

3.1 Upon termination of the Agreement, the Participant shall, at the request of the Organiser, make all personal data available to the Organiser.
3.2 In the absence of such request, the Participant shall delete all personal data without undue delay after termination or once the purpose of processing has been fulfilled.
3.3 The Participant shall, upon request of the Organiser, permanently delete all personal data, unless retention is required by applicable law.

Article 4 – Sub-processors

4.1 The Participant may engage sub-processors for the performance of its obligations under this Agreement.
4.2 The Participant shall ensure that any sub-processor is bound by a written agreement imposing data protection obligations no less stringent than those set out in this Agreement.
4.3 The Participant shall remain fully liable for the acts and omissions of its sub-processors.

Article 5 – Liability

5.1 The Participant’s liability shall be limited to direct damages resulting from its negligence or failure to comply with this Agreement.
5.2 The Participant shall indemnify the Organiser against damages arising from the Participant’s failure to comply with the obligations imposed by the Organiser.
5.3 The Organiser shall not be liable for damages resulting from the Participant’s failure to implement appropriate technical and organisational measures as recommended by the Organiser.
5.4 Where a data subject submits a claim against the Organiser for damages not attributable to the Participant, any compensation paid by the Participant in such context shall be reimbursed by the Organiser.

Article 6 – Security Measures

6.1 The Participant shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
6.2 Such measures shall take into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks to the rights and freedoms of natural persons.
6.3 Risks include, but are not limited to, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
6.4 The Participant shall ensure that any person authorised to process personal data under its authority does so only on documented instructions, unless otherwise required by law.

Article 7 – Personal Data Breaches

7.1 The Participant shall notify the Organiser without undue delay upon becoming aware of a personal data breach.
7.2 Such notification shall include, at a minimum:

  • a description of the nature of the breach;
  • an estimate of the number of affected data subjects;
  • the likely consequences of the breach; and
  • the measures taken or proposed to mitigate its effects.

7.3 The Participant shall maintain a record of all personal data breaches, including the information referred to in this Article.

Article 8 – Confidentiality

8.1 The Participant shall ensure that its personnel are adequately trained in data protection and are aware of their obligations under the GDPR.
8.2 The Participant shall ensure that all persons authorised to process personal data are bound by confidentiality obligations.
8.3 Where the Participant is legally required to disclose personal data to a competent authority, it shall inform the Organiser without undue delay, unless prohibited by law.

Article 9 – Data Subject Rights

9.1 The Organiser shall, to the extent reasonably possible, assist the Participant in responding to requests from data subjects exercising their rights under the GDPR.
9.2 The Organiser shall implement appropriate technical and organisational measures, where reasonably feasible, to facilitate compliance with such requests.
