Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated by reference into Plusgrade's Terms of Service available at https://www.plusgrade.com/policy/hospitality/generalterms or other agreement governing the use of Plusgrade's services ("Agreement") entered by and between you, the Customer (as defined in the Agreement) (collectively, "you", "your", "Customer"), and Ancillary Streams Ltd. or an affiliate ("Plusgrade", "us", "we", "our") to reflect the parties' agreement with regard to the Processing of Personal Data by Plusgrade solely on behalf of the Customer. Both parties shall be referred to as the "Parties" and each, a "Party".
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. By using the Services, Customer accepts this DPA and you represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
DEFINITIONS
PROCESSING OF PERSONAL DATA
DATA SUBJECT REQUESTS
CONFIDENTIALITY
SUB-PROCESSORS
SECURITY & AUDITS
DATA INCIDENT MANAGEMENT AND NOTIFICATION
RETURN AND DELETION OF PERSONAL DATA
CROSS-BORDER DATA TRANSFERS
AUTHORIZED AFFILIATES
OTHER PROVISIONS
SCHEDULE 1 - DETAILS OF THE PROCESSING
Nature and Purpose of Processing
- Providing the Services to Customer;
- Performing the Agreement, this DPA and/or other contracts executed by the Parties;
- Acting upon Customer's instructions, where such instructions are consistent with the terms of the Agreement;
- Complying with applicable laws and regulations;
- All tasks related with any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. Generally, such Personal Data may include names, email addresses, phone numbers, email data, system usage data, location data (physical address, IP address), purchase information (e.g. details concerning products or services purchased and time of purchase, but excluding payment method details) and other electronic data submitted, stored, sent, or received by the Data Subjects.
Categories of Data Subjects
Data Subjects are Customer's hotels' or otherwise hospitality properties' guests and visitors.
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Cross Border Transfers
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Plusgrade is the data processor of the Personal Data.
- Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data processor of the Personal Data and Plusgrade is a Sub-processor of the Personal Data.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
- Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.2 of the DPA.
- In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
- In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
- In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
  - Data Exporter: Customer.
  - Contact details: As detailed in the Agreement.
  - Data Exporter Role: Module Two: The Data Exporter is a data controller. Module Three: The Data Exporter is a data processor.
  - Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
  - Data Importer: Plusgrade.
  - Contact details: As detailed in the Agreement.
  - Data Importer Role: Module Two: The Data Importer is a data processor. Module Three: The Data Importer is a sub-processor.
  - Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
  - The categories of data subjects are described in Schedule 1 (Details of Processing) of this DPA.
  - The categories of personal data are described in Schedule 1 (Details of Processing) of this DPA.
  - The Parties do not intend for Sensitive Data to be transferred.
  - The frequency of the transfer is a continuous basis for the duration of the Agreement.
  - The nature of the processing is described in Schedule 1 (Details of Processing) of this DPA.
  - The purpose of the processing is described in Schedule 1 (Details of Processing) of this DPA.
  - The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
  - In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth at the link detailed in Section 5.2 of the DPA.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
- The Security Documentation referred to in the DPA serves as Annex II of the Standard Contractual Clauses.
- To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Cross Border Transfers
Table 1: The Parties
as stipulated in Section 9 of Part 1 of this Schedule 2.
Table 2: Selected SCCs, Modules and Selected Clauses
as stipulated in Part 1 of this Schedule 2.
Table 3: Appendix Information
means the information which must be provided for the selected modules as set out in the Appendix of the Standard Contractual Clauses (other than the Parties), and which for this Part 2 is set out in Part 1 to this Schedule 2.
Entering into this Part 2:
Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2.
Although Annex 1A and Clause 7 of the Standard Contractual Clauses require signatures by the Parties, for the purpose of making UK Transfers, the Parties may enter into this Part 2 in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Part 2. Entering into this Part 2 will have the same effect as signing the Standard Contractual Clauses and any part of the Standard Contractual Clauses.
Interpretation of this Part 2:
Where this Part 2 uses terms that are defined in the Standard Contractual Clauses, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
This Part 2 must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties' obligation to provide the Appropriate Safeguards.
If the provisions included in the Addendum EU SCCs amend the Standard Contractual Clauses in any way which is not permitted under the Standard Contractual Clauses or this Part 2, such amendment(s) will not be incorporated by this Part 2 and the equivalent provision of the Standard Contractual Clauses will take their place.
If there is any inconsistency or conflict between UK Data Protection Laws and this Part 2, UK Data Protection Laws apply.
If the meaning of this Part 2 is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted, and/or replaced after this DPA has been entered into.
Hierarchy:
Although Clause 5 of Standard Contractual Clauses sets out that the Standard Contractual Clauses prevail over all related agreements between the Parties, the Parties agree that, for a UK Transfer, the hierarchy in Section 10 below will prevail.
Where there is any inconsistency or conflict between this Part 2 and the Addendum EU SCCs (as applicable), this Part 2 overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the provisions of this Part 2.
Where this Part 2 incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Part 2 impacts those Addendum EU SCCs.
Incorporation and changes to the Standard Contractual Clauses:
This Part 2 incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter's processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Standard Contractual Clauses; and
- this Part 2 (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
Unless the Parties have agreed on alternative amendments which meet the requirements of Section 12 above, the provisions of Section 15 below will apply.
No amendments to the Standard Contractual Clauses other than to meet the requirements of Section 12 above may be made.
The following amendments to the Addendum EU SCCs (for the purpose of Section 12 above) are made:
- References to the "Clauses" mean this Part 2, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words: "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";
- Clause 6 (Description of the transfer(s)) is replaced with: "The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";
- To the extent applicable, Clause 8.7(i) of Module One is replaced with: "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";
- Clause 8.8(i) of Modules Two and Three is replaced with: "the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;"
- References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK";
- To the extent applicable, the reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module One, is replaced with "Clause 11(c)(i)";
- Clause 13(a) and Part C of Annex I are not used;
- The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
- In Clause 16(e), subsection (i) is replaced with: "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";
- Clause 17 is replaced with: "These Clauses are governed by the laws of England and Wales.";
- Clause 18 is replaced with: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and
- The footnotes to the Standard Contractual Clauses do not form part of this Part 2, except for footnotes 8, 9, 10 and 11.
Amendments to this Part 2:
The Parties may agree to change Clause 17 and/or 18 of this Part 2 to refer to the laws and/or courts of Scotland or Northern Ireland.
If the Parties wish to change the format of the information included in Tables 1, 2 or 3 of this Part 2, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
From time to time, the ICO may issue a revised UK Addendum which:
- makes reasonable and proportionate changes to the UK Addendum, including correcting errors in the UK Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised UK Addendum will specify the start date from which the changes to the UK Addendum are effective and whether the Parties need to review this Part 2 including the Appendix Information. This Part 2 is automatically amended as set out in the revised UK Addendum from the start date specified.
If the ICO issues a revised UK Addendum under Section 18, if any Party will, as a direct result of the changes in the UK Addendum, have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under this Part 2; and/or
- its risk under this Part 2,
and in either case, it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Part 2 at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
The Parties do not need the consent of any third party to make changes to this Part 2, but any changes must be made in accordance with its terms.
PART 3 – Swiss Cross Border Transfers
The Parties agree that the Standard Contractual Clauses as detailed in Part 1 of this Schedule 2, shall be adjusted as set out below where the FADP applies to Swiss Transfers:
- References to the Standard Contractual Clauses mean the Standard Contractual Clauses as amended by this Part 3;
- The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP;
- The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to Swiss Transfers;
- References to Regulation (EU) 2018/1725 are removed;
- Swiss Transfers subject to both the FADP and the GDPR, shall be dealt with by the EU Supervisory Authority named in Part 1 of this Schedule 2;
- References to the "Union", "EU" and "EU Member State" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses;
- Where Swiss Transfers are exclusively subject to the FADP, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP;
- Where Swiss Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP insofar as the Swiss Transfers are subject to the FADP;
- The Standard Contractual Clauses as amended by this Part 3 also protect the Personal Data of legal entities until the entry into force of the Revised FADP.
PART 4 – Additional Safeguards
- In the event of an EEA Transfer, a UK Transfer or a Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
- The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
- The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act ("FISA");
- If the Processor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
- The Processor shall inform the relevant government authority that the Processor is a processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;
- The Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor's control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(II) shall not apply. In such event, the Processor shall notify the Controller, as soon as possible, following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited to do so.
- Once in every 12-month period, the Processor will inform the Controller, at the Controller's written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.
The list of sub-processors can be found at https://www.plusgrade.com/policy/processor