DATA PROCESSING REGULATIONS OF HOTELIGA INTERNATIONAL

1. GENERAL PROVISIONS

1.1. Definitions:

“Processor” means hoteliga international Spółka z ograniczoną odpowiedzialnością, with its registered office at Prof. Michała Życzkowskiego Str. 20, 31-864 Kraków, Poland, entered into the register of entrepreneurs of the National Court Register under KRS No.: 0000699940, NIP (Tax Identification Number): 6751621616, REGON (Statistical Number): 368549956;

“Client” means the entity or person that uses the Processor’s Products in accordance with any applicable agreements or regulations;

“Processor’s Products” means products and services supplied by the Processor including without limitation hoteliga “Channel Manager”, hoteliga “Booking engine”, hoteliga “hoteliga PMS”, and hoteliga “API”;

“Data Administrator” means the entity or person, alone or jointly with other persons or entities, which determines the purposes and means of the Processing of Personal Data;

“Data Processor” means the entity or person, other than the Client or Client’s employees or agents, who Processes Personal Data on behalf of the Client and does not Process Personal Data for its own purposes;

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data of the Client by the Data Processor;

“Data Subject” means the individual to whom Personal Data relates;

“Personal Data” means any information relating to an identified or identifiable person where such data is submitted to the Processor as Client’s Data or otherwise Processed by Processor on behalf of Client in the course of supplying the Processor’s Products to the Client;

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Record of Processing Activities” record that contains every activity regarding Processing Personal Data, in particular information specified in Data Protection Laws and Regulations;

“Security Documentation” means Processor documents that set forth the controls implemented by Processor designed to safeguard the security, confidentiality, integrity and availability of the Personal Data;

“Security Incident” means actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Administrator’s Personal Data transmitted, stored or otherwise processed by Processor or its Sub-processors;

“Sub-processor” means any Data Processor engaged by Processor;

“Client’s Data” means any data, including Personal Data, provided by Client to Processor or collected by Processor on Client’s behalf, including data accessed by Processor on Client or third party systems.

1.2 Capitalized terms not defined in this Section 1 shall have the meaning set forth in applicable Data Protection Laws and Regulations. In the event of a conflict or inconsistency between such definitions, Data Protection Laws and Regulations shall take precedence.

1.3 In the course of supplying the Processor’s Products to the Client, Processor may Process Personal Data on behalf of Client. These Data Processing Regulations (“DPR”) establish the procedure and rules for the protection of Client’s Personal Data processed by Processor, in accordance with the requirements of Data Protection Laws and Regulations.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Processor and the Client. With regard to the Processing of Personal Data, Client is the Data Administrator, Processor is a Data Processor and Processor may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.

2.2. Client’s Processing of Personal Data.. Client shall, in the course of using the Processor’s Products, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client shall maintain Record of Processing Activities under its responsibility in accordance to Data Protection Laws and Regulations and this DPR.

2.3. Processor’s Processing of Personal Data.. Processor shall only Process Personal Data on behalf of and in accordance with Client’s instructions, in compliance with Data Protection Laws and Regulations, and shall treat Personal Data as Confidential Information. Client instructs Processor to Process Personal Data for the following purposes: (i) Processing in the course of supplying the Processor’s Products to the Client; (ii) Processing initiated by Data Subjects or entities submitting Personal Data; and (iii) Processing to comply with other reasonable instructions provided by the Client (e.g., via email) where such instructions are consistent with the terms and conditions of supplying the Processor’s Products to the Client. Processor, and where applicable, Sub-processor, shall maintain Record of Processing Activities under its responsibility in accordance to Data Protection Laws and Regulations and this DPR.

2.4. In an appendix to this DPR are specified: the type of Personal Data, categories of Data Subjects, nature, purpose and duration of Processing as well as a list of authorized Sub-processors.

3. RIGHTS OF DATA SUBJECTS

3.1. Execution of Data Subjects’ rights. To the extent Client, in the course of using the Processor’s Products, does not have the ability to correct, amend, block or delete Personal Data or other action of Processing, as required by Data Protection Laws and Regulations, Processor shall comply with any reasonable request by Client to facilitate such actions, within the timelines specified by Client and concordant with the Data Protection Laws and Regulations, to the extent Processor is legally permitted to do so.

3.2. Data Subject Requests. Processor shall, to the extent legally permitted, promptly notify Client if it receives a request from a Data Subject for access to, correction, amendment or deletion or other action regarding that person’s Personal Data. Processor shall not respond to any such Data Subject request without prior consent of the Client. Processor shall provide Client with reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data or other actions to the extent legally permitted and to the extent Client does not have access to such Personal Data through its means.

4. PROCESSOR’S PERSONNEL

4.1. Confidentiality. Processor shall inform its personnel engaged in the Processing of Personal Data of the confidential nature of the Personal Data and provide appropriate training on their responsibilities. Such personnel shall have executed written confidentiality agreements or otherwise be subject to binding confidentiality obligations. Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2. Reliability. Processor shall take reasonable steps to ensure the reliability of any Processor personnel engaged in the Processing of Personal Data.

4.3. Limitation of Access. Processor shall limit Processor’s personnel access to Personal Data to those personnel who require such access in order to supply the Processor’s Products to the Client.

4.4. Data Protection Officer. Processor shall appoint a data protection officer where such appointment is required by Data Protection Laws and Regulations or appropriate for the protection of Client’s Data. Processor shall notify Client of any such appointment and provide Client and Data Subjects with the contact information of the appointed data protection officer. In case a data protection officer is not required Processor shall provide Client with contact details to a person appointed by Processor to be responsible for protection of Personal Data.

5. SUB-PROCESSORS

5.1 Appointment of Sub-processors. The Processor shall have the right to sub-entrust the processing of the Personal Data to another entity on the basis of the general consent the Data Controller hereby grants.

5.2 List of current Sub-processors and notification of new Sub-processors. Processor shall make available to Client at all times a current list of Sub-processors with the identities of those Sub-processors (“Sub-processor List”). To view Sub-processor list please visit Sub- processors page.

5.3 Objection right for new Sub-processors. Processor shall inform Client before authorizing any new Sub-processor(s) to Process Client’s Data. If Client has a reasonable basis to object to Processor’s use of a new Sub-processor, Client shall notify Processor of such objections in writing within 10 business days after receipt of Processor’s notice.
In the event Client objects to a new Sub-processor(s) and that objection is not unreasonable Processor will use reasonable efforts to substitute such Sub-processor or to avoid processing of Personal Data in a manner requiring engagement of a Sub-processor without unreasonably burdening the Client.

5.4 Where Processor must provide Client with copies of Sub-processor agreements to comply with Data Protection Laws and Regulations, such agreements may have all commercial information and clauses unrelated to such compliance removed by Processor and that such copies will be provided by Processor only upon Client’s reasonable request.

6. BREACH NOTIFICATION

6.1. Processor shall develop and implement reasonable technical and organizational security measures, including but not limited to such measures specified in its Security Documentation, and controls appropriate to the course of supplying the Processor’s Products to the Client, including but not limited to Processing of Personal Data, to prevent any unauthorized or accidental access, use, collection, disclosure, copying, modification, alteration, loss, destruction, disposal or similar risks, and shall reasonably document such measures and controls as part of its Security Documentation. The security measures and controls to be developed and implemented by Processor in the course of supplying the Processor’s Products to the Client shall include, but not be limited to the following:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

(2) A written security policy with respect to the processing of Personal Data;

(3) A process for identifying and accessing reasonably foreseeable risks and vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against Security Incidents; and

(4) Regular monitoring for Security Incidents and a process for taking preventive, corrective and mitigating action against Security Incidents.

Upon Client’s written request and at reasonable intervals, Processor shall provide a copy of Processor’s then most recent third-party audits or certifications of its practices, as applicable, or any summaries thereof.

6.2. Processor shall maintain appropriate security incident management policies and procedures, including but not limited to any such policies and procedures specified in the Security Documentation and shall, to the extent permitted by law, promptly notify Client of any Security Incident of which it becomes aware. Processor shall investigate and make all reasonable efforts to identify and remediate the cause of such Security Incident. Upon Client’s reasonable written request, Processor shall provide a written report detailing the Processor’s actions to detect, investigate, contain, mitigate, and remediate the Security Incident, as well as a corrective action plan to prevent recurrence of the Security Incident. Client and Processor shall reasonably cooperate with each other to facilitate compliance with applicable laws, including but not limited to notification of affected individuals and reports to government authorities.

6.3. Processor shall not notify any affected individual, regulator, government authority, or other third party regarding any Security Incident unless such notification is required earlier by law. For avoidance of doubt, this Section 6.3 shall apply only to a Security Incident to the extent it affects Client’s Data.

7. NOTICES

Processor shall immediately notify Client of any legally binding request for disclosure of Client’s Data by any law enforcement or other government authority, including intelligence agencies, unless prohibited by law. To the extent allowed by applicable law, Processor shall withhold the disclosure of Client’s Data pursuant to such requests to enable Client to exercise its legal rights to challenge the request for Client’s Data.

8. RETURN AND DELETION OF ADMINISTRATOR DATA

Upon ending of supplying the Processor’s Products to the Client, or at written request of Client, Processor shall delete Client’s Data stored on other data carriers unless any provision of law binding on the Processor requires storage of the Client’s Data. Processor shall cease to retain any documents containing Personal Data as soon as it is reasonable to assume that (a) the purpose for which that Personal Data was collected is no longer being served by retention of the Personal Data; and (b) retention is no longer necessary for legal or business purposes – provided that in both cases Processor informs Client of the will to delete the Personal Data and Client does not object within 5 working days. A certification of deletion of Personal Data shall be provided by Processor to Client only upon Client’s request.

9. AUDITS AND CERTIFICATIONS

9.1. Client shall have the right to audit Processor’s compliance with the terms of this DPR and Data Protection Laws and Regulations according to the following procedures.

9.2. Upon Client’s request, and subject to the confidentiality obligations applicable in the course of supplying the Processor’s Products to the Client, Processor shall make available to Client (or Client’s independent, third-party auditor that is not a competitor of Processor) information sufficient to establish Processor’s compliance with the obligations set forth in this DPR (“Compliance Obligations”). Such information shall include any documentation reasonably necessary to confirm Processor’s compliance with its Compliance Obligations.

9.3. Audit requests by Client shall be provided to Processor in writing and no more frequently than once in any 12-month period, with the exception that Client may request an audit following any Processor notification of a Security Incident under Section 6.2 of this DPR or as necessary to demonstrate Client’s compliance with Data Protection Laws and Regulations pursuant to a regulatory investigation, inquiry of an authorized entity, or lawsuit.

9.4. Client shall promptly notify Processor of information regarding any non-compliance discovered during the course of an audit.

9.5 Processor shall disclose Records of Processing Activities to Client within a reasonable period of time, not to exceed 30 days, after being notified by Client.

10. LEGAL EFFECT

10.1 These DPR are effective towards the Client from the moment the Client clicks “I agree” on DPR checkbox on the website, accepting these DPR.

10.2 The provisions of this DPR shall survive the ending of supplying the Processor’s Products to the Client perpetually until Processor has returned or deleted all Personal Data in accordance with Section 8.

11. CONFLICT

In the event of any conflict or inconsistency between this DPR and any other agreements or regulations applicable in the course of supplying the Processor’s Products to the Client, this DPR shall prevail.

I read and accept above terms

If you don’t accept above terms please contact us at info@hoteliga.com



Appendix 1

Personal Data

Nature and Purpose of Processing:

In the course of supplying the Processor’s Products to the Client.

Duration of Processing:

The term of Client’s using the Processor’s Products in accordance with any applicable agreements or regulations.

Categories of Data Subjects:

Client hotel quests,

Client employees and contractors (personnel)

Categories of Personal Data:

Identification data,

Contact data,

Data required to check – in,

Data required for payment.