Last update 30/01/2023
Data Processing Agreement
|Parties' relationship||Controller to Processor|
Customer will act as the Controller (as defined in Section 1 of the Terms)
Data Protection Officer
By contracting the Services (as defined below), Customer accepts and agrees to be bound by this DPA, which will form an integral part of the Main Agreement.
|Term||This DPA will commence on the effective date of the Main Agreement and will continue until the end of the Main Agreement.|
|Breach Notification Period||Without undue delay after becoming aware of a personal data breach.|
|Sub-processor Notification Period||14 days before the new sub-processor is granted access to Personal Data.|
|Liability Cap||Each party’s aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement.|
|Governing Law and Jurisdiction||As per the Main Agreement.|
|Data Protection Laws||
All laws, regulations and court orders which apply to the processing of Personal Data in the European Economic Area (EEA). This includes the European Union Regulation (EU) 2016/679, as amended from time to time.
For Customers who are located in the United Kingdom (UK), this will also include all laws, regulations and court orders which apply to the processing of Personal Data in the UK, including the Data Protection Act 2018, as amended from time to time.
For Customers who are located in the United States of America (US), this will also include all laws, regulations and court orders which apply to the processing of Personal Data in the US. This includes the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA), each as amended from time to time.
For Customers who are located in Switzerland, this will also include all laws, regulations and court orders which apply to the processing of Personal Data in Switzerland. This includes the Federal Act of 19 June 1992 on Data Protection (FADP), as amended from time to time.
|Services related to processing||Business travel services provided by TravelPerk at Customer’s request, including, if applicable, Premium Services, Pro Services, Invoice Collection Services, FlexiPerk (each as detailed in the Main Agreement) and any other services that may be offered by TravelPerk and hired by Customer from time to time (collectively, the Services).|
|Duration of processing||The personal data shall be processed for the Term, and after the end of this relationship for any reason, for the statutory periods of limitation applicable in each case. After these statutory periods of limitation, the personal data shall be deleted or alternatively anonymised.|
|Nature and purpose of processing||
TravelPerk will collect, store, use, record, structure, consult, modify, transmit, organise and carry out any necessary operation with the purpose of rendering the Services related to processing.
The Services provided by TravelPerk through its platform, which allows companies to search, book, manage, report and control costs of business travels, may include the following activities according to the Services hired by Customer:
The types of personal data processed are:
The individuals whose Personal Data will be processed are:
Special Category Data:
TravelPerk does not require users to disclose personal data concerning health, sex life or orientation, racial or ethnic origin, political views, religious or philosophical beliefs and trade union membership, as well as biometric data processed solely to identify a human being and genetic data (Special Category Data). Customers shall properly inform users so that they only disclose Special Category Data to TravelPerk when strictly necessary for TravelPerk to render the Services.
Where users gave explicit consent to the processing of Special Category Data by voluntarily disclosing it to TravelPerk or uploading it to the Platform for the purpose of TravelPerk handling users' special requests or inquiries (e.g. food allergies, need for adapted rooms, etc.), TravelPerk may process the Special Category Data solely for such specified purpose.
Travel Service Providers:
To render the Services, TravelPerk will need to communicate personal data to travel-related services provided by third parties such as airlines, train operators, rental car agencies and hotels or accommodation providers (Travel Service Providers). Due to the nature of the activity and processing of personal data by Travel Service Providers, Travel Service Providers and Customer will be independent controllers of the Customer’s personal data while TravelPerk will act as Customer's Processor to intermediate the services of Travel Service Providers as requested by Customer.
We may update this DPA from time to time and will notify you of said changes and updates as required by law. We will share the previous version of this DPA and indicate the revision dates on this page. You can ask TravelPerk for a copy of the previous versions of the DPA.
As an amendment to clause 5.5: “Entire agreement. Unless the parties have executed a data processing agreement, this DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.”
|Transfer Mechanism||Not Applicable|
|Security measures. Technical and organisational measures to ensure the security of Personal Data||https://www.travelperk.com/wp-content/uploads/TravelPerk-Security-Measures-DPA-1.pdf|
|Sub-processors. Current sub-processors||https://www.travelperk.com/wp-content/uploads/TravelPerk-List-of-Sub-Processors-1.pdf|
1. What is this agreement about?
1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).
1.2 Definitions. Under this DPA:
(a) adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data, and
(b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws.
(c) Sub-Processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.
2. What are each party’s obligations?
2.1 Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.
2.2 Processor obligations. Processor will:
(a) only process Personal Data in accordance with this DPA and Controller’s instructions (unless legally required to do otherwise),
(b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,
(c) inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws,
(d) use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved,
(e) notify Controller of a personal data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it,
(f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,
(g) without undue delay, provide Controller with reasonable assistance with: (i) data protection impact assessments, (ii) responses to data subjects’ requests to exercise their rights under Data Protection Laws, and (iii) engagement with supervisory authorities,
(h) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
(i) allow for audits at Controller’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and
(j) return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.
2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.
3.1 Use of sub-processors. Controller authorises Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Annex 2.
3.2 Sub-processor requirements. Processor will:
(a) require its sub-processors to comply with equivalent terms as Processor’s obligations in this DPA,
(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor, and
(c) be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA.
3.3 Approvals. Processor may appoint new sub-processors provided that they notify Controller in writing in accordance with the Sub-processor Notification Period.
3.4 Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.
4. International personal data transfers
4.1 Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.
4.2 Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data:
(a) that party will act as the data importer,
(b) the other party is the data exporter, and
(c) the relevant Transfer Mechanism will apply.
4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.
4.4 Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):
(a) challenge the request and promptly notify the data exporter about it, and
(b) only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.
5. Other important information
5.1 Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.
5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:
(a) Transfer Mechanism,
(c) Main Agreement.
5.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA’s front page as may be updated by a party to the other in writing.
5.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
5.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.
5.6 Amendments. Any amendments to this DPA must be agreed in writing.
5.7 Assignment. Neither party can assign this DPA to anyone else without the other party's consent.
5.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
5.9 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.
For customers that hired TravelPerk services before January 30th, 2023, and never signed a Data Processing Agreement with us, the previous version of the online Data Processing Agreement available here will apply until February 28th, 2023.