Last update 24/01/2022
Data Processing Agreement
This Data Processing Agreement (“Data Processing Agreement”) defines the conditions under which TravelPerk, S.L.U. (“TravelPerk”), as data processor, processes and secures the personal data necessary for the provision of the Services contracted by the Customer (data controller) under the agreement or agreements between TravelPerk and the Customer (the “Agreement”).
By contracting the Services, the Customer accepts and agrees to be bound by this Data Processing Agreement, which shall form an integral part of the Agreement.
SUMMARY OF THE DATA PROCESSING AGREEMENT:
- ROLES OF THE PARTIES
- SCOPE OF THE SERVICES
- SPECIAL CATEGORIES OF PERSONAL DATA
- DETAILS OF THE PROCESSING
- OBLIGATIONS OF THE CUSTOMERS
- OBLIGATIONS OF TRAVELPERK AND COMMUNICATION OF DATA TO THIRD SUPPLIERS
- QUESTIONS AND COMMENTS ON THIS DATA PROCESSING AGREEMENT
- LEGAL VALIDY OF THIS DATA PROCESSING AGREEMENT
- ENTIRE DATA PROCESSING AGREEMENT AND FUTURE CHANGES
- CALIFORNIA CONSUMER PRIVACY ACT SECTION
- APPLICABLE LEGISLATION AND JURISDICTION
1.1 In this Data Processing Agreement:
a) “Admin” means the employee or employees of TravelPerk’s Customers who act in representation of such Customers and who have administration rights on the TravelPerk’s platform.
b) “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control - where control means the ownership of a majority share of the stock, equity or voting interests of such entity- with Customer, or any party with a direct or indirect shareholding or equity interest in Customer.
c) “Binding Corporate Rules” means personal data protection policies that allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data.
d) “Customer or Customers” means the companies, entities, and/or organizations that retain the Services of TravelPerk.
e) “Data Protection Laws” means the GDPR, the Spanish Royal Decree 3 2018 December, the applicable EEA member state data protection provisions. For Customers based in the United Kingdom, it shall also mean the applicable data protection laws in the United Kingdom from time to time.
f) “EEA” means the European Economic Area.
g) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
h) “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed by TravelPerk in connection with the provision of the Services.
i) “Services” means the services related to business travel offered by TravelPerk to the Customer under the Agreement in where the Customer is a controller of personal data and TravelPerk is a data processor. The scope of the Services is further described in Section 3.
j) “Standard Contractual Clauses” means the European Commission's standard contractual clauses governing the transfer of personal data to processors established in Third Countries, pursuant to Commission Decision 2010/87/EU of 5 February 2010, or, where legally required according to the implementation periods set forth by the EU authorities, to Commission Decision 2021/914/EC of 4 June 2021, or as such clauses are amended or replaced from time to time by the data protection authorities.
k) “Sub-processor” means any natural or legal person engaged by TravelPerk and authorised under this Data Processing Agreement to access and process personal data in order to assist in the provision of the Services.
l) “Subscription Fees” means fees paid by the Customer for the Services. For the sake of clarity, costs of the travel or trips or other disbursements are not considered Subscription Fees.
m) “Third Country” means a country outside the EEA or a country which does not ensure an adequate level of security according to EEA standards.
n) “Traveler” means the employees and, where applicable, contractors of the Customer who have a traveler account on TravelPerk’s platform and who travel for business purposes in trips booked through the platform.
o) “Travel Services” means travel-related services provided by third parties such as airlines, train operators, rental car agencies and hotels or accommodation providers (“Travel Service Providers”).
p) “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
q) “User” means the Travelers and Admins.
1.2 The terms “personal data”, “special categories of data”, “process/processing”, “data controller”, “data processor”, “data subject” and “supervisory authority” and any other term not expressly defined in this Data Processing Agreement shall have the same meaning as in the GDPR.
2. ROLES OF THE PARTIES
The parties acknowledge and agree that with regard to the processing of personal data under this Data Processing Agreement, the Customer is the Data Controller and TravelPerk is the Data Processor. Each party is responsible for compliance with its respective obligations under Data Protection Laws.
3. SCOPE OF THE SERVICES
3.1 General description
The Services provided by TravelPerk through its platform, which allows companies to search, book, manage, report and control costs of their business travel, may include the following activities according to the Services hired by each Customer:
a) Create, maintain and update User accounts.
b) Manage travel bookings, process orders and payments, provide booking confirmations, change and cancel bookings.
c) Send notices to Users in case of cancellation, modification or no-show.
d) Provide customer support, respond to questions, enquiries and claims and handle special requests.
e) Provide booking recommendations to Users based on their previous bookings and search history.
f) Send notices to remind Users of unfinished booking processes.
g) Inform Customers and Travelers about any updates to the Services, including new features and functionalities.
h) Render all services hired by the Customer from time to time, such as business travel management, Premium, PRO and flexible cancellation services, API access, services related to CO2 compensation, services aimed at giving Customers information on emergency or risk situations in different countries or any other service rendered in the future as hired by Customer from time to time.
Any new service offered by TravelPerk and hired by the Customer in where TravelPerk is a data processor and Customer is a data controller would be deemed to be included in the definition of Services. TravelPerk will process personal data for the purposes indicated above as well as for any purpose which is deemed necessary to render the services hired by the Customer.
3.2 Use of Services by Minors
3.2.1 The Services are not intended for or directed to minors under the age of 18 (“Minor”). Minors shall not be authorized to create an account at TravelPerk or to book the Services. Notwithstanding the above, under exceptional circumstances, authorized Users (Customers’ employees) who need to travel together with their children may also submit the relevant personal data of those Minors, only as strictly necessary for the purpose of retaining the Services, provided that:
(i) as regards Minors under 14 years of age, the relevant authorized Users (adults) must have the legal capacity to provide consent on behalf of them; and
(ii) as regards Minors between 14 and 18 years of age, the relevant authorized Users (adults) must obtain (and be able to provide proof of) the consent given by those Minors.
3.2.2 The Customer undertakes to indemnify, defend and hold TravelPerk harmless against any legal and/or extrajudicial action arising from any unlawful processing of the Minor’s personal data.
4. SPECIAL CATEGORIES OF PERSONAL DATA
4.1 TravelPerk does not ask the User to disclose any special category of data (i.e. personal data concerning health, sex life or orientation, racial or ethnic origin, political views, religious or philosophical beliefs and trade union membership, as well as biometric and genetic data). Customers shall properly train Users so that such Users only disclose special categories of data to TravelPerk when is strictly necessarily for TravelPerk to render the Services.
4.2 TravelPerk incidentally accesses to special categories of data (health) to handle certain enquiries from Users. Where such User disclose special category of data, the disclosing of such data should constitute the affirmative action of consent.
5. DETAILS OF THE PROCESSING
5.1 Appendix 1 sets out the nature, duration and purposes of the processing, the types of personal data TravelPerk processes and the categories of data subjects whose personal data is processed.
6. OBLIGATIONS OF THE CUSTOMER
6.1 Within the scope of the Agreement and in its use of the Services, the Customer shall be responsible for ensuring that the processing of personal data takes place in compliance with the applicable Data Protection Laws and this Data Processing Agreement. The Customer is responsible for ensuring that the processing of personal data is lawful and, if applicable, any necessary consent from data subjects has been obtained.
6.2 In order to permit the provision of the Services, the Customer undertakes to make available to TravelPerk all the personal data necessary for the appropriate operation of the processing activities.
6.3 The Customer warrants the accuracy and quality of the personal data made available to TravelPerk, and that they have been collected in compliance with all necessary transparency and lawfulness requirements under the applicable Data Protection Laws, including obtaining any necessary consents and authorisations.
7. OBLIGATIONS OF TRAVELPERK AND COMMUNICATION OF PERSONAL DATA TO THIRD SUPPLIERS
7.1 Customer’s instructions
7.1.1 TravelPerk shall process the personal data only to carry out the provision of Services and under documented instructions from the Customer (unless required to conduct complementary processing activities by an applicable regulation).
7.1.2 By means of this Data Processing Agreement, the Customer expressly authorises TravelPerk to use the personal data in order to proceed with the bookings, reservations and any modifications, confirmations, cancellations and to render the Services hired by the Customer from time to time.
TravelPerk shall ensure that any personnel authorised to process personal data on TravelPerk’s behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3 Security of the personal data
7.3.1 Where the personal data are processed in the systems or facilities of TravelPerk, TravelPerk shall guarantee the implementation of appropriate technical and organisational measures in order to achieve a level of security adequate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
In assessing the appropriate level of security, it shall be taken in to account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
7.3.2 In furtherance of its obligations under Section 7.3.1 above, TravelPerk shall implement and maintain the security measures set out in Appendix 2.
7.3.3. TravelPerk shall use only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures in order to achieve a level of security adequate to the risk.
7.4 Personal Data Breaches
7.4.1 TravelPerk shall notify the Customer without undue delay after becoming aware of a Personal Data Breach, and assist the Customer in case the Personal Data Breach needs to be notified to the Spanish Data Protection Agency or other competent supervisory authority and, where applicable, to the affected data subjects.
7.4.2 To the extent possible, TravelPerk shall provide the Customer with the following information:
a) Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
c) Describe the likely consequences of the Personal Data Breach.
d) Describe the measures taken or proposed to be taken by the Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.4.3 Where, and in so far as, it is not possible to provide the information referred to in Section 7.4.2 above at the same time, the information may be provided in phases without undue further delay.
7.4.4 Any notification provided under this Section 7 shall not be interpreted or construed as an admission of fault or liability by TravelPerk.
7.5.1 The Customer hereby grants a general authorisation to TravelPerk for the engagement of Sub-processors in the provision of the Services.
7.5.2 The current list of Sub-processors engaged by TravelPerk can be obtained by sending an email to email@example.com. By contracting the Services, the Customer consents to and authorises the engagement of the Sub-processors included in the mentioned list at that time.
7.5.3 TravelPerk shall inform the Customer of any intended changes concerning the addition or replacement of the Sub-processors, thereby giving the Customer the opportunity to object to such changes. The Customer shall subscribe to receive notifications on new Sub-processors and other data protection matters by filling in this form or by any other mechanism TravelPerk communicates to the Customer from time to time.
7.5.4 When engaging any Sub-processor, TravelPerk shall transfer and communicate to the Sub-processor the obligations assumed by the former under this Data Processing Agreement and, in particular, the application of appropriate technical and organisational measures in such a manner that the processing meets the requirements of applicable regulations.
7.6 International data transfers
7.6.1 TravelPerk or its Sub-processors may store and process the personal data in Third Countries, subject to the TravelPerk’s obligations under Section 7.6.2 below.
7.6.2 If the storage and/or processing of the personal data involves transfers of such data to Third Countries, TravelPerk shall establish as many safeguards as are required under Data Protection Laws for the lawful transfer of personal data to Third Countries, by means of the application of Binding Corporate Rules, Standard Contractual Clauses, or where the relevant transfer has been authorised by the competent supervisory authority or is necessary for the performance of the Agreement.
7.7 Data subject rights
7.7.1 Taking into account the nature of the processing, TravelPerk shall assist the Customer by providing information and appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from data subjects for exercising their rights of access, rectification, erasure, restriction, objection, data portability and not to be subject to automated decision-making (including profiling).
7.7.2 In case a data subject exercises his or her rights directly before TravelPerk and/or authorised Sub-processor, they shall notify the Customer without undue delay. TravelPerk shall not respond to the data subject unless it has obtained the previous authorisation from the Customer. As an exception to this, TravelPerk may respond to data subjects in case TravelPerk did not receive instructions or answer from the Customer within 30 days following TravelPerk notice to the Customer.
7.7.3 For such purpose, Customers shall communicate to TravelPerk a contact email where TravelPerk should forward the data subject requests. The form indicated in clause 7.5.3 shall be used for such purpose. In case the Customer has not provided TravelPerk with the person of contact, TravelPerk will notify the data subject request to an Admin.
7.8 Deletion or return of personal data
Upon termination of the provision of the Services, TravelPerk shall, at the choice of the Customer, delete, return or suitably anonymise all the personal data to the Customer, and delete all existing copies unless storage of the personal data is required or authorised by law.
7.9 Compliance, audits and inspections
TravelPerk shall make available to the Customer all information necessary to demonstrate compliance with the obligations established under this Data Processing Agreement, as well as to allow for and contribute to the performance of audits, including inspections, by the Customer or by a third party authorised by the Customer. Audits and inspections shall be at the Customer’s cost except where those have non-significant impact on TravelPerk’s day to day work.
7.10 Other obligations
TravelPerk undertakes to:
a) Assist the Customer in ensuring compliance with its legal obligations relating to the security of processing, data protection impact assessment and prior consultation.
b) Maintain a record of processing activities carried out on behalf of the Customer.
c) Cooperate, on request, with the Spanish Data Protection Agency or any other data protection authority in the performance of its tasks
8. QUESTIONS AND COMMENTS ON THIS DATA PROCESSING AGREEEMENT
For any questions or comments regarding those Data Processing Agreement, TravelPerk puts the following email address at the Customer’s disposal: firstname.lastname@example.org.
TravelPerk has a data protection officer who can be contacted at email@example.com
9. LEGAL VALIDITY OF THIS DATA PROCESSING AGREEMENT
This Data Processing Agreement constitutes a legal valid act in the sense indicated by art. 28 of the GDPR.
The parties acknowledge and agree that the Customer enters into this Data Processing Agreement which shall also apply to Affiliates registered under the Customer’s account in TravelPerk. The Customer commits to inform Affiliates accordingly.
10. ENTIRE DATA PROCESSING AGREEMENT AND FUTURE CHANGES
This Data Processing Agreement embodies and sets forth the entire agreement and understanding of the parties as to TravelPerk’s role of data processor and, except as otherwise agreed in writing with the Customer, supersedes all prior terms and arrangements included in the previous versions of TravelPerk privacy policies relating to the subject matter of this agreement.
If a Customer does not agree on any terms of this Data Processing Agreement, it may contact firstname.lastname@example.org to expose his concerns or proposal which will be evaluated by TravelPerk. If, after evaluating the situation, TravelPerk concludes that the Customer’s proposal cannot be accepted, the Customer is asked not to use the Services.
We may update this Data Processing Agreement from time to time and will notify you of said changes and updates as required by law. We will indicate the date that revisions were last made to this Data Processing Agreement at the bottom. You can always ask TravelPerk for a copy of the previous versions of Data Processing Agreement.
11. CALIFORNIA CONSUMER PRIVACY ACT SECTION
This section supplements this Data Processing Agreement and applies to California residents only to the extent the California Consumer Privacy Act (CCPA) is applicable to TravelPerk from time to time. For the sake of clarity, TravelPerk will process personal information of Californian residents according to this specific section and to the entire Data Processing Agreement.
“Do Not Sell My Personal Information” TravelPerk does not sell personal data to third parties (as this term is defined in the California Consumer Privacy Act). Californian residents may make a request by sending an email to email@example.com.
California residents are entitled to exercise the following rights:
- Right to request a copy of the personal information TravelPerk has collected about such users or disclosed in the last 12 months (including categories of personal information that TravelPerk has disclosed to third parties for a business purpose and categories of recipients of such personal information). TravelPerk will first verify the identity of such users for such purpose.
- Right to request deletion: California residents have the right to request the deletion of personal information that TravelPerk has collected from them (subject to some exceptions according to the CCPA).
- Right to Opt Out to the sale of personal information: California residents have the right to instruct TravelPerk not to sell personal information collected by TravelPerk about such residents to third parties now or in the future.
You have the right not to receive discriminatory treatment when exercising the rights described above.
To exercise those rights, California residents may send an email to firstname.lastname@example.org with the subject “California Rights Request”.
12. APPLICABLE LEGISLATION AND JURISDICTION
This Data Processing Agreement shall be governed by the Spanish and European regulations in terms of Personal Data Protection, as well as by the resolutions and guidelines of the Spanish Data Protection Agency and other Supervisory Authority competent in this matter. In order to resolve any discrepancy regarding the interpretation and/or the enforcement of the provisions of this Data Processing Agreement, the Customer and TravelPerk submit to the jurisdiction of the Courts and Tribunals of Barcelona (Spain), with express waiver of any other legislation or jurisdiction that may correspond.
APPENDIX 1: DATA PROCESSING INFORMATION
Categories of data subjects:
The personal data processed concern the following categories of data subjects:
Categories of data:
The personal data processed concern the following categories of data:
- Identifying information, such as name and surname, ID or passport details, contact details, date of birth, professional address, country of residence, nationality, professional email address, citizenship.
- Travel affiliation cards.
- Special meals, special necessities if any.
- Means of payment.
- Information on bookings and trips and related requests
- Complaints or requests to customer care
Special categories of data:
See Section 4 above
TravelPerk will collect, store, use, record, structure, consult, modify, transmit, organize and carry out any necessary operation with the purpose to render the Services (the specific purposes are described in section 3 above). The personal data processed will be subjected to the necessary processing activities to properly render the Services.
Duration of processing:
The personal data shall be processed for the term of the contractual relationship between TravelPerk and the Customer, and after the end of this relationship for any reason, for the statutory periods of limitation applicable in each case. After these statutory periods of limitation, the personal data shall be deleted or alternatively anonymised.
APPENDIX 2: SECURITY MEASURES ADOPTED BY TRAVELPERK
|Organisation of Information Security||Security Ownership||TravelPerk has appointed an Information Security Officer responsible for coordinating and leading the security program. TravelPerk’s security program is overseen by the senior leadership team.|
|Data Protection Ownership||TravelPerk has appointed a Data Protection Officer responsible for coordinating and leading data protection compliance. TravelPerk’s data protection program is overseen by the senior leadership team.|
|Information Security Management System (ISMS)||TravelPerk operates an ISMS that sets out policies, procedures and continual improvements to the security program.|
|Security Roles and Responsibilities||TravelPerk has a dedicated team of information security professionals. All employees and relevant contractors have confidentiality obligations within contracts of employment.|
|Risk Management Program||TravelPerk takes a risk-based approach to information security, conducting risk assessments for key company assets.|
|Asset Management||Asset Inventory||TravelPerk maintains an asset inventory of IT equipment and information processing systems. Use of assets is governed by the IT Acceptable Use Policy.|
|Human Resource Security||Confidentiality, Education & Awareness||TravelPerk provides custom information security and data protection awareness training to all employees and relevant contractors on a periodic basis.
Confidentiality clauses are included in all employee and contractor agreements.
|Physical & Environmental Security||Physical Access to Facilities||TravelPerk’s production environment is hosted by ISO 27001 and SOC 2 certified data centers, and as such have stringent controls and extremely limited access.|
|Physical Access to Offices||Access to TravelPerk offices is restricted by means such as keys or key card access, CCTV and similar measures.|
|Operational Security||Anti Malware||TravelPerk maintains anti-malware controls in place for endpoints and its business travel application.|
|Data Loss Prevention||TravelPerk uses mechanisms to detect, control and minimise where personal data is stored. All business and personal data is backed up.|
|Encryption||TravelPerk encrypts personal and confidential data both at rest and during transit to preserve confidentiality.|
|Network Security||Access to corporate network is limited to corporate devices only and protected by password. All changes to network security configuration are subject to change control procedures.|
|Access Control||Access Policy||Access is only provided where necessary for the role.|
|Principle of Least Privilege||The minimum level of privileges are provided to allow authorised personnel to carry out their duties to avoid excessive privileges.|
|Identity & Access Management||TravelPerk adopts an IAM system to centralise, limit and swiftly manage access for employees and contractors.|
|Incident Management||Incident Detection, Reporting & Response||TravelPerk has a defined, repeatable way to respond to incidents according to best practice, taking into account legal obligations. Technical and operational measures have been put in place for timely incident detection and reporting.|
|Third Party Risk Management||Suppliers||TravelPerk suppliers are reviewed by the security and legal teams, with appropriate measures such as contractual requirements and technical monitoring used.|
|Data Sub Processors||TravelPerk performs a security audit of all data sub processors and a final decision about appointing a potential sub processor includes considering any risks identified. TravelPerk monitors the technical security of data sub processors on a continuous basis and engages with the sub processor to remediate any findings of concern.|