- Last update 09/07/2020
Data Processing Agreement
This Data Processing Agreement (“Data Processing Agreement”) defines the conditions under which TravelPerk, S.L.U. (“TravelPerk”), as data processor, processes and secures the personal data necessary for the provision of the Services contracted by the Customer (data controller) under the agreement or agreements between TravelPerk and the Customer (the “Agreement”).
By contracting the Services, the Customer accepts and agrees to be bound by this Data Processing Agreement, which shall form an integral part of the Agreement.
SUMMARY OF THE DATA PROCESSING AGREEMENT:
- ROLES OF THE PARTIES
- SCOPE OF THE SERVICES
- SPECIAL CATEGORIES OF PERSONAL DATA
- DETAILS OF THE PROCESSING
- OBLIGATIONS OF THE CUSTOMERS
- OBLIGATIONS OF TRAVELPERK AND COMMUNICATION OF DATA TO THIRD SUPPLIERS
- QUESTIONS AND COMMENTS ON THIS DATA PROCESSING AGREEMENT
- LEGAL VALIDITY OF THIS DATA PROCESSING AGREEMENT
- ENTIRE DATA PROCESSING AGREEMENT AND FUTURE CHANGES
- CALIFORNIA CONSUMER PRIVACY ACT SECTION
- APPLICABLE LEGISLATION AND JURISDICTION
APPENDIX 1: DATA PROCESSING INFORMATION
APPENDIX 2: SECURITY MEASURES ADOPTED BY TRAVELPERK
1.1 In this Data Processing Agreement:
- a) “Admin” means the employee or employees of TravelPerk’s Customers who act in representation of such Customers and who have administration rights on TravelPerk’s platform.
- b) “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control – where control means the ownership of a majority share of the stock, equity or voting interests of such entity – with Customer, or any party with a direct or indirect shareholding or equity interest in Customer.
- c) “Binding Corporate Rules” means personal data protection policies that allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data.
- d) “Customer or Customers” means the companies, entities, and/or organizations that retain the Services of TravelPerk.
- e) “Data Protection Laws” means the GDPR, the Spanish Royal Decree 3 2018 December, the applicable EEA member state data protection provisions. For Customers based in the United Kingdom, it shall also mean the applicable data protection laws in the United Kingdom from time to time.
- f) “EEA” means the European Economic Area.
- g) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- h) “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed by TravelPerk in connection with the provision of the Services.
- i) “Privacy Shield” means the EU-U.S. Privacy Shield legal framework designed by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July 12, 2016 and as amended from time to time.
- j) “Services” means the services related to business travel offered by TravelPerk to the Customer under the Agreement in which the Customer is a controller of personal data and TravelPerk is a data processor. The scope of the Services is further described in Section 3.
- k) “Standard Contractual Clauses” means the standard contractual clauses for processors established outside the EEA approved by the European Commission pursuant to its Decision 2010/87/EU of February 5, 2010.
- l) “Sub-processor” means any natural or legal person engaged by TravelPerk and authorised under this Data Processing Agreement to access and process personal data in order to assist in the provision of the Services.
- m) “Subscription Fees” means fees paid by the Customer for the Services. For the sake of clarity, costs of the travel or trips or other disbursements are not considered Subscription Fees.
- n) “Third Country” means a country outside the EEA or a country which does not ensure an adequate level of security according to EEA standards.
- o) “Traveler” means the employees and, where applicable, contractors of the Customer who have a traveler account on TravelPerk’s platform and who travel for business purposes in trips booked through the platform.
- p) “Travel Services” means travel-related services provided by third parties such as airlines, train operators, rental car agencies and hotels or accommodation providers (“Travel Service Providers”).
- q) “User” means the Travelers and Admins.
1.2 The terms “personal data”, “special categories of data”, “process/processing”, “data controller”, “data processor”, “data subject” and “supervisory authority” and any other term not expressly defined in this Data Processing Agreement shall have the same meaning as in the GDPR.
2. ROLES OF THE PARTIES
The parties acknowledge and agree that with regard to the processing of personal data under this Data Processing Agreement, the Customer is the Data Controller and TravelPerk is the Data Processor. Each party is responsible for compliance with its respective obligations under Data Protection Laws.
3. SCOPE OF THE SERVICES
3.1 General description
The Services provided by TravelPerk through its platform, which allows companies to search, book, manage, report and control costs of their business travel, may include the following activities according to the Services hired by each Customer:
- a) Create, maintain and update User accounts.
- b) Manage travel bookings, process orders and payments, provide booking confirmations, change and cancel bookings.
- c) Send notices to Users in case of cancellation, modification or no-show.
- d) Provide customer support, respond to questions, enquiries and claims, handle special requests, and conduct surveys to understand Customer satisfaction on the services.
- e) Record customer care requests to be able to attend the Customer’s requests.
- f) Provide booking recommendations to Users based on their previous bookings and search history.
- g) Send notices to remind Users of unfinished booking processes.
- h) Improve the Services by collecting metrics and information about how Users interact with and use them.
- i) Detect and prevent fraud or other potentially prohibited or illegal activities.
- j) Issue invoices and costs reports to Customers.
- k) Render all services hired by the Customer from time to time (such as FlexiPerk, GreenPerk, services aimed at giving Customers information on emergency or risk situations in different countries or any other service rendered in the future).
Any new service offered by TravelPerk and hired by the Customer in which TravelPerk is a data processor and Customer is a data controller would be deemed to be included in the definition of Services. TravelPerk will process personal data for the purposes indicated above as well as for any purpose which is deemed necessary to render the services hired by the Customer.
3.2 Updates to the Services
As part of the Services, TravelPerk processes personal data of Users to inform them about any updates to the Services, including new features and functionalities. These messages are required to provide the Services, and therefore are not commercial communications. Users cannot opt-out from receiving them.
3.3. Use of Services by Minors
- 3.3.1 The Services are not intended for or directed to minors under the age of 18 (“Minor”), and TravelPerk does not knowingly or intentionally collect or process personal data of Minors.
- 3.3.2 The Customer undertakes to indemnify, defend and hold TravelPerk harmless against any legal and/or extrajudicial action arising from any unlawful processing of the Minor’s personal data.
4. SPECIAL CATEGORIES OF PERSONAL DATA
TravelPerk does not ask the User to disclose any special category of data (i.e. personal data concerning health, sex life or orientation, racial or ethnic origin, political views, religious or philosophical beliefs and trade union membership, as well as biometric and genetic data). Customers shall properly train Users so that such Users only disclose special categories of data to TravelPerk when it is strictly necessary for TravelPerk to render the Services.
5. DETAILS OF THE PROCESSING
TravelPerk incidentally accesses special categories of data (health) to handle certain enquiries from Users. Where such Users disclose special categories of data, the disclosure of such data should constitute the affirmative action of consent.
6. DETAILS OF THE PROCESSING
Appendix 1 sets out the nature, duration and purposes of the processing, the types of personal data TravelPerk processes and the categories of data subjects whose personal data is processed.
OBLIGATIONS OF THE CUSTOMER
6.1 Within the scope of the Agreement and in its use of the Services, the Customer shall be responsible for ensuring that the processing of personal data takes place in compliance with the applicable Data Protection Laws and this Data Processing Agreement. The Customer is responsible for ensuring that the processing of personal data is lawful and, if applicable, any necessary consent from data subjects has been obtained.
6.2 In order to permit the provision of the Services, the Customer undertakes to make available to TravelPerk all the personal data necessary for the appropriate operation of the processing activities.
6.3 The Customer warrants the accuracy and quality of the personal data made available to TravelPerk, and that they have been collected in compliance with all necessary transparency and lawfulness requirements under the applicable Data Protection Laws, including obtaining any necessary consents and authorisations.
7. OBLIGATIONS OF TRAVELPERK AND COMMUNICATION OF PERSONAL DATA TO THIRD SUPPLIERS
7.1 The Customer’s instructions
- 7.1.1 TravelPerk shall process the personal data only to carry out the provision of Services and under documented instructions from the Customer (unless required to conduct complementary processing activities by an applicable regulation).
- 7.1.2 By means of this Data Processing Agreement, the Customer expressly authorises TravelPerk to use the personal data in order to proceed with the bookings, reservations and any modifications, confirmations, cancellations and to render the Services hired by the Customer from time to time.
TravelPerk shall ensure that any personnel authorised to process personal data on TravelPerk’s behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3 Security of the personal data
- 7.3.1 Where the personal data are processed in the systems or facilities of TravelPerk, TravelPerk shall guarantee the implementation of appropriate technical and organisational measures in order to achieve a level of security adequate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- 7.3.2 In furtherance of its obligations under Section 7.3.1 above, TravelPerk shall implement and maintain the security measures set out in Appendix 2.
- 7.3.3 TravelPerk shall use only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures.
7.4 Personal Data Breaches
- 7.4.1 TravelPerk shall notify the Customer without undue delay after becoming aware of a Personal Data Breach, and assist the Customer in case the Personal Data Breach needs to be notified to the Spanish Data Protection Agency or other competent supervisory authority and, where applicable, to the affected data subjects.
- 7.4.2 To the extent possible, TravelPerk shall provide the Customer with the following information:
- a) Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
- c) Describe the likely consequences of the Personal Data Breach.
- d) Describe the measures taken or proposed to be taken by the Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- 7.4.3 Where, and in so far as, it is not possible to provide the information referred to in Section 7.4.2 above at the same time, the information may be provided in phases without undue further delay.
- 7.5.1 The Customer hereby grants a general authorisation to TravelPerk for the engagement of Sub-processors in the provision of the Services.
- 7.5.2 The current list of Sub-processors engaged by TravelPerk can be obtained by sending an email to email@example.com. By contracting the Services, the Customer consents to and authorises the engagement of the Sub-processors included in the mentioned list at that time.
- 7.5.3 TravelPerk shall inform the Customer of any intended changes concerning the addition or replacement of the Sub-processors, thereby giving the Customer the opportunity to object to such changes. The Customer shall subscribe to receive notifications on new Sub-processors and other data protection matters by filling in this form or by any other mechanism TravelPerk communicates to the Customer from time to time.
- 7.5.4 When engaging any Sub-processor, TravelPerk shall transfer and communicate to the Sub-processor the obligations assumed by the former under this Data Processing Agreement and, in particular, the application of appropriate technical and organisational measures in such a manner that the processing meets the requirements of applicable regulations.
- 7.5.5 TravelPerk shall remain fully liable for the performance of the Sub-processor’s obligations subject to the limited liability set forth in Section 8 below.
7.6 International data transfers
- 7.6.1 TravelPerk or its Sub-processors may store and process the personal data in Third Countries, subject to TravelPerk’s obligations under Section 7.6.2 below.
- 7.6.2 If the storage and/or processing of the personal data involves transfers of such data to Third Countries, TravelPerk shall establish as many safeguards as are required under Data Protection Laws for the lawful transfer of personal data to Third Countries, by means of the application of Binding Corporate Rules, Standard Contractual Clauses, Privacy Shield, or where the relevant transfer has been authorised by the competent supervisory authority or is necessary for the performance of the Agreement.
7.7 Data subject rights
- 7.7.1 Taking into account the nature of the processing, TravelPerk shall assist the Customer by providing information and appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests from data subjects for exercising their rights of access, rectification, erasure, restriction, objection, data portability and not to be subject to automated decision-making (including profiling).
- 7.7.2 In case a data subject exercises his or her rights directly before TravelPerk and/or authorised Sub-processor, they shall notify the Customer without undue delay. TravelPerk shall not respond to the data subject unless it has obtained the previous authorisation from the Customer. As an exception to this, TravelPerk may respond to data subjects in case TravelPerk did not receive instructions or answer from the Customer within 30 days following TravelPerk’s notice to the Customer. For such purpose, Customers shall communicate to TravelPerk a contact email where TravelPerk should forward the data subject requests. The form indicated in clause 7.5.3 shall be used for such purpose. In case the Customer has not provided TravelPerk with the person of contact, TravelPerk will notify the data subject request to an Admin.
7.8 Deletion or return of personal data
Upon termination of the provision of the Services, TravelPerk shall, at the choice of the Customer, delete, return or suitably anonymise all the personal data to the Customer, and delete all existing copies unless storage of the personal data is required or authorised by law.
7.9 Audits and inspections
TravelPerk shall make available to the Customer all information necessary to demonstrate compliance with the obligations established under this Data Processing Agreement, as well as to allow for and contribute to the performance of audits, including inspections, by the Customer or by a third party authorised by the Customer. Audits and inspections shall be at the Customer’s cost except where those have non-significant impact on TravelPerk’s day to day work.
7.10 Other obligations
TravelPerk undertakes to:
a) Assist the Customer in ensuring compliance with its legal obligations relating to the security of processing, data protection impact assessment and prior consultation.
b) Maintain a record of processing activities carried out on behalf of the Customer.
c) Cooperate, on request, with the Spanish Data Protection Agency or any other data protection authority in the performance of its tasks.
8.1 A regulatory authority or court of competent jurisdiction may determine that either Party (or both Parties) is liable for breach of GDPR and impose fines or other penalties (including damages to be awarded to a Data Subject) with regard to each Party’s position respectively as Data Controller (Customer) or Data Processor (TravelPerk); in such case each Party shall assume the fines or penalties imposed by the regulatory authority or competent court to such Party which determination shall be unaffected by this sub-clause. Further, nothing in this sub-clause shall be interpreted as placing a limit on either Party’s liability for fraud, fraudulent misrepresentation, death or personal injury caused by gross negligence or any other liability that cannot by law be excluded or limited. However, as between the Parties the maximum aggregate cumulative total liability that TravelPerk may assume due to proven breaches of the obligations of this Data Processing Agreement or for any other obligation related to data protection towards the Customer and, if applicable, Customer affiliates, will be limited as follows:
- a) The liability of TravelPerk shall not exceed either the total Subscription Fees paid by the Customer (and, if applicable, by Customer affiliates) in the twelve-month period preceding the claim or action or ten thousand (10.000) Euro, whichever is higher.
- b) If the Customer is using the platform at no cost, TravelPerk will not pay any compensation to the Customer. In the event TravelPerk is determined to have any liability by a competent authority and to pay a compensation to such Customers, then TravelPerk’s liability shall be limited to a maximum amount of one thousand (1000) Euro.
8.2 TravelPerk will only be liable for proven direct damages and up to the limits indicated in clause 8.1. TravelPerk shall not be liable to the Customer for indirect damages, such as loss of revenue, loss of profits, loss of contracts, loss of anticipated savings, loss of goodwill or third party claims whether such losses are direct or indirect; or any losses or damages that are indirect or secondary consequences of any act or omission of TravelPerk, its employees, representatives, contractors or agents in either case, regardless of whether such losses or damages were reasonably foreseeable or actually foreseen.
9. QUESTIONS AND COMMENTS ON THIS DATA PROCESSING AGREEMENT
For any questions or comments regarding this Data Processing Agreement, TravelPerk puts the following email address at the Customer’s disposal: firstname.lastname@example.org.
TravelPerk has a data protection officer who can be contacted at email@example.com.
10. LEGAL VALIDITY OF THIS DATA PROCESSING AGREEMENT
This Data Processing Agreement constitutes a legally valid act in the sense indicated by art. 28 of the GDPR.
The parties acknowledge and agree that the Customer enters into this Data Processing Agreement which shall also apply to Affiliates registered under the Customer’s account in TravelPerk. The Customer commits to inform Affiliates accordingly.
11. ENTIRE DATA PROCESSING AGREEMENT AND FUTURE CHANGES
This Data Processing Agreement embodies and sets forth the entire agreement and understanding of the parties as to TravelPerk’s role of data processor and, except as otherwise agreed in writing with the Customer, supersedes all prior terms and arrangements included in the previous versions of TravelPerk privacy policies relating to the subject matter of this agreement.
If a Customer does not agree on any terms of this Data Processing Agreement, it may contact firstname.lastname@example.org to set out its concerns or proposal, which will be evaluated by TravelPerk. If, after evaluating the situation, TravelPerk concludes that the Customer’s proposal cannot be accepted, the Customer is asked not to use the Services.
We may update this Data Processing Agreement from time to time and will notify you of said changes and updates as required by law. We will indicate the date that revisions were last made to this Data Processing Agreement at the bottom. You can always ask TravelPerk for a copy of the previous versions of Data Processing Agreement.
12. CALIFORNIA CONSUMER PRIVACY ACT SECTION
This section supplements this Data Processing Agreement and applies to California residents only to the extent the California Consumer Privacy Act (CCPA) is applicable to TravelPerk from time to time. For the sake of clarity, TravelPerk will process personal information of Californian residents according to this specific section and to the entire Data Processing Agreement.
“Do Not Sell My Personal Information”
TravelPerk does not sell personal data to third parties (as this term is defined in the California Consumer Privacy Act). Californian residents may make a request by sending an email to email@example.com.
California residents are entitled to exercise the following rights:
- Right to request a copy of the personal information TravelPerk has collected about such users or disclosed in the last 12 months (including categories of personal information that TravelPerk has disclosed to third parties for a business purpose and categories of recipients of such personal information). TravelPerk will first verify the identity of such users for such purpose.
- Right to request deletion: California residents have the right to request the deletion of personal information that TravelPerk has collected from them (subject to some exceptions according to the CCPA).
- Right to opt out of the sale of personal information: California residents have the right to instruct TravelPerk not to sell personal information collected by TravelPerk about such residents to third parties now or in the future. You have the right not to receive discriminatory treatment when exercising the rights described above.
To exercise those rights, California residents may send an email to firstname.lastname@example.org with the subject “California Rights Request”.
13. APPLICABLE LEGISLATION AND JURISDICTION
This Data Processing Agreement shall be governed by the Spanish and European regulations in terms of Personal Data Protection, as well as by the resolutions and guidelines of the Spanish Data Protection Agency and other Supervisory Authority competent in this matter. In order to resolve any discrepancy regarding the interpretation and/or the enforcement of the provisions of this Data Processing Agreement, the Customer and TravelPerk submit to the jurisdiction of the Courts and Tribunals of Barcelona (Spain), with express waiver of any other legislation or jurisdiction that may correspond.
APPENDIX 1: DATA PROCESSING INFORMATION
Categories of data subjects:
The personal data processed concern the following categories of data subjects:
Categories of data:
The personal data processed concern the following categories of data:
- Identifying information, such as name and surname, ID or passport details, contact details, date of birth, professional address, country of residence, nationality, professional email address, citizenship.
- Travel affiliation cards.
- Special meals, special necessities if any.
- Means of payment.
- Information on bookings and trips and related requests.
- Complaints or requests to customer care.
Special categories of data:
See Section 4 above.
TravelPerk will collect, store, use, record, structure, consult, modify, transmit, organize and carry out any necessary operation with the purpose to render the Services (the specific purposes are described in section 3 above). The personal data processed will be subjected to the necessary processing activities to properly render the Services.
Duration of processing:
The personal data shall be processed for the term of the contractual relationship between TravelPerk and the Customer, and after the end of this relationship for any reason, for the statutory periods of limitation applicable in each case. After these statutory periods of limitation, the personal data shall be deleted or alternatively anonymised.
APPENDIX 2: SECURITY MEASURES ADOPTED BY TRAVELPERK
S1. TravelPerk will ensure that in respect of all personal data it receives from or processes on behalf of the Customer it maintains standard security measures related to:
- S1.1. the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the personal data;
- S1.2. the nature of the personal data;
S2. In particular, TravelPerk shall, when mandatory according to the applicable data protection law:
- S2.1. have in place and comply with a security policy which:
- S2.1.1. defines security needs based on a risk assessment;
- S2.1.2. allocates responsibility for implementing the policy to a specific individual or members of a team;
- S2.1.3. is provided to the Customer under written request on or before the commencement of the corresponding Services;
- S2.1.4. is disseminated to all relevant members, volunteers and staff; and
- S2.1.5. provides a mechanism for feedback and review.
- S2.2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the personal data in accordance with best industry practice;
- S2.3. prevent unauthorised access to the personal data;
- S2.4. ensure its storage of personal data conforms with best industry practice such that the media on which personal data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to personal data is strictly monitored and controlled;
- S2.5. have secure methods in place for the transfer of personal data whether in physical form or electronic form (for instance, by using encryption);
- S2.6. put password protection on computer systems on which personal data is stored and ensure that only authorised personnel are given details of the password;
- S2.7. take reasonable steps to ensure the reliability of any members, volunteers and employees or other individuals who have access to the personal data;
- S2.8. ensure that any employees or other individuals required to access the personal data are informed of the confidential nature of the personal data;
- S2.9. ensure that none of the employees or other individuals who have access to the personal data publish, disclose or divulge any of the personal data to any third party unless when strictly necessary for the provision of the Services or directed in writing to do so by the Customer;
- S2.10. have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of personal data) including:
- S2.10.1. the ability to identify which individuals have worked with specific personal data;
- S2.10.2. having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the GDPR; and
- S2.10.3. notifying the Customer as soon as any such security breach occurs.
- S2.11. have a secure procedure for backing up and storing back-ups separately from originals;
- S2.12. have a secure method of disposal of unwanted personal data, including for back-ups, disks, print outs and redundant equipment.