Data Processing Agreement
- Purpose and scope
1.1 This Data Processing Agreement (“DPA”) governs your, the customer’s, the “Data Controller”, relationship with the Bookboost app, the “Service”, operated by Bookboost AB, the “Data Processor”, a company limited by shares incorporated in Sweden under company registration number 559091-8974. Data Controller and Data Processor are hereinafter to be referred to as the “Parties”.
1.2 The purpose of this DPA is to regulate the personal data processing that the Data Processor will carry out on behalf of the Data Controller, to ensure compliance with Article 28(3) and 28(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
1.3 This DPA is partly based on the standard contractual clauses adopted by the Commission 4th June 2021 (Commission implementing decision (EU) 2021/914), in accordance with Article 28(6) GDPR.
1.4 This DPA is an integral part of the Terms & Conditions, that together with the signed Proposal (“Proposal”) constitutes the contract between the Parties. In the event of contradiction between this DPA and the provisions in the terms & conditions and/or Proposal, and/or other related agreements between the Parties, this DPA shall prevail.
1.5 Annex I-III are integral parts of this DPA.
1.6 The Data Processor also wants to demonstrate how they are providing sufficient guarantees, in particular their expert knowledge, reliability and resources. Please find technical and organisational measures in Annex III.
1.7 For the execution of the “Service”, containing a unified messaging solution to facilitate communication between the Data Controller and its customers, Data Processor will process personal data on behalf of the Data Controller, specified in Annex I.
- Obligations of the parties
2.1.1 The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
2.1.2 The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
2.2 Assistance to the data controller
2.2.1 The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the Data Controller.
2.2.2 The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (2.2.1) and (2.2.2), the processor shall comply with the controller’s instructions.
2.2.3 In addition to the Data Processor’s obligation to assist the controller pursuant to clause 2.2.2, the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
3. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
4. the obligations in Article 32 Regulation (EU) 2016/679.
2.2.4 The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
2.3 Documentation and compliance
2.3.1 The Parties shall be able to demonstrate compliance with these Clauses.
2.3.2 The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
2.3.3 The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
2.3.4 The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
2.3.5 The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
2.4 Security measures
2.4.1 The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
2.4.2 The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.5 Personal data breach
2.5.1 In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
2.5.2 In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the Data Controller of the personal data breach.
2.5.3 In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
1. A description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
2. the details of a contact point where more information concerning the personal data breach can be obtained;
3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
2.5.4 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
2.6 Non-compliance with the DPA and termination
2.6.1 This DPA shall become effective on the start date, specified in the signed Proposal between the Parties.
2.6.2 This DPA shall be in force for the duration of the contract, specified in the signed Proposal.
2.6.3 Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under this DPA, the Data Controller may instruct the Data Processor to suspend the processing of personal data until the latter complies with this DPA or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with this DPA, for whatever reason.
2.6.4 Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under this DPA, the Data Controller may instruct the Data Processor to suspend the processing of personal data until the latter complies with this DPA or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with this DPA, for whatever reason.
1. the processing of personal data by the processor has been suspended by the controller pursuant to point (2.6.3) and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
2. the processor is in substantial or persistent breach of this DPA or its obligations under Regulation (EU) 2016/679;
3. the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or to Regulation (EU) 2016/679.
2.6.5 The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under this DPA where, after having informed the Data Controller that its instructions infringe applicable legal requirements in accordance with clause 2.1.2, the Data Controller insists on compliance with the instructions.
2.6.6 Following termination of the contract, the processor shall, at the choice of the Data Controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the Data Processor shall continue to ensure compliance with this DPA.
2.6.7 The Data Controller must submit a request to return data to Data Processor within three months after the termination of this DPA. After this period, Data Processor has the right to delete all personal data, including any copies of it, unless Data Processor is legally obliged to store the (personal) data for a longer period.
2.7 Confidentiality and non-disclosure
2.7.1 The Data Processor will treat all personal data and other data received by the Data Controller as confidential. Data Processor will limit the access to this data to persons under the Data Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis.
2.7.2 All (personal) data that the Data Processor receives based on this DPA are subject to a non-disclosure obligation towards third parties. All persons employed by or working for the Data Processor, as well as the Data Processor itself, are required to maintain secrecy regarding the (personal) data.
2.8.1 The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list (Appendix II). The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
2.8.2 Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to this DPA and to Regulation (EU) 2016/679.
2.8.3 At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
2.8.4 The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. If a sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations. The processor shall notify the Data Controller of any failure by the sub-processor to fulfil its contractual obligations. The Data Processor may subcontract the processing of the personal data to external parties.
2.9 Transfer of data to third countries
2.9.1 Any transfer of personal data to third countries or international organisations by the data processor shall only be done on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.
2.9.2 In case transfers to third countries or international organisations, which the Data Processor has not been instructed to perform by the Data Controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
2.10 Liability and indemnification
2.10.1 The Data Processor is liable for all damage suffered by the Data Controller, if this damage is the result of not following the instructions of the Data Controller, this DPA, the GDPR or any other applicable laws and regulations regarding privacy and the protection of personal data.
2.10.2 The Data Processor is liable for all damage suffered by third parties, if such damages are caused by not complying with the lawful instructions of the Data Controller or directly applicable obligations for the Data Processor under the GDPR.
2.10.3 The Data Processor is not liable for any damage resulting from following the written instructions of the Data Controller, if those instructions do not comply with the GDPR or any other applicable laws and regulations regarding privacy and the protection of personal data.
2.10.4 The Data Processor indemnifies Data Controller against all claims of third parties, insofar as Data Processor is liable for the damage suffered by those third parties.
2.11 Costs and default
2.11.1 The Data Processor must reimburse all costs incurred by the Data Controller to force the Data Processor to comply with this DPA.
2.11.2 If a certain obligation is not fulfilled or a certain period for compliance has expired, Data Processor is automatically in default. In such a case a notice of default is not required.
2.12.1 If a part of this DPA is deemed void or voidable, this does not change the validity of the rest of this DPA. Any invalid provision shall be replaced by a provision that is valid and whose interpretation shall be as close as possible to the intent of the invalid provision.
2.13 Final provision
2.13.1 This DPA can only be changed in writing.
2.13.2 This DPA replaces all prior agreements between the parties regarding the processing of personal data.
Last updated 25 October 2022
Annex 1. Description of the processing
Categories of data subjects whose personal data is processed
- Customers; guests who have booked a stay with the Data Controller
- Prospects; potential customers; people who might be interested in the services provided by the Data Controller
- Former customers; previous hotel guests
- Website visitors at the data controller’s web page
Categories of personal data processed
- Name; first name and surname
- E-mail address
- Phone number
- Booking reference
- Channel segment
- Market segment
- Number of adults
- Number of children
- Total cost of booking
- Estimated reservation start
- Estimated reservation end
- Reservation status
- Rate plan name
- Room number
- Room floor
- Building number
- Room type
- Booked space type
- Charged space
- Marketing consent
- Marketing preferences
- Engagement with marketing communications (open rates, clicks, etc.)
- Booking comments; potential comments provided by the customer, e.g. special requests or preferences as well as information about health or food allergies (which are special categories of personal data).
- Chat messages
- IP address
1.1 Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
1.2 Since the Service receives data from free text fields and messages, that data might include all types of personal data. The Data Processor therefore encourages the Data Controller to inform the data subjects that they should not provide more information than strictly necessary.
1.3 The data processor applies strict access to all personal data processed on behalf of the data controller.
1.4 Nature of the processing (the operations performed as a part of the processing). In order to deliver the very best unified guest communication platform, the following operations are a necessary part of the processing:
- Collection and combination of data from data controller’s PMS, and other communication channels such as FB messenger, WhatsApp, email, SMS and hotel booking sites
- Collect information from cookie (if chat widget triggers are used)
- Organize and structure the data to create guest profiles
- Segment guests based on filters chosen by data controller
- Transfer information to the selected channel(s)
- Delete data upon data controller’s request
- Anonymize personal data
- Create reports to provide meaningful insights on outgoing communication
1.5 Purpose(s) for which the personal data is processed on behalf of the controller. The purpose of the Service is to serve as an online reception and provide a platform, where the Data Controller can administer and communicate with their guests, answer questions from potential guests as well as create, schedule, and send direct marketing, as well as to perform requested support.
1.6 Duration of the processing. The Data Controller has full control of the data within the Service and can delete the data at any time. There is also a functionality within the Service to anonymize a guest profile, to keep the anonymized data for statistical purposes.
Categories of data subjects whose personal data is processed
- Data controller’s employees that have access to the Service (except the main administrator, for which Bookboost processes data as data controller)
Categories of personal data processed
- Phone number
- IP address
- Passport information
- Birth date
2.1 Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
2.2 Nature of the processing (the operations performed as a part of the processing). To enable the data controller's employees to administer and use the Service, they need to create a user account. The operations that are necessary to set up and provide the user account are:
- Collect personal data
- Store the data
- Confirm the log-in details (so only authorized users can log in)
2.3 Purpose(s) for which the personal data is processed on behalf of the controller. Purpose is to fulfill the obligation to provide user accounts to the data controller’s employees, so that they can use the Service.
2.4 Duration of the processing. The user accounts and connected personal data will be processed as long as the user is active in the System. The data controller’s admin can delete the data at any time.
Annex 2. Technical and organisational measures including technical and organisational measures to ensure the security of the data
The technical and organizational measures provided below apply to the Service and all personal data processing described in Annex I. Evidence of the measures implemented and maintained by the Data Processor may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon request from the Data Controller. Certain measures will be further elaborated below.
2.1 Description of technical and organisational security measures implemented by the Data processor.
1. Encryption of digital files containing personal data consisting of passwords
2. Security of the network connection with Secure Sockets Layer (SSL) technology or a similar technology
3. Security of the personal data in accordance with the ISO 27001 standard
4. Back-ups of the personal data to restore them in time in case of physical or technical incidents
2.2 The Data Processor will maintain a data breach response plan and follow documented incident response policies including data breach notification to Data Controller without undue delay where a breach is known or reasonably suspected to affect the data processed under this DPA.
2.3 The Data Processor will assess risks related to processing of personal data and create an action plan to mitigate identified risks.
2.4 The Data Processor will maintain and follow IT security policies and practices that are integral to Data Processor’s business and mandatory for all Data Processor’s employees, including supplemental personnel. The Data Processor will review IT security policies periodically and amend such policies as Data Processor deems reasonable to maintain protection of services and content processed therein.
2.5 The Data Processor will maintain an inventory of Personal Data reflecting the instructions set out in the Data Processing Policy (DPC), including disposal instructions upon contract closure. Computing environments with resources containing Personal Data will be logged and monitored.
2.6 The Data Processor’s employees will complete security and privacy education annually and certify each year that they will comply with Data Processor's ethical business conduct, confidentiality, and security policies, as set out in Data Processor's Business Conduct Guidelines. Additional policy and process training will be provided to persons granted administrative access to security components that are specific to their role within Data Processor’s operation and support of the service, and as required to maintain compliance and certifications.
2.7 The Data Processor will maintain proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. Only employees with a clear business need have access to Personal Data located on servers, within applications, databases and/or the ability to download data within Data Processor’s network. All access requests will be approved based on individual role-based access and reviewed on a regular basis for continued business need. All systems must meet corporate IT Security Standards and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources (OSRs).
2.8 For Data Controllers with Managed Services, the Data Processor will maintain additional controls for user access to Customer Personal Data to prevent unauthorized access to Customer Personal Data. Access to Customer Personal Data is verified daily for continued employment and re-validated annually for continued business need. The Data Processor will limit privileged access to individuals for a limited period of time and usage will be monitored and logged. Any shared access will be for a limited period of time and usage will be monitored and logged as well as revalidated regularly.
2.9 The Data Processor will employ encrypted and authenticated remote connectivity to Data Processor computing environments and Data Controller systems unless otherwise directed by the Customer.
2.10 Availability of data through business continuity and disaster recovery planning support our documented risk management guidelines. Managed Services will have defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Backup data intended for off-site storage will be encrypted prior to transport.
2.11 The Data Processor will maintain policies and procedures designed to manage risks associated with the application of changes to the Data Controller’s systems.
2.12 The Data Processor will implement protections to secure portable storage media from damage, destruction, theft or unauthorized copying and the personal data stored on portable media through encryption and secure removal of data when it is no longer needed. Additional similar measures will be implemented for mobile computing devices to protect personal data.
Annex 3 – List of sub-processors
1. Zendesk Sunshine
- Address: Montreal, Canada
- Description of the processing: Provides the platform that enables us to connect various messaging services (e.g. WhatsApp, Twilio, Mailgun, etc.) to the Bookboost service
- Address: Texas USA
- Description of the processing: The email engine used to send out emails
- Address: San Francisco, USA
- Description of the processing: The SMS engine. Used to send and receive SMS
- Address: London, England
- Description of the processing: Used to facilitate the connection between Bookboost and certain PMSs
5. Hapi Cloud
- Address: Florida, USA
- Description of the processing: Used to facilitate the connection between Bookboost and certain PMSs
6. Amazon Web Services
- Address: 410 Terry Avenue North, Seattle, WA 98109-5210
- Description of the processing: database storage
- Address: 415 Mission Street, Suite 300, San Francisco, CA 94105
- Description: a cloud platform as a service (PaaS) supporting several programming languages
- Address: 6 Place de la Madeleine. 75008 Paris. San Francisco
- Description: a web infrastructure and website security company