AvaiBook shall access personal data held by the Owner or manager, Portal and/or Partner (as appropriate in each case) (the "Customer") as part of the services contracted (the "Agreement"). As a result of the new obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("RGPD"), it is necessary to amend the obligations assumed in the Data Protection Agreement.
As from 25 May 2018, the data protection regulations of the Contract shall be replaced by this data processor agreement (the "Agreement"), which shall be governed by the provisions of Article 28 of the RGPD, and in particular by the following clauses
2. OBJECT: The Client, as the person responsible for the processing of personal data, makes available to AvaiBook:
Identification data of the registered (names, surnames, addresses, telephone numbers, email addresses or other data that you configure to register)
Information regarding payment transactions processed through AvaiBook (if the customer uses AvaiBook to manage such transactions)
Likewise, the provision of services by AvaiBook implies the following treatments: collection, recording, structuring, conservation, consultation, communication, dissemination, interconnection, suppression, destruction, conservation.
The Agreement shall enter into force on May 25, 2018 (or on the date of its acceptance, if later) and shall remain in force for as long as the Contract remains in force.
4. Obligations of AvaiBook as data processor:
AvaiBook declares that:
- - Has sufficient technical capacity to comply with its obligations under the Contract in relation to the regulations on the protection of personal data, being able to commit, to the extent that the provision of services requires it, to comply with the requirements of the RGPD.
- - It will keep the confidentiality and confidentiality of the personal data of the client to which it will have access and will treat them exclusively on behalf of the Client.
- - It will assign the a for mentioned data only to the provision of the services and not to use them or apply them in any way that exceeds said purpose. In case the client requests some treatment that exceeds the provision of the service, he will detail it in writing through the corresponding instructions.
- - It will not communicate to third parties, even for its conservation, the data to which it has access under the provision of the services, nor the elaborations, evaluations or similar processes that it carries out with said data, nor duplicate or reproduce all or part of the information, results or relations on said data, except for those cases in which it is legally required.
- - He shall make available to the client the information necessary to demonstrate compliance with his obligations, as well as for the performance of audits or inspections reasonably performed by the client, or by another auditor on his behalf.
- - If legally necessary, you will have a data protection officer appointed, or one responsible for the management of this area and compliance with data protection legislation, and will communicate your identity and contact details to the client.
- - Persons authorised to process personal data on AvaiBook shall expressly undertake in writing to respect confidentiality and to comply with the relevant security measures. AvaiBook will provide the necessary training in the protection of personal data to authorized persons.
- - It shall provide the necessary support to the customer in carrying out impact assessments and prior consultations with the supervisory authority, where appropriate and reasonably necessary.
- - In the event that AvaiBook considers that compliance with a particular instruction of the Customer may result in a breach of the RGPD or any other applicable rules that may amend or supplement it, AvaiBook will immediately notify the Customer and request that the Customer withdraw, amend or confirm the relevant instruction. AvaiBook may suspend the application of the relevant instruction pending the decision of the relevant customer regarding the withdrawal, amendment or confirmation of the relevant instruction.
- - At the end of the provision of services, and at the customer's request, it will destroy, according to the customer's instructions and if technically possible, the personal data to which it has had access, as well as the documents or media on which any of this data is stored. Especially to be returned: (i) the data included in files under the responsibility of the customer, which the customer has made available to AvaiBook as a result of the provision of the services; (ii) any data that may have been generated as a result of AvaiBook's processing of the data under the customer's responsibility; and (iii) any media or documents on which any of these data are contained. The data will not be destroyed if there is a legal obligation to store them, in which case AvaiBook will return the data to the customer, who must ensure that they are kept.
- - It will implement the mechanisms for: (i) to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services; (ii) to restore the availability of and access to data in the event of a physical or technical incident; (iii) to verify, evaluate and evaluate, on a regular basis, the effectiveness of the technical and organisational measures implemented to ensure the security of processing; and (iv) to pseudonymise and encrypt the data, where appropriate.
- - As data processor, he shall report without undue delay, and in any event before the 24-hour deadline and by e-mail, any suspected or confirmed data protection incident, any data processing that may be considered unlawful or unauthorised, any loss, destruction of or damage to personal data within the area of responsibility of AvaiBook (caused by AvaiBook, its staff, agents or subcontractors) and any incident that may be considered a breach of data security, together with all relevant information for the documentation and communication of the incident to the authorities or affected stakeholders. It will also assist the customer, in the event of a breach of personal data security, to ensure compliance with the obligations to notify of a breach of personal data security in accordance with the RGPD (in particular, Articles 33 and 34 of the RGPD) and any other applicable rules that may amend, supplement or be enacted in the future.
- - He will assist the Client when requested by means of a reasonable request, providing him with the information and/or documentation he needs for an adequate response to the exercise of the rights of access, rectification, suppression, opposition, limitation of the processing and/or portability of data that he may receive from the interested parties, all within a reasonable period of time.
- - In those cases in which AvaiBook directly receives a request for access, rectification, deletion, opposition, limitation of processing and/or portability by the data subject, owner of the data being processed, it undertakes to forward the request to the customer immediately, so that the customer can respond to it within the legally established deadlines.
- - It will not outsource the services to any third party, unless they are ancillary services that AvaiBook requires to properly deliver its services, such as payment processing via a payment gateway. In the event that AvaiBook needs to sub-contract a treatment, it will inform the customer of the services and treatments it intends to outsource, the identity of the subcontractor and his contact details. This notification must be made in writing by AvaiBook at least two weeks prior to the signing of the subcontract.
- - It will not carry out international transfers of personal data to which the customer has access, unless it has the customer's prior written authorisation or is duly regularised.
- - It shall have at its disposal a general description of the technical and organisational security measures relating to (i) the pseudonymisation and encryption of personal data, where applicable; (ii) the ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to personal data in the event of a physical or technical incident; and (iv) the process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the security of processing.
- - It shall implement all those technical and organisational measures in the field of security that are applicable in accordance with the provisions of the RGPD (in particular, but not limited to, those of Article 32) and any other applicable regulations that modify, complement or replace it. The security measures may be updated if required by any future regulations that may be enacted, and if this affects the costs of the services contracted in a relevant manner, the parties shall agree on the appropriate measures to resolve the situation.
5. Prohibition of other uses: AvaiBook will be considered responsible for the processing in the event that it uses the data for other purposes, communicates them or uses them in breach of the provisions of the Agreement, and is liable for any infringements incurred personally.
6. Information to the signatories:
AvaiBook will process personal data relating to the person signing the contract on the basis of his or her legitimate interest, and for the sole purpose of ensuring the maintenance of our contractual relationship and for the duration of the same, and may subsequently keep them blocked for the period of time that may result from the prescription of legal action relating to this processing. The interested parties may at any time exercise their rights of access, rectification, suppression, limitation of processing and opposition by contacting AvaiBook at the following email address: email@example.com. In addition, you may also contact the competent authority to claim your rights. The data of the signatories will not be transferred to any third party and may be accessed by service providers in the technology and systems sectors of AvaiBook.
This Agreement shall enter into force on 25 May 2018, or on the date of its acceptance, whichever is the later.