Data Processing Agreement
PART I – General Information
- Introduction
- Definitions
- Data Controller
- Data Processor
- Data Subject
PART II – Data Processing Related to Web Hosted Services
- Scope of Data Processing
- Non-Disclosure Commitment
- Security Measures
- Deleting Data
- Data Related Incidents
- Responsibilities of End User
- Customer’s Requests
- Sub processors
PART III – Closing Provisions
- Liability
- Delivery of Notifications
PART I – General Information
- Introduction
1.1. In this Data Processing Agreement (“Agreement”) “DIGI Consulting” means DIGI Consulting Limited, registered in England, with a registered office at 21 Regis Place, 10 Llanvanor Road, London NW2 2AP, Company number 10749352.
1.2. DIGI Consulting develops and owns various software products, including software services provided to DIGI Consulting’s customers via the Internet (“Web Hosted Services”); DIGI Consulting has created a Digital Hotel Receptionist software (EVA) and is distributing and selling it to the hospitality industry (hotels, other accommodation premises, restaurants, etc.). In DIGI Consulting’s General Terms and further in this Agreement DIGI Consulting’s customers are named “End Users”.
1.3. DIGI Consulting is and has always been dedicated to keeping confidential and to protecting the security of any information about End Users and the End Users’ Customers. DIGI Consulting’s top priority is protecting the Personal Data of the individuals who contact DIGI Consulting or End Users via the Services (as defined below). Hence DIGI Consulting has developed its privacy policy and is dedicated to maintaining and updating this policy in accordance with the applicable legislation and the leading practices in the software industry.
1.4. DIGI Consulting provides the Services to End User under the terms of an agreement made either by signing a specific agreement, by accepting DIGI Consulting’s General Terms (as defined below) or by End User using the Services (“Main Agreement”). Such Main Agreement, if related to Web Hosted Services, is also named “Subscription” in the General Terms. By entering into the Main Agreement End User accepts this Agreement and vice versa. By using the Services or by browsing DIGI Consulting’s Websites End User accepts the Agreement.
- Definitions
In this Agreement:
(a) “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” and any other terms defined in Article 4 of the Regulation (EU) 2016/679 have the same meaning as in the said Regulation.
(b) “End User”, “Services”, “Software” and any terms defined in the General Terms have the exact same meaning as in the General Terms.
(c) “Customer” means any individual who is either End User’s customer or employee, subcontractor, other servants or other person who collaborates and communicates with End User and transmits data via the Services.
(d) “Sub processor” means any third party authorised by DIGI Consulting to have logical access to and process Customer Personal Data in order to provide parts of the Web Hosted Services or technical support to DIGI Consulting.
(e) “Technical Support” means any and all services, provided by DIGI Consulting or its subcontractors, either electronically or personally, remotely or on-site, to End User in order to assist and ensure the functionality of the Installable Software. These services may include, but are not limited to training, training videos, maintenance, product related articles, remedy of malfunctions, ongoing support, product or feature setup or activation, online issue resolution, knowledge database records, inline assistance resources, etc.
(f) “General Terms” means DIGI Consulting’s General Terms and Conditions for End-Users of DIGI Consulting – Labelled Software available at the Website.
(g) “Website” is DIGI Consulting’s web site at the address www.digieva.net.
- Data Controller
3.1 Controller is the respective End User – the business entity which uses Web Hosted Services and/or Installable Software for carrying out its commercial activities (hotel reservations, payment processing, etc.) on the basis of the Main Agreement.
3.2 Any and all Customer Personal Data will be processed via the Web Hosted Services and/or the Installable Software for the sole purpose of End User’s business. End User sets all terms and conditions for processing Customer Personal Data (specific categories of data, purpose of processing, duration of storage etc.).
3.3 All Customer Personal Data processed via Services will be property of End User.
- Data Processor
4.1 DIGI Consulting is a Processor for and on behalf of End User who utilizes Web Hosted Services.
4.2 End User who utilizes only Installable Software processes Personal Data on its own.
4.3 DIGI Consulting will process Customer Personal Data submitted, stored, received or sent by End User via the Services solely for provision of the Web Hosted Services and/or the Technical Support to End User in accordance with the Main Agreement.
- Data Subject
The Customer is a Data Subject.
PART II – Data Processing Related to Web Hosted Services
- Scope of Data Processing
6.1 Categories of Data
Customer Personal Data submitted, stored, sent or received by End User or Customer via the Web Hosted Services may include the following categories of data: names, ID number, address, age, email, telephone, documents, credit card details, presentations, images, calendar entries, tasks and other data.
6.2 Duration of the Processing
DIGI Consulting will process Customer Personal Data for the entire duration of the Main Agreement plus the subsequent period of 12 months, unless otherwise agreed between DIGI Consulting and End User or required by the applicable legislation. This Agreement will remain valid until the deletion of all Customer Personal Data.
- Non-Disclosure Commitment
7.1 DIGI Consulting, without End User’s prior approval in writing, will not: (a) disclose a copy of Customers’ Personal Data to any third party; (b) use Customers’ Personal Data for purposes other than providing the Services to End User; unless such disclosure or use is required by a competent authority in accordance with the applicable legislation.
7.2 Without prejudice to the above Clause 7.1, DIGI Consulting will be entitled to disclose Customer Personal Data to Sub processors, consultants and other service providers. The disclosed Customer Personal Data will be subject to the respective recipient’s data protection policy.
- Security Measures
DIGI Consulting will implement and maintain security measures to protect Customer Personal Data against unauthorised access or disclosure and against accidental or unlawful destruction, alteration or loss. DIGI Consulting will continuously monitor the functionality and the adequacy of the security measures and may from time to time modify and update them.
8.1 Data centres
8.1.1 DIGI Consulting maintains all Customer Personal Data and processing on servers hosted at data centres of DigitalOcean. DigitalOcean’s certifications, Terms of Use, Privacy Policy and Customer Agreement are available at their website: https://www.digitalocean.com/.
8.1.2 All Customer Personal Data based in the European Union are stored and processed on servers in the European Union or in other countries which maintain high standards of data protection.
8.1.3 For the purpose of this Agreement the servers used by DIGI Consulting will be referred to as DIGI Consulting’s servers.
8.1.4 DIGI Consulting monitors its servers to ensure that there is no unauthorised access to any data stored thereon. DIGI Consulting implements various technologies for prevention and detection of any intrusion or intrusion attempt to the servers and data.
8.2 DIGI Consulting’s staff control
8.2.1 DIGI Consulting has created and maintains a data security policy for its staff and provides its staff security training as part of the training package. DIGI Consulting’s employees and partners must conduct themselves in a manner consistent with DIGI Consulting’s guidelines regarding confidentiality, appropriate usage, business ethics and professional standards.
8.2.2 Only authorised staff have access to Customer Personal Data, and only when related to their direct duties in supporting and operating the Services. Each staff member has signed a special data security annex, part of their agreement, and undergoes periodic instruction and training about data security. DIGI Consulting’s staff will not process Personal Data without authorisation.
8.2.3 DIGI Consulting’s security staff is responsible for the ongoing monitoring of DIGI Consulting’s security infrastructure, the review of the Software and Services, and responding to security incidents.
8.3 On-site control
DIGI Consulting controls and restricts access to its premises, documentation and hardware. DIGI Consulting’s premises require electronic code key access and are monitored by CCTV cameras. Only authorised employees and contractors have access to these premises. Entrants are also required to identify themselves.
8.4 Encryption
8.4.1 All data records in the databases are protected with credentials and all data transmission between End User’s and Customer’s hardware and DIGI Consulting’s servers is encrypted, so that it is only readable through the graphical user interface (“GUI”) or the application programming interface (“API”) and only after a successful submission of valid credentials, e.g. username, PIN, password, multi-factor authentication, API secret key, etc. Open public features may not require customers to submit credentials in order to visualise data intended for public visualisation.
8.4.2 DIGI Consulting applies data encryption that meets the highest requirements for encryption and encryption keys. This encryption complies with the strict and practice-oriented requirements of the Payment Card Industry Data Security Standard (PCI DSS).
8.5 Credit card data security
Credit card data storage and retention is subject to specific regulations such as PCI DSS and to End User’s agreement with the respective payment acquirer or processor. End User will collect, access, process and destroy credit card data according to all applicable standards, agreements, regulations and guidelines. End User will follow DIGI Consulting’s PCI DSS guidance (available at the Website) and meet its obligations stipulated there.
8.6 End User control
DIGI Consulting will assist the End User in ensuring compliance with the End User’s obligations as to Personal Data protection. In order to assist End User, DIGI Consulting will implement and maintain application features which include, but are not limited to, those listed below.
8.6.1 Levels of access
DIGI Consulting has redesigned the Software to enable End User to determine precisely the level of access of its employees to Customer Personal Data. For example, the staff having the lowest level of access will be able to work with anonymised (masked) Customer Personal Data only. Generally, the levels of access will be:
(a) Prohibited access. Employees will only see [********] instead of Personal Data.
(b) Basic access. Employees will partially see Customer’s details in order to process Customer’s booking of End User’s services (hotel booking, card payment etc.) but will not be able to identify the Customer.
(c) Operational access. Employees will be able to view full Personal Data of each Customer on the booking, profile and other screens.
(d) Full access. Employees will be able to view, export and copy full Personal Data of each Customer.
8.6.2 Access Control
End User and End User’s administrators are required to authenticate themselves via an authentication system in order to use the Services. Software checks credentials in order to allow the display of data to an authorized End User or authorized End User’s administrator.
8.6.3 Anonymisation
The visible information of each Customer on the screens and in the reports is partially masked or restricted to the minimum. The Customer Personal Details are hidden in the following manner and are only accessible when having additional access rights:
- A first name initial and surname [P Jones]
- The first 4 letters of the email address [jone********]
- The last 4 digits of the telephone number [********6789]
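The access levels of clause 8.6.1 and the masking rules of clause 8.6.3 combine into a single data-minimisation step at the presentation layer. The following is an added illustration, not DIGI Consulting’s code; the level names, record fields and sample customer are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

REDACTED = "********"  # the placeholder shown for prohibited access (clause 8.6.1 (a))


class AccessLevel(Enum):
    """Clause 8.6.1 levels; the enum names are assumed for this example."""
    PROHIBITED = 0
    BASIC = 1
    OPERATIONAL = 2
    FULL = 3


@dataclass(frozen=True)
class CustomerRecord:
    first_name: str
    surname: str
    email: str
    telephone: str


def mask_name(first_name: str, surname: str) -> str:
    # First-name initial plus surname, e.g. "P Jones".
    return f"{first_name.strip()[:1].upper()} {surname.strip()}".strip()


def mask_email(email: str) -> str:
    # Keep the first 4 characters of the local part; the rest, domain included, is masked.
    return email.split("@", 1)[0][:4] + REDACTED


def mask_telephone(telephone: str) -> str:
    # Keep only the last 4 digits; spaces, '+' and other formatting are dropped first.
    digits = "".join(ch for ch in telephone if ch.isdigit())
    return REDACTED + digits[-4:]


def view_customer(record: CustomerRecord, level: AccessLevel) -> dict:
    """Return the fields a staff member at `level` may see; only FULL may export."""
    if level is AccessLevel.PROHIBITED:
        view = {"name": REDACTED, "email": REDACTED, "telephone": REDACTED}
    elif level is AccessLevel.BASIC:
        view = {"name": mask_name(record.first_name, record.surname),
                "email": mask_email(record.email),
                "telephone": mask_telephone(record.telephone)}
    else:  # OPERATIONAL and FULL see the complete record
        view = {"name": f"{record.first_name} {record.surname}",
                "email": record.email, "telephone": record.telephone}
    view["exportable"] = level is AccessLevel.FULL
    return view


if __name__ == "__main__":
    # Constructed sample customer; no real person is referenced.
    sample = CustomerRecord("Peter", "Jones", "jones@example.com", "+44 20 1234 6789")
    for lvl in AccessLevel:
        print(lvl.name, view_customer(sample, lvl))
```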
8.6.4 Consent to marketing emails or giving information to third parties
In the creation of a booking, a field and related consent text will be displayed in the WRS customer self-service portal, customer profiles and any other point where personal data is collected for the first time in relation to the particular booking, to ask for the Customer’s permission to send them marketing emails and/or provide their data to third parties. In the Guest Mailer, DIGI Consulting has also added an option to filter out Customers who have not agreed to receive marketing emails.
- Deleting Data
9.1 Unless otherwise explicitly agreed in writing between DIGI Consulting and End User, DIGI Consulting will delete all Customer Personal Data from its systems not later than 3 months after expiry of the Main Agreement.
9.2 DIGI Consulting will enable End User to delete Customer Personal Data prior to expiry of the Main Agreement. End User will be able to search for and erase Customer Personal Data from bookings and profiles without deleting the bookings. Furthermore, End User will have the option to forbid automatic deletion for certain profiles (e.g. participants in End User’s client loyalty programmes).
9.3 Upon End User’s explicit request in writing, DIGI Consulting will delete Customer Personal Data from DIGI Consulting’s systems prior to expiry of the Main Agreement, not later than 3 months after receipt of the request.
9.4 Without prejudice to the above Clauses DIGI Consulting may store Customers’ Personal Data if such a storage is required by the applicable legislation.
- Data Related Incidents
10.1 If DIGI Consulting becomes aware of a data incident, DIGI Consulting will notify End User promptly and without undue delay, and will promptly take reasonable steps to minimise harm and secure Customer Personal Data.
10.2 End User will be solely responsible for complying with applicable incident notification legislation and fulfilling its notification obligations related to data incidents (including notification of the persons concerned by the data incident).
10.3 DIGI Consulting’s notification of or response to a data incident will not be construed as an acknowledgement of any fault or liability with respect to the data incident.
- Responsibilities of End User
11.1 DIGI Consulting’s commitments under this Agreement will not release End User from its obligations as Controller. End User undertakes to develop, implement, control and update its internal data protection and privacy policies.
11.2 End User undertakes to comply with any requirements of the applicable legislation as well as to follow DIGI Consulting’s data protection instructions. End User will continuously take all reasonable security action, such as but not limited to implementing virus protection software, network security policies or periodic update of passwords, to improve the general system security of its hardware and networks which are in a direct relation with the data protection.
11.3 Customer is solely responsible for its use of the Services, including: (a) setting the character of Customer Personal Data to be processed; (b) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (c) securing the account authentication credentials, systems and devices End User uses to access the Services; (d) backing up its Customer Personal Data; (e) securing Customer Personal Data that End User elects to transfer or store outside of DIGI Consulting’s systems; and (f) evaluating for itself whether the Web Hosted Services, including DIGI Consulting’s security measures and controls, meet End User’s needs and obligations as a Controller.
11.4 DIGI Consulting has no obligation to protect Customer Personal Data that End User elects to store or transfer outside of DIGI Consulting’s systems (for example, offline or on-premise storage).
11.5 End User accepts and agrees that DIGI Consulting will provide a level of security appropriate to the risk in respect of the Customer Personal Data and will meet all requirements of the data protection legislation of the country/region where End User’s business is based. If the said legislation requires from DIGI Consulting any registration, permission or licensing, End User will promptly inform DIGI Consulting, and DIGI Consulting will be entitled to terminate the Main Agreement at its sole discretion without any liability for DIGI Consulting. If End User fails to so inform DIGI Consulting, End User will indemnify DIGI Consulting against any penalties imposed or damages incurred in relation to any non-conformity with the said legislation.
11.6 End User accepts and agrees that despite DIGI Consulting’s reasonable efforts data incidents are possible (for example, as a result of technical malfunction, programming error, hacker attack, etc.). End User will make all reasonable efforts to protect itself against the consequences of such data incidents, which measures will include but will not be limited to: (a) periodically downloading the Software report exports; (b) taking appropriate measures to minimise the impact of a data incident on Customers and any third parties.
- Customer’s Requests
If DIGI Consulting receives any request from a Customer in relation to Customer Personal Data, DIGI Consulting will advise the Customer to submit his/her request to End User. End User will be solely responsible for responding to any such request including, where necessary, by using the Services. As far as it is possible and practical, DIGI Consulting will assist End User in fulfilling any obligation to respond to Customers’ requests.
- Sub processors
13.1 End User specifically authorises DIGI Consulting to engage any Sub processors. DIGI Consulting will make information about Sub processors, including their functions and locations, available at its Website.
13.2 DIGI Consulting will ensure that any Sub processor has access to and uses Customer Personal Data only to the extent required to perform the obligations subcontracted to it.
13.3 If End User disagrees with the appointment of a Sub processor, End User may terminate the Main Agreement by 3 months’ notice in writing, with no liability for DIGI Consulting.
PART III – Closing Provisions
- Liability
The liability clauses of the Main Agreement will apply to DIGI Consulting’s liability under this Agreement.
- Delivery of Notifications
Notifications under this Agreement will be delivered to the announced postal address or notification email address of the recipient party. The recipient party is solely responsible for ensuring that its notification address/email address is current and valid.