- This Data Processing Addendum (“Addendum”) forms part of the Guesty Software and Service Agreement (“Principal Agreement”) between: (i) Guesty Inc. (“Vendor”) acting on its own behalf and as agent for each Vendor affiliate; and (ii) the customer listed on the Principal Agreement (“Company”).
- In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
- Under the Principal Agreement the nature and purposes of processing Personal Data by the Vendor as data processor shall be limited to those set forth in Schedule 1.
- Definitions
- In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Applicable Laws” means (a) European Union or Member State laws with respect to any Company Personal Data in respect of which any Company is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Company Personal Data in respect of which any Company is subject to any other Data Protection Laws;
- “Company Personal Data” means any Personal Data Processed by Vendor on behalf of a Company pursuant to or in connection with the Principal Agreement;
- “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- “EEA” means the European Economic Area;
- “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- “GDPR” means EU General Data Protection Regulation 2016/679;
- “Restricted Transfer” means:
- a transfer of Company Personal Data from any Company to Vendor; or
- an onward transfer of Company Personal Data from Vendor to a Sub-processor, or between two establishments of Vendor,1.1.1 in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Section 16.1 below;
- “Services” means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Company pursuant to the Principal Agreement;
- “Standard Contractual Clauses” means the contractual clauses set out in Schedule 2, amended as indicated (in square brackets and italics) in that Schedule;
- “Sub-processor” means any person (including any third party and any Vendor affiliate, but excluding an employee of Vendor or any of its sub-contractors) appointed by or on behalf of Vendor to Process Personal Data on behalf of the Company in connection with the Principal Agreement; and
- “Vendor” means Vendor and any entity that owns or controls, is owned or controlled by or is or under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- “Party”/”Parties” means the Company and the Vendor separately, or jointly, as the case may be;
- “Purpose” means as described in Schedule 1; and
- “Supervisory Authority” means any court, regulatory agency or authority which, according to Applicable Laws and/or regulations, supervises privacy issues and/or the processing of personal data.
- The terms, “commission”, “controller”, “data subject”, “member state”, “personal data”, “personal data breach”, “processing”, “processor” and “supervisory authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- Special undertakings of the Parties
- Roles, ownership of personal data, processing and purpose
- The Company shall be considered the controller of the personal data processed on its behalf and in accordance with its instructions, which concerns its respective data subjects. The Vendor shall be considered a processor of the personal data processed on behalf of the Company.
- The Vendor may only process the Company Personal Data for the Purpose and to the extent it is necessary for the fulfilment of the Vendor’s obligations under this Addendum or the Principal Agreement.
- This Addendum shall apply to the actions of any of Vendor or Company’s affiliates performing tasks and obligations in the context of this Addendum and any such affiliates shall have all rights and obligations set forth in this Addendum as if they were Vendor or Company, as applicable.
- Special undertakings of the Company
- The Company undertakes to:
(a) Ensure that there is a legal ground for processing the personal data covered by this Addendum;(b) Ensure that any disclosure or transfer of Company Personal Data to Vendor confirms to the Applicable Laws.(c) Inform the Vendor about any erroneous, rectified, updated or deleted personal data subject to the Vendor’s processing; and
(d) Fully comply with any request of data subjects and with any data subject rights under Applicable Laws.
(e) Provide the Vendor with documented instructions regarding the Vendor’s processing of the personal data, as may be required from time to time.
- The Company undertakes to:
- Special undertakings of the Vendor
- The Vendor undertakes to:
(a) Only process the Company Personal Data in accordance with Applicable Laws and the Company documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Applicable Laws; in such a case, the Vendor shall inform the Company of that legal requirement before processing the personal data, unless such information is prohibited by the Applicable Laws on important grounds of public interest;(b) Taking into account the nature of the processing, implement appropriate technical and organisational measures to reasonably ensure a level of security appropriate to the risk and reasonably assist the Company by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights or with respect to data breaches in Applicable Laws; and(c) Make available to the Company all information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum.
- The Vendor undertakes to:
- Roles, ownership of personal data, processing and purpose
- Processing of Company Personal Data
- The Company:
- instructs Vendor (and authorises Vendor to instruct each Sub-processor) to:
- process Company Personal Data; and
- in particular, transfer Company Personal Data to any country or territory,
1.2 as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
- Schedule 1 to this Addendum sets out certain information regarding the Vendor’s processing of the Company Personal Data. Company shall immediately inform Vendor of any required amendments to Schedule 1 by written notice to Vendor, and the Parties shall negotiate in good-faith the amendment of Schedule 1.
- instructs Vendor (and authorises Vendor to instruct each Sub-processor) to:
- The Company:
- Confidentiality
1.3 Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Vendor who may have access to the Company Personal Data, and to ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. - Data Security
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to reasonably ensure a level of security appropriate to that risk.
- Sub-processing
- Company authorises Vendor to appoint (and permit each Sub-processor appointed in accordance with this Section 9 to appoint) Sub-processors in accordance with this Section 9 and any restrictions in the Principal Agreement.
- Vendor may continue to use those Sub-processors already engaged by Vendor as at the date of this Addendum, as listed on the Vendor’s website, subject to Vendor meeting the obligations set out in Section 9.4.
- Vendor shall give Company prior written notice of the appointment of any new Sub-processor. If, within 7 days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment:
- Vendor shall work with Company in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and
- where such a change cannot be made within 30 days from Vendor’s receipt of Company’s notice, the Company shall be responsible to find an alternative Sub-processor that accepts to provide services to Vendor under similar conditions than the Sub-processors objected by Company. In the event such proposed alternative Sub-processor is not accepted by Vendor, then Company may by written notice to Vendor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.
- With respect to each Sub-processor, Vendor shall:
- ensure that the arrangement between the Vendor, and the Sub-processor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this Addendum; and
- if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one Vendor and the Sub-processor.
- Vendor shall ensure that each Sub-processor performs the obligations under this Addendum, as they apply to processing of Company Personal Data carried out by that Sub-processor, as if it were party to this Addendum in place of Vendor.
- Data subject rights
- Vendor shall:
- promptly notify Company if Vendor receives a request from a data subject under any Data Protection Law in respect of Company Personal Data; and
- ensure that the Vendor does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Vendor is subject.
- Vendor shall:
- Personal Data Breach
- Vendor shall notify Company without any delay but no later than within 48 hours in writing upon Vendor or any Sub-processor becoming aware or has reasons to believe of a Personal Data Breach affecting Company Personal Data, providing Company with reasonably sufficient information to allow Company to meet its obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- Immediately following Vendor’s notification to Company of a Personal Data Breach, the Parties shall coordinate with each other to investigate the breach. Vendor agrees to reasonably cooperate with Company, at Company’s expense, in Company’s handling of the matter, including, without limitation:
- assisting with any investigation;
- facilitating interviews with Vendor’s employees and others involved in the matter; and
- making available all reasonably necessary records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Company.
- Vendor agrees to assist Company in advising the Supervisory Authority and data subjects about Personal Data Breach. It shall not, however, inform any third party of any Personal Data Breach without first obtaining Company’s prior written consent, other than to inform a complainant (if any) that the matter has been forwarded to Company, or if otherwise required under any Applicable Law.
- Company shall reimburse Vendor for actual reasonable costs incurred by Vendor in responding to, and mitigating damages caused by any security incident or Personal Data Breach, including all costs of notice and/or remediation.
- Data Protection Impact Assessment and Prior Consultation
1.4. Vendor shall provide reasonable assistance to Company, at Company’s expense, with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Vendor.
- Cooperation and Coordination
- Upon reasonable request by Company, Vendor shall as promptly and as reasonably practicable provide Company with a written report containing information reasonably requested by Company relating to: (i) any security event and Personal Data Breach; or (ii) actual or reasonably suspected non-compliance with this Addendum. In addition, Vendor shall provide Company with any documents reasonably requested by Company related to the foregoing, including without limitation, any information security assessment and security control audit reports.
- Deletion or return of Company Personal Data
- Subject to Section 14.2 Vendor shall promptly and in any event within fourteen (14) days of the date of termination or expiration of any Services involving the Processing of Company Personal Data (the “End Date”), or of the date of a written notice by Company, delete and procure the deletion of all copies of those Company Personal Data.
- Vendor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Vendor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Audit rights
- At the request of Company and on its expense, but not more than once per year, Vendor shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under this Addendum. Company shall treat such audit reports as Vendor’s confidential information.
- Company shall have the right to perform audits, not more than once per calendar year and upon prior written notice of at least thirty (30) days to Vendor, of the Vendor’s processing of the Company Personal Data in order to verify the Vendor’s, and any Sub-processor’s, compliance with this Addendum. The audit shall be confined to processing documentation prepared by the Vendor and logged and documented information regarding its information security measures, and in any event will not entitle Company to conduct technological investigations on the Vendor’s information systems.
- Company shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Vendor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
- If any Supervisory Authority: (i) contacts the Vendor with respect to its systems or any processing of Company Personal Data carried out by the Vendor, (ii) conducts, or gives notice of its intent to conduct, an inspection of the Vendor with respect to the processing of Company Personal Data, or (iii) takes, or gives notice of its intent to take, any other regulatory action alleging improper or inadequate practices with respect to any processing of Company Personal Data carried out by the Vendor, then the Vendor shall immediately notify the Company and shall subsequently supply the Company with all information pertinent thereto to the extent permissible by law.
- Company shall bear all costs for audits set out herein.
- Restricted Transfers
- In the event that the processing activities under this Addendum are considered Restricted Transfer, the Company (as “data exporter”) and Vendor, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Company to Vendor.
- Vendor warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, Vendor’s entry into the Standard Contractual Clauses under Section 16.1, as agent for and on behalf of that Sub-processor will have been duly and effectively authorised (or subsequently ratified) by that Sub-processor.
- General Terms
1.5 Governing law and jurisdiction- Without prejudice to Mediation and Jurisdiction and Governing Law sections of the Standard Contractual Clauses:
- the Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
1.6 Assignation of rights or obligations
- Neither Party may assign its rights or obligations under this Addendum without the prior written consent of the other Party.
1.7 Notices - All notices to a Party under this Addendum shall be in writing and sent to its address as set forth at the beginning of this Addendum, or to such other address as such Party has provided the other in writing for such purpose. Notices may be sent by post, courier, fax or email.
- Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in person or by courier, (ii) three (3) business days after the day when the notice was sent when sent by post, and (iii) on the day when the receiver has manually confirmed that it is received when sent per fax or email.
1.8 Term and termination - This Addendum shall enter into force on the date hereof. Unless terminated earlier (i) due to a material breach of the terms of this Addendum, in which case this Addendum shall be terminated with immediate effect if the other Party fails to cure such breach in a satisfactory manner within fifteen (15) days after the other Party’s written demand thereof, or (ii) this Addendum shall remain in force until the termination or expiration of the Principal Agreement, whereupon it shall terminate automatically without further notice. The termination or expiration of this Addendum shall immediately terminate any processing agreement entered into between Vendor and any Sub-processor.
- Either Party may terminate this Addendum by giving the other Party thirty (30) days written notice.
1.9 Liability and indemnification - Each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties including government/authority fines and penalties resulting from, arising out of or relating to any breach by such first-mentioned Party of the this Addendum and in the applicable Data Protection Laws.
- Any loss suffered by a Party resulting from, arising out of or relating to a breach of this Addendum by the other Party that is not due to claims from third parties under Section 17.7 shall be governed by the provisions regarding liability and limitation of liability in the Principal Agreement.
- Without prejudice to Mediation and Jurisdiction and Governing Law sections of the Standard Contractual Clauses:
Schedule 1
description of the processing of personal data
- THE PROJECT
Guesty is a software management platform for short-term and vacation rentals. Processing of personal data is for the purpose of assisting property management companies, property owners and guests and simplifying their managing their vacation. - DATA SUBJECTS
The personal data processed concern the following categories of data subjects:
Customers, employees, consumer customers and/or representatives of corporate customers and suppliers. - CATEGORIES OF PERSONAL DATA
The personal data processed concern the following categories of personal data:Name, gender, phone number, address, email address, company name and VAT number, personal identification number, credit card information, device information, IP number, location tracking.We may also collect feedback, comments and questions received from you in service-related communication and activities, such as meetings, phone calls, documents, and emails. From our websites, we may collect your IP-address and actions taken on the site.
- PURPOSE OF THE PERSONAL DATA PROCESSING
We collect and use personal data mainly to perform direct sales and direct marketing for Controller through its representatives and provide customer service, as well as other operational activities with respect to the managed properties, on behalf of the Controller and upon Controller’s instructions. - PROCESSING OPERATIONS
The personal data processed will be subject to the following basic processing activities:Send Controller marketing communications which it has requested, through Controller’s representatives. These may include information about our products and services, events, activities, and promotions of our associated partners’ products and services.Perform direct sales activities in cases where legitimate and mutual interest is established.
Perform contractual obligations such as order confirmation, license details, invoice, reminders, and the like. The contract may be with Guesty directly or with a Guesty partner.Follow up on incoming requests (customer support, emails, chats, or phone calls).
- DURATION OF PROCESSING
The personal data will be processed with the following duration:We store personal data for as long as we find it necessary to fulfil the purpose for which the personal data was collected, while also considering our need to answer your queries or resolve possible problems, to comply with legal requirements under applicable laws, to attend to any legal claims/complaints, and for safeguarding purposes.This means that we may retain your personal data for a reasonable period of time after your last interaction with us. When the personal data that we have collected is no longer required, we will delete it in a secure manner. We may process data for statistical purposes, but in such cases, data will be anonymized.
- SECURITY MEASURES
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to reasonably ensure a level of security appropriate to that risk.