This DPP sets out the terms that apply to the processing of any personal data processed for Proplynx by McNOAH Limited (registered in England and Wales under company number 06884703) (Proplynx) and any Sub-processors engaged by Proplynx on behalf of the Customer in the course of providing the Services.

This DPP is supplemental to the Proplynx Terms and Conditions, which can be found at https://www.poroplynx.com/terms-and-conditions, or the Service Level Agreement or Master Services Agreement agreed to by the parties, as appropriate (hereby referred to as Agreement).

1. DEFINITIONS AND INTERPRETATION

The GDPR (General Data Protection Regulation) on data protection sets out a number of different reasons an entity may collect and process clients' personal data, including:

1.1.

Any terms that are capitalised but not defined in this DPP shall have the meanings given to them in the Agreement. Any rules of interpretation set out in the Agreement shall apply to this DPP.

1.2.

The terms controller, processor, data subject, personal data, special categories of personal data, processing (and any similar terms), personal data breach, supervisory authority and third party shall have the meanings given to them in the Data Protection Laws (as defined below).

1.3. Definitions

Applicable Law

The applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states at any time together with applicable laws in the United Kingdom (UK) at any time.

Data Protection Laws

All Applicable Laws relating to the processing, privacy and/or use of personal data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances:

(a) the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR);

(b) the UK Data Protection Act 2018;

(c) any laws which implement any such laws; and

(d) any laws which replace, extend, re-enact, consolidate or amend any of the former (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time).

Standard Contractual Clauses

The standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council as available at:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

(as may be amended, updated or superseded from time to time).

Sub-processor

Another processor engaged by Proplynx for carrying out processing activities in respect of any personal data on behalf of the Customer.

1.4. 

In the event of any conflict or inconsistency between any of the terms of this DPP and the Agreement, this DPP shall prevail to the extent of such conflict or inconsistency. Except as specifically amended by this DPP, the Agreement shall remain unchanged and in full force and effect.

2. APPLICATION OF THIS DPP AND ROLES OF THE PARTIES

2.1 Application:

This DPP shall only apply to the extent that Proplynx is acting as a processor on behalf of the Customer; the Customer is established within the EEA and/or Proplynx processes personal data relating to data subjects located in the EEA.

2.2 Roles:

While the parties acknowledge that whether a party is a controller or processor is a question of fact, the parties acknowledge and agree that:

2.2.1

the Customer shall be a controller and Proplynx shall be a processor in respect of any personal data processed by Proplynx on the Customer’s behalf;

2.2.2

Proplynx shall be a controller in its own right for any personal data where Proplynx determines the purposes and manner of the processing, including for the purposes of:

(a) managing its direct relationship with the individuals benefiting from the Services (Guests) throughout the period of their stay, including (without limitation) arranging check in, the provision of internet access and responding to queries or complaints;

(b) verifying Guests’ identification;

(c) conducting fraud monitoring, prevention, detection and prosecution; and

(d) complying with its own record retention obligations.

2.3 Customer’s obligations:

Nothing in this DPP relieves the Customer of any responsibilities or liability under the Data Protection Laws and the Customer warrants that:

2.3.1

All instructions given by it to Proplynx in respect of the personal data shall comply with the Data Protection Laws;

2.3.2

Except to the extent within Proplynx’s control, the Customer is solely responsible for the accuracy, integrity and quality of the personal data and the means by which the Customer obtained the personal data; and

2.3.3

it has established a lawful ground(s) for and provided data subjects with fair processing information in connection with all processing activities which may be undertaken by Proplynx and its Sub-processors under the Agreement.

2.4 Proplynx’s obligations:

Proplynx shall process the personal data in compliance with its obligations under the Data Protection Laws and otherwise in accordance with the terms of this DPP and the Agreement.

3. INSTRUCTIONS AND DETAILS OF THE PROCESSING

3.1 Customer’s instructions:

Unless required by Applicable Law (in which case Proplynx shall, to the extent permitted by Applicable Law, inform the Customer of such requirement in advance) Proplynx shall, and shall take steps to ensure that its Personnel shall, process the personal data only in accordance with the Customer’s documented instructions pursuant to this DPP and the Agreement.

3.2 Infringing instructions:

Proplynx shall promptly inform the Customer if it becomes aware of any processing instruction that, in Proplynx’s opinion, infringes the Data Protection Laws.

3.3 Details of the processing:

Schedule 1 sets out the scope, nature, purpose and duration of the processing and the types of personal data and categories of data subjects as may apply to the processing of the personal data by Proplynx under the Agreement.

4. SECURITY OF THE PROCESSING, BREACH NOTIFICATION AND PERSONNEL

4.1 Security of the processing:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects, Proplynx shall, in relation to the processing of personal data under the Agreement, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk.

4.2 Notification of personal data breaches:

Proplynx shall notify the Customer of any personal data breach involving the personal data without undue delay and shall provide the Customer with such information as the Customer may require in relation to such personal data breach.

4.3 Personnel:

Proplynx shall ensure that its Personnel are subject to a binding written contractual obligation to keep the personal data confidential except where disclosure is required by Applicable Law (in which case Proplynx shall, to the extent permitted by Applicable Law, inform the Customer of such requirement in advance).

5. SUB-PROCESSORS

5.1 Authorised Sub-processors:

Subject to 5.3 below, the Customer authorises Proplynx to engage Sub-processors as set out in Proplynx’s privacy notice, as amended from time to time and found here: https://www.proplynx.com/privacy-policy.

5.2 Obligations regarding Sub-processors:

Proplynx shall:

5.2.1

Prior to the relevant Sub-processor carrying out any processing activities in respect of the personal data, appoint each Sub-processor under a written contract provision containing materially the same obligations as under this DPP that is enforceable by Proplynx (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);

5.2.2     

Ensure each such Sub-processor complies with all such obligations; and

5.2.3     

Remain fully liable for all the acts and omissions of each Sub-processor as if they were its own.

6. DATA SUBJECT REQUESTS AND ASSISTANCE

6.1 Data subject requests:

Proplynx shall, when acting as processor of the personal data, refer all requests that it receives from any data subject exercising their rights under the Data Protection Laws to the Customer without undue delay.

6.2 Assistance with data subject requests:

Taking into account the nature of the processing and information available to Proplynx, Proplynx shall implement and maintain appropriate technical and organisational measures to ensure, as far as possible, the fulfilment by the Customer of its obligation to respond to requests by data subjects exercising their rights under the Data Protection Laws.

6.3 Assistance with other compliance obligations:

Taking into account the nature of the processing and information available to Proplynx, Proplynx shall provide the Customer with such assistance as it reasonably requires in ensuring compliance with the Customer’s obligations under the Data Protection Laws with respect to:

6.3.1

security of processing;

6.3.2

Data protection impact assessments (as such term is defined in Data Protection Laws);

6.3.3

Prior consultation with a supervisory authority regarding high risk processing; and

6.3.4

Notifications to the supervisory authority and/or communications to data subjects by the Customer in response to any personal data breach.

Proplynx reserves its right to charge for works that are in excess of what is strictly required to comply with Data Protection Laws.

7. INTERNATIONAL TRANSFERS OF PERSONAL DATA

7.1 Transfers of personal data:

Proplynx shall not transfer any personal data outside the EEA unless such transfers, to the extent required under Data Protection Laws, are effected by way of such legally enforceable mechanism(s) for the transfer of personal data outside the EEA and the UK as may be permitted under the Data Protection Laws at any time (Appropriate Safeguards). The provisions of the Agreement shall constitute the Customer’s instructions with respect to any transfers in accordance with clause 3.1 (Customer’s instructions).

8. AUDITS

8.1 Audits:

Proplynx shall, on request by the Customer, make available to the Customer such information as is reasonably necessary to demonstrate Proplynx’s compliance with its obligations under this DPP and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:

8.1.1

such audit, inspection or information request is reasonable and is subject to the Customer giving Proplynx reasonable prior notice of such audit, inspection or information request;

8.1.2

audit rights may only be exercised once in any consecutive 12-month period, unless otherwise required by a supervisory authority or if the Customer has reasonable grounds to believe that Proplynx is in breach of this DPP; and

8.1.3

any such audit or inspection is undertaken during Proplynx’s normal business hours, with minimal disruption to the businesses of Proplynx and each Sub-processor.

9. TERMINATION OF THE AGREEMENT

9.1 Deletion or return of personal data:

Without affecting Proplynx’s obligations under the Agreement, following expiry or termination of the Agreement (or any part of it), Proplynx shall promptly and at the Customer’s option either delete or return (in such format and by such secure means as Proplynx shall determine) all copies of the personal data processed by Proplynx and its Sub-processors in respect of the Services.

10. WITHDRAWAL OF THE UK FROM THE EU (BREXIT)

10.1  

In the event that the UK withdraws from the EU without any agreement being reached between the UK Government and the European Council as to any transitional period or future relationship between the UK and the EU or EEA (No Deal Brexit), the parties acknowledge that the UK shall become a ‘third country’ for the purposes of the GDPR.

10.2  

In the event of a No Deal Brexit, the Standard Contractual Clauses shall be deemed to be incorporated into this DPP with immediate effect.

SCHEDULE 1 – DETAILS OF THE PROCESSING

Scope

The provision of the Services by Proplynx to the Customer.

Nature and purpose of the processing

Proplynx will process the personal data as necessary to perform the Services pursuant to its rights and obligations under the Agreement.

Duration of the processing

Subject to clause 9 (Termination of the Agreement) of this DPP, for the duration of the Agreement of any Services provided under the Agreement, unless otherwise agreed by the Customer in writing.

Categories of data subjects

Proplynx provides accommodation for both corporate and private customers to rent or buy among other services which will result in the collection and processing of personal data relating to those clients and/or their employees.

Types of personal data

· name
· email address
· phone number
· gender
· date of birth
· marital status
· passport/ID card information
· visa information
· credit card details
· partner and dependent (including children) names, DOB, gender, passport details
· health information – e.g. allergies, specific food preferences etc.
· language spoken
· country of residence
· company name and job title
· religious beliefs
· IP address