The new data protection legislation, the General Data Protection Regulation 2016 (the “GDPR”), came into effect on 25th May 2018.
This new legal framework builds upon existing legislation, introducing new and enhanced obligations and responsibilities upon all parties either holding and/or utilising personal information inside the European Union and/or using such information for a European citizen.
Evan Evans and the wider Travel Corporation Group have reviewed their data processing practices in light of the new regulations and have detailed below their new terms and conditions around these. They will amend and update these if and where necessary going forward.
1. Definitions
1.1 In this schedule, the following definitions and rules of interpretation apply:
‘Agreement’
Means the contract, agreement or terms and conditions to which this schedule is appended.
‘Applicable Law’
Means the law of any Member State from time to time.
‘Complaint’
Means a complaint which relates to or impacts upon the Processor’s Processing of the Protected Data (including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority).
‘Controller’
Means the Travel Corporation business or company that is a party to the Agreement, being a controller (or data controller) as defined in the Data Protection Laws.
‘Processor’
Means the party providing services to or on behalf of the Controller under the Agreement, being a processor (or data processor) as defined in the Data Protection Laws.
‘Data Protection Laws’
Means: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); and/or (ii) any applicable corresponding, related or equivalent national laws or regulations (including, in the UK, any legislation enacted to implement the GDPR or equivalent data protection rules into UK law); and (iii) in each case, any regulatory guidance or codes of practice relating to or judicial or administrative interpretation of, such legislation, laws or regulations from time to time.
‘Data Subject’, ‘Personal Data’, ‘Personal Data Breach’ and ‘Processing’
Shall each have the meaning attributed to such term in the Data Protection Laws (and in relation to “Processing”, use of the term “Process” shall be given the same meaning).
‘Data Subject Request’
Means a request made by a Data Subject to exercise any of the rights of Data Subjects under the Data Protection Laws.
‘Member State’
Means a country that is a member of the European Union or European Economic Area from time to time (including, both before and after Brexit, the United Kingdom).
‘Protected Data’
Means Personal Data which is provided to the Processor by or on behalf of the Controller, or to which the Controller (or a representative of the Controller) gives the Processor access, or which is otherwise obtained by the Processor in connection with the performance of its obligations under this Agreement.
‘Supervisory Authority’
Means any regulatory or supervisory authority, board or other body responsible for administering the Data Protection Laws in any relevant jurisdiction.
2. Processor, Controller and Data Protection Laws
2.1 The Processor acknowledges that pursuant to the Agreement, it will have access to and/or need to use Protected Data.
2.2 The Processor will ensure that its Processing of the Protected Data is in accordance with the Data Protection Laws.
2.3 The Controller will ensure that it has in place all necessary consents and notices to enable the Processor to be able to process the Protected Data in the manner envisaged by this Agreement.
3. Details of the Processing
3.1 The processing to be carried out by the Processor under the Agreement shall comprise the processing set out in the Table (Data Processing Details) and such other processing as may be agreed by the parties in writing from time to time.
3.2 The Processing of the Protected Data by the Processor shall, unless otherwise specified by the Controller, continue for the period specified in this Agreement or (if no such period is specified) until the termination or expiry of this Agreement.
4. Instructions
4.1 Subject to paragraph 3.2 below, the Processor shall (and shall ensure that each person acting under its authority shall) only process the Protected Data: (a) as set out in this paragraph 4 and the Table (Data Processing Details), to the extent necessary to meet its obligations under this Agreement; and (b) in accordance with the Controller’s documented instructions as set out in this paragraph 4 and the Table (Data Processing Details), as updated from time to time by the written agreement of the parties (the “Processing Instructions”).
4.2 The Processor may process the Protected Data to the extent necessary to comply with any Applicable Law PROVIDED THAT where such requirement exists, the Processor shall (unless prohibited by the relevant Applicable Law from doing so on important grounds of public interest), notify the Controller of the required processing prior to undertaking the same.
4.3 The Processor shall immediately inform the Controller in writing if, in the Processor’s reasonable opinion, a Processing Instruction infringes Data Protection Laws (providing details of the reasons for its opinion).
5. Technical and organisational measures
5.1 The Processor undertakes that it has in place and shall, at its own cost and expense, maintain in place, appropriate technical and organisational measures to ensure that any Processing of Personal Data meets the requirements of Data Protection Laws and ensures the protection of the rights of Data Subjects.
5.2 Without prejudice to the provisions of paragraph 4.1, the Processor shall (taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing to be undertaken by the Processor under this Agreement and the risk to the rights and freedoms of individuals), implement (at no cost to the Controller), appropriate technical and organisational measures to ensure in relation to the Protected Data, a level of security appropriate to the risk, including (as appropriate) the measures listed in Article 32(1) of the GDPR.
6. Confidentiality
6.1 The parties agree that the Protected Data shall constitute confidential information for the purposes of this Agreement.
6.2 The Processor shall ensure that all personnel authorised by it to process the Protected Data are subject to contractual obligations to keep the Protected Data confidential.
6.3 The Processor shall ensure that access to the Protected Data is strictly limited to such persons who require access to it for the purposes of this Agreement.
7. Data Subject Requests
7.1 Without prejudice to its obligations under paragraphs 4.1 and 4.2, the Processor shall (at no cost to the Controller):
7.1.1 implement such technical and organisational measures as may reasonably be practicable to assist the Controller to fulfil its obligations under the Data Protection Laws to respond to Data Subject Requests relating to the Protected Data;
7.1.2 refer any Data Subject Request relating to the Protected Data that is received by it to the Controller without undue delay (and in any event within [48 (forty-eight)] hours of its receipt of such Data Subject Request);
7.1.3 keep a detailed record of all Data Subject Requests received by it relating to the Protected Data;
7.1.4 provide such information and assistance to the Controller in connection with any Data Subject Request relating to the Protected Data as the Controller may reasonably require (within such reasonable timescales as may be specified by the Controller); and
7.1.5 not directly respond to any Data Subject Request relating to the Protected Data without the Controller’s prior written consent.
8. Sub-processors
8.1 The Processor shall not appoint any third party to process the Protected Data on its behalf without the Controller’s specific prior written consent.
8.2 In the event that the Controller consents to the appointment of any such third party, the Processor shall:
8.2.1 prior to engaging the relevant third party, carry out adequate due diligence to ensure that the third party in question is capable of providing the level of protection in respect of the Protected Data required by this Agreement;
8.2.2 be responsible for all acts and omissions of such third party; and
8.2.3 ensure that the arrangement between the relevant third party and the Processor is governed by a written contract including terms which offer at least the same level of protection for the Protected Data as those set out in this Agreement.
9. Transfers outside the EEA
9.1 The Processor shall not transfer any of the Protected Data outside the European Economic Area unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
9.1.1 either: (i) the transfer is to a country, territory, international organisation or sector which the European Commission has decided ensures an adequate level of data protection for Data Subjects; or (ii) the Controller has provided appropriate safeguards in relation to the transfer to the satisfaction of the Controller;
9.1.2 the Data Subjects affected by such transfer will have enforceable rights and effective legal remedies in respect of their Personal Data in the relevant country, territory, international organisation or sector; and
9.1.3 the Processor complies with its obligations under Data Protection Laws by providing an adequate level of protection to any Protected Data that is transferred.
10. Assistance to be provided by the Processor
10.1 Without prejudice to the provisions of paragraph 10, the Processor shall (at no cost to the Controller) in connection with its Processing of the Protected Data, provide such information, co-operation and other assistance to the Controller as the Controller may reasonably require to ensure its compliance with its obligations under Data Protection Laws relating to:
10.1.1 the security of Processing;
10.1.2 data protection impact assessments (as such term is defined in the Data Protection Laws), including prior consultation with any Supervisory Authority regarding high risk Processing;
10.1.3 Personal Data Breach notifications; and
10.1.4 any remedial action to be taken and/or notifications to be made in response to any Personal Data Breach.
11. Personal data breaches and complaints
11.1 The Processor shall promptly notify the Controller of any Personal Data Breach involving Protected Data that is in the Processor’s possession or under its control (such notification to be provided, at the latest, within [24 (twenty-four)] hours of the Processor becoming aware of such Personal Data Breach).
11.2 Any notification of a Personal Data Breach provided to the Controller shall include sufficient information to enable the Controller to meet any obligations under Data Protection Laws relating to Personal Data Breaches (including to report Personal Data Breaches to Supervisory Authorities and/or Data Subjects).
11.3 The Processor shall not directly notify any Personal Data Breach involving the Protected Data to any Supervisory Authority or a Data Subject.
11.4 The Processor shall (at no cost to the Controller):
11.4.1 promptly notify the Controller of any Complaint received by the Processor (such notification to include full details of the relevant Complaint); and
11.4.2 provide to the Controller such further information and/or assistance in relation to the Complaint as the Controller may reasonably require, within such timescales as the Controller may reasonably specify (including information relating to steps taken by the Processor to tackle the cause of the Complaint).
11.5 Without prejudice to any other right or remedy available to the Controller, the Processor shall promptly resolve to the Controller’s reasonable satisfaction (at no cost to the Controller) any data protection or security issues relating to the Processor’s Processing of the Protected Data that the Controller may from time to time report to the Processor.
12. Deletion or return of Personal Data
12.1 Unless storage of any Protected Data is required by Applicable Law (in which case the Processor shall inform the Controller of such requirement), the Processor shall promptly on termination or expiry of this Agreement, either (as required by the Controller) securely delete or securely return to the Controller all of the Protected Data (including all copies of the same).
13. Records and Audits
13.1 The Processor shall (at its own cost and expense):
13.1.1 make available to the Controller such information as the Controller may reasonably require from time to time to demonstrate the Processor’s compliance with the Data Protection Laws and its obligations relating to the Processing of the Protected Data under this Agreement; and
13.1.2 permit and contribute to such audits by the Controller (or the Controller’s mandated auditors) relating to the Processor’s Processing of the Protected Data and/or its compliance with Data Protection Laws as the Controller may reasonably require from time to time.
14. Processor’s liability under the Data Protection Laws
14.1 The Processor acknowledges that none of the above terms shall relieve it of its own direct responsibilities and liabilities under the Data Protection Laws.
Data Processing Details
Subject matter of processing:
Processing is solely in conjunction with the Processor's performance of its obligations under the Agreement.
Duration of the processing:
Period of the Agreement
Types of Personal Data:
Personal data will be provided to the Processor for the sole purpose of performing their obligations under this agreement which may include but is not limited to: Names; addresses; contact details; date of birth; nationality; passport details; dietary requirements; special requests.
Categories of Data Subjects:
Customers of the Travel Corporation Group