GDPR DATA PROCESSING

The new data protection legislation, the General Data Protection Regulation 2016 (the “GDPR”), comes into effect on 25th May 2018.

This new legal framework builds upon existing legislation, introducing new and enhanced obligations and responsibilities upon all parties holding and/or utilising personal information inside the European Union and/or using such information about a European citizen.

Tracoin and the wider Travel Corporation Group have reviewed their data processing practices in light of the new regulations and have detailed below their new terms and conditions around these. They will amend and update these if and where necessary going forward.

Different Terms and Conditions apply whether you are a DATA PROCESSOR or DATA CONTROLLER. The Terms and Conditions for both are detailed below.


DATA PROCESSOR TERMS AND CONDITIONS


1. DEFINITIONS

1.1 In this schedule, the following definitions and rules of interpretation apply:

AGREEMENT: Means the contract, agreement or terms and conditions to which this schedule is appended.

APPLICABLE LAW: Means the law of any Member State from time to time.

COMPLAINT: Means a complaint which relates to or impacts upon the Processor’s Processing of the Protected Data (including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority).

CONTROLLER: Means the TTC business or company that is a party to the Agreement, being a controller (or data controller) as defined in the Data Protection Laws.

PROCESSOR: Means the party providing services to or on behalf of the Controller under the Agreement, being a processor (or data processor) as defined in the Data Protection Laws.

DATA PROTECTION LAWS: Means: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); and/or (ii) any applicable corresponding, related or equivalent national laws or regulations (including, in the UK, any legislation enacted to implement the GDPR or equivalent data protection rules into UK law); and (iii) in each case, any regulatory guidance or codes of practice relating to or judicial or administrative interpretation of, such legislation, laws or regulations from time to time.

DATA SUBJECT, PERSONAL DATA, PERSONAL DATA BREACH & PROCESSING: Shall each have the meaning attributed to such term in the Data Protection Laws (and in relation to “Processing”, use of the term “Process” shall be given the same meaning).

DATA SUBJECT REQUEST: Means a request made by a Data Subject to exercise any of the rights of Data Subjects under the Data Protection Laws.

MEMBER STATE: Means a country that is a member of the European Union or European Economic Area from time to time (including, both before and after Brexit, the United Kingdom).

PROTECTED DATA: Means Personal Data which is provided to the Processor by or on behalf of the Controller or to which the Controller (or a representative of the Controller) gives the Processor access or which is otherwise obtained by the Processor in connection with the performance of its obligations under this Agreement.

SUPERVISORY AUTHORITY: Means any regulatory or supervisory authority, board or other body responsible for administering the Data Protection Laws in any relevant jurisdiction.


2. PROCESSOR, CONTROLLER & DATA PROTECTION LAWS

2.1 The Processor acknowledges that pursuant to the Agreement, it will have access to and/or need to use Protected Data.

2.2 The Processor will ensure that its Processing of the Protected Data is in accordance with the Data Protection Laws.

2.3 The Controller will ensure that it has in place all necessary consents and notices to enable the Processor to be able to process the Protected Data in the manner envisaged by this Agreement.


3. DETAILS OF THE PROCESSING

3.1 The Processing to be carried out by the Processor under the Agreement shall comprise the processing set out in the Table (Data Processing Details) and such other processing as may be agreed by the parties in writing from time to time.

3.2 The Processing of the Protected Data by the Processor shall, unless otherwise specified by the Controller, continue for the period specified in this Agreement or (if no such period is specified) until the termination or expiry of this Agreement.


4. INSTRUCTIONS

4.1 Subject to paragraph 4.2 below, the Processor shall (and shall ensure that each person acting under its authority shall) only process the Protected Data: (a) as set out in this paragraph 4 and the Table (Data Processing Details), to the extent necessary to meet its obligations under this Agreement; and (b) in accordance with the Controller’s documented instructions as set out in this paragraph 4 and the Table (Data Processing Details), as updated from time to time by the written agreement of the parties (the “Processing Instructions”).

4.2 The Processor may process the Protected Data to the extent necessary to comply with any Applicable Law PROVIDED THAT where such requirement exists, the Processor shall (unless prohibited by the relevant Applicable Law from doing so on important grounds of public interest), notify the Controller of the required processing prior to undertaking the same. 

4.3 The Processor shall immediately inform the Controller in writing if, in the Processor’s reasonable opinion, a Processing Instruction infringes Data Protection Laws (providing details of the reasons for its opinion).


5. TECHNICAL & ORGANISATIONAL MEASURES

5.1 The Processor undertakes that it has in place and shall, at its own cost and expense, maintain in place, appropriate technical and organisational measures to ensure that any Processing of Personal Data meets the requirements of Data Protection Laws and ensures the protection of the rights of Data Subjects.

5.2 Without prejudice to the provisions of paragraph 5.1, the Processor shall (taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing to be undertaken by the Processor under this Agreement and the risk to the rights and freedoms of individuals), implement (at no cost to the Controller), appropriate technical and organisational measures to ensure in relation to the Protected Data, a level of security appropriate to the risk, including (as appropriate) the measures listed in Article 32(1) of the GDPR.


6. CONFIDENTIALITY

6.1 The parties agree that the Protected Data shall constitute confidential information for the purposes of this Agreement.

6.2 The Processor shall ensure that all personnel authorised by it to process the Protected Data are subject to contractual obligations to keep the Protected Data confidential.

6.3 The Processor shall ensure that access to the Protected Data is strictly limited to such persons who require access to it for the purposes of this Agreement.


7. DATA SUBJECT REQUESTS

7.1 Without prejudice to its obligations under paragraphs 5.1 and 5.2, the Processor shall (at no cost to the Controller):

(a) Implement such technical and organisational measures as may reasonably be practicable to assist the Controller to fulfil its obligations under the Data Protection Laws to respond to Data Subject Requests relating to the Protected Data;

(b) Refer any Data Subject Request relating to the Protected Data that is received by it to the Controller without undue delay (and in any event within [48 (forty eight)] hours of its receipt of such Data Subject Request);

(c) Keep a detailed record of all Data Subject Requests received by it relating to the Protected Data;

(d) Provide such information and assistance to the Controller in connection with any Data Subject Request relating to the Protected Data as the Controller may reasonably require (within such reasonable timescales as may be specified by the Controller); and

(e) Not directly respond to any Data Subject Request relating to the Protected Data without the Controller’s prior written consent.


8. SUB-PROCESSORS

8.1 The Processor shall not appoint any third party to process the Protected Data on its behalf without the Controller’s specific prior written consent.

8.2 In the event that the Controller consents to the appointment of any such third party, the Processor shall:

(a) Prior to engaging the relevant third party, carry out adequate due diligence to ensure that the third party in question is capable of providing the level of protection in respect of the Protected Data required by this Agreement;

(b) Be responsible for all acts and omissions of such third party; and

(c) Ensure that the arrangement between the relevant third party and the Processor is governed by a written contract including terms which offer at least the same level of protection for the Protected Data as those set out in this Agreement.


9. TRANSFERS OUTSIDE THE EEA

9.1 The Processor shall not transfer any of the Protected Data outside the European Economic Area unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:

(a) Either: (i) the transfer is to a country, territory, international organisation or sector which the European Commission has decided ensures an adequate level of data protection for Data Subjects; or (ii) the Controller has provided appropriate safeguards in relation to the transfer to the satisfaction of the Controller;

(b) The Data Subjects affected by such transfer will have enforceable rights and effective legal remedies in respect of their Personal Data in the relevant country, territory, international organisation or sector; and

(c) The Processor complies with its obligations under Data Protection Laws by providing an adequate level of protection to any Protected Data that is transferred.


10. ASSISTANCE TO BE PROVIDED BY THE PROCESSOR

10.1 Without prejudice to the provisions of paragraph 10, the Processor shall (at no cost to the Controller) in connection with its Processing of the Protected Data, provide such information, co-operation and other assistance to the Controller as the Controller may reasonably require to ensure its compliance with its obligations under Data Protection Laws relating to:

(a) The security of Processing;

(b) Data protection impact assessments (as such term is defined in the Data Protection Laws); including prior consultation with any Supervisory Authority regarding high risk Processing;

(c) Personal Data Breach notifications; and

(d) Any remedial action to be taken and/or notifications to be made in response to any Personal Data Breach.


11. PERSONAL DATA BREACHES & COMPLAINTS

11.1 The Processor shall promptly notify the Controller of any Personal Data Breach involving Protected Data that is in the Processor’s possession or under its control (such notification to be provided, at the latest, within [24 (twenty four)] hours of the Processor becoming aware of such Personal Data Breach).

11.2 Any notification of a Personal Data Breach provided to the Controller shall include sufficient information to enable the Controller to meet any obligations under Data Protection Laws relating to Personal Data Breaches (including to report Personal Data Breaches to Supervisory Authorities and/or Data Subjects).

11.3 The Processor shall not directly notify any Personal Data Breach involving the Protected Data to any Supervisory Authority or a Data Subject.

11.4 The Processor shall (at no cost to the Controller):

(a) Promptly notify the Controller of any Complaint received by the Processor (such notification to include full details of the relevant Complaint); and

(b) Provide to the Controller such further information and/or assistance in relation to the Complaint as the Controller may reasonably require, within such timescales as the Controller may reasonably specify (including information relating to steps taken by the Processor to tackle the cause of the Complaint).

11.5 Without prejudice to any other right or remedy available to the Controller, the Processor shall promptly resolve to the Controller’s reasonable satisfaction (at no cost to the Controller) any data protection or security issues relating to the Processor’s Processing of the Protected Data that the Controller may from time to time report to the Processor.


12. DELETION OR RETURN OF PERSONAL DATA

12.1 Unless storage of any Protected Data is required by Applicable Law (in which case the Processor shall inform the Controller of such requirement), the Processor shall promptly on termination or expiry of this Agreement, either (as required by the Controller) securely delete or securely return to the Controller all of the Protected Data (including all copies of the same).


13. RECORDS & AUDITS

13.1 The Processor shall (at its own cost and expense):

(a) Make available to the Controller such information as the Controller may reasonably require from time to time to demonstrate the Processor’s compliance with the Data Protection Laws and its obligations relating to the Processing of the Protected Data under this Agreement; and

(b) Permit and contribute to such audits by the Controller (or the Controller’s mandated auditors) relating to the Processor’s Processing of the Protected Data and/or its compliance with Data Protection Laws as the Controller may reasonably require from time to time.


14. PROCESSOR'S LIABILITY UNDER THE DATA PROTECTION LAWS

14.1 The Processor acknowledges that none of the above terms shall relieve it of its own direct responsibilities and liabilities under the Data Protection Laws.


DATA PROCESSING DETAILS:

Subject matter of the Processing:

Processing is solely in conjunction with the Processor's performance of its obligations under the Agreement.

Duration of the Processing:

Period of the Agreement.

Types of Personal Data:

Personal data will be provided to the Processor for the sole purpose of performing its obligations under this Agreement, which may include, but is not limited to: names; addresses; contact details; date of birth; nationality; passport details; dietary requirements; special requests.

Categories of Data Subjects:

Customers of the Travel Corporation Group.


DATA CONTROLLER TERMS AND CONDITIONS


1. DEFINITIONS

1.1 In these terms and conditions (the “Conditions”), the following words and expressions shall have the following meanings unless inconsistent with the context:

Agreed Purpose: Means the performance by each Party of its obligations under the Contract.

Contract: Means the contract that refers to these Conditions and requires compliance with them.

Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as set out in the UK Data Protection Legislation in force at the time.

Data Discloser: means a Party that discloses Shared Personal Data to the other Party.

Data Protection Legislation: means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a Party.

Parties: means the Parties to the Contract and “Party” shall mean either one of them.

Permitted Recipients: means the Parties to the Contract, the employees of each such Party and any third parties engaged to perform obligations in connection with the Contract.

Shared Personal Data: means the personal data to be shared between the Parties under Condition 2.1, which may include individuals’ names, addresses, contact details, dates of birth, nationality, passport details, dietary requirements and details of special requests.

UK Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.


2. DATA PROTECTION

2.1 Shared Personal Data. This Condition sets out the framework for the sharing of personal data between the Parties as controllers. Each Party acknowledges that one Party (referred to in this Condition as the Data Discloser) will regularly disclose to the other Party Shared Personal Data collected by the Data Discloser for the Agreed Purposes.

2.2 Effect of non-compliance with UK Data Protection Legislation. Each Party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate the Contract with immediate effect.

2.3 Particular obligations relating to data sharing. Each Party shall:

(a) ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;

(b) give full information to any data subject whose personal data may be processed under the Contract of the nature of such processing. This includes giving notice that, on the termination of the Contract, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;

(c) process the Shared Personal Data only for the Agreed Purposes;

(d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;

(e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by these Conditions and the Contract;

(f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other Party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;

(g) not transfer any personal data received from the Data Discloser outside the EEA unless the transferor:

(i) complies with the provisions of Article 26 of the GDPR (in the event the third party is a joint controller); and

(ii) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; or (ii) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (iii) binding corporate rules are in place; or (iv) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer.

2.4 Mutual assistance. Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:

(a) consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data;

(b) promptly inform the other Party about the receipt of any data subject access request;

(c) provide the other Party with reasonable assistance in complying with any data subject access request;

(d) not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other Party wherever possible;

(e) assist the other Party, at the cost of the other Party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;

(f) notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation;

(g) at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of the Contract unless required by law to store the personal data;

(h) use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;

(i) maintain complete and accurate records and information to demonstrate its compliance with this Condition 2.4 and allow for audits by the other Party or the other Party's designated auditor; and

(j) provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the Parties' compliance with the Data Protection Legislation.