DATA PROCESSING AGREEMENT
This Annex sets forth the Data Processing Agreement regarding the processing of personal data (the “Data Processing Agreement” or the “Agreement”), the purpose of which is to determine, in a transparent manner and by mutual agreement, the respective responsibilities of the parties for compliance with data protection obligations, taking into account the activities carried out under the main Contract by which RESTAURANT BOOKING & DISTRIBUTION SERVICES SLU (hereinafter, “CoverManager”), hereinafter, the “Processor” or “Data Processor”, will provide certain services (the “Services”) that will involve access to personal data for which the Client, hereinafter, the “Controller” or “Data Controller”, is responsible.
Therefore, in compliance with the obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, “LOPDGDD”), the Parties agree to the conclusion and signing of this Data Processing Agreement, which shall be governed by the provisions of Article 28 of the GDPR, and by the following:
CLAUSES:
FIRST.- SUBJECT-MATTER
The subject-matter of this document is to establish the conditions under which CoverManager will process the personal data to which it has access as a consequence of the performance of the main contract to which this Agreement is attached (hereinafter, the Main Contract).
In accordance with the provisions of the Main Contract, CoverManager will have access to personal data for which the Client is the Data Controller.
The following categories of data shall be processed exclusively:
- First name and surname
- E-mail address
- Telephone number
- Reservation data provided by the Client’s users
The data subjects shall be:
- Those natural persons who make reservations, place orders, or who are otherwise customers of the Client
Specification of the processing to be carried out:
- COLLECTION.
- RECORDING.
- ALTERATION.
- STORAGE.
- CONSULTATION.
- RESTRICTION.
- ERASURE.
- DESTRUCTION.
SECOND.- DURATION
This Agreement shall enter into force on the date of the signing of the Main Contract and its duration shall be linked to the validity and duration of said Main Contract.
The data shall be processed for the duration of the contractual relationship with that legitimate basis and, once it has ended, the Processor shall delete, and/or return to the Controller, and/or return to another processor designated by the Controller, the personal data and delete any copy in its possession. This is with the exception of any data that must be kept blocked until the extinction of any legal liability that may have arisen from the contractual relationship between the parties.
THIRD.- OBLIGATIONS OF THE CONTROLLER
It is the responsibility of the Controller, in addition to complying with all obligations attributed to it throughout this Data Processing Agreement, to carry out the following tasks:
a. To comply with all necessary technical and organisational measures to ensure the security of the processing, the premises, equipment, systems, programs, and persons involved in the processing of the personal data referred to, as stipulated in the regulations in force and applicable at all times.
b. To deliver or make accessible to the Processor the data detailed in the first clause of this document, as well as the necessary instructions to carry out the processing of the data.
c. To respond to the rights of the individuals affected by the processing, such as the rights of access, rectification, erasure and opposition, restriction of processing, data portability and not to be subject to automated individual decision-making, in collaboration with the Processor.
d. To carry out, where appropriate, a data protection impact assessment of the processing operations to be performed by the Processor.
e. To ensure, prior to and during the processing, compliance with the applicable data protection regulations by the Processor.
f. To supervise the processing, including carrying out inspections and audits.
g. To communicate to the Processor any variation that occurs in the personal data provided, so that it may be updated.
h. To guarantee that the data submitted for processing as a consequence of the provision of the Services have been, are and will be collected and processed by the Controller in accordance with the obligations stipulated by the GDPR, taking into particular account the need for a legal basis to legitimise the processing, as indicated in Article 6 of the GDPR. In the event that the legal basis for the processing is the consent of the data subject, the Controller undertakes to collect it in compliance with all the requirements established in Art. 7 GDPR.
i. To guarantee that it has complied with the duty to provide all information to the data subjects at the time of collection of the data being processed, in compliance with the provisions of Art. 13 and 14 of the GDPR, as appropriate.
FOURTH.- OBLIGATIONS OF THE PROCESSOR
The Processor, in relation to the personal data to which it has access as a consequence of the Main Contract, undertakes to:
a. Use the personal data subject to processing, or that which it collects for inclusion, only for the purpose of this commission. Under no circumstances may it use the data for its own purposes.
b. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
c. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality. Compliance with this obligation must be documented by the Processor and made available to the Controller.
d. Take all necessary security measures in accordance with the provisions of the GDPR.
e. Keep, in writing, a record of all categories of processing activities carried out on behalf of the Controller, which shall contain all the provisions of Article 30 of the GDPR.
f. Maintain confidentiality and secrecy regarding the personal data to which it has access for the purpose of providing the Services.
g. Not disclose personal data to third parties unless it has the express authorisation of the Controller, and in legally permissible cases.
h. The Processor may communicate the data to other processors of the same controller, in accordance with the latter’s instructions. In this case, the Controller shall identify, in advance and in writing, the entity to which the data are to be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication.
i. Provide the Controller with the necessary information to demonstrate compliance with the obligations established in this Data Processing Agreement.
j. Provide such assistance as may be required by the Controller for the carrying out of audits or inspections, conducted by the Controller or by another auditor authorised by the Controller. Audits may be carried out periodically, on a planned or “ad hoc” basis, upon notification to the Processor with a reasonable notice period, during the Processor’s normal working hours.
k. Appoint a data protection officer (“DPO”) or, if his or her appointment is not mandatory, a person responsible for data protection. The contact details of this person shall be provided to the Controller.
l. Collaborate in the fulfilment of the Controller’s obligations, and offer support to the same, where appropriate and so requested by the Controller, in: (i) carrying out data protection impact assessments regarding the personal data to which it has access; (ii) consulting the supervisory authority, where a prior consultation is required.
m. Destination of the Data: at the end of the Main Contract, the Processor must return the personal data to the Controller or destroy them, at the latter’s choice. In the absence of express instructions, the personal data will be destroyed within thirty (30) days from the end of the Main Contract. However, the Processor may keep a copy of the data duly blocked, as long as liabilities may arise from the execution of the provision of the Services.
n. Notification of data security breaches. The Processor shall notify the Controller, without undue delay, and in any case before the maximum period of 72 hours, through the contact person indicated for this purpose by the Controller, of any incident relating to data protection, within its area of responsibility. Among others, it must inform the Controller of any processing that may be considered unlawful or unauthorised, any loss, destruction or damage to the data and any incident considered a data security breach. The notification must be accompanied by all relevant information for the documentation and communication of the incident to the relevant authorities or affected data subjects. The Processor shall additionally assist the Controller in relation to the notification obligations in accordance with the GDPR (in particular, arts. 33 and 34 of the GDPR) and any other applicable present or future regulation that modifies or complements these obligations.
o. Exercise of rights: when the data subjects exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability and not to be subject to automated individual decision-making, to the Processor, the Processor shall communicate this by e-mail through the contact person indicated for this purpose by the Controller. The communication must be made within a maximum period of 7 days in order to be dealt with within the established legal time limits, and in no case later than the working day following receipt of the request, and shall be submitted to the Controller together with all information that may be relevant for its resolution.
p. Security measures: in relation to technical and organisational security measures, the Processor shall implement mechanisms to:
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Regularly test, assess and evaluate the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
- Pseudonymise and encrypt personal data, where appropriate.
In particular, the Parties have agreed on a list of measures to be implemented by the Processor, as set out below:
- Robust password encryption: The SHA-256 algorithm is used to encrypt passwords, protecting them against unauthorised access and security breaches.
- Secure communication protocols: TLS 1.3 and TLS 1.2 are implemented to encrypt information, discarding previous protocols.
- Brute-force protection: IP addresses are automatically blocked after multiple failed login attempts to prevent unauthorised access.
- Web Application Firewall (WAF): Acts as a security barrier that blocks malicious traffic and protects the web application against common attacks.
- Logging and monitoring: New Relic and a dedicated database are used to log accesses, actions and errors, allowing for analysis and early detection of security issues.
FIFTH.- DATA DISCLOSURE AND SUB-PROCESSING
The Controller grants a general authorisation for the Processor to sub-contract part of the Services with third-party entities or sub-contractors (the “Sub-processor”).
The Processor shall inform the Controller of the processing it intends to sub-contract, clearly and unequivocally identifying the sub-contracting company and its contact details. The sub-contracting may be carried out if the Controller does not object within a period of fifteen (15) days.
The Processor shall exercise due diligence in selecting only those sub-processors that provide sufficient guarantees to implement appropriate technical and organisational measures, in such a way that the sub-contracted processing complies with the requirements of the GDPR and the protection of the rights of the data subjects is guaranteed.
The Sub-processor, who shall also have the status of a processor, shall be equally obliged to comply with the obligations imposed on the Processor and the instructions issued by the Controller, as set forth in this Data Processing Agreement. It is the responsibility of the Processor to regulate the new relationship in a contract signed by the Processor and the Sub-processor, so that the Sub-processor is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements as the initial Processor, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the Sub-processor, the Processor shall remain fully liable to the Controller with regard to the fulfilment of the obligations included in this Data Processing Agreement.
In accordance with the aforementioned authorisation, the Processor uses the following sub-processors for the data processing regulated in this agreement: See Appendix I.
SIXTH.- INTERNATIONAL TRANSFERS
The Processor shall not carry out international transfers of personal data to which it has access, and for which the Controller is responsible, unless it has prior authorisation from the Controller or such transfers are made in accordance with Articles 45, 46, or 47 of the GDPR.
SEVENTH.- LIABILITY
The Processor shall be considered a controller if it uses the data subject to this Data Processing Agreement for other purposes, discloses them, or uses them in breach of the stipulations of this Data Processing Agreement, being liable for the infringements it has personally committed.
EIGHTH.- BREACH
In the event that either party breaches any of the clauses of this annex and/or the applicable personal data protection legislation, it shall be liable before the Data Protection Agency for any infringements that may have been committed.
NINTH.- NOTICES
For the purposes of notices and requests, the parties designate as their addresses those set forth in the Main Contract. Any change of address by one of the parties must be notified to the other party immediately and by a means that guarantees receipt of the message. For electronic communications, those sent to the email addresses regularly used between the parties shall be valid.
APPENDIX I: SUB-PROCESSORS
In accordance with the provisions of Article 28 of the GDPR, CoverManager uses a series of providers to be able to provide its services, it being necessary for them to have access to the personal data of the Client’s users, for which the Client is the Controller.
Said providers shall be subject to the same conditions, obligations, and security measures as CoverManager with respect to the Controller.
By virtue of the foregoing, the Client maintains the status of Controller, CoverManager is the Processor, and the Provider acts as a Sub-processor. Consequently, CoverManager shall follow the instructions, regarding the processing, issued by the Controller. In turn, and based exclusively on such instructions, CoverManager shall provide them to the Sub-processors.
The providers that act as Sub-processors based on the foregoing are as follows:
| Sub-processor | Privacy Policy | Function | International transfers and safeguards |
| --- | --- | --- | --- |
| DoiT International Multi-Cloud Espana S.L (DoiT International Ltd) | https://www.doit.com/wp-content/uploads/2025/04/240719-customer-dpa-.pdf | Servers for software hosting | Yes. Israel. Standard Contractual Clauses |
| Twilio Inc | https://www.twilio.com/en-us/legal/privacy | Transactional email sending; call connection service | Yes. United States. Data Privacy Framework |
| NET REAL SOLUTIONS, S.L.U. | https://www.360nrs.com/aviso-legal/privacidad | Sending SMS to the Client’s customers | No |
| Aviva Voice System and Services, S.L. | https://www.avivavoice.com/aviso-legal.php#privacidad | Sending SMS to the Client’s customers | No |
| Link Mobility Spain, S.L. | https://www.linkmobility.com/es/legal/privacidad | Sending SMS to the Client’s customers | No |
| IT DIGITAL POMELO, S.R.L. | https://whocalls.info/privacy-policy/ | Incoming call identification | No |