(hereinafter referred to as "the client")
(hereinafter referred to as "MHS")
The client uses the services of MHS in order to sustainably increase its hotels' direct business.
In this context, the processing of personal data on behalf of the client therefore cannot be excluded.
Article 28 DSGVO requires the conclusion of a contract on commissioned data processing.
The lawfulness of such commissioned processing under Article 28 DSGVO requires the client to place an order with MHS. This contract constitutes that order and regulates the rights and obligations of both parties in connection with the data processing, as well as the resulting specific obligations with regard to data protection and data security. The client remains responsible for compliance with the provisions of the DSGVO and other data protection regulations and therefore retains sole authority over the data to be processed.
a) MHS processes personal data on behalf of the client within the meaning of Article 4 Number 8 and Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, DSGVO). This contract regulates the rights and obligations of both parties in connection with the processing of personal data.
b) Where the term "data processing" or "processing" (of data) is used in this contract, the definition of "processing" in Article 4 Number 2 DSGVO applies.
2. Object of the order
This agreement applies to all activities relating to the underlying order in which employees of MHS, or third parties contracted by MHS, come into contact with personal data of the client or data provided by the client. The client's order to MHS covers the work and/or services stated in attachment 1. The data to be processed, the nature and purpose of the processing, the type of personal data and the categories of data subjects are also listed in that attachment.
3. Obligations of MHS
a) MHS processes personal data solely within the scope of this agreement and/or in compliance with any additional instructions of the client.
Exceptions are legal provisions that may oblige MHS to process the data otherwise.
In such a case MHS will inform the client of the legal requirement before processing, unless the law in question prohibits such notification on grounds of important public interest. Otherwise the purpose, nature and scope of the data processing are governed by this contract and/or the client's instructions.
Any data processing deviating from this is prohibited to MHS unless the client has agreed to it in writing.
b) MHS is bound to carry out the data processing under this order solely in member states of the European Union (EU) or the European Economic Area (EEA).
c) MHS will immediately inform the client if, in its opinion, an instruction of the client violates legal provisions. MHS is entitled to suspend the execution of the instruction in question until the client confirms or changes it. If MHS can demonstrate that executing the client's instruction would expose MHS to liability under Article 82 DSGVO, MHS may withhold further processing until the question of liability between the parties has been clarified.
4. Reporting Obligation of MHS
a) MHS is obligated to inform the client of every violation of data protection provisions, of the contractual provisions and/or of the client's instructions that occurred in the course of the data processing by MHS itself or by persons it employs in the processing. The same applies to every breach of the protection of personal data that MHS processes on the client's behalf.
b) Furthermore, MHS will inform the client immediately if a supervisory authority takes action against MHS under Article 58 DSGVO and this may affect a review of the processing that MHS carries out on the client's behalf.
c) MHS is aware that the client has a reporting obligation under Articles 33 and 34 DSGVO, which includes notifying the supervisory authority within 72 hours of becoming aware of a breach.
MHS will support the client in fulfilling these reporting obligations. In particular, MHS will inform the client of every unauthorized access to personal data processed on the client's behalf immediately after becoming aware of it. MHS's report to the client must in particular contain the following information:
a. a description of the nature of the personal data breach, where possible stating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. a description of the measures taken or proposed by MHS to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5. MHS’s obligation to cooperate
a) MHS assists the client in its obligation to respond to requests for the exercise of data subjects' rights under Articles 12-23 DSGVO.
b) MHS assists with the creation of records of the client's processing activities.
c) MHS supports the client in fulfilling the obligations set out in Articles 32-36 DSGVO, taking into account the nature of the processing and the information available to MHS.
6. Powers of supervision
a) The client has the right to monitor, to the extent necessary, compliance with the legal provisions on data protection and/or with the contractual provisions agreed between the parties and/or with the client's instructions to MHS.
b) MHS is obligated to provide the client with information insofar as this is necessary to carry out an inspection under paragraph a).
c) The parties assume that an inspection will be necessary only once a year. The nature and procedure of the inspection are subject to individual agreement between MHS and the client. Additional inspections are to be paid for by the client.
d) MHS may choose to demonstrate compliance with the technical and organizational measures by presenting a suitable, current certificate, reports or report extracts from independent bodies (e.g. a data protection officer) or a suitable certification, provided the audit report enables the client to satisfy itself of compliance with the technical and organizational measures according to attachment 3 of this contract.
e) In the event of measures by the supervisory authority against the client under Article 58 DSGVO, in particular with regard to disclosure and inspection obligations, MHS is obligated to provide the client with the necessary information and to enable on-site inspections by the competent supervisory authority. The client is to be informed of this.
7. Subcontract conditions
a) MHS is authorized to engage the subcontractors listed in attachment 2 of this contract for processing data under this order. Replacing a subcontractor or commissioning additional subcontractors is permitted under the conditions set out in paragraph b).
b) MHS has to select subcontractors carefully and has to verify before commissioning that the subcontractor can comply with the conditions agreed between MHS and the client. In particular, before and regularly during the contractual period, MHS has to verify that the subcontractor has implemented the technical and organizational measures according to Article 32 DSGVO necessary for the protection of personal data. MHS will inform the client in writing of an intended change of subcontractor or a planned commissioning of a new subcontractor in good time, at the latest 4 weeks before the change or new commissioning ("Information"). The client has the right to object to the change or new commissioning in writing, stating its reasons, within three weeks of receiving the "Information". The client may withdraw the objection at any time in writing. In the event of an objection, MHS may terminate the contractual relationship with the client with at least 14 days' notice to the end of a calendar month; in setting the notice period MHS will take the client's interests into account. If the client does not object within three weeks of receiving the "Information", this counts as the client's consent to the change or new commissioning of the subcontractor in question. The "Information" will point out to the client the significance of its silence.
c) MHS is obligated to obtain confirmation from the subcontractor that it has appointed a data protection officer according to Article 37 DSGVO, provided the subcontractor is legally required to appoint one. If the subcontractor cannot appoint a data protection officer, it is obligated to use the data protection officer of MHS.
d) MHS has to ensure that the provisions agreed in this contract and the client's additional instructions also apply to the subcontractor.
e) MHS has to conclude a contract on commissioned data processing with the subcontractor that meets the requirements of Article 28 DSGVO. Furthermore, MHS has to impose on the subcontractor the same obligations for the protection of personal data as agreed between the client and MHS. On request, MHS has to provide the client with a copy of the contract on commissioned data processing with the subcontractor. Electronic transmission is admissible.
f) MHS is in particular obligated to ensure by contractual provisions that the inspection powers of the client and of the supervisory authority also extend to the subcontractor, and that corresponding inspection powers are agreed with the client and the supervisory authority. It must further be stipulated that the subcontractor has to accept inspection measures and possible on-site checks.
g) Services that MHS uses merely as ancillary services to carry out its business activities are not subcontracting relationships within the meaning of paragraphs a) to f). These include, for example, cleaning services, pure telecommunications services without direct reference to the services MHS provides for the client, postal and courier services, transport services and security services. MHS is nevertheless obligated to ensure that appropriate technical and organizational measures have been taken to secure the protection of personal data; this also applies to ancillary services rendered by third parties.
8. Confidentiality obligation
a) In the course of processing data for the client, MHS is obligated to maintain the confidentiality of the data it receives under this order or otherwise becomes aware of.
b) MHS has familiarized its employees with the data protection provisions relevant to them and has obligated them to confidentiality.
c) At the client's request, MHS has to provide evidence of the employees' obligation under paragraph b).
9. Protection of rights for individuals affected
a) The client alone is responsible for safeguarding the rights of data subjects. MHS is obligated to support the client in its obligation to process data subjects' requests under Articles 12-23 DSGVO. In particular, MHS has to ensure that the client immediately receives the information necessary to fulfil its obligations under Article 12 paragraph 3 DSGVO.
b) Insofar as the client requires MHS's participation in safeguarding the rights of data subjects, in particular with regard to information, rectification, blocking or erasure, MHS will take the appropriate measures according to the client's instructions. Where possible, MHS will support the client with suitable technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of data subjects' rights.
c) Provisions on possible compensation for additional efforts arising from MHS's cooperation with the client in connection with the exercise of data subjects' rights remain unaffected.
MHS's remuneration will be agreed separately.
11. Technical and organizational measures for data protection
a) MHS undertakes towards the client to comply with the technical and organizational measures necessary for compliance with the applicable data protection regulations, including those under Article 32 DSGVO.
b) The status of the technical and organizational measures at the time of conclusion of this contract is set out in attachment 3. The parties agree that modifications of the technical and organizational measures may become necessary to adapt to technical and legal developments.
Essential modifications that could impair the integrity, confidentiality or availability of personal data will be agreed in advance between MHS and the client.
Measures that merely entail minor technical or organizational modifications and do not impair the integrity, confidentiality or availability of personal data may be implemented by MHS without the client's approval. The client may request a current version of the technical and organizational measures chosen by MHS once a year or where there are reasonable grounds.
12. Duration of order
a) The contract begins upon approval and runs for the duration of the parties' existing main contract on the client's use of the services rendered by MHS.
b) The client may terminate the contract at any time without notice if MHS has seriously violated the applicable data protection regulations or its obligations under this contract, if MHS cannot or will not execute the client's instructions, or if MHS, contrary to this contract, refuses access to the client or the competent supervisory authority.
At the client's request, MHS has to return or delete, after termination of the contract, all documents, data and processing or usage results obtained or created in connection with the contractual relationship. The deletion has to be documented appropriately. Any statutory retention obligations or other obligations to retain the data remain unaffected.
14. Final clause
a) This agreement is governed by German law.
b) Ancillary agreements must be made in writing.
c) Should individual provisions of this contract be invalid, this does not affect the validity of the remaining provisions of the contract.
Leipzig, 24 May 2018
Managing director myhotelshop GmbH
By (re)confirming the terms and conditions, the client has electronically submitted its declaration of intent to conclude this contract.
Services of MHS
Scope, nature and purpose:
Creation of placements (selection, setup and optimization of campaigns), consulting and management (development of strategies in direct online marketing) and website services (stronger conversions and an improved booking experience).
Nature of data:
All data accumulated by MHS within the contractual relationship, especially concerning its business clients and their employees, in particular name, address, e-mail address, telephone number where necessary, and details required for contact and order fulfilment.
Categories of data subjects:
Employees of the contractual partner as well as the hotel's customers.
Use of supporting platforms, by MHS or by third parties in the subcontracting relationship, for the delivery of the agreed services:
The supporting platforms are businesses in their own right that have worked and acted in conformity with the DSGVO since 25 May 2018. MHS has to satisfy itself of this from the start of the collaboration between MHS and the supporting platforms/businesses. These businesses can be contacted separately by the client. The client also has the right, after stating a legitimate and justified reason, to request information about its personal data through MHS.
MHS currently engages the following subcontractors:
- easybill, easybill GmbH, Düsselstr. 21, 41564 Kaarst
- neue emotionale GbR, Agentur für digitales Marketing, Schlesische Straße 28, 10997 Berlin
- Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp
Technical and organizational measures of MHS
MHS takes the following technical and organizational measures for data protection according to Article 32 DSGVO:
a) Physical access control
Unauthorized persons are to be denied physical access to data processing systems with which personal data are processed or used:
Storage of data in a data center / on a server that is not publicly accessible:
- electronic access control system with logging
- documented issue of keys to employees
- guidelines for accompanying visitors in the company
- data center staffed during business hours and constant availability of the responsible persons
b) System access control
Use of the data processing systems by unauthorized persons is to be prevented:
- implemented through user account control; access to IT systems is only possible with username/password
- MHS itself issues initial passwords, which can be changed after the first login
c) Data access control
It is to be ensured that persons authorized to use a data processing system can access only the data covered by their access authorization, and that personal data cannot be read, copied, modified or erased without authorization during processing, use and after storage:
- an access rights concept under which each customer has access only to its own areas and data
- logging of all access in the log files of MHS and of third parties
- keeping access credentials secret, and any forwarding of them to employees, is the customer's responsibility
d) Separation control
It is to be ensured that data collected for different purposes can be processed separately:
- customer data are stored physically or logically separately
- data backups are likewise kept physically or logically separate
a) Data entry control
It is to be ensured that it can be subsequently checked and established whether and by whom personal data have been entered into, modified in or removed from data processing systems:
- the data are entered and managed by MHS itself
- MHS's access is logged, especially access to the customer's databases and systems that contain personal data
b) Data transfer control
It is to be ensured that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data media, and that it can be checked and established to which bodies a transfer of personal data by means of data transmission facilities is intended:
- employees are (newly) committed to data protection under the GDPR and/or §53 BDSG
- all data transfers to and from customer areas take place only over SSL/TLS-secured connections
- implementing means of transfer to external systems (data export) is the customer's responsibility
3. Availability and resilience
It is to be ensured that personal data are protected against accidental destruction or loss:
- customer data are regularly backed up, using redundant systems
- use of a reliable power supply
4. Procedures for regular review, assessment and evaluation
Employees are regularly trained and kept up to date on data protection policies and are familiar with all procedural instructions and user policies for data protection under the customer order, including the client's right to issue instructions. Every employee is therefore obligated, at the latest on the first day of employment, to sign a document confirming that he or she works under the data protection conditions of the GDPR. Without that signed document an employee does not get access to personal data.