GDPR Addendum
General Data Protection Regulation
Data Protection Addendum
This Data Protection Addendum (“Addendum”) supplements the Master Services Agreement (“MSA”) entered into between Global Travel Solutions Group, Inc. (“GTSG”) and the customer identified under the applicable MSA, to whom such services are provided (“Customer”).
The parties wish to include a provision for the requirements of the General Data Protection Regulation (GDPR) in the Agreement. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an addendum to the MSA.
The terms set out in this Addendum will retroactively take effect from May 25, 2018 and in the event of a conflict between this Addendum and the MSA, the terms of this Addendum shall supersede the MSA.
1. DEFINITIONS
Appropriate Safeguards
means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
Data Controller
has the meaning given in applicable Data Protection Laws from time to time.
Data Processor
has the meaning given in applicable Data Protection Laws from time to time.
Data Protection Laws
means, as binding on either party or the services provided under the MSA:
the GDPR;
any laws which implement any such law; and
any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
Data Subject
has the meaning given in applicable Data Protection Laws from time to time.
GDPR
means the General Data Protection Regulation (EU) 2016/679.
Personal Data
has the meaning given in applicable Data Protection Laws from time to time.
2. DATA PROTECTION
2.1 Both parties will comply with all applicable requirements of the Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
2.2 The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Data Controller and GTSG is the Data Processor. Schedule 1 sets out the scope, nature and purpose of processing by GTSG, the duration of the processing and the types of Personal Data and categories of Data Subject.
2.3 Without prejudice to the generality of clause 2.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to GTSG for the duration and purposes of this Addendum. The Customer shall ensure all instructions given by it to GTSG in respect of Personal Data shall at all times be in accordance with Data Protection Laws.
2.4 Without prejudice to the generality of clause 2.1, GTSG shall, in relation to any Personal Data processed in connection with the performance by GTSG of its obligations under the MSA:
process that Personal Data only on the written instructions of the Customer unless GTSG is required by law to process that Personal Data;
immediately inform the Customer if GTSG is requested to take any action which may infringe the GDPR or other data protection laws of the EU or a member state;
ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected;
ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
notify the Customer without undue delay on becoming aware of a Personal Data breach;
at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the MSA unless required by Data Protection Laws to store the Personal Data;
maintain complete and accurate records and information to demonstrate its compliance with the Data Protection Laws and to assist with any further information required to ensure that both parties meet their obligations under Article 28 of the GDPR; and
permit audits by the Customer or the Customer's designated auditor, subject to a maximum of one audit request in any 12-month period.
2.5 The Customer acknowledges that GTSG’s processing facilities are based in the United States of America and other countries. The Customer agrees that GTSG may transfer and process Personal Data anywhere in the world where GTSG or its sub-processors maintain data processing operations. The Customer agrees that GTSG may transfer Personal Data outside of the European Economic Area (EEA) or Switzerland, provided all transfers by GTSG of Personal Data outside of the EEA or Switzerland (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws.
2.6 The Customer consents to GTSG appointing sub-processor(s) as third-party processors of Personal Data under the Agreement, and provides a general authorization for GTSG to appoint further sub-processors. GTSG confirms that it has entered or (as the case may be) will enter into a written agreement with such third-party processors incorporating terms which are substantially similar to those set out in this clause 2. As between the Customer and GTSG, GTSG shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 2.6.
2.7 The Customer shall indemnify and keep indemnified GTSG against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to data subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Customer of its obligations under this Addendum.
2.8 GTSG may, at any time on not less than 30 days’ notice, revise this Addendum by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Addendum).
2.9 The Customer hereby represents and warrants that the person accepting this Addendum by clicking “I agree” or signing below (or through whichever other means) is authorized to (i) execute agreements on behalf of the Customer, and (ii) bind the Customer to the terms of this Addendum. The acceptance of this Addendum by whichever means, electronic or otherwise, demonstrates the intent of the parties to be bound hereby.
2.10 The parties each acknowledge and agree that (i) this Addendum is intended as an amendment to the MSA between the parties pursuant to which GTSG provides services to the Customer, and (ii) the parties intend for this Addendum to be binding. This Addendum, regardless of how accepted by the parties, is equivalent to and shall have the same effect as a written agreement executed by each of the parties.
Schedule 1
Processing, Personal Data and Data Subjects
1. Processing of Personal Data by GTSG under the MSA shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subject set out in this Schedule 1.
1. Processing by GTSG
1.1 Subject-matter of processing
The subject matter of the data processing under this Addendum is the Customer Personal Data processed by GTSG pursuant to the services provided to the Customer under the MSA.
1.2 Nature and purpose of processing
GTSG will process Personal Data for the purposes of providing the services to the Customer in accordance with the MSA.
1.3 Duration of the processing
The duration of the processing under the MSA is determined by the Customer and as set forth in the MSA.
2. Types of personal data
Personal Data relating to individuals processed by GTSG in order to provide services under the MSA, including that of the Customer’s personnel and customers, including but not limited to the following:
First and last name
Email address
Telephone number
Address
Location data
Online identifier
IP address
Device details
Cookie data
3. Categories of data subject
Visitors to the Customer’s website, provided by GTSG as a part of the services, and customers of the Customer who are “EU data subjects” as defined herein and whose data is processed by GTSG.
Personnel of the Customer.
Updated June 10, 2022