DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) sets out the additional terms, requirements and conditions on which we will process Personal Data when providing services under the Terms of Service, which you have already accepted (and are available here: https://www.traveltek.com/uk/terms-of-service/).
1. Definitions and Interpretation
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
EEA: the European Economic Area.
1.2 This Addendum is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Addendum.
1.3 In the case of any conflict or ambiguity between any provisions of this Addendum and the provisions of the Terms of Service, the provisions of this Addendum will prevail.
1.4 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Addendum is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
1.5 The parties acknowledge that for the purposes of the Data Protection Legislation, you are the Controller and we are the Processor.
1.6 You warrant that you have and shall obtain all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to us for the duration and purposes of this Addendum.
1.7 We shall, in relation to any Personal Data processed in connection with the performance by us of our obligations under this Addendum:
- process that Personal Data on the documented written instructions of you unless we are required by applicable law to otherwise process that Personal Data, in which case, we shall notify you of this before performing the processing to the extent legally permissible;
- ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
- not transfer any Personal Data outside of the United Kingdom or EEA unless your prior written consent has been obtained and the following conditions are fulfilled:
  - you or we have provided appropriate safeguards in relation to the transfer;
  - the data subject has enforceable rights and effective legal remedies;
  - we comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
  - we comply with reasonable instructions notified to us in advance by you with respect to the processing of the Personal Data;
- assist you, at your cost, in responding to any request from a Data Subject and in ensuring compliance with your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify you without undue delay on becoming aware of a Personal Data Breach;
- at the written direction of you, delete or return Personal Data and copies thereof to you on termination of the Terms of Service unless required by applicable law to store the Personal Data; and
- maintain complete and accurate records and information to demonstrate our compliance with this
1.8 You consent to us appointing Amazon Web Services (AWS) as a third-party processor of Personal Data under this Addendum. We confirm that we have entered into or (as the case may be) will enter into written agreements with any third party processors (including those detailed in this clause) which will reflect and will continue to reflect the requirements of the Data Protection Legislation. As between you and us, we shall remain liable for the acts or omissions of any third-party processor appointed by us pursuant to this Addendum.
1.9 You and we acknowledge that the nature, purpose and duration of the processing activities to be carried out under the Terms of Service, and the type of personal data and data subjects concerned, shall be as stated in, or reasonably inferred from, the terms of the Terms of Service.