1. This Data Processing Addendum (“Addendum”) forms part of the Guesty Software and Service
Agreement (“Principal Agreement”) between: (i) Guesty Inc. (“Vendor”) acting on its own
behalf and as agent for each Vendor affiliate; and (ii) the customer listed on the PrincipalAgreement (“Company”).
2. In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms
and conditions set out below shall be added as an Addendum to the Principal Agreement. Except
where the context requires otherwise, references in this Addendum to the Principal Agreement
are to the Principal Agreement as amended by, and including, this Addendum. Except as
modified below, the terms of the Principal Agreement shall remain in full force and effect.
3. Under the Principal Agreement the nature and purposes of processing Personal Data by the
Vendor as data processor shall be limited to those set forth in Schedule 1.
4. Definitions
4.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms
shall be construed accordingly:
4.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect
to any Company Personal Data in respect of which any Company is subject to EU
Data Protection Laws; and (b) any other applicable law with respect to any
Company Personal Data in respect of which any Company is subject to any other
Data Protection Laws;
4.1.2 “Company Personal Data” means any Personal Data Processed by Vendor on
behalf of a Company pursuant to or in connection with the Principal Agreement;
4.1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent
applicable, the data protection or privacy laws of any other country;
4.1.4 “EEA” means the European Economic Area;
4.1.5 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into
domestic legislation of each Member State and as amended, replaced or superseded
from time to time, including by the GDPR and laws implementing or supplementing
the GDPR;
4.1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
4.1.7 “Restricted Transfer” means:
4.1.7.1 a transfer of Company Personal Data from any Company to Vendor; or
4.1.7.2 an onward transfer of Company Personal Data from Vendor to a Subprocessor, or between two establishments of Vendor,
1.1.1 in each case, where such transfer would be prohibited by Data Protection Laws (or
by the terms of data transfer agreements put in place to address the data transfer
restrictions of Data Protection Laws) in the absence of the Standard Contractual
Clauses to be established under Section 16.1 below;
4.1.8 “Services” means the services and other activities to be supplied to or carried out
by or on behalf of Vendor for Company pursuant to the Principal Agreement;
4.1.9 “Standard Contractual Clauses” means the contractual clauses set out in
Schedule 2, amended as indicated (in square brackets and italics) in that Schedule;
4.1.10 “Sub-processor” means any person (including any third party and any Vendor
affiliate, but excluding an employee of Vendor or any of its sub-contractors)
appointed by or on behalf of Vendor to Process Personal Data on behalf of the
Company in connection with the Principal Agreement; and
4.1.11 “Vendor” means Vendor and any entity that owns or controls, is owned or
controlled by or is or under common control or ownership with Vendor, where
control is defined as the possession, directly or indirectly, of the power to direct or
cause the direction of the management and policies of an entity, whether through
ownership of voting securities, by contract or otherwise.
4.1.12 “Party”/”Parties” means the Company and the Vendor separately, or jointly, as
the case may be;
4.1.13 “Purpose” means as described in Schedule 1; and
4.1.14 “Supervisory Authority” means any court, regulatory agency or authority which,
according to Applicable Laws and/or regulations, supervises privacy issues and/or
the processing of personal data.
4.2 The terms, “commission”, “controller”, “data subject”, “member state”, “personal data”,
“personal data breach”, “processing”, “processor” and “supervisory authority” shall have
the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
5. Special undertakings of the Parties
5.1 Roles, ownership of personal data, processing and purpose
5.1.1 The Company shall be considered the controller of the personal data processed on
its behalf and in accordance with its instructions, which concerns its respective data
subjects. The Vendor shall be considered a processor of the personal data processed
on behalf of the Company.
5.1.2 The Vendor may only process the Company Personal Data for the Purpose and to
the extent it is necessary for the fulfilment of the Vendor’s obligations under this
Addendum or the Principal Agreement.
5.1.3 This Addendum shall apply to the actions of any of Vendor or Company’s affiliates
performing tasks and obligations in the context of this Addendum and any such
affiliates shall have all rights and obligations set forth in this Addendum as if they
were Vendor or Company, as applicable.
5.2 Special undertakings of the Company
5.2.1 The Company undertakes to:
(a) Ensure that there is a legal ground for processing the personal data covered by
this Addendum;
(b) Ensure that any disclosure or transfer of Company Personal Data to Vendor
confirms to the Applicable Laws.
(c) Inform the Vendor about any erroneous, rectified, updated or deleted personal
data subject to the Vendor’s processing; and
(d) Fully comply with any request of data subjects and with any data subject rights
under Applicable Laws.
(e) Provide the Vendor with documented instructions regarding the Vendor’s
processing of the personal data, as may be required from time to time.
5.3 Special undertakings of the Vendor
5.3.1 The Vendor undertakes to:
(a) Only process the Company Personal Data in accordance with Applicable
Laws and the Company documented instructions, including with regard to
transfers of personal data to a third country or an international organisation,
unless required to do so by Applicable Laws; in such a case, the Vendor shall
inform the Company of that legal requirement before processing the personal
data, unless such information is prohibited by the Applicable Laws on
important grounds of public interest;
(b) Taking into account the nature of the processing, implement appropriate
technical and organisational measures to reasonably ensure a level of security
appropriate to the risk and reasonably assist the Company by appropriate
technical and organisational measures, insofar as this is possible, for the
fulfilment of the controller’s obligation to respond to requests for exercising
the data subject’s rights or with respect to data breaches in Applicable Laws;
and
(c) Make available to the Company all information reasonably necessary to
demonstrate compliance with the obligations laid down in this Addendum.
6. Processing of Company Personal Data
6.1 The Company:
6.1.1 instructs Vendor (and authorises Vendor to instruct each Sub-processor) to:
6.1.1.1 process Company Personal Data; and
6.1.1.2 in particular, transfer Company Personal Data to any country or
territory,
as reasonably necessary for the provision of the Services and consistent with the
Principal Agreement; and
6.2 Schedule 1 to this Addendum sets out certain information regarding the Vendor’s processing of
the Company Personal Data. Company shall immediately inform Vendor of any required
amendments to Schedule 1 by written notice to Vendor, and the Parties shall negotiate in goodfaith the amendment of Schedule 1.
7. Confidentiality
1.3. Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor
of Vendor who may have access to the Company Personal Data, and to ensure that all such
individuals are subject to confidentiality undertakings or professional or statutory obligations
of confidentiality.
8. Data Security
8.1 Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of Processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data
implement appropriate technical and organizational measures to reasonably ensure a level of
security appropriate to that risk.
9. Sub-processing
9.1 Company authorises Vendor to appoint (and permit each Sub-processor appointed in accordance
with this Section 9 to appoint) Sub-processors in accordance with this Section 9 and any
restrictions in the Principal Agreement.
9.2 Vendor may continue to use those Sub-processors already engaged by Vendor as at the date of
this Addendum, as listed on the Vendor’s website, subject to Vendor meeting the obligations
set out in Section9.4.
9.3 Vendor shall give Company prior written notice of the appointment of any new Sub-processor.
If, within 7 days of receipt of that notice, Company notifies Vendor in writing of any objections
(on reasonable grounds) to the proposed appointment:
9.3.1 Vendor shall work with Company in good faith to make available a commercially
reasonable change in the provision of the Services which avoids the use of that
proposed Sub-processor; and
9.3.2 where such a change cannot be made within 30 days from Vendor’s receipt of
Company’s notice, the Company shall be responsible to find an alternative Subprocessor that accepts to provide services to Vendor under similar conditions than
the Sub-processors objected by Company. In the event such proposed alternative
Sub-processor is not accepted by Vendor, then Company may by written notice to
Vendor with immediate effect terminate the Principal Agreement to the extent that
it relates to the Services which require the use of the proposed Sub-processor.
9.4 With respect to each Sub-processor, Vendor shall:
9.4.1 ensure that the arrangement between the Vendor, and the Sub-processor, is
governed by a written contract including terms which offer at least the same level
of protection for Company Personal Data as those set out in this Addendum; and
9.4.2 if that arrangement involves a Restricted Transfer, ensure that the Standard
Contractual Clauses are at all relevant times incorporated into the agreement
between on the one Vendor and the Sub-processor.
9.5 Vendor shall ensure that each Sub-processor performs the obligations under this Addendum, as
they apply to processing of Company Personal Data carried out by that Sub-processor, as if it
were party to this Addendum in place of Vendor.
10. Data subject rights
10.1 Vendor shall:
10.1.1 promptly notify Company if Vendor receives a request from a data subject under
any Data Protection Law in respect of Company Personal Data; and
10.1.2 ensure that the Vendor does not respond to that request except on the documented
instructions of Company or as required by Applicable Laws to which the Vendor is
subject.
11. Personal Data Breach
11.1 Vendor shall notify Company without any delay but no later than within 48 hours in writing
upon Vendor or any Sub-processor becoming aware or has reasons to believe of a Personal Data
Breach affecting Company Personal Data, providing Company with reasonably sufficient
information to allow Company to meet its obligations to report or inform Data Subjects of the
Personal Data Breach under the Data Protection Laws.
11.2 Immediately following Vendor’s notification to Company of a Personal Data Breach, the Parties
shall coordinate with each other to investigate the breach. Vendor agrees to reasonably
cooperate with Company, at Company’s expense, in Company’s handling of the matter,
including, without limitation:
11.2.1 assisting with any investigation;
11.2.2 facilitating interviews with Vendor’s employees and others involved in the matter;
and
11.2.3 making available all reasonably necessary records, logs, files, data reporting and
other materials required to comply with applicable law, regulation, industry
standards or as otherwise reasonably required by Company.
11.3 Vendor agrees to assist Company in advising the Supervisory Authority and data subjects about
Personal Data Breach. It shall not, however, inform any third party of any Personal Data Breach
without first obtaining Company’s prior written consent, other than to inform a complainant (if
any) that the matter has been forwarded to Company, or if otherwise required under any
Applicable Law.
11.4 Company shall reimburse Vendor for actual reasonable costs incurred by Vendor in responding
to, and mitigating damages caused by any security incident or Personal Data Breach, including
all costs of notice and/or remediation.
12. Data Protection Impact Assessment and Prior Consultation
1.4 Vendor shall provide reasonable assistance to Company, at Company’s expense, with any data
protection impact assessments, and prior consultations with Supervising Authorities or other
competent data privacy authorities, in each case solely in relation to Processing of Company
Personal Data by, and taking into account the nature of the Processing and information available
to, the Vendor.
13. Cooperation and Coordination
13.1 Upon reasonable request by Company, Vendor shall as promptly and as reasonably practicable
provide Company with a written report containing information reasonably requested by
Company relating to: (i) any security event and Personal Data Breach; or (ii) actual or
reasonably suspected non-compliance with this Addendum. In addition, Vendor shall provide
Company with any documents reasonably requested by Company related to the foregoing,
including without limitation, any information security assessment and security control audit
reports.
14. Deletion or return of Company Personal Data
14.1 Subject to Section 14.2 Vendor shall promptly and in any event within fourteen (14) days of the
date of termination or expiration of any Services involving the Processing of Company Personal
Data (the “End Date”), or of the date of a written notice by Company, delete and procure the
deletion of all copies of those Company Personal Data.
14.2 Vendor may retain Company Personal Data to the extent required by Applicable Laws and only
to the extent and for such period as required by Applicable Laws and always provided that
Vendor shall ensure the confidentiality of all such Company Personal Data and shall ensure that
such Company Personal Data is only Processed as necessary for the purpose(s) specified in the
Applicable Laws requiring its storage and for no other purpose.
15. Audit rights
15.1 At the request of Company and on its expense, but not more than once per year, Vendor shall
conduct site audits of the information technology and information security controls for all
facilities used in complying with its obligations under this Addendum. Company shall treat such
audit reports as Vendor’s confidential information.
15.2 Company shall have the right to perform audits, not more than once per calendar year and upon
prior written notice of at least thirty (30) days to Vendor, of the Vendor’s processing of the
Company Personal Data in order to verify the Vendor’s, and any Sub-processor’s, compliance
with this Addendum. The audit shall be confined to processing documentation prepared by the
Vendor and logged and documented information regarding its information security measures,
and in any event will not entitle Company to conduct technological investigations on the
Vendor’s information systems.
15.3 Company shall make (and ensure that each of its mandated auditors makes) reasonable
endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or
disruption to the Vendor’s premises, equipment, personnel and business while its personnel are
on those premises in the course of such an audit or inspection.
15.4 If any Supervisory Authority: (i) contacts the Vendor with respect to its systems or any
processing of Company Personal Data carried out by the Vendor, (ii) conducts, or gives notice
of its intent to conduct, an inspection of the Vendor with respect to the processing of Company
Personal Data, or (iii) takes, or gives notice of its intent to take, any other regulatory action
alleging improper or inadequate practices with respect to any processing of Company Personal
Data carried out by the Vendor, then the Vendor shall immediately notify the Company and
shall subsequently supply the Company with all information pertinent thereto to the extent
permissible by law.
15.5 Company shall bear all costs for audits set out herein.
16. Restricted Transfers
16.1 In the event that the processing activities under this Addendum are considered Restricted
Transfer, the Company (as “data exporter”) and Vendor, (as “data importer”) hereby enter into
the Standard Contractual Clauses in respect of any Restricted Transfer from that Company to
Vendor.
16.2 Vendor warrants and represents that, before the commencement of any Restricted Transfer to a
Sub-processor, Vendor’s entry into the Standard Contractual Clauses under Section 16.1, as
agent for and on behalf of that Sub-processor will have been duly and effectively authorised (or
subsequently ratified) by that Sub-processor.
17. General Terms
1.5. Governing law and jurisdiction
17.1 Without prejudice to Mediation and Jurisdiction and Governing Law sections of the Standard
Contractual Clauses:
17.1.1 the Parties to this Addendum hereby submit to the choice of jurisdiction stipulated
in the Principal Agreement with respect to any disputes or claims howsoever arising
under this Addendum, including disputes regarding its existence, validity or
termination or the consequences of its nullity; and
17.1.2 this Addendum and all non-contractual or other obligations arising out of or in
connection with it are governed by the laws of the country or territory stipulated for
this purpose in the Principal Agreement.
1.6. Assignation of rights or obligations
17.2 Neither Party may assign its rights or obligations under this Addendum without the prior written
consent of the other Party.
1.7. Notices
17.3 All notices to a Party under this Addendum shall be in writing and sent to its address as set forth
at the beginning of this Addendum, or to such other address as such Party has provided the other
in writing for such purpose. Notices may be sent by post, courier, fax or email.
17.4 Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in
person or by courier, (ii) three (3) business days after the day when the notice was sent when
sent by post, and (iii) on the day when the receiver has manually confirmed that it is received
when sent per fax or email.
1.8. Term and termination
17.5 This Addendum shall enter into force on the date hereof. Unless terminated earlier (i) due to a
material breach of the terms of this Addendum, in which case this Addendum shall be terminated
with immediate effect if the other Party fails to cure such breach in a satisfactory manner within
fifteen (15) days after the other Party’s written demand thereof, or (ii) this Addendum shall
remain in force until the termination or expiration of the Principal Agreement, whereupon it
shall terminate automatically without further notice. The termination or expiration of this
Addendum shall immediately terminate any processing agreement entered into between Vendor
and any Sub-processor.
17.6 Either Party may terminate this Addendum by giving the other Party thirty (30) days written
notice.
1.9. Liability and indemnification
17.7 Each Party shall indemnify and hold the other Party harmless from and against all losses due to
claims from third parties including government/authority fines and penalties resulting from,
arising out of or relating to any breach by such first-mentioned Party of the this Addendum and
in the applicable Data Protection Laws.
17.8 Any loss suffered by a Party resulting from, arising out of or relating to a breach of this
Addendum by the other Party that is not due to claims from third parties under Section 17.7
shall be governed by the provisions regarding liability and limitation of liability in the Principal
Agreement.
SCHEDULE 1
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
1. THE PROJECT
Robinhurst Hospitality along with Guesty Platform is a software management platform for short-term and vacation rentals. Processing of personal
data is for the purpose of assisting property management companies, property owners and guests and
simplifying their managing their vacation.
2. DATA SUBJECTS
The personal data processed concern the following categories of data subjects:
Customers, employees, consumer customers and/or representatives of corporate customers and
suppliers.
3. CATEGORIES OF PERSONAL DATA
The personal data processed concern the following categories of personal data:
Name, gender, phone number, address, email address, company name and VAT number, personal
identification number, credit card information, device information, IP number, location tracking.
We may also collect feedback, comments and questions received from you in service-related
communication and activities, such as meetings, phone calls, documents, and emails. From our
websites, we may collect your IP-address and actions taken on the site.
4. PURPOSE OF THE PERSONAL DATA PROCESSING
We collect and use personal data mainly to perform direct sales and direct marketing for Controller
through its representatives and provide customer service, as well as other operational activities with
respect to the managed properties, on behalf of the Controller and upon Controller’s instructions.
5. PROCESSING OPERATIONS
The personal data processed will be subject to the following basic processing activities:
Send Controller marketing communications which it has requested, through Controller’s
representatives. These may include information about our products and services, events, activities, and
promotions of our associated partners’ products and services. Perform direct sales activities in cases
where legitimate and mutual interest is established.
Perform contractual obligations such as order confirmation, license details, invoice, reminders, and the
like. The contract may be with Guesty directly or with a Guesty partner.
Follow up on incoming requests (customer support, emails, chats, or phone calls).
6. DURATION OF PROCESSING
The personal data will be processed with the following duration:
We store personal data for as long as we find it necessary to fulfil the purpose for which the personal
data was collected, while also considering our need to answer your queries or resolve possible
problems, to comply with legal requirements under applicable laws, to attend to any legal
claims/complaints, and for safeguarding purposes
This means that we may retain your personal data for a reasonable period of time after your last
interaction with us. When the personal data that we have collected is no longer required, we will delete
it in a secure manner. We may process data for statistical purposes, but in such cases, data will be
anonymized.
7. SECURITY MEASURES
Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights and
freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement
appropriate technical and organizational measures to reasonably ensure a level of security appropriate
to that risk.