Appendix B to the Regulations of SmartHotel System - Partner

Personal data processing entrustment agreement

I. Introductory remarks

  1. As part of SmartHotel’s performance of the Agreement, the personal data of the Partner’s Employees or Associates, including Owners, Administrators and Users and End Users are processed, the sole controller of which is the Partner or an entity designated by the Partner. The Partner merely entrusts SmartHotel (in case the Partner is the controller of the Users’ personal data), pursuant to Article 28 of the General Data Protection Regulation of April 27, 2016. (hereinafter referred to as the “Regulation”) personal data sets (hereinafter referred to as the “Data Sets”) for processing, under the terms and for the purpose specified in the Agreement. SmartHotel undertakes to process the Data Sets entrusted to it only at the direction of the Partner in accordance with the Agreement, the Ordinance and other generally applicable laws that protect the rights of data subjects.
  2. SmartHotel declares that it applies security measures that meet the requirements of the Ordinance.
  3. Data shall be processed by SmartHotel only during the Term of the Agreement.

II. Purpose of data processing and scope

  1. The Data Collections will be processed by SmartHotel in order to perform its obligations under the Agreement, i.e., among others, the use of the SmartHotel System by the Partner, the correct operation of the SmartHotel System and to enable communication with the person using the Partner’s services and the remote confirmation of the reservation.
  2. The datasets will contain personal data of the Partner’s Employees or Associates, including Owners, Administrators and Users and End Users.
  3. The Data Collections entrusted under the Agreement shall include the following personal data: first name, last name, e-mail address, cell phone number, WhatsApp number, room number provided at the time of booking.

III. Method of processing personal data

  1. The Data Collections will be processed in digital form, i.e. within the framework of the use of the SmartHotel System.
  2. The processing of the Data Collections will consist of performing operations such as: collecting, recording, storing, developing, changing, sharing.

IV. SmartHotel's obligations

  1. SmartHotel undertakes to perform the Agreement with the utmost diligence to technically safeguard the interests of the Partner or the entity that is the controller of the personal data of the Partner’s Employees or Associates, including Owners, Administrators and Users, and End Users with respect to the processing of Datasets.
  2. SmartHotel undertakes to exercise due diligence in processing the entrusted Datasets.
  3. SmartHotel undertakes, in processing the entrusted Data Collections, to secure them by applying appropriate technical and organizational measures ensuring an adequate degree of security corresponding to the risks associated with the processing of the Data Collections, as referred to in Article 32 of the Ordinance.
  4. SmartHotel undertakes to grant formal authorizations to process personal data, to the extent that SmartHotel itself is authorized under the Agreement to process the Data Collections, to all persons who will process the entrusted Data Collections in order to perform the Agreement.
  5. SmartHotel undertakes to ensure that the confidentiality (as referred to in Article 28(3)(b) of the Ordinance) of the processed Data Collections is maintained by the persons it authorizes to process the Data Collections for the performance of the Agreement, both during their employment with SmartHotel and after termination of their employment.
  6. Subject to the Partner’s decision in this regard, within 14 business days from the date of termination of the Agreement, the Processor shall be obliged to delete or return any Personal Data entrusted to it and delete any existing copies thereof, unless applicable law prescribes the retention of such Personal Data.
  7. To the extent possible, SmartHotel shall assist the Partner or the entity that is the controller of Users’ personal data to the extent necessary to comply with the obligation to respond to the requests of the data subject and to comply with the obligations set forth in Articles 32-36 of the Ordinance.
  8. SmartHotel, upon discovery of a violation of personal data protection, shall, without undue delay, report it to the Partner or the entity that is the controller of the personal data of the Partner’s Employees or Associates, including Owners, Administrators and Users, and End Users, no later than within 1 business day of the occurrence of the violation.
  9. SmartHotel declares that the system in which the data will be processed will, at a minimum, meet the requirements set forth in Article 32 of the Ordinance, including but not limited to: pseudonymization and encryption of personal data; the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services; the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident; and the regular testing, measurement and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
  10. SmartHotel shall be responsible for the culpable provision or use of Personal Data contrary to the content of the Agreement, and in particular for providing access to Data Sets entrusted for processing to unauthorized persons.
  11. SmartHotel agrees to promptly inform the Partner or the entity that is the controller of the personal data of the Partner’s Employees or Associates, including Owners, Administrators and Users, and End Users of any proceeding, especially administrative or judicial, concerning the processing by SmartHotel of the Datasets specified in the Agreement, of any administrative decision or ruling concerning the processing of such Data Sets directed to SmartHotel, as well as of any planned, if known, or ongoing checks and inspections concerning SmartHotel’s processing of such Data Sets, in particular by inspectors authorized by the President of the Office for Personal Data Protection. This paragraph applies only to Datasets entrusted to SmartHotel by the Partner or the entity that is the controller of the personal data of Guests.
  12. SmartHotel shall be obliged to provide the Partner with all information necessary to demonstrate compliance with the data protection obligations imposed on the Partner or the entity that is the controller of the personal data of the Partner’s Employees or Associates, including Owners, Administrators and Users and End Users by the provisions of the Regulation. The Partner may request access to the information referred to in the preceding sentence no more than twice a year within 7 days of such request.

V. Further entrustment of data processing

  1. Any further entrustment by SmartHotel to a subcontractor for the processing of Personal Data originating from the Partner or the entity that is the controller of the Personal Data of the Partner’s Employees or Associates, including Owners, Administrators and Users and End Users, requires: obtaining the consent of the Partner/Personal Data Administrator to entrust the Datasets for processing to a specific entity and concluding an agreement on entrusting the processing of the Datasets between SmartHotel and the subcontractor with the content approved by the Partner/Personal Data Administrator, or concluding an agreement on entrusting the processing of the Datasets by the Partner/Personal Data Administrator directly with the subcontractor.
  2. The transfer of entrusted Data Collections to a third country may only take place at the written direction of the Partner, unless such obligation is imposed on SmartHotel by EU law or the law of a Member State to which SmartHotel is subject. In this case, SmartHotel shall inform the Partner/Personal Data Controller of this legal obligation prior to the start of processing, unless such law prohibits the provision of such information due to important public interest.
  3. The subcontractor referred to above shall comply with the same guarantees and obligations imposed on SmartHotel in the Agreement.
  4.