Date of last update: 17.04.2022
This Annex to the PYNBOOKING Terms and Conditions provides the specific rules concerning the processing, by S.C. PYNBOOKING NET SRL in the role of Data Processor, of the personal data managed or collected by the Client, as Data Controller, according to EU Regulation 2016/679 (“GDPR”) as well as any subsequent national legislation applicable in the domain of personal data protection.
Art 1. Terms
The terms of the current Annex will be interpreted according to GDPR and, where applicable, the terms used will be understood following the definitions provided in art. 4 of GDPR.
Art 2. Processing objective
The object of the personal data processing is the processing of personal data by the Data Processor, managed or collected by the Data Controller for the purpose of providing the services selected by the Data Controller, as foreseen in the Terms and Conditions of PYNBOOKING.
Art 3. Collected data
The personal data provided by the Data Controller and processed according to this Annex are, as appropriate, according to the level of integration of the PYNBOOKING service:
1. Personal data of the Data Controller’s (Client’s) guests necessary for contracting, invoicing, legal obligations of the Data Controller or other legal basis identified by the Data Controller. These data (such as name, surname, identification data or other personal data needed for the purposes above) are collected directly or indirectly and processed via the PYNBOOKING services.
2. Traffic data, which may include technical data (such as IP address), are considered personal data of the visitors of the Data Controller’s websites or applications, if these applications or websites are created or managed by the PYNBOOKING services.
3. Credit card data of the guests, only if they are filled in by the Data Controller’s (Client’s) guests, only in the specific conditions established by the booking platform, integrated payment processor and/or bank.
4. Name, surname, email, phone number and other personal data of the Data Controller’s employees – as established by the Data Controller – used for accounts with different access rights to certain PYNBOOKING services or to be integrated in the information processed by certain PYNBOOKING services (e.g. invoicing).
Art.4 Categories of Data Subjects:
The categories of data subjects are:
• guests (clients) of the Data Controller
• visitors of websites and applications of the Data Controller
• employees of the Data Controller
Art. 5. Specific instructions
By the current Annex, the Data Controller empowers the Data Processor to:
1. Process personal data specified in article 3 for the purpose specified in art. 7, in the following ways:
• data introduced directly by Data Controller
• data added by the Data Controller from other parties, by integrating (through API) services from these parties with PYNBOOKING services (e.g. importing reservation bookings from other providers, online payments services, etc.)
• data collected directly or indirectly by PYNBOOKING, through its services, in the name of the Data Controller (e.g. by Booking Engine, Guest App or any other service directly accessible to the Data Controller’s guests).
2. Send processed personal data to other data processors of the Data Controller, by selecting data categories and by receiving the necessary access data for transferring the information to these providers where the Data Controller has an account;
3. Send email or SMS messages in the name of the Data Controller, for the specific service of email or SMS communications (if this service is being used by the Data Controller);
4. Display credit card data in the Data Controller’s account, only in the case when these data are completed by the Data Controller’s guests, in the specific conditions established by the booking reservation platform, integrated payment processor and/or bank, depending on each case.
Art. 6. Duration of processing
Personal data processing will be done in accordance with the Data Controller’s instructions, but the period cannot exceed the duration of the Terms and Conditions.
Art. 7 The nature and purpose of processing
The nature and purpose of processing are established by the Data Controller based on the Terms and Conditions, that is, the provision of PYNBOOKING services, depending on the package bought and/or used.
Art. 8 Secondary Data Processors
In case the Data Processor processes the data through other Data Processors recruited by it (hereinafter “Secondary Data Processors”), this operation has to respect the following principles:
8.1. According to this article the Data Controller agrees to authorize the Data Processor to process his data through the following secondary Data Processors:
⁃ Amazon (Ireland/USA) - for hosting and/or sending emails or SMS, if applicable.
⁃ DataTrans (Switzerland) – for hosting credit card data, if applicable.
8.2. For future Secondary Data Processors, the Data Processor gets a general authorization to subcontract any other Data Processor from the EU, EEA or a country with adequate protection acknowledged by a European Commission decision, that is necessary to provide some parts of the current data processing and ensures an adequate level of security, at least at the same level as the current contract. This authorization includes the obligation of informing the Data Controller, by a message in its account or by email. The Data Controller has the possibility to object within 2 working days and/or to withdraw from the contract according to art. 10 from the Terms and Conditions.
Art. 9. Rights and Obligations of the Data Controller
• right to receive information or to check, directly or through a mandated auditor, whether the Data Processor applies the proper technical and organizational measures, so that the processing abides by the GDPR policies and assures rights protection of the targeted persons; the verification will take place after a prior written notification, including via email, sent 14 days ahead of the actual verification, and after covering the estimated costs established by the Data Processor;
• right to be assisted by the Data Processor, especially in order to carry out his obligation to reply to requests regarding the specific rights of the targeted person, except if the data is already directly available in the PYNBOOKING account of the Data Controller;
• Right to object to secondary Data Processors by the Data Controller according to art. 8.2;
• To abide, on his own, by the regulations of GDPR in his duty as Data Controller, concerning personal data processing by the Data Processor, on his behalf;
• obligation to inform data subjects of the uses of personal data as required by GDPR, including about sharing their data with the Data Processor, if required (especially in the case of Booking Engine, Guest app or any other Service provided by PYNBOOKING and directly accessible to the Client’s guest);
• obligation to rely on a valid legal ground for the processing of personal data under GDPR or other applicable law;
• obligation to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with GDPR, including for securing the transfer of data from its data subjects or other parties to the Data Processor;
• Data Controller understands that from the moment of data deletion, after ending the service provision of the Data Processor, following GDPR and art 10 obligations of the current contract, the data can’t be recovered and it is the full responsibility of the Data Controller to ensure that they have made a complete copy of these data, before the contract ends;
• In any situation when the Data Controller must fulfill an obligation, such as informing the data subject on a data breach, the Data Processor can’t be held responsible for the inaction of the Data Controller regarding that obligation.
Art. 10. Rights and Obligations of the Data Processor:
• Obligation to inform the Data Controller, within 10 days if, according to the Data Processor, any instruction is an infringement on the GDPR and/or other legal provision concerning personal data processing;
• Obligation to notify Data Controller without undue delay after becoming aware of a personal data breach when the data is processed by the Data Processor;
• Obligation to assist Data Controller with all the necessary information in order to notify, if necessary, the competent data protection authority for data breaches, but without taking the place of the Data Controller in its obligations;
• Obligation to ensure respecting its obligations according to art. 32-36 from GDPR, if the Data Processors’ costs are covered accordingly;
• Obligation to assist Data Controller to fulfill Data Controller obligations to respond to data subjects’ requests to exercise their rights as provided under applicable law and to send any such request to the Data Controller, in maximum 5 days from the date of receiving this data. This obligation does not apply if the Data Controller already has, through the technical tools provided by the Data Processor, the possibility to directly solve the request of the data subject (e.g. access right, when the Data Controller already has all the information on what data is being collected);
• Obligation not to send personal data, or information that could be personal data, of which it takes note during the implementation of this contract;
• Obligation to ensure data confidentiality training of its own staff that is processing personal data;
• Obligation to include specific confidentiality contractual obligations to its employees and secondary data processors;
• Obligation to reveal certain personal data, when requested by specific public authority or court of law, or any other third party foreseen by specific legislation, based on a legal obligation or other specific condition foreseen in applicable legislation.
• The right to recruit secondary Data Processors according to art. 8 or when it has received an approval from the Data Controller
• The right to cover the costs generated by providing assistance to the Data Controller in the specific situations foreseen by GDPR according to art. 9, if these costs are over the monthly cost of the services provided to the Data Controller.
• The right to use statistical information containing only anonymized data, resulted from the services provided according to the current contract and/or the Data Processor’s services in general.
• Obligation to delete all personal data processed as Data Processor, after closure of services connected to the processing, within maximum 15 days from ending the contract between the two parties, except if the Data Controller imposes a shorter term in a written notification;
• Data Processor may not establish purposes or means of data processing, as these are established exclusively by the Data Controller.
Art.11 Security of data processing
The Data Processor must implement appropriate technical and organizational measures to ensure standard industry security measures appropriate to the risk. In assessing the appropriate level of security, Data Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Art.12 Liability
The Data Controller agrees to exempt the Data Processor of any liability for any damage caused by the following:
• Breach of contract due to events that exceed any liability of the Data Processor;
• Abidance by the Data Controller’s instructions or breach of the Data Controller’s instructions justified by notifications regarding its illegality;
• Lack or vitiation of agreement of targeted persons;
• Breach of contract due to any actions of the Data Controller.
Art.13 Responsibilities
Data Controller and the Data Processor will share their responsibilities on ensuring personal data protection (for example on confidentiality or security of personal data processing) depending on access and effective control on personal data, both from a legal and technical perspective.
Art.14 Entry into force and modification
This Annex will enter into force on 17 April 2022 and is valid until its modification by PYNBOOKING and informing the clients thereof. Using the PYNBOOKING account after receiving the information upon its modification means the acceptance of the present document.