Data Processing Agreement in Accordance with Article 28 GDPR
Version 131221, Last updated: December 13th, 2021
1 Subject Matter of Data Processing Agreement
1.1 The subject matter of this agreement is set forth in the agreement on the making available of the Laya Travel Package Management Service as concluded between Laya Technologies GmbH (“Laya”) and the customer („Main Agreement“). This Agreement on Data Processing („Data Processing Agreement“) specifies the parties’ duties regarding data protection laws and applies to all services which relate to the commissioned data processing and where Laya or its personnel may get in contact with personal data, which are provided to Laya by the customer.
1.2 The type of processed data and categories of data subjects, and the nature and purpose of processing of personal data by Laya on behalf of the customer and the categories of data subjects are defined in Appendix 1.
1.3 Unless provided otherwise in this Data Processing Agreement any data processing owed under this Data Processing Agreement shall take place in Germany or in a member state of the European Union (EU) or another member state of the European Economic Area (EEA). Any processing in a third country is subject to the specific requirements set forth in Art. 44 et seqq. GDPR.
2 Technical and Organizational Measures
2.1 Laya shall establish measures in accordance with Article 28 (3) c, and Article 32 GDPR, in particular in conjunction with Article 5 GDPR. The measures to be taken are measures of data security and measures that guarantee an appropriate data protection level taking account of risks for confidentiality, integrity, availability and resilience of systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The measures taken by Laya are specified in Appendix 2.
2.2 The technical and organizational measures are subject to technical progress and further development. In this respect, Laya may implement alternative adequate measures. However, the security level of the defined measures shall not be reduced. Substantial changes must be documented.
2.3 Laya regularly controls the internal processes as well as the technical and organizational measures in order to ensure the protection of the rights of data subjects and that Laya will continuously process data in accordance with all applicable data protection laws.
3 Rectification, Restriction and Erasure of Data; Rights of Data Subjects
3.1 Laya may not on its own authority modify or delete the data that is being processed on behalf of the customer, or restrict the processing of such data, but only on documented instructions from the customer. In the event that a data subject contacts Laya directly concerning a modification or deletion of data, or restriction of processing, Laya shall immediately forward the data subject’s request to the customer.
3.2 To the extent included in the scope of services, the data deletion policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Laya in accordance with documented instructions from the customer. Laya may request payment of fees for assistance which is not owed under the Main Agreement.
4 Quality Assurance and Other Duties of Laya
4.1 Laya entrusts only such employees with the data processing outlined in this Data Processing Agreement who have been bound to confidentiality. Unless required by law to process the data, Laya shall not process the data except as on instructions from the customer, which includes the processing allowed under this Data Processing Agreement and the Main Agreement. The customer shall immediately confirm oral instructions (at the minimum in text form). Laya shall inform the customer immediately if Laya considers that an instruction violates data protection laws. Laya shall then be entitled to suspend the execution of the relevant instructions until the customer confirms or changes them.
4.2 Laya shall assist the customer in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as stipulated in Articles 32 through 36 GDPR. These include: 4.2.1 The obligation to report a personal data breach immediately to the customer, 4.2.2 The obligation to assist the customer with regard to the customer’s obligation to provide information to the data subject and to immediately provide the customer with all relevant information in this regard. 4.2.3 Supporting the customer with its data protection impact assessment. 4.2.4 Supporting the customer regarding prior consultation with the supervisory authority.
4.3 Laya may charge a fee for support which is not included in the description of services in the Main Agreement or which is caused by a misconduct of the customer.
5.1 Subcontracting for the purpose of this Data Processing Agreement is to be understood as the contracting of services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Laya shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the customer’s data, even in the case of outsourced ancillary services.
5.2 The customer herewith agrees that Laya may engage sub-processors within the territory of the EU and/or EEA, provided that Laya and the sub-processor conclude an agreement according to Article 28 (4) GDPR.
5.3 Subject to the condition set forth in Section 5.2 the customer herewith agrees that Laya engages the companies listed in Appendix 3 as a sub-contractor for the collection, processing and/or use of data.
5.4 Laya shall notify the customer of any intended change with respect to the addition of, or replacement by, any other processors. The customer may object to such change for good cause by giving notice within 14 days as of receipt of the notification of change. If the customer does not oppose within such term, the change shall be deemed approved. The customer may not oppose without having an own legitimate interest which prevails over the interests of Laya.
6 Supervisory Rights of the Customer
6.1 The customer has the right, after consultation with Laya, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The customer has the right to convince itself on site in Laya’s business premises of Laya’s compliance with this Data Processing Agreement by means of random checks, which are, as a rule, to be announced in good time.
6.2 Laya shall ensure that the customer is able to verify compliance with the obligations of Laya in accordance with Article 28 GDPR. Laya undertakes to give the customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
6.3 Evidence of such measures may be provided by
- a) Compliance with approved codes of conduct pursuant to Article 40 GDPR;
- b) Certification according to an approved certification procedure in accordance with Article 42 GDPR;
- c) Current certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
- d) A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT baseline protection certification developed by the German Federal Office for Security in Information Technology (BSI) or ISO/IEC 27001).
6.4 Laya may claim remuneration for enabling customer inspections.
7 Deletion and Return of Personal Data
7.1 Copies or duplicates of the data shall not be created without the knowledge of the customer, with the exception of (i) backup copies as far as they are necessary to ensure appropriate data processing, and (ii) retention of data required to meet statutory data retention laws.
7.2 After having completed the services owed by Laya under the Main Agreement, or earlier upon request by the customer, Laya shall hand over to the customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the Main Agreement that have come into its possession, in a data-protection compliant manner. The log of the destruction or deletion shall be provided on request. Laya’s obligations under this Section 7.2 do not apply to the extent that Union or EU Member State law requires storage of the personal data.
7.3 Documentation which is used to demonstrate data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Laya in accordance with the respective retention periods. Laya may hand such documentation over to the customer at the end of the contract duration to relieve Laya of this contractual obligation.
8 Term of Processing; Termination
The duration of this Data Processing Agreement corresponds to the term of the Main Agreement and includes the term after termination of the Main Agreement until full return of deletion of the personal data, which have been provided by the customer to Laya in connection with the performance of the Main Agreement. This does not affect the right to terminate this Data Processing Agreement with good cause.
9 General Provisions
9.1 This Data Processing Agreement shall be governed by and construed in accordance with German law, with the exception of its conflict of laws rules. Place of performance and jurisdiction is Munich, Germany.
9.2 Any amendments or additions to this Data Processing Agreement, including this Section 9.2, require written form.
9.3 Should certain provisions of this Data Processing Agreement be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed to be replaced by a provision that comes as close as possible to fulfilling the economic intent and purpose of the invalid provision. The same applies to any loopholes in the Data Processing Agreement.
Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects
Appendix 2: Technical and Organizational Measures
Appendix 3: Subcontractors
Appendix 1: Nature and Purpose of Processing of Personal Data, Type of Data, Categories of Data Subjects
Nature and purpose of processing
Management and booking of travel packages on the Laya technology platform. In particular, personal data are processed for the purpose of booking of travel packages and making them available to the respective service providers, including traders (organisers and retailers), airlines and car rental suppliers. Personal data may also be used for the purpose of reporting of bookings and invoicing. Moreover, Laya might become aware of personal data when providing support under the Main Agreement.
Type of data
|Booking / Confirmation of Receipt||Reporting / Invoicing|
|– Title, first name, surname|
– Address (postal code, street, city, state, country)
– Email address
– Phone number
– Date of birth
– Payment method (no details of payment)
– Booking number
– Booking date
– Travel dates
– Price of travel package
Categories of data subjectsUsers of customer’s website / travelersCustomer’s personnel
Appendix 2: Technical and Organizational Measures
The Contractor shall take the following technical and organisational measures for data security within the meaning of Art. 32 GDPR.
Admittance controlNo unauthorised access to data processing systems, e.g.: Magnetic or chip cards, keys, electric door openers, plant security or gatekeepers, alarm systems, video systems;
- Alarm system
- Protection of building shafts
- Automatic access control system
- Chip card/transponder locking system
- Manual locking system
- Security locks
- Key control (key issue etc.)
- Careful selection of cleaning staff
- Careful selection of security staff
Access controlNo unauthorised system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media;
- Assignment of user rights
- Creation of user profiles
- Password assignment
- Authentication with user name/password
- Assignment of user profiles to IT systems
- Use of VPN technology
- Security locks
- Key control (key issuance etc.)
- Use of intrusion detection systems
- Use of anti-virus software
- Use of a hardware firewall
- Use of a software firewall
Admission controlNo unauthorised reading, copying, modification or removal within the system, e.g: Authorisation concepts and access rights according to needs, logging of accesses;
- Creation of an authorisation concept
- Administration of rights by system administrator
- Number of administrators reduced to the “bare minimum
- Password policy incl. password length, password change
- Secure storage of data media
- Physical deletion of data media before reuse
- Proper destruction of data media (DIN 66399)
- Use of document shredders or service providers (if possible with data protection seal of approval)
Separation controlSeparate processing of data collected for different purposes, e.g. multi-client capability, sandboxing;
- physically separate storage on separate systems or data carriers
- Logical client separation (on the software side)
- Creation of an authorisation concept
- Determination of database rights
- Separation of productive and test systems
PseudonymisationThe processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures;
- Pseudonymisation of personal data (personnel numbers)
- Pseudonymisation in database applications (special tables for personal data and information)
- Pseudonymisation in file transfers (personal data are pseudonymised and transferred separately from the information).
Transfer controlNo unauthorised reading, copying, modification or removal during electronic transmission or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
- Establishment of dedicated lines or VPN tunnels
- Transmission of data in anonymised or pseudonymised form
- Creating an overview of regular retrieval and transmission processes
- For physical transport: secure transport containers/packaging
- For physical transport: careful selection of transport personnel and vehicles
Input controlDetermining whether and by whom personal data have been entered into, modified or removed from data processing systems, e.g.: Logging, document management;
- Logging of the entry, modification and deletion of data
- Creation of an overview showing which applications can be used to enter, change and delete which data.
- Traceability of entry, modification and deletion of data through individual user names (not user groups)
- Retention of forms from which data has been transferred to automated processing
- Allocation of rights to enter, change and delete data on the basis of an authorisation concept.
3 Availability and Resilience
Availability controlProtection against accidental or deliberate destruction or loss, e.g.: Backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and contingency plans;
- Uninterruptible power supply (UPS)
- Air conditioning in server rooms
- Devices for monitoring temperature and humidity in server rooms
- Protective socket strips in server rooms
- Fire and smoke detection systems
- Fire extinguishers in server rooms
- Alarm notification in case of unauthorised access to server rooms
- Creation of a backup & recovery concept
- Testing data recovery
- Creation of a contingency plan
- Keeping data backups in a secure, off-site location
- Server rooms not under sanitary facilities
4 Procedures for regular review, assessment and evaluation
- Review by internal IT at the following intervals: quarterly
5 Data Protection-Friendly Default Settings
- When purchasing equipment and software, the possibility of privacy-by-design/privacy-by-default is taken into account as a selection criterion.
- When setting up the equipment, special search is made for setting options to implement privacy-by-design/privacy-by-default.
- Data minimisation is activated (input fields that are not required are deactivated).
6 Order Control
No order processors in the sense of Art. 28 GDPR are used without corresponding instructions from the client;
- Selection of the processor(s)/sub-processor(s) also according to data protection and data security criteria.
- Pre-check of the data protection requirements at the processor’s premises
- Regular monitoring of the processor(s)/sub-processor(s).
- The Contractor shall ensure that the employees involved in the processing of the Client’s data and other persons working for the Contractor are prohibited from processing the data outside the scope of the instructions.
- The Contractor warrants that the persons authorised to process the Personal Data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality. The confidentiality/confidentiality obligation shall continue to exist even after termination of the order.
Appendix 3: Subcontractors
|Subcontractor||Subcontractor Location||Subcontracted Services|
|AWS||Server location Frankfurt a.M., Germany||Application Hosting|
|Hubspot||Server location European Union||CRM, Ticket System|
|Hyperguest||Israel – GDPR standard contractual clauses||Hotel Booking Facilitator|