Version 131221, Last updated: December 13th, 2021
1.1 The subject matter of this agreement is set forth in the agreement on the making available of the Laya Travel Package Management Service as concluded between Laya Technologies GmbH (“Laya”) and the customer (“Main Agreement”). This Agreement on Data Processing (“Data Processing Agreement”) specifies the parties’ duties regarding data protection laws and applies to all services which relate to the commissioned data processing and where Laya or its personnel may get in contact with personal data which are provided to Laya by the customer.
1.2 The type of processed data, the categories of data subjects, and the nature and purpose of the processing of personal data by Laya on behalf of the customer are defined in Appendix 1.
1.3 Unless provided otherwise in this Data Processing Agreement any data processing owed under this Data Processing Agreement shall take place in Germany or in a member state of the European Union (EU) or another member state of the European Economic Area (EEA). Any processing in a third country is subject to the specific requirements set forth in Art. 44 et seqq. GDPR.
2.1 Laya shall establish measures in accordance with Article 28 (3) c, and Article 32 GDPR, in particular in conjunction with Article 5 GDPR. The measures to be taken are measures of data security and measures that guarantee an appropriate data protection level taking account of risks for confidentiality, integrity, availability and resilience of systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The measures taken by Laya are specified in Appendix 2.
2.2 The technical and organizational measures are subject to technical progress and further development. In this respect, Laya may implement alternative adequate measures. However, the security level of the defined measures shall not be reduced. Substantial changes must be documented.
2.3 Laya regularly controls the internal processes as well as the technical and organizational measures in order to ensure the protection of the rights of data subjects and that Laya will continuously process data in accordance with all applicable data protection laws.
3.1 Laya may not on its own authority modify or delete the data that is being processed on behalf of the customer, or restrict the processing of such data, but only on documented instructions from the customer. In the event that a data subject contacts Laya directly concerning a modification or deletion of data, or restriction of processing, Laya shall immediately forward the data subject’s request to the customer.
3.2 To the extent included in the scope of services, the data deletion policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Laya in accordance with documented instructions from the customer. Laya may request payment of fees for assistance which is not owed under the Main Agreement.
4.1 Laya entrusts only such employees with the data processing outlined in this Data Processing Agreement who have been bound to confidentiality. Unless required by law to process the data, Laya shall not process the data except as on instructions from the customer, which includes the processing allowed under this Data Processing Agreement and the Main Agreement. The customer shall immediately confirm oral instructions (at the minimum in text form). Laya shall inform the customer immediately if Laya considers that an instruction violates data protection laws. Laya shall then be entitled to suspend the execution of the relevant instructions until the customer confirms or changes them.
4.2 Laya shall assist the customer in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as stipulated in Articles 32 through 36 GDPR. These include:
4.2.1 The obligation to report a personal data breach immediately to the customer.
4.2.2 The obligation to assist the customer with regard to the customer’s obligation to provide information to the data subject and to immediately provide the customer with all relevant information in this regard.
4.2.3 Supporting the customer with its data protection impact assessment.
4.2.4 Supporting the customer regarding prior consultation with the supervisory authority.
4.3 Laya may charge a fee for support which is not included in the description of services in the Main Agreement or which is caused by a misconduct of the customer.
5.1 Subcontracting for the purpose of this Data Processing Agreement is to be understood as the contracting of services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Laya shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the customer’s data, even in the case of outsourced ancillary services.
5.2 The customer herewith agrees that Laya may engage sub-processors within the territory of the EU and/or EEA, provided that Laya and the sub-processor conclude an agreement according to Article 28 (4) GDPR.
5.3 Subject to the condition set forth in Section 5.2 the customer herewith agrees that Laya engages the companies listed in Appendix 3 as a sub-contractor for the collection, processing and/or use of data.
5.4 Laya shall notify the customer of any intended change with respect to the addition or replacement of sub-processors. The customer may object to such a change for good cause by giving notice within 14 days of receipt of the notification of change. If the customer does not object within this period, the change shall be deemed approved. The customer may not object without having a legitimate interest of its own which prevails over the interests of Laya.
6.1 The customer has the right, after consultation with Laya, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The customer has the right to convince itself on site in Laya’s business premises of Laya’s compliance with this Data Processing Agreement by means of random checks, which are, as a rule, to be announced in good time.
6.2 Laya shall ensure that the customer is able to verify compliance with the obligations of Laya in accordance with Article 28 GDPR. Laya undertakes to give the customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
6.3 Evidence of such measures may be provided by
6.4 Laya may claim remuneration for enabling customer inspections.
7.1 Copies or duplicates of the data shall not be created without the knowledge of the customer, with the exception of (i) backup copies as far as they are necessary to ensure appropriate data processing, and (ii) retention of data required to meet statutory data retention laws.
7.2 After having completed the services owed by Laya under the Main Agreement, or earlier upon request by the customer, Laya shall hand over to the customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the Main Agreement that have come into its possession, in a data-protection compliant manner. The log of the destruction or deletion shall be provided on request. Laya’s obligations under this Section 7.2 do not apply to the extent that Union or EU Member State law requires storage of the personal data.
7.3 Documentation which is used to demonstrate data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Laya in accordance with the respective retention periods. Laya may hand such documentation over to the customer at the end of the contract duration to relieve Laya of this contractual obligation.
The duration of this Data Processing Agreement corresponds to the term of the Main Agreement and includes the period after termination of the Main Agreement until full return or deletion of the personal data which have been provided by the customer to Laya in connection with the performance of the Main Agreement. This does not affect the right to terminate this Data Processing Agreement for good cause.
9.1 This Data Processing Agreement shall be governed by and construed in accordance with German law, with the exception of its conflict of laws rules. Place of performance and jurisdiction is Munich, Germany.
9.2 Any amendments or additions to this Data Processing Agreement, including this Section 9.2, require written form.
9.3 Should certain provisions of this Data Processing Agreement be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed to be replaced by a provision that comes as close as possible to fulfilling the economic intent and purpose of the invalid provision. The same applies to any loopholes in the Data Processing Agreement.
Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects
Appendix 2: Technical and Organizational Measures
Appendix 3: Subcontractors
Nature and purpose of processing
Management and booking of travel packages on the Laya technology platform. In particular, personal data are processed for the purpose of booking of travel packages and making them available to the respective service providers, including traders (organisers and retailers), airlines and car rental suppliers. Personal data may also be used for the purpose of reporting of bookings and invoicing. Moreover, Laya might become aware of personal data when providing support under the Main Agreement.
Type of data
Processing contexts: Booking / Confirmation of Receipt; Reporting / Invoicing
– Title, first name, surname
– Address (postal code, street, city, state, country)
– Email address
– Phone number
– Date of birth
– Payment method (no details of payment)
– Booking number
– Booking date
– Travel dates
– Price of travel package
Categories of data subjects
– Users of customer’s website / travelers
– Customer’s personnel
The Contractor shall take the following technical and organisational measures for data security within the meaning of Art. 32 GDPR.
Admittance control: No unauthorised access to data processing systems, e.g.: magnetic or chip cards, keys, electric door openers, plant security or gatekeepers, alarm systems, video systems;
Access control: No unauthorised system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media;
Admission control: No unauthorised reading, copying, modification or removal within the system, e.g.: authorisation concepts and access rights according to needs, logging of accesses;
Separation control: Separate processing of data collected for different purposes, e.g.: multi-client capability, sandboxing;
Pseudonymisation: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures;
Transfer control: No unauthorised reading, copying, modification or removal during electronic transmission or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature;
Input control: Determining whether and by whom personal data have been entered into, modified or removed from data processing systems, e.g.: logging, document management;
Availability control: Protection against accidental or deliberate destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and contingency plans;
No order processors in the sense of Art. 28 GDPR are used without corresponding instructions from the client;