Data Processing Agreement in Accordance with Article 28 GDPR

Version 131221, Last updated: December 13th, 2021

1 Subject Matter of Data Processing Agreement

1.1 The subject matter of this agreement is set forth in the agreement on the making available of the Laya Travel Package Management Service as concluded between Laya Technologies GmbH (“Laya”) and the customer („Main Agreement“). This Agreement on Data Processing („Data Processing Agreement“) specifies the parties’ duties regarding data protection laws and applies to all services which relate to the commissioned data processing and where Laya or its personnel may get in contact with personal data, which are provided to Laya by the customer.

1.2 The type of processed data and categories of data subjects, and the nature and purpose of processing of personal data by Laya on behalf of the customer and the categories of data subjects are defined in Appendix 1.

1.3 Unless provided otherwise in this Data Processing Agreement any data processing owed under this Data Processing Agreement shall take place in Germany or in a member state of the European Union (EU) or another member state of the European Economic Area (EEA). Any processing in a third country is subject to the specific requirements set forth in Art. 44 et seqq. GDPR.

2 Technical and Organizational Measures

2.1 Laya shall establish measures in accordance with Article 28 (3) c, and Article 32 GDPR, in particular in conjunction with Article 5 GDPR. The measures to be taken are measures of data security and measures that guarantee an appropriate data protection level taking account of risks for confidentiality, integrity, availability and resilience of systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The measures taken by Laya are specified in Appendix 2.

2.2 The technical and organizational measures are subject to technical progress and further development. In this respect, Laya may implement alternative adequate measures. However, the security level of the defined measures shall not be reduced. Substantial changes must be documented.

2.3 Laya regularly controls the internal processes as well as the technical and organizational measures in order to ensure the protection of the rights of data subjects and that Laya will continuously process data in accordance with all applicable data protection laws.

3 Rectification, Restriction and Erasure of Data; Rights of Data Subjects

3.1 Laya may not on its own authority modify or delete the data that is being processed on behalf of the customer, or restrict the processing of such data, but only on documented instructions from the customer. In the event that a data subject contacts Laya directly concerning a modification or deletion of data, or restriction of processing, Laya shall immediately forward the data subject’s request to the customer.

3.2 To the extent included in the scope of services, the data deletion policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Laya in accordance with documented instructions from the customer. Laya may request payment of fees for assistance which is not owed under the Main Agreement.

4 Quality Assurance and Other Duties of Laya

4.1 Laya entrusts only such employees with the data processing outlined in this Data Processing Agreement who have been bound to confidentiality. Unless required by law to process the data, Laya shall not process the data except as on instructions from the customer, which includes the processing allowed under this Data Processing Agreement and the Main Agreement. The customer shall immediately confirm oral instructions (at the minimum in text form). Laya shall inform the customer immediately if Laya considers that an instruction violates data protection laws. Laya shall then be entitled to suspend the execution of the relevant instructions until the customer confirms or changes them.

4.2 Laya shall assist the customer in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as stipulated in Articles 32 through 36 GDPR. These include: 4.2.1 The obligation to report a personal data breach immediately to the customer, 4.2.2 The obligation to assist the customer with regard to the customer’s obligation to provide information to the data subject and to immediately provide the customer with all relevant information in this regard. 4.2.3 Supporting the customer with its data protection impact assessment. 4.2.4 Supporting the customer regarding prior consultation with the supervisory authority.

4.3 Laya may charge a fee for support which is not included in the description of services in the Main Agreement or which is caused by a misconduct of the customer.

5 Subcontracting

5.1 Subcontracting for the purpose of this Data Processing Agreement is to be understood as the contracting of services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Laya shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the customer's data, even in the case of outsourced ancillary services.

5.2 The customer herewith agrees that Laya may engage sub-processors within the territory of the EU and/or EEA, provided that Laya and the sub-processor conclude an agreement according to Article 28 (4) GDPR.

5.3 Subject to the condition set forth in Section 5.2 the customer herewith agrees that Laya engages the companies listed in Appendix 3 as a sub-contractor for the collection, processing and/or use of data.

5.4 Laya shall notify the customer of any intended change with respect to the addition of, or replacement by, any other processors. The customer may object to such change for good cause by giving notice within 14 days as of receipt of the notification of change. If the customer does not oppose within such term, the change shall be deemed approved. The customer may not oppose without having an own legitimate interest which prevails over the interests of Laya.

6 Supervisory Rights of the Customer

6.1 The customer has the right, after consultation with Laya, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The customer has the right to convince itself on site in Laya’s business premises of Laya’s compliance with this Data Processing Agreement by means of random checks, which are, as a rule, to be announced in good time.

6.2 Laya shall ensure that the customer is able to verify compliance with the obligations of Laya in accordance with Article 28 GDPR. Laya undertakes to give the customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.

6.3 Evidence of such measures may be provided by

  • a) Compliance with approved codes of conduct pursuant to Article 40 GDPR;
  • b) Certification according to an approved certification procedure in accordance with Article 42 GDPR;
  • c) Current certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
  • d) A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT baseline protection certification developed by the German Federal Office for Security in Information Technology (BSI) or ISO/IEC 27001).

6.4 Laya may claim remuneration for enabling customer inspections.

7 Deletion and Return of Personal Data

7.1 Copies or duplicates of the data shall not be created without the knowledge of the customer, with the exception of (i) backup copies as far as they are necessary to ensure appropriate data processing, and (ii) retention of data required to meet statutory data retention laws.

7.2 After having completed the services owed by Laya under the Main Agreement, or earlier upon request by the customer, Laya shall hand over to the customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the Main Agreement that have come into its possession, in a data-protection compliant manner. The log of the destruction or deletion shall be provided on request. Laya’s obligations under this Section 7.2 do not apply to the extent that Union or EU Member State law requires storage of the personal data.

7.3 Documentation which is used to demonstrate data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Laya in accordance with the respective retention periods. Laya may hand such documentation over to the customer at the end of the contract duration to relieve Laya of this contractual obligation.

8 Term of Processing; Termination

The duration of this Data Processing Agreement corresponds to the term of the Main Agreement and includes the term after termination of the Main Agreement until full return of deletion of the personal data, which have been provided by the customer to Laya in connection with the performance of the Main Agreement. This does not affect the right to terminate this Data Processing Agreement with good cause.

9 General Provisions

9.1 This Data Processing Agreement shall be governed by and construed in accordance with German law, with the exception of its conflict of laws rules. Place of performance and jurisdiction is Munich, Germany.

9.2 Any amendments or additions to this Data Processing Agreement, including this Section 9.2, require written form.

9.3 Should certain provisions of this Data Processing Agreement be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed to be replaced by a provision that comes as close as possible to fulfilling the economic intent and purpose of the invalid provision. The same applies to any loopholes in the Data Processing Agreement.


Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects

Appendix 2: Technical and Organizational Measures

Appendix 3: Subcontractors 

Appendix 1: Nature and Purpose of Processing of Personal Data, Type of Data, Categories of Data Subjects

Nature and purpose of processing

Management and booking of travel packages on the Laya technology platform. In particular, personal data are processed for the purpose of booking of travel packages and making them available to the respective service providers, including traders (organisers and retailers), airlines and car rental suppliers. Personal data may also be used for the purpose of reporting of bookings and invoicing. Moreover, Laya might become aware of personal data when providing support under the Main Agreement.

Type of data

Booking / Confirmation of Receipt Reporting / Invoicing
  • Title, first name, surname
  • Address (postal code, street, city, state, country)
  • Email address
  • Phone number
  • Date of birth
  • Payment method (no details of payment)
  • Surname
  • Booking number
  • Booking date
  • Travel dates
  • Price of travel package
  • Categories of data subjects

  • Users of customer’s website / travelers
  • Customer’s personnel
  • Appendix 2: Technical and Organizational Measures


    Appendix 3: Subcontractors

    Subcontractor Subcontractor Location Subcontracted Services
    AWS Server location Frankfurt a.M., Germany Application Hosting
    Hubspot Server location European Union CRM, Ticket System
    Go beyond rooms.
    Thank you! Your submission has been received!
    Oops! Something went wrong while submitting the form.

    © 2021 Laya Technologies