1.2. For other terms that are neither defined in this article 1 nor elsewhere in this C2C DPA, reference shall be made to the definition provided by Data Protection Law.
1.3. In the event of a conflict between the C2C DPA or any addendum hereto and the Agreement, the C2C DPA and the addendum shall prevail.
1.4. In the event of a conflict between this C2C DPA and any addenda to this C2C DPA (including the SCCs), the strictest provision shall prevail.
2. Purpose of Processing
2.1. Unless agreed otherwise in the Agreement or in this C2C DPA or if a Party has obtained valid Data Subject’s consent, each Party shall only Process Personal Data it has received from the other Party insofar as such is necessary to comply with its obligations under the Agreement and this C2C DPA (including the SCCs).
3. Duration
3.1. The C2C DPA comes into force at the effective date of the Agreement and is valid for the duration of the Agreement.
3.2. However, all clauses of this C2C DPA shall survive the expiration and termination of the Agreement insofar as it relates to Personal Data Processed during the duration of the Agreement.
4. Obligation of the Parties
4.1. In the context of the implementation of this C2C DPA, the Parties shall remain independent Controllers from each other. For purposes of the CCPA and only to the extent applicable, the Parties agree that (i) each party acts as a Third Party and the other acts as a Business and (ii) the transfer of Personal Data between parties is not a Sale because it is not for monetary or other valuable consideration and meets the exception in Cal. Civil Code § 1798.140(ad)(2)(A).
4.2. In that regard, each Party undertakes to Process Personal Data in accordance with this C2C DPA and Data Protection Law, in particular by informing Data Subjects and ensuring the protection of their rights, guaranteeing the security and confidentiality of the Personal Data Processed, inter alia by introducing internal organizational and security measures and by ensuring the lawfulness of the Processing, obtaining a valid Data Subject consent for the Processing of Canadian Personal Data and retaining evidence of such consent.
4.3. Each party (i) has the right to take reasonable steps to ensure that the other party uses Personal Data in a manner consistent with the party’s obligations under Data Protection Law, (ii) shall notify the other party if it determines that it can no longer meet its obligations under Data Protection Law, and (iii) has the right, upon notice to the other party, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
4.4. Each Party shall inform the other Party of any complaints, requests or inquiries received from Data Subjects in relation to the Personal Data it has received from the other Party, including but not limited to requests to exercise their rights of access, rectification, erasure, restriction, information, data portability, consent withdrawal, or to provide observations in the case of an automated decision-making system. The Party receiving a complaint, request or enquiry shall respond to Data Subjects in accordance with the SCCs and Data Protection Law. The other Party shall provide all reasonably requested information and assistance.
4.5. Each Party will notify the other Party without delay of any Security Incident. In the event of a Security Incident, the Party experiencing the Security Incident shall promptly take adequate remedial measures. Each Party shall provide the other Party with all reasonably required cooperation to handle the Security Incident in accordance with the SCCs and Data Protection Law, such as adequately informing the Supervisory Authorities, or any other competent privacy commissioner or authority, and the affected Data Subjects.
5. Transfer of Personal Data
5.1. The Parties acknowledge that Data Protection Law contains restrictions on the Transfer of Personal Data. To the extent applicable, each Party shall only Transfer Personal Data in relation to this Agreement in accordance with applicable Data Protection Law and subject to this article 5.
5.2. Transfers from the EEA. Where a Transfer is made from the EEA, the SCCs are incorporated into this DPA and apply to the transfer as follows:
(i) Module One applies;
(ii) In Clause 7, the optional docking clause applies;
(iii) In Clause 11(a), the optional language does not apply;
(iv) In Clause 17, Option 1 applies with the governing law being that of France;
(v) In Clause 18(b), disputes will be resolved before the courts of France;
(vi) Annex I of the SCCs is completed with the information in Annex I of this DPA;
(vii) Annex II of the SCCs is completed with the information in Annex II of this DPA.
5.3. Transfers from Switzerland. Where a Transfer is made from Switzerland, the SCCs are incorporated into this DPA and apply to the transfer as modified in Article 5.2, except that:
(i) references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and
(ii) references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).
5.4. Transfers from the UK. Where a Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. Table 1 is completed with the information provided in Annex I. Table 2 is completed with the information in Article 5.2. Table 3 is completed with the information provided in Annexes I and II. Table 4 is completed by selecting both “Importer” and “Exporter.” Part 2 is selected.
5.5. Unless agreed otherwise, to the extent required by Data Protection Law, Hotel shall provide Group with all reasonably required assistance and information to enable Group to perform a Transfer Impact Assessment. Parties agree that the result of a Transfer Impact Assessment may require amending this C2C DPA. The obligations of Hotel under this article are without prejudice to Hotel’s warranties and obligations under Clause 14 of the SCCs.
5.6. If, based on the Transfer Impact Assessment, Group considers that the Non-Adequate Country laws or practices prevent or may prevent Hotel from fulfilling its obligations under the SCCs or UK Transfer Addendum and Group considers that there are no Supplementary Measures that sufficiently ensure an essentially equivalent level of protection for the specific Transfer or such measures are not acceptable (e.g., due to the costs of these measures or the adverse effect they may have on Group), Group may refuse or suspend the Transfer by providing Hotel a written notice. In such case, article 5.8 will apply.
5.7. If Hotel notifies Group that in accordance with the SCCs or UK Transfer Addendum it has reason to believe that it has become subject to laws or practices which prevent Hotel from fulfilling its obligations under the SCCs or UK Transfer Addendum, Hotel shall promptly provide Group with all reasonably required assistance and information to enable Group to assess whether Supplementary Measures can be implemented by Group or the Hotel to address the situation. If Group determines that there are no Supplementary Measures that can sufficiently ensure an essentially equivalent level of protection for the specific Transfer or such measures are not acceptable (e.g., due to the costs of these measures or the adverse impact they may have on Group), Group may suspend the Transfer by providing Hotel a written notice. In such case, article 5.8 will apply. At receipt of the notice, Hotel will immediately take all action to effectuate such suspension. This article applies mutatis mutandis if Group otherwise has reason to believe that Hotel can no longer comply with the SCCs or UK Transfer Addendum.
5.8. These rights of Group under this article 5 are without prejudice to any other rights of Group under the Agreement, this C2C DPA or at law.
6. Security Measures
6.1. Each Party shall maintain a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of each Party’s business; (b) the type and sensitivity level of information that the Parties will process; and (c) the need for security and confidentiality of such information (“Security Program”). With respect to Hotel, the Security Program shall include the measures detailed under Annex II and be designed to: (a) protect the confidentiality, integrity, and availability of the Personal Information; (b) protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal Information; (c) protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of the Personal Information; (d) protect against accidental loss or destruction of, or damage to, Personal Information; and (e) safeguard Personal Information in accordance with Data Protection Law.
7. Retention
7.1. Unless explicitly agreed otherwise in the Agreement or in this C2C DPA, each Party will retain the Personal Data it has received from the other Party only as long as necessary to perform its obligations under the Agreement. With respect to any such Personal Data retained following termination of the Agreement, that Party shall continue to protect such Personal Data in accordance with the terms of the Agreement and this C2C DPA.
8. Notices
8.1. All notices, requests, demands and determinations under this C2C DPA (other than routine operational communications), shall be in writing and shall be sent to the DPO, should such have been designated in accordance with Data Protection Law, or any other person in charge of protection of Personal Data in the company to the addresses set forth in the Agreement (including any cc notice designations).
8.2. A Party may from time to time change its address or designee for notification purposes by giving the other Party prior written notice of the new address or designee and the date upon which it shall become effective. Such notice of change of address or designee shall be made in accordance with the provisions of this clause.
9. Changes to Data Protection Law
9.1. The Parties agree to negotiate in good faith in case changes should be brought to this C2C DPA to comply with the Data Protection Law, to address the legal interpretation of Data Protection Law or to address changes to Data Protection Law.
10. Governing law
10.1. This C2C DPA will be governed by French law.
ANNEX I
A. LIST OF PARTIES
Data exporter
| Name | GROUP |
| As specified in the Agreement | As specified in the Agreement |
| Activities relevant to the data transferred under these Clauses | Reservation of rooms and accommodation requests and stays at a hotel. |
| Role (controller / processor) | Controller |
Data importer
| Name | HOTEL |
| As specified in the Agreement | As specified in the Agreement |
| Activities relevant to the data transferred under these Clauses | Processing Personal Data to manage the reservation of rooms and accommodation requests and to provide hotel services. |
| Role (controller / processor) | Controller |
B. DESCRIPTION OF TRANSFER
| Nature of the Processing operations [please specify the Processing operations to be conducted by the Data Processor] | Providing data in order to organize accommodation and/or hotel stay activities |
| Purpose(s) of Processing: [please specify all purposes for which the Personal Data will be processed by the Data Processor] | Facilitating guest reservations and hotel services |
| Category/ies of Personal Data [non sensitive data: name, surname, date of birth, date of travel, gender, passport number, e-mail address, etc; sensitive data: racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, genetic or biometric data used to uniquely identify a natural person, data concerning a natural person's physical or mental health or condition, sex life or sexual orientation] | Personal Data collected by the Hotel may include the following: Contact details (for example, last name, first name, telephone number, email); Personal information (for example, date of birth, nationality); Information relating to children (for example, first name, date of birth, age); Credit card number (for transaction and reservation purposes); Information contained on a form of identification (such as ID card, passport or driver license); Membership number for the Accor loyalty program or another partner program (for example, an airline loyalty programme) and information related to activities within the context of the loyalty program; Arrival and departure dates; Preferences and interests (for example, smoking or non-smoking room, preferred floor, type of bedding, type of newspapers/magazines, sports, cultural interests, food and beverages preferences, etc.); Questions/comments, during or following a stay in a hotel; Technical and location data generated as a result of using websites and applications. |
| Category/ies of Data Subjects | Group attendees |
| Duration of Processing Operations [please specify the length of time for which personal Data Processing activities will be carried out.] | Hotel will process Personal Data for the term of the Agreement and for any length of time required by applicable law. |
| Frequency of the data transfer(s) | Transfers on a continuous basis as needed to provide the services. |
| Retention period (or criteria for retention) [please specify the retention period or, if that is not possible, the criteria used to determine that period] | Hotel will retain Personal Data for the term of the Agreement and to the extent required by any applicable law. |
| Restrictions / safeguards with regards to sensitive data (if applicable) [please specify the applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions, keeping a record of access to data, restrictions for onward transfers or additional security measures] | NA |
C. COMPETENT SUPERVISORY AUTHORITY
Commission Nationale de l'Informatique et des Libertés (CNIL) (French supervisory authority)
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The Parties undertake, within their respective area of responsibility and in relation to the subject matter of the Agreement, to implement all standard necessary and appropriate technical and organizational measures using generally accepted state-of-the-art technology and in compliance with a Supervisory Authority’s recommendations, such as all the measures listed below (i.e., French Data Protection Authority’s recommendations about security and confidentiality standard measures). The measures defined and implemented by Hotel depend, in part, on the location and may vary accordingly, without affecting the required level of security. The parties may agree on further measures to be implemented in addition to those described below.
Hotel may also implement further measures according to its policies and standards.
Adherence of Hotel to an approved code of conduct (as referred to in GDPR, Article 40) or an approved certification mechanism (as referred to in GDPR Article 42) may be used as an element by which to demonstrate sufficient guarantees.
Hotel shall implement and maintain certain administrative, technical and organizational security measures designed to ensure a level of security appropriate to the risks that are presented by its Processing of Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of such Processing and the likelihood and severity of risk in relation to the rights and freedoms of the Data Subjects. Hotel will provide a general description of its technical and organizational security measures upon Group’s request when submitted by emailing us at lawdept@accor.com.