This Data Processing Agreement (“DPA”) is incorporated into and forms part of Xola’s Terms of Service for Providers (“Terms”). Xola Inc. and Provider are parties to the Terms under which Xola Inc. provides the Service (defined below).
To the extent there is any conflict between this DPA, the Terms, or any other agreement between the Parties, this DPA will prevail.
This DPA sets out the Parties’ obligations and rights under the Data Protection Laws (defined below).
1. Definitions
1.1 Capitalized terms used but not defined in this DPA that relate to the Service by Xola Inc., shall have the meanings given to them in the Terms.
1.2 Capitalized terms that relate to data processing shall have the meanings given to them in the Data Protection Laws when applicable.
1.3 “Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
1.4 “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.5 “Data Protection Laws” means the GDPR and other applicable laws relating to the protection and use of information and data, including but not limited to rules regarding the processing of Personal Data and the protection of privacy, and any laws or regulations ratifying, implementing, adopting, supplementing, amending or replacing such laws or regulations.
1.6 “Data Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
1.7 “Data Subject” means an identified or identifiable natural person.
1.8 “Data Subject Request” means requests of Data Subjects to exercise their rights under Data Protection Law.
1.9 “Personal Data” means any information relating to an identified or identifiable individual.
1.10 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
1.11 “Processing” means the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
1.12 “Provider’s Partners” means any other third party who Processes Provider’s Personal Data for providing their services to the Provider and to whom Xola Inc. transfers Personal Data based upon Provider instructions.
1.13 “Subprocessor” means another Data Processor that is engaged by Xola Inc. as a subcontractor to perform parts of the Service.
2. Roles
2.1 Xola Inc. Processes Personal Data on behalf of Provider when providing the Service and acts as the Data Processor under applicable Data Protection Laws while Provider acts as the Data Controller. Parties acknowledge and agree that, within the scope of using the Service, Provider is the Data Controller and Xola Inc. is the Data Processor.
2.2 If the Provider requests Xola Inc. to Process Personal Data and share it with Provider’s Partners, Xola Inc. will continue to act as the Data Processor for the Processing of Personal Data and will collaborate with Provider’s Partners in this regard.
3. Responsibilities of Provider
3.1 As the Data Controller, Provider is accountable for ensuring and demonstrating that all Processing of Personal Data complies with Data Protection Laws.
3.2 Provider represents and warrants that all Personal Data is Processed in accordance with Data Protection Laws and that Xola Inc. has all necessary rights and authorizations to Process the Personal Data, including, without limitation:
(i) ensuring that all Personal Data is collected and Processed fairly and lawfully in accordance with Data Protection Laws, and that there is a lawful basis for Processing Personal Data;
(ii) obtaining the necessary Consent from Data Subjects, and where required confirming that Consent has been obtained from the Data Subjects before sharing any information with Xola Inc.;
(iii) ensuring that all Personal Data is accurate and up to date and that a notice or similar documentation in accordance with Data Protection Laws is provided by Provider to the Data Subjects prior to the collection of Personal Data which describes the Processing to be undertaken by Xola Inc. pursuant to the Service and this DPA.
4. Data Processing Details
4.1 Details of Personal Data Processing:
- The subject matter of the Processing: To perform the Service as described in the Terms.
- Nature of the Processing: Collecting and transmitting Personal Data to Provider. For example, submitting Personal Data of guests to the Provider from the Online Booking System for the purpose of reserving activities. Monitoring Data Subject’s use of the Service and conducting analytics regarding such use.
- Purpose: Providing and improving the Service, including enabling the Data Subject to enter into an Activity Contract. Analysing website visitor statistics for analytical and statistical purposes with the aim of improving the Service, and/or development and improvement of products and services.
- Duration of the Processing: The duration of the Personal Data Processing is determined by Provider.
- Type of Personal Data: Personal Data shared by Provider to use the Service, including: full name, phone number, email address, payment detail, online surfing history, information that Provider shares with Xola Inc. or information that is collected by means of cookies or similar technologies. Data of customers who visit or interact with the Provider’s websites and share their Personal Data for the purpose of reserving activities. These individuals may include customers, guests, or any other individuals engaging with the Provider’s online platform to make reservations through Xola’s reservation software service.
- The categories of Data Subjects: Provider’s employees and Website visitors.
4.2 Where Xola Inc. acts as a Data Processor under this DPA with respect to the Processing of Personal Data, Xola Inc. shall:
- Process the Personal Data as instructed in this DPA to perform the Service, unless Provider issues additional documented instructions, in writing, as mutually agreed by the Parties or as otherwise required by law. In the latter case, Xola Inc. shall inform Provider of that legal requirement before Processing unless the law prohibits this on important grounds of public interest;
- upon request make available to Provider information reasonably necessary to demonstrate compliance with (i) this DPA, and (ii) obligations that stem directly from the GDPR or Data Protection Laws; and,
- Process Personal Data for the irreversible anonymization and/or aggregation of data to ensure that such Personal Data is no longer Personal Data if Xola Inc. uses Personal Data for research, analysis, improvement and development purposes.
5. Technical and organizational measures
5.1 Provider shall implement appropriate security measures to safeguard Personal Data against unauthorized access, disclosure, alteration, and destruction.
5.2 Each Party will ensure appropriate technical and organizational measures to secure the Personal Data in accordance with Data Protection Laws, including the following:
- Measures for ensuring events logging;
- Measures for user identification and authorization;
- Measures of encryption of Personal Data;
- Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services.
6. Subprocessing
6.1 Provider hereby provides Xola Inc. general authorization for engaging Subprocessors. The list of Subprocessors used by Xola Inc. at the time of Provider’s acceptance of this DPA can be found on Xola Inc.’s Subprocessors Webpage. Xola Inc. will keep the Provider informed of any intended changes concerning the addition or replacement of Subprocessors through Xola Inc.’s Subprocessors Webpage. In the event of any objection to the use of a particular Subprocessor, Provider retains the right of termination as set out in the Terms. For the avoidance of doubt, Articles 28.2 and 28.4 of the GDPR apply with full effect where Subprocessors have been engaged.
6.2 Xola Inc. may engage with Provider’s Partners based on Provider’s request to facilitate various operations, including without limitation the transfer of specific types of information from Provider’s website, and other collaborative efforts. In such instances, as the Data Controller, Provider remains responsible for how Provider’s Partners handle Provider’s data. It is Provider’s responsibility to establish and maintain contractual terms with Provider’s Partners to govern this relationship. Unless Xola Inc. receives further instructions from Provider, Xola Inc. will continue this Processing activity between Xola Inc. and Provider’s Partners. As the Data Controller, Provider bears the responsibility for notifying Xola Inc. of any required termination of data transfers between Xola Inc. and Provider’s Partners.
7. Data subject requests
7.1 As the Data Controller, Provider is responsible for facilitating the exercise of Data Subjects’ rights.
7.2 If Provider requires assistance from Xola Inc. to respond to a Data Subject Request, Provider shall provide all necessary details to Xola Inc. and Xola Inc. shall reasonably assist Provider upon written request.
7.3 Provider remains solely responsible for correctly assessing legality and legitimacy of requests and complaints in relation to the Processing and shared in the context of the Service before responding, and taking appropriate steps in response.
8. Notification and Management of Personal Data Breaches
8.1 In the event of a Personal Data Breach, Xola Inc. will notify Provider without undue delay after Xola Inc. becomes aware of the Personal Data Breach. Such notification shall contain, in so far as this is known, the presumed cause of the Personal Data Breach, the categories of Personal Data and Data Subjects and the number of Data Subjects involved. Further information shall, as it becomes available, subsequently be provided without undue delay. Xola Inc. shall cooperate with Provider to comply with Provider’s obligations under the GDPR or Data Protection Laws.
8.2 Provider will decide whether the Personal Data Breach must be notified to the supervisory authority and/or the Data Subject, provided that Provider, subject to mandatory requirements under Data Protection Laws, (i) shall use best efforts to consult with Xola Inc. and take into account Xola’s reasonable requirements as to timing, content and manner of disclosure or notification, and recipient prior to making any disclosure or notification to any third-party (including any supervisory authority and Data Subjects) in relation to a Personal Data Breach, (ii) acknowledges and agrees that Xola Inc. retains the right to voluntarily inform any third-party about any Personal Data Breach; and (iii) shall not mention Xola Inc. without its prior written authorization when notifying Data Subjects or any other third-party of a Personal Data Breach that Xola Inc. hosts or stores.
8.3 In the event of a Personal Data Breach, Xola Inc. will take all reasonable measures without undue delay to remedy the Personal Data Breach, minimize the consequences and prevent further Personal Data Breaches.
8.4 Xola Inc. will keep a register of the Personal Data Breaches where Xola Inc. acted as a Data Processor and the measures taken in response to Personal Data Breaches. Upon request by Provider, the Data Controller will be given access to the aforementioned register.
9. Assistance with Regulatory inquiries or Compliance
9.1 Xola Inc. will reasonably assist Provider in (i) providing necessary information for carrying out a Data Protection Impact Assessment and Prior Consultation as described in the GDPR, and (ii) handling inquiries, investigations, or requests from or notifications to a supervisory authority in connection with the Processing in relation to the Service. Nevertheless, Provider remains solely responsible for assessing the requests and complaints related to Processing and shared in the context of the Service before responding, and taking appropriate steps in response.
9.2 In the event that Provider requires assistance, Provider should promptly notify Xola Inc. in written form, detailing the specific nature of the assistance needed. Xola Inc. commits to providing assistance within a reasonable time frame without causing undue interruption to the business operations of Xola Inc.
10. Data transfers and Standard Contractual Clauses
10.1 Provider agrees that where the Processing involves transfers of Personal Data within the meaning of Chapter 5 of the GDPR, Xola Inc. and its Subprocessors may ensure compliance with Chapter 5 of the GDPR by using one of the transfer mechanisms referred to in Chapter 5 of the GDPR. For example, by using standard contractual clauses adopted by the Commission in accordance with the GDPR or the Data Protection Laws. Upon request, Xola Inc. will provide Provider with information on how it complies with Chapter 5 of the GDPR, where applicable.
11. Audits
11.1 During the use of the Services, at Provider’s request, Xola Inc. shall permit and contribute to audits of the Processing covered by this DPA. The costs of this audit shall be borne by Provider (both Provider’s own costs and Xola’s costs). Before executing an audit, Provider shall first request the reasonably necessary information from Xola Inc. to demonstrate Xola’s compliance with this DPA. The audit shall only take place if Provider, even after receiving the information referred to in the preceding paragraph, has reasonable doubts as to Xola’s compliance with this DPA. In the event of an audit, Provider shall give Xola Inc. at least 60 days’ notice and such audit will be limited to the Processing and systems where Xola Inc. Processes Personal Data as a Data Processor. Audits cannot be conducted more than once during any consecutive 12-month period, lasting a maximum of two business days, and only during business hours without impact on the Xola Inc. business.
12. Confidentiality
12.1 Xola Inc. shall ensure that employees, contractors and other persons working for Xola Inc. that are authorized to Process Personal Data, are subject to a contractual obligation of confidentiality or are under an appropriate statutory obligation of confidentiality.
13. Data retention and return
13.1 For 12 months following termination of the Service for any reason whatsoever, subject to this DPA, Xola Inc. will return or anonymize Personal Data at Provider’s request. After 12 months following termination of the Service, Xola Inc. shall not be required to retain, and shall have the right to delete, without prejudice to Provider’s right to reactivate the Service and within that context instruct Xola Inc. to withhold from deleting the Personal Data. Xola Inc. is not obliged to return or delete Personal Data if Xola Inc. is legally required to keep Personal Data, for example due to supervisory and tax obligations.
14. Liability
14.1 The limitations of liability agreed in the Terms shall apply to this DPA.
14.2 Provider shall not be entitled to recover any fines imposed on Provider by a supervisory authority on any legal ground whatsoever from Xola Inc.
15. Term
15.1 The term and termination agreed in the Terms shall apply to this DPA.
16. Applicable Law and Forum
16.1 The applicable law and forum agreed in the Terms shall apply to this DPA.
17. Amendments and Updates
17.1 The applicable law and forum agreed in the Terms shall apply to this DPA.