Data Processing Agreement

This Data Processing Agreement is applicable to all processing of personal data to be undertaken by CHARTSPMS LIMITED, registered in Ireland under company number 523336 (hereinafter: Processor) for the benefit of its client (hereinafter: Controller) to whom it provides services.

Data Processing Agreement

(last amended on 7 September 2018)

This Data Processing Agreement is applicable to all processing of personal data to be undertaken by CHARTSPMS LIMITED, registered in Ireland under company number 523336 (hereinafter: Processor) for the benefit of its client (hereinafter: Controller) to whom it provides services (hereinafter: ChartsPMS Services) as listed in Appendix 4. This DPA is incorporated into the relevant ChartsPMS Services agreement attached to or incorporated by reference into the ordering document previously executed by customer.

Purposes of processing

Processor hereby agrees under the terms of this Data Processing Agreement to process personal data on Controller’s behalf.

Processing shall be done in accordance with the documented instructions from the controller (included parameters set by the Controller from Privacy Control Panel) solely for the purpose of the contracted ChartsPMS Services, and all purposes compatible therewith or as determined jointly.

The personal data to be processed by Processor for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement.

Processor shall not process the personal data for any other purpose unless with Controller’s consent.

Controller shall inform Processor of any processing purposes to the extent not already mentioned in this Data Processing Agreement.

All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.

Processor’s obligations with respect to the controller

Regarding the processing operations referred to in the clause “Purposes of processing”, Processor shall comply with applicable data processing legislation such as the General Data Protection Regulation (GDPR).

Upon first request Processor shall inform Controller about any measures taken to comply with its obligations under this Data Processing Agreement.

All obligations for Processor under this Data Processing Agreement shall apply equally to any person processing personal data under the supervision of Processor, including but not limited to employees.

Processor shall inform Controller if in its opinion an instruction of Controller would violate the legislation referred to in the first clause of this article. If Controller informed by the Processor pursue and maintain such instruction, Controller shall be responsible for any consequences.

Processor shall provide reasonable assistance to Controller in the context of any privacy impact assessments to be made by Controller, in case this is required by law. Processor will charge reasonable costs for doing so (see fees).

Transfer of personal data

Processor may process the personal data in any country within the European Union.

Transfer to countries outside the European Union is also permitted, provided that the legal requirements for doing so have been fulfilled.

Processor shall report to Controller of the countries involved outside the EU. The list of sub-processors Appendix 3 constitute such report.

Allocation of responsibilities

Processor shall make available IT facilities to be used by Controller for the purposes mentioned above.

Processor is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Processor, processing by sub-processors and/or for other purposes, the Processor does not accept any responsibility.

Controller declares and warrants that the content, usage and instructions to process the personal data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.

Controller declares and warrants to be solely responsible for personal data being self-hosted, temporary or on a regular basis, even when using ChartsPMS Services.

Controller shall indemnify the Processor for any claims which are the result of non-compliance of Controller with applicable privacy legislation and/or this Data Processing Agreement and/or Processor recommendations.

Controller shall set parameters of the property Privacy Control Panel that has been designed to assist the Controller in his duty to maintain subjects’ personal data protection.

Controller acknowledge to take all organizational and technical measures to comply with recommendations and terms of use of the ChartsPMS Services.

Processor provides support exclusively for ChartsPMS Services as listed in Appendix 4. Any service and version of service strikethrough or not listed in Appendix 4 is no longer supported by Processor and might no longer be compliant with applicable legislation, therefore use of such service is the sole responsibility of the Controller.

Data subjects’ right to information:

  • It is the controller’s responsibility to inform the data subjects concerned by the processing operations at the time data are being collected and to collect subject’s consent. Processor provides Controller with administration of tools (activation, content edition, link to Collector’s legal pages, check boxes) in order to help Controller to collect subject’s consent.
  • It is the controller’s responsibility to provide data subjects with tools to exercise their rights.
Involvement of sub-processors

The processor may engage another processor (hereinafter “sub-processor”) to conduct specific processing activities.

The Controller hereby grants permission to the Processor, within the framework of the Processor’s Agreement, to engage sub-processors as listed in Appendix 3.

The Processor shall inform the Controller about any proposed changes in sub-processors engaged. The Controller has the right to object (in writing, within two weeks and supported by arguments) to a proposed new/changed sub-processor. Should the Controller object, the Parties will jointly endeavour to find a solution.

In any event, Processor shall ensure that any sub-processors are bound to at least the same obligations as agreed between Controller and Processor. Controller has the right to inspect the agreements containing such obligations.


Processor shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).

Processor shall  take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.

Processor has implemented the security measures as per Appendix 2.

Processor does not warrant that the security is effective under all circumstances.

Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties’ compliance with these security measures.

Notification and communication of data breaches

Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) to the competent supervisory authority, and for communication of the same to data subjects.

In order to enable Controller to comply with this legal requirement, Processor shall notify Controller within 48 hours after becoming aware of an actual or threatened security or personal data breach.

A notification under the previous clause shall be made at all times, but only for actual breaches.

The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Processing requests from data subjects

In the event a data subject makes a request to exercise his or her legal rights under data protection legislation to the Processor, the Processor shall pass on such request to Controller by email, and Controller shall process the request.

Processor may inform the data subject of this passing on.

The processor shall assist the controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

The Processor can charge reasonable costs for such assistance.

Confidentiality obligations

All personal data that Processor receives from Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. Processor shall not use personal data information that relates to an identified or identifiable individual for any goals other than for which it was obtained.

The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the personal data to sub-processors, the provision to sub-processors is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.


Controller has the right to have audits performed on Processor by an independent third party bound by confidentiality obligations to verify compliance with the security requirements, compliance with data processing regulations, unauthorised use of personal data by Processor personnel, compliance with the Data Processing Agreement, and all issues reasonably connected thereto.

This audit may be performed once every year, no earlier than two months after the Controller has provided written notice to the Processor.

Processor shall give its full cooperation to the audit and shall make available all reasonably relevant information, including supporting data such as system logs.

The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either party or jointly.

The costs of the whole audit shall be borne by Controller, this includes the expenses incurred by the processor as part of the said audit (namely but not limited to employee working hours dedicated to the audit, travels, etc.)

Liability and contractual fine

The liability of Processor for any damages as a result of a failure to comply with this Data Processing Agreement, unlawful acts or otherwise, is excluded. To the extent such liability cannot be excluded, it is limited to direct damages per event (a sequence of successive events counting as one event), up to the amount received by Processor for all activities under this Data Processing Agreement for the month prior to the event.

Direct damages shall include only:

  • damages to physical objects;
  • reasonable and proven costs to cause Processor to regain compliance with this Data Processing Agreement;
  • reasonable costs to assess the cause and extent of the direct damage as meant in this article; and
  • reasonable and proven costs that Controller has incurred to limit the direct damages as meant in this article.

Any liability for indirect damages by Processor is excluded. Indirect damages are all damages that are not direct damages, and thus including but not limited to consequential damages, lost profits, missed savings, reductions in goodwill, standstill damages, failure to meet marketing requirements, damages as a result of using data prescribed by Controller, or loss, corruption or destruction of data.

No limitation of liability shall exist if and to the extent the damages are a result of intentional misconduct or gross negligence on the part of Processor or its directors.

Unless Processor is permanently unable to perform an obligation under this Data Processing Agreement, any liability shall exist only if Controller puts Processor on notice of default, including a reasonable term for addressing the failure, and Processor fails to comply even after this term. The notice shall contain a detailed description of the failure to ensure that Processor has a reasonable opportunity to address the failure.

Any claim for damages from Controller to Processor that is not specifically notified in detail shall be extinguished by the passage of three (3) months after the date its cause first arose.

Term and termination

This Data Processing Agreement enters into force upon acceptance by the Controller.

This Data Processing Agreement is entered into for the duration of the cooperation between the parties.

Upon termination of the Data Processing Agreement, regardless of reason or manner, Processor shall – at the choice of Controller – return in original format and/or destroy all personal data available to him

Changes to the Agreement

The Processor preserves the right to change this Data Processing Agreements. Changes and supplements are also applicable to agreements which have already been concluded, with observance of a term of thirty (30) days after the announcement of the change.

Changes will be announced on the website, in the Privacy Control Panel, or via email to Controller, or another channel of which Processor can prove that the announcement has reached Controller. Non-material changes of minor importance can be implemented at all times and do not require an announcement.

If Controller does not wish to accept a change, Controller has to make Processor aware of this, within fourteen (14) days, In writing, and supported by arguments. Processor may reconsider the change in response to this. If Processor does not annul the change, the Controller can terminate the agreement until the day that the new Data Processing Agreement becomes applicable; the agreement will then be terminated from the day that the new conditions become applicable.

Applicable law and competent venue

This Data Processing Agreement and its execution are subject to Irish law.

To the extent not otherwise provided for in mandatory law, all disputes related to the agreement will be submitted to the competent court in Dublin, Ireland.

Appendix 1

  • Personal data and data subjects

    Personal Data

    Processor shall process the below personal data under the supervision of Controller:

    • Names
    • Addresses
    • Telephone numbers
    • E-mail addresses
    • Web sites
    • Date of birth
    • Place and country of birth
    • Language
    • Nationality
    • Gender
    • Tax number
    • Occupation
    • ID card or passport: number, issuing country, issue date, expiry date
    • Credit card details
    • Details of arrival and departure
    • Booked accommodations
    • Used travel agency

    Data Subjects

    Of the following categories of data subjects:

    • Customers of the Controller
    • Leads and potential customers of the Controller

    Controller declares and warrants that the description of personal data and categories of data subjects in this Appendix is complete and accurate, and shall indemnify and hold harmless Processor for all faults and claims that may arise from a violation of this representation and warranty.

Appendix 2

  • Implemented security measures
    • Secure network and systems: Firewall configurations protect the data.
    • Network segmentation: No direct Internet access to data storage (DMZ).
    • Logical access control: Access requires asymmetrical key pairs protected by strong passwords.
    • Encrypted transmission: All data sent over the Internet is encrypted using TLS.
    • Audit trail and logging: All user actions are logged.
    • Physical access control: Physical access is controlled and monitored.
    • Organisational measures: Access to data is limited and defined by need to know.

Appendix 3

  • Sub-Processors
    • Hosting: Country selected by client in Privacy Control Panel
    • Development: Australia
    • Support: Ukraine, Ireland
    • R&D: Israel

Appendix 4

  • ChartsPMS Services
    • PMS:
      • PMS – V2 (Web Based)
      • PMS – V1.2 (Original Cloud)
      • PMS – V1.1 (Original Desktop) *
    • Booking Engine
    • Channel Manager
    • Review Module

    *PMS V1.1 (Original Desktop) is no longer supported and not compliant with personal data protection regulations.