Hotelinking Data Processing Addendum

For the purposes of this Data Processing Addendum (“DPA”), capitalized terms not otherwise defined herein shall have the meanings set forth in the applicable SaaS Agreement, Terms and Conditions, or under Applicable Data Protection Legislation (as defined below). The following terms shall have the meanings set out below:

1.1. “Affiliate”

Means any entity that directly or indirectly controls, is controlled by, or is under common control with a party. “Control” means ownership or control, directly or indirectly, of more than 50% of the voting interests of the subject entity.

1.2. “Applicable Data Protection Legislation”

Means all applicable laws and regulations relating to the processing, protection, privacy, and security of personal data, including but not limited to:

• Regulation (EU) 2016/679 (“GDPR”).
• The GDPR as implemented in the United Kingdom (“UK GDPR“).
• The Swiss Federal Data Protection Act (“Swiss DPA”).
• The California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”), and
• Other applicable data protection laws in jurisdictions where Hotelinking operates or provides services.

1.3. “Controller”

Means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in GDPR Article 4(7) and its equivalents under Applicable Data Protection Legislation.

1.4. “Customer”

Means the hotel group, entity, or organization subscribing to Hotelinking’s Services that enters into the SaaS Agreement or Terms & Conditions and acts as the Data Controller in respect of Customer Personal Data.

1.5. “Customer Personal Data”

Means any Personal Data processed by Hotelinking on behalf of the Customer under the Agreement, including but not limited to:

• Guest data collected via GuestMaker (e.g. email, name, nationality, MAC address).
• Identity and reservation data processed via Deskforce (e.g. ID/passport photos, signature, check-in/out metadata),
• Employee or IT contact data provided by the Customer in relation to WiFiBot and network monitoring services.

1.6. “Data Subject”

Means an identified or identifiable natural person whose Personal Data is processed under this DPA.

1.7. “Personal Data”

Means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR and equivalent terms under other Applicable Data Protection Legislation, including but not limited to guest details, contact information, device identifiers, and reservation-related information.

1.8. “Processing” / “Process”

Means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

1.9. “Processor”

Means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8) and its equivalents.

1.10. “Restricted Transfer”

Means a transfer of Personal Data to a country outside the EEA, UK, or Switzerland which is not subject to an adequacy decision under the Applicable Data Protection Legislation and therefore requires appropriate safeguards under GDPR Article 46 or its equivalent provisions.

1.11. “Security Breach”

Means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Hotelinking, in accordance with GDPR Article 33.

1.12. “Services”

Means the software-as-a-service solutions provided by Hotelinking under the Agreement, including:

• GuestMaker: Hotel WiFi captive portal and marketing automation platform.
• Deskforce: Digital check-in/out and payment automation platform.
• WiFiBot: Network infrastructure monitoring and NOC services.

1.13. “Standard Contractual Clauses (SCCs)”

Means the standard contractual clauses adopted by the European Commission or relevant data protection authorities as lawful mechanisms for cross-border data transfers, including any applicable UK Addendum or Swiss Addendum.

1.14. “Sub-processor”

Means any third party (including Hotelinking Affiliates) engaged by Hotelinking to process Customer Personal Data on its behalf.

1.15. “Supervisory Authority”

Means an independent public authority established under Applicable Data Protection Legislation, such as the Spanish Data Protection Authority (AEPD), the UK Information Commissioner’s Office (ICO), or the Swiss FDPIC.

2.1. Applicability

This DPA applies only to the extent that Hotelinking processes Customer Personal Data on behalf of the Customer in the course of providing the Services under the Agreement. It governs the processing of Personal Data where such processing is subject to Applicable Data Protection Legislation, including but not limited to the GDPR, UK GDPR, Swiss DPA, or CCPA/CPRA.

2.2. Relationship of the Parties

Hotelinking acts as a Data Processor (or sub-processor where the Customer is a processor for another controller), and the Customer acts as a Data Controller (or as a processor on behalf of a third-party controller) with respect to the Processing of Customer Personal Data.

2.3. Duration

This DPA remains in effect for the term of the Agreement and shall survive its termination to the extent that Hotelinking continues to process Customer Personal Data on behalf of the Customer.

2.4. Product-Specific Applicability

This DPA applies to the following product modules, depending on the services contracted by the Customer:

• GuestMaker: Applies where Hotelinking processes personal data obtained via WiFi captive portals, including guest identification, MAC addresses, and PMS-linked reservation metadata.
• Deskforce: Applies where Hotelinking processes guest data for digital check-in, including ID document images, electronic signatures, and payment credentials processed via integrated payment gateways.
• WiFiBot: Applies only to the extent that Hotelinking processes operational metadata that may include identifiable employee or network administrator information (e.g. login, alerts, device monitoring logs). WiFiBot does not process guest Personal Data.

2.5. Conflict of Terms

In the event of any conflict between this DPA and other agreements between the parties (including the Agreement or the Terms & Conditions), the provisions of this DPA shall prevail to the extent of such conflict with regard to data protection and privacy matters.

2.6. Incorporation by Reference

This DPA forms an integral part of the Agreement between the parties. By continuing to use the Services after the Effective Date of this DPA, the Customer agrees to the terms of this DPA, including the relevant Standard Contractual Clauses incorporated herein by reference.

3.1. Roles of the Parties

In the context of this DPA and the Services provided:

• The Customer acts as the Data Controller (or, where applicable, as a Processor acting on behalf of a third-party Controller).
• Hotelinking acts as the Data Processor, processing Customer Personal Data only on documented instructions from the Customer, unless required to do so by law.

For specific product modules:

• For GuestMaker and Deskforce, Hotelinking acts as a processor with respect to personal data collected from hotel guests on behalf of the Customer.
• For WiFiBot, Hotelinking acts as Processor only to the limited extent of processing user identifiers related to network administrators or IT personnel. Guest data is not collected or processed by WiFiBot.

3.2. Customer Instructions

Hotelinking will process Customer Personal Data only:

• To provide the Services and fulfill its obligations under the Agreement.
• As documented in this DPA or other written instructions provided by the Customer.
• As required to comply with applicable law (in which case Hotelinking will, to the extent permitted by law, inform the Customer before processing).

3.3. Lawfulness of Instructions

The Customer shall ensure that its instructions:

• Comply with all applicable data protection laws.
• Are consistent with the Agreement and this DPA.
• Do not cause Hotelinking to breach any applicable law when acting upon those instructions.

Hotelinking will inform the Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Legislation.

3.4. Additional Instructions

Any additional instructions (beyond those required for service delivery and described herein) must be:

• Submitted in writing.
• Mutually agreed between the parties.
• Reasonably scoped and feasible in Hotelinking’s environment.

Requests that materially deviate from the Service functionality or standard processing workflows may require a formal change request and be subject to additional costs.

4.1. Limitation of Use

Hotelinking shall process Customer Personal Data solely for the purposes of:

• Providing, maintaining, and supporting the Services to which the Customer has subscribed.
• Fulfilling its obligations under the Agreement and this DPA.
• Complying with applicable legal obligations (e.g., Spanish, EU, or other data protection laws).

Hotelinking shall not process Customer Personal Data for any purpose other than those explicitly set out in this DPA or documented by the Customer, unless required to do so by applicable law.

4.2. Product-Specific Processing Purposes

• GuestMaker
  Hotelinking processes guest data to enable personalized and verified WiFi access, generate marketing audiences, enrich CRM profiles, validate contact details, and synchronize reservation metadata from connected PMS systems.
• Deskforce
  Hotelinking processes data for the purposes of digital guest registration, identity verification (e.g. scanning and auto-deleting ID documents), capturing guest consent, enabling digital payments, and generating check-in/check-out records.
• WiFiBot
  Hotelinking processes operational network metadata (e.g., MAC/IP/device status) for the sole purpose of proactive infrastructure monitoring, fault detection, alerting, and ensuring network reliability. Guest-level personal data is not collected or stored.

4.3. Prohibition on Secondary Use

Hotelinking will not:

• Use Customer Personal Data for its own commercial or marketing purposes.
• Sell, license, or otherwise disclose Customer Personal Data to third parties for unrelated purposes.
• Combine Customer Personal Data with personal data collected independently by Hotelinking, unless explicitly authorized by the Customer.

4.4. Aggregated and Anonymized Data

Hotelinking may aggregate or anonymize Customer Personal Data to create statistical or benchmarking insights, provided that:

• Such data cannot be used to identify or re-identify any data subject.
• The results are used exclusively for internal improvements, product development, or market insights.

5.1. Customer’s General Compliance Obligations

The Customer agrees and represents that:

• It has obtained all necessary rights, authorizations, and lawful bases under Applicable Data Protection Legislation to transfer Customer Personal Data to Hotelinking for processing.
• It shall comply with all applicable privacy and data protection laws in its use of the Services and in providing instructions to Hotelinking.
• It is solely responsible for determining the lawfulness of processing activities carried out under its instructions.

5.2. Transparency and Lawful Collection

The Customer is responsible for ensuring that:

• Data subjects (e.g., hotel guests, employees, or other individuals) have been informed of the processing activities, including Hotelinking’s role as a processor.
• All required notices under GDPR Article 13/14 or other applicable laws are provided to data subjects in a transparent, clear, and timely manner.
• All necessary consents or other valid legal bases for processing are in place and documented.

5.3. Accuracy and Minimization

The Customer shall ensure that:

• Customer Personal Data shared with Hotelinking is accurate, up-to-date, and relevant for the purpose for which it is processed.
• Unnecessary or excessive data is not transferred to Hotelinking through integrations, uploads, or use of the Services.

5.4. Customer’s Use of the Services

The Customer agrees to:

• Use the Services in a manner that does not violate Applicable Data Protection Legislation or Hotelinking’s Terms & Conditions.
• Configure and use Hotelinking features (e.g. data capture forms, PMS integrations, email tools) in accordance with privacy best practices and applicable regulations (e.g. marketing opt-ins, consent logs).
• Manage and restrict user access to Customer’s Hotelinking account as appropriate, including implementing role-based access controls and using strong authentication methods.

5.5. Cooperation with Hotelinking

The Customer agrees to cooperate in good faith with Hotelinking in connection with:

• Responding to data subject requests (see Section 13).
• Performing Data Protection Impact Assessments (DPIAs), audits, or consultations with Supervisory Authorities as required by law.
• Investigating or mitigating any actual or suspected security incidents or data breaches involving Customer Personal Data.

5.6. Use of Sub-Processors by the Customer

Where the Customer shares Customer Personal Data with third-party systems, integrations, or vendors that are not managed by Hotelinking (e.g., their own CRM, payment provider, PMS, etc.), the Customer is solely responsible for ensuring that such third parties comply with applicable data protection obligations.

6.1. Confidentiality Obligations of Hotelinking Personnel

Hotelinking shall ensure that all employees, contractors, and other personnel authorized to process Customer Personal Data are:

• Subject to a written obligation of confidentiality, whether through employment agreements, contractor terms, or separate NDAs.
• Given appropriate training on their responsibilities under this DPA and Applicable Data Protection Legislation, including secure data handling and reporting obligations.
• Granted access to Customer Personal Data strictly on a need-to-know basis, aligned with their role and responsibilities.

6.2. Confidential Information

Each party agrees to treat Customer Personal Data as Confidential Information under the Agreement, and to:

• Protect it with the same level of care as its own confidential information, but no less than a reasonable standard of care.
• Refrain from disclosing it to third parties except as permitted under this DPA (e.g. to approved Sub-processors under Section 7 or as required by law under Section 6.4).
• Not use Customer Personal Data for any purpose outside the scope of the Agreement and this DPA.

6.3. Retention of Confidentiality Obligations

Hotelinking’s confidentiality obligations shall:

• Survive the termination or expiry of the Agreement or this DPA; and…
• Continue until all Customer Personal Data has been deleted or returned in accordance with Section 10 (Return or Deletion of Data).

6.4. Legally Compelled Disclosure

If Hotelinking is required by law, court order, or governmental authority to disclose any Customer Personal Data, it shall:

• Promptly notify the Customer (unless legally prohibited from doing so).
• Limit the disclosure to the minimum required.
• Cooperate with the Customer, at Customer’s expense, in seeking a protective order or other appropriate remedy to prevent or limit such disclosure.

6.5. Background Checks

Where permitted by law and applicable to the role, Hotelinking may conduct background checks on employees who will access production systems containing Customer Personal Data.

7.1. Authorization for Sub-Processing

The Customer hereby provides Hotelinking with a general written authorization to engage Sub-processors for the Processing of Customer Personal Data, provided that:

• Hotelinking shall ensure that Sub-processors are subject to data protection obligations that are no less protective than those set forth in this DPA.
• Hotelinking shall restrict each Sub-processor’s access to Customer Personal Data only to what is strictly necessary to provide the Services.
• Hotelinking shall remain fully liable for the acts and omissions of its Sub-processors to the same extent it would be liable if performing the services itself.

7.2. Current Sub-Processors

Hotelinking maintains a list of approved Sub-processors. This list includes (as of the Effective Date):

• Amazon Web Services (AWS) – cloud infrastructure and data hosting (EU, primarily Ireland region).
• Zendesk – support ticketing system used by Hotelinking’s Customer Support team.
• Other infrastructure or monitoring tools as may be listed from time to time.

7.3. Notification of Changes

Hotelinking will notify the Customer of any intended changes to the Sub-processor list by:

• Sending an email to the Customer’s designated contact (or by Customer opting into a distribution list).
• Posting a change notification at the above Sub-processor URL.

The Customer will be given at least 20 days’ notice before a new Sub-processor begins processing Customer Personal Data.

7.4. Right to Object

If the Customer has a reasonable and legitimate objection to the engagement of a new Sub-processor (based on data protection grounds), it must:

• Notify Hotelinking in writing within 20 days of receiving notice of the intended change.
• Provide specific reasons for the objection related to data protection risks.

Upon receiving such objection, Hotelinking will work with the Customer in good faith to find a commercially reasonable alternative. If no mutually agreeable solution is found within 30 days, either party may terminate the affected portion of the Services (limited to the module or feature dependent on the new Sub-processor) with written notice.

7.5. International Sub-Processors

If a Sub-processor is located outside the EEA, UK, or Switzerland in a country not recognized as providing adequate protection, Hotelinking shall ensure that appropriate safeguards are in place for any such transfer in accordance with Section 12 (Transfer Mechanisms).

8.1. Assistance with Data Protection Impact Assessments (DPIAs)

Upon Customer’s written request and where required by Applicable Data Protection Legislation, Hotelinking shall provide reasonable cooperation and assistance to the Customer (at the Customer’s expense) in connection with:

• Conducting data protection impact assessments (DPIAs) that relate to Hotelinking’s processing of Customer Personal Data.
• Evaluating the impact of planned processing operations on the protection of personal data, particularly when introducing new technologies or services.
• Implementing mitigation measures or safeguards identified during the DPIA process that are reasonably within Hotelinking’s control.

Assistance may include documentation on Hotelinking’s security practices, architecture overviews, technical details of processing, and relevant audit reports or certifications (e.g. SOC 2, ISO 27001, AWS compliance materials).

8.2. Consultation with Supervisory Authorities

If the Customer is required to consult a Supervisory Authority prior to certain processing activities under Article 36 of the GDPR (or equivalent provisions), Hotelinking shall:

• Assist the Customer in meeting any data protection authority’s requests for information regarding the processing activities under Hotelinking’s responsibility.
• Cooperate in good faith with such authorities by providing relevant information and documentation.
• Make Hotelinking’s relevant personnel reasonably available, where required by the authority or Customer for official inquiries or follow-up.

8.3. Cost Allocation

Hotelinking shall provide the above assistance to a reasonable extent, taking into account the nature of the processing and the information available. Where such requests are extensive, require non-standard support, or result in material cost or operational burden, Hotelinking may charge a reasonable fee, subject to prior written notice and agreement with the Customer.

9.1. Security Program Commitment

Hotelinking shall implement and maintain a comprehensive written Information Security Management System (ISMS) aligned with ISO/IEC 27001 and SOC 2 standards. The ISMS includes administrative, technical, and physical safeguards designed to:

• Ensure the confidentiality, integrity, and availability of Customer Personal Data.
• Protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.
• Detect, prevent, and respond to security threats and vulnerabilities.

9.2. Technical and Organizational Measures

Hotelinking’s security measures include, but are not limited to, the following categories (as detailed in Schedule 2 of this DPA):

• Data Encryption: AES-256 encryption at rest and TLS 1.2+ encryption in transit.
• Access Controls: Role-based access, VPN-only connections, MFA for critical systems.
• Backups: Daily encrypted backups, monthly snapshots, tested disaster recovery procedures.
• Vulnerability Management: Regular internal scans, external penetration testing, patch management.
• Monitoring & Auditing: Centralized logging (e.g., AWS CloudTrail), threat detection (e.g., GuardDuty), real-time alerting (e.g., JOOPbox).
• Personnel Training: GDPR and security awareness training for all staff with access to Personal Data.

Full details are available in Hotelinking’s security documentation and supporting policies, such as:

• Access Control Policy.
• Operations Security & Backup Procedures.
• Incident Response Plan.
• Business Continuity & Disaster Recovery Policy.

9.3. Continuous Improvement

Hotelinking continuously monitors, evaluates, and improves its security measures. Updates or enhancements shall not reduce the overall level of protection for Customer Personal Data.

9.4. Confidentiality of Processing

All individuals acting under Hotelinking’s authority who have access to Customer Personal Data shall be bound by confidentiality obligations as per Section 6 of this DPA.

9.5. Security Breach Notification

In the event of a Security Breach involving Customer Personal Data, Hotelinking shall:

• Notify the Customer without undue delay upon becoming aware of the breach.
• Provide all relevant details as required by GDPR Article 33(3), including:
  • The nature and scope of the breach.
  • Categories and approximate number of data subjects and records affected.
  • Likely consequences and impact.
  • Mitigation and remedial actions taken or planned.
• Cooperate with the Customer to facilitate any legally required notifications to data subjects or supervisory authorities.

Hotelinking’s internal breach response protocol is aligned with its Personal Data Breach Notification Procedure.

9.6. No Admission of Fault

Any notification under this Section shall not be construed as an acknowledgment by Hotelinking of fault or liability regarding the Security Breach.

9.7. Customer Responsibilities

The Customer remains solely responsible for:

• Properly configuring and securing its use of the Services.
• Protecting access credentials, endpoints, and integrations.
• Backing up its own data and reviewing Hotelinking’s retention timelines.
• Assessing the appropriate level of security required for its use case and ensuring compliance with any sector-specific obligations (e.g., tourism laws, payment regulations).

10.1. Deletion or Return Upon Termination

Upon termination or expiration of the Agreement, Hotelinking shall, at the Customer’s written election:

• (a) Permanently delete all Customer Personal Data in its possession or control, or
• (b) Return such data to the Customer in a structured, commonly used, and machine-readable format (e.g., CSV or JSON), followed by deletion.

If the Customer does not request return or deletion within 30 days after termination, Hotelinking will proceed with deletion in accordance with Section 10.3 below.

10.2. Data Export Assistance

Hotelinking will provide reasonable assistance, upon written request made prior to termination or within the retention window, to export Customer Personal Data. Any assistance requiring custom effort (e.g., data reformatting, bulk transfers, or API builds) may be subject to a mutually agreed professional services fee.

10.3. Default Deletion Timelines

• Live Systems: Customer Personal Data is deleted from Hotelinking’s production systems no later than 30 days following the end of the Agreement, unless retention is legally required.
• Backups: Backup data containing Customer Personal Data will be securely deleted within 14 days of removal from live systems, using AWS lifecycle policies and media sanitization practices aligned with NIST SP 800-88 standards.
• Anonymized Data: Non-identifiable, fully anonymized data may be retained indefinitely for analytical or statistical purposes, provided it cannot be re-identified.

10.4. Retention Required by Law

If Hotelinking is required by law, regulation, court order, or binding legal obligation to retain some or all Customer Personal Data, it shall:

• Retain only the data strictly necessary for compliance.
• Isolate it from further processing (except as required by law).
• Notify the Customer of the retention, unless prohibited from doing so.

10.5. Certification of Deletion

Upon written request by the Customer, Hotelinking shall confirm in writing that Customer Personal Data has been deleted in accordance with this Section.

11.1. Customer’s Right to Audit

The Customer (or its appointed third-party auditor, subject to Section 11.3) has the right to audit Hotelinking’s compliance with this DPA and Applicable Data Protection Legislation, to the extent required by law and where such audit cannot be satisfied through other available means.

Audits may include:

• Reviewing Hotelinking’s technical and organizational measures.
• Assessing data processing practices.
• Verifying compliance with security and confidentiality obligations under this DPA.

11.2. Scope and Process

Audit rights are subject to the following conditions:

• Audits must be conducted during normal business hours and in a manner that does not disrupt Hotelinking’s operations.
• Customer must provide at least 30 days’written notice prior to the requested audit.
• Audits are limited to once per year unless:
  • Required by law or regulator, or
  • Following a confirmed Security Breach affecting Customer Personal Data.
• The audit scope must be mutually agreed and may not include unrelated proprietary data, customer data, or intellectual property of Hotelinking or its other customers.

11.3. Use of Third-Party Auditors
If the Customer engages a third-party auditor:

• The auditor must be bound by appropriate confidentiality obligations.
• Hotelinking may object to the appointment of an auditor if the auditor is a competitor or lacks adequate credentials, in which case the Customer must select another auditor.

11.4. Alternatives to Direct Audit
To reduce operational impact, the Customer agrees that its audit rights may be fulfilled, at Hotelinking’s option, by one or more of the following:

• Provision of Hotelinking’s most recent third-party SOC 2 Type II, ISO/IEC 27001, or equivalent audit reports.
• Completion of a detailed data protection and security questionnaire.
• Online or in-person audit session with Hotelinking’s Information Security Officer to review controls, policies, and certifications.

Such documentation is available via Hotelinking’s Trust Center or upon request.

11.5. Cost of Audits

Unless required by a data protection authority or in response to a confirmed breach, Customer shall bear its own costs of the audit. Hotelinking reserves the right to charge a reasonable fee for supporting Customer audits that go beyond standard due diligence or impose a material burden.

12.1. Location of Processing

Hotelinking primarily stores and processes Customer Personal Data in Amazon Web Services (AWS) data centers located in Ireland (region, EEA).

Where data must be transferred outside the EEA, UK, or Switzerland to countries that have not received an adequacy decision, Hotelinking shall ensure such transfers are made in compliance with Applicable Data Protection Legislation.

12.2. Lawful Transfer Mechanisms

If Hotelinking transfers Customer Personal Data to a third country or international organization not covered by an adequacy decision, such transfers shall be safeguarded by one of the following:

• The EU Commission’s Standard Contractual Clauses (SCCs), as adopted under Implementing Decision (EU) 2021/914.
• The UK’s International Data Transfer Addendum (UK Addendum) or other applicable UK transfer mechanism.
• The Swiss Addendum approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
• Binding Corporate Rules, certifications, or other lawful transfer tools, where applicable.

12.3. Incorporation of SCCs

The SCCs are incorporated by reference into this DPA and apply as follows:

• Module Two (Controller to Processor) applies when the Customer is the Controller and Hotelinking is the Processor.
• Module Three (Processor to Sub-processor) applies when the Customer is a Processor and Hotelinking is acting as a Sub-processor.

Customization of the SCCs:

• Clause 7 (Docking Clause): applies.
• Clause 9 (Use of Sub-processors): Option 2 applies with a 20-day notification period (per Section 7 of this DPA).
• Clause 11: does not apply.
• Clause 17 (Governing Law): Irish law, unless another EU Member State is specified by the Customer.
• Clause 18 (Jurisdiction): Courts of Ireland, unless the Customer is established in another EU Member State, in which case that Member State’s courts apply.

12.4. UK and Swiss Transfers

Where Customer Personal Data is subject to the UK GDPR or Swiss DPA:

• The SCCs apply with modifications as required by the UK Addendum or Swiss Addendum, respectively.
• For the UK, references to the GDPR shall be interpreted as references to the UK GDPR.
• For Switzerland, references to EU institutions are interpreted in accordance with the Swiss DPA.
• Disputes shall be subject to the jurisdiction of England and Wales (for UK transfers) or the competent Swiss courts.

12.5. Additional Safeguards

Where required by law or best practices (e.g., post-Schrems II guidance), Hotelinking implements additional safeguards for international transfers, including:

• Encryption of data in transit and at rest.
• Access restrictions based on least privilege.
• Secure authentication and key management practices.
• Contractual obligations with Sub-processors to challenge access requests from public authorities and to notify Hotelinking where legally permitted.

12.6. Objections to Transfer Mechanisms

If the Customer reasonably determines that any mechanism used by Hotelinking for international data transfers is no longer valid or sufficient, the parties will work together in good faith to implement an alternative lawful transfer mechanism.

13.1. Data Subject Requests (DSRs)

Where Hotelinking processes Customer Personal Data, it shall—taking into account the nature of the processing—provide the Customer with reasonable assistance in responding to requests from data subjects to exercise their rights under Applicable Data Protection Legislation, including:

• Right of access.
• Right to rectification.
• Right to erasure (“right to be forgotten”).
• Right to restriction of processing.
• Right to data portability.
• Right to object to processing.
• Right not to be subject to automated decision-making, where applicable.

Hotelinking will not independently respond to such requests unless instructed by the Customer or required by law.

13.2. Redirecting Requests

If Hotelinking receives a request directly from a data subject and can reasonably identify the Customer as the relevant controller, Hotelinking will:

• Promptly forward the request to the Customer.
• Inform the data subject that the request must be made directly to the Customer.
• Refrain from responding directly unless legally required to do so.

13.3. Tools and Automation

Hotelinking provides self-service tools and administrative functionality (via its platform) that Customers may use to:

• View, export, delete, or restrict guest data.
• Manage user access and data retention settings.
• Configure consent mechanisms and data capture logic (e.g., for GuestMaker or Deskforce).
• Log and manage identity document deletions (e.g., 48-hour limit for scanned ID storage in Deskforce).

13.4. Cost and Scope of Assistance

Hotelinking shall provide this assistance at no additional cost where such support is:

• Included in the Services; and
• Reasonably limited in scope and frequency.

Where assistance goes beyond what is normally provided (e.g., custom data exports, manual analysis, data mapping, or third-party correspondence), Hotelinking reserves the right to charge reasonable administrative fees, subject to prior notice.

13.5. Regulatory Cooperation

If the Customer is required to consult or respond to a supervisory authority regarding Hotelinking’s processing of Customer Personal Data, Hotelinking shall:

• Provide timely and relevant information about its processing activities.
• Cooperate in good faith to support the Customer’s compliance efforts.
• Make relevant personnel available, if required, for regulatory inquiries or meetings.

14.1. No Sale

Hotelinking certifies that it does not sell Customer Personal Data to any third party, and shall not do so under any circumstances, including for monetary or other valuable consideration, as defined under the California Consumer Privacy Act (CCPA) and other applicable U.S. or international laws.

14.2. No Cross-Context Behavioral Advertising

Hotelinking shall not:

• Share Customer Personal Data for purposes of cross-context behavioral advertising, targeted advertising, or profiling across unaffiliated websites or services.
• Use or disclose Customer Personal Data for building consumer profiles for unrelated commercial purposes.

14.3. No Use Beyond Scope

Hotelinking will not retain, use, or disclose Customer Personal Data:

• For any purpose other than to provide the Services or as permitted by law.
• Outside the direct business relationship between Hotelinking and the Customer.
• For combining Customer Personal Data with any other personal data collected from non-Customer sources, unless expressly authorized by the Customer or required by law.

14.4. Compliance with U.S. State Privacy Laws

To the extent that Hotelinking’s processing of Customer Personal Data is subject to the CCPA, CPRA, or similar state laws in the United States (e.g., Colorado Privacy Act, Virginia CDPA):

• Hotelinking acts as a Service Provider (or Processor) as defined in such laws.
• Hotelinking certifies that it understands and will comply with the restrictions set forth in this Section.
• Hotelinking shall notify the Customer if it determines that it can no longer meet its obligations under applicable U.S. data protection laws.

14.5. Sub-Processor Flow-Down

Hotelinking shall ensure that all Sub-processors processing Customer Personal Data are contractually prohibited from selling or sharing such data in violation of this Section or any applicable privacy law.

15.1. Order of Precedence

In the event of any conflict or inconsistency between this DPA and any other agreement between the parties, including the Agreement or Terms & Conditions, the order of precedence shall be:

• This DPA.
• The Agreement or Terms & Conditions.
• Hotelinking’s Privacy Policy.

Where applicable, the Standard Contractual Clauses (SCCs) incorporated under Section 12 shall prevail over all other conflicting provisions of this DPA or the Agreement to the extent required by law.

15.2. Entire Agreement

This DPA, including its Schedules and incorporated SCCs, constitutes the entire agreement between the parties concerning data processing under the Agreement and supersedes any prior data protection terms.

15.3. No Third-Party Beneficiaries

Except where explicitly provided by the SCCs or applicable data protection laws (e.g., for the benefit of data subjects), this DPA does not grant rights to any third party.

15.4. Amendments

Hotelinking may update this DPA from time to time to reflect:

• Changes in data protection laws.
• Updates to the SCCs, UK Addendum, or Swiss DPA.
• Enhancements in Hotelinking’s security or data handling practices.

Material changes will be communicated to the Customer at least 20 days in advance via email or designated notification channel. If the Customer reasonably objects to a material update, the parties shall work in good faith to resolve the concern. In absence of resolution, the Customer may terminate the affected Services upon written notice before the effective date of the changes.

15.5. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Spain, without regard to conflict of laws principles.

Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Palma de Mallorca, Illes Balears, Spain, unless otherwise required by the SCCs or applicable data protection laws (e.g., GDPR Article 79).

15.6. Severability

If any provision of this DPA is found to be invalid, unlawful, or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid portion shall be interpreted to best achieve its original intent.

15.7. Force Majeure

Neither party shall be liable for failure or delay in performance due to events beyond its reasonable control, including but not limited to acts of God, natural disasters, governmental actions, or network failures, provided that the affected party promptly notifies the other and uses reasonable efforts to mitigate the impact.

15.8. Language

This DPA may be published in multiple languages. In case of any conflict or discrepancy, the English version shall prevail, unless otherwise required by applicable law.