Data Processing Agreement

This Data Processing Agreement (“DPA”) is incorporated into and forms part of FareHarbor’s Terms of Service for Providers (“Terms”). FareHarbor and Provider are parties to the Terms under which FareHarbor provides the Service (defined below).

To the extent there is any conflict between this DPA, the Terms, or any other agreement between the Parties this DPA will prevail.

This DPA sets out the Parties obligations and rights under the Data Protection Laws (defined below).

1. Definitions

1.1        Capitalized terms used but not defined in this DPA that relate to the Service by FareHarbor, shall have the meanings given to them in the Terms.

1.2        Capitalized terms that relate to data processing shall have the meanings given to them in the Data Protection Laws when applicable.

1.3        “Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

1.4        “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

1.5        “Data Protection Laws” means the GDPR and other applicable laws relating to the protection and use of information and data, including but not limited to rules regarding the processing of Personal data and the protection of privacy, and any laws or regulations ratifying, implementing, adopting, supplementing, amending or replacing such laws or regulations.

1.6        “Data Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.

1.7        “Data Subject” means an identified or identifiable natural person, e.g. a Booker.

1.8        Data Subject Request means requests of Data Subjects to exercise their rights under Data Protection Law.

1.9        “Personal Data” means any information relating to an identified or identifiable individual.

1.10        Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

1.11        “Processing” means the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data. 

1.12        “Provider’s Partners” means any other third party who Processes Provider’s Personal Data for providing their services to the Provider and whom FareHarbor transfers Personal Data based upon Provider instructions.

1.13        Subprocessor means another Data Processor that is engaged by FareHarbor as a subcontractor to perform parts of the Service.

2. Roles

2.1        FareHarbor Processes Personal Data on behalf of Provider when providing the Service and acts as the Data Processor under applicable Data Protection Laws while Provider acts as the Data Controller. Parties acknowledge and agree that, within the scope of using the Service, Provider is the Data Controller and FareHarbor is the Data Processor. 

2.2        If the Provider requests FareHarbor to Process Personal Data and share it with Provider’s Partners, FareHarbor will continue to act as the Data Processor for the Processing of Personal Data and will collaborate with Provider’s Partners in this regard.

3. Responsibilities of  Provider

3.1        As the Data Controller, Provider is accountable for ensuring and demonstrating that all Processing of Personal Data complies with Data Protection Laws.

3.2        Provider represents and warrants that all Personal Data is Processed in accordance with Data Protection Laws and that FareHarbor has all necessary rights and authorizations to Process the Personal Data, including, without limitation: 

(i) ensuring that all Personal Data is collected and Processed fairly and lawfully in accordance with Data Protection Laws, and that there is a lawful basis for Processing Personal Data;

(ii) obtaining the necessary Consent from Data Subjects, and where required confirming that Consent has been obtained from the Data Subjects before sharing any information with FareHarbor;

(iii) ensuring that all Personal Data is accurate and up to date and that a notice or similar documentation in accordance with Data Protection Laws is provided by Provider to the Data Subjects prior to the collection of Personal Data which describes the Processing to be undertaken by FareHarbor pursuant to the Service and this DPA. 

4. Data Processing Details

4.1        Details of Personal Data Processing:

      1. The subject matter of the Processing: To perform the Service as described in the Terms. 
      2. Nature of the Processing: Collecting and transmitting Personal Data to Provider. For example submitting Personal Data of Bookers to the Provider from the Online Booking System for the purpose of reserving activities. Monitoring Data Subject’s use of the Service and conducting analytics regarding such use.
      3. Purpose: Providing and improving the Service, including enabling the Data Subject to enter into an Activity Contract. Analysing website visitor statistics for analytical and statistical purposes with the aim of improving the Service, and/or development and improvement of products and services. 
      4. Duration of the Processing: The duration of the Personal Data Processing is determined by Provider.
      5. Type of Personal Data: Personal Data shared by Provider to use the Service, including: full name, phone number, email address, payment detail, online surfing history, information that Provider shares with FareHarbor or information that is collected by means of cookies or similar technologies. Data of Bookers who visit or interact with the Provider’s websites and share their Personal Data for the purpose of reserving activities. These individuals may include Bookers, guests, or any other individuals engaging with the Provider’s online platform to make reservations through FareHarbor’s reservation software service.
      6. The categories of Data Subjects: Provider’s Bookers and employees. Website visitors

4.2        Where FareHarbor acts as a Data Processor under this DPA with respect to the Processing of Personal Data, FareHarbor shall: 

      1. Process the Personal Data as instructed in this DPA to perform the Service, unless Provider issues additional documented instructions, in writing, as mutually agreed by the Parties or as otherwise required by law. In the latter case, FareHarbor shall inform Provider of that legal requirement before Processing unless the law prohibits this on important grounds of public interest;
      2. upon request make available to Provider information reasonably necessary to demonstrate compliance with (i) this DPA, and (ii) obligations that stem directly from the GDPR or Data Protection Laws; and,
      3. Process Personal Data for the irreversible anonymization and/or aggregation of data to ensure that such Personal Data is no longer Personal Data if FareHarbor uses Personal Data for research, analysis, improvement and development purposes.

5. Technical and organizational measures

5.1        Provider shall implement appropriate security measures to safeguard Personal Data against unauthorized access, disclosure, alteration, and destruction.

5.2        Each Party will ensure appropriate technical and organizational measures to secure the Personal Data in accordance with Data Protection Laws, including the following:

      1. Measures for ensuring events logging;
      2. Measures for user identification and authorization; 
      3. Measures of encryption of Personal Data;
      4. Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      5. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services.

6. Subprocessing

6.1        Provider hereby provides FareHarbor general authorization for engaging Subprocessors. The list of Subprocessors used by FareHarbor at the time of Provider’s acceptance of this DPA can be found on the FareHarbor Subprocessors Webpage. FareHarbor will keep the Provider informed of any intended changes concerning the addition or replacement of Subprocessors through FareHarbor Subprocessors Webpage. In the event of any objection to the use of a particular Subprocessor, Provider retains the right of termination as set out in the Terms. For the avoidance of doubt, Articles 28.2 and 28.4 of the GDPR apply with full effect where Subprocessors have been engaged. 

6.2        FareHarbor may engage with Provider’s Partners based on Provider’s request to facilitate various operations, including without limitation the transfer of specific types of information from Provider’s website, and other collaborative efforts. In such instances, as the Data Controller, Provider remains responsible for how Provider’s Partners handle Provider’s data. It is Provider’s responsibility to establish and maintain contractual terms with Provider’s Partners to govern this relationship. Unless FareHarbor receives further instructions from Provider, FareHarbor will continue this Processing activity between FareHarbor and Provider’s Partners. As the Data Controller, Provider bears the responsibility for notifying FareHarbor of any required termination of data transfers between FareHarbor and Provider’s Partners. 

7. Data subject requests

7.1        As the Data Controller, Provider is responsible for facilitating the exercise of Data Subjects’ rights.

7.2        If Provider requires assistance from FareHarbor to respond to a Data Subject Request, Provider shall provide all necessary details to FareHarbor and FareHarbor shall reasonably assist Provider upon written request. 

7.3        Provider remains solely responsible for correctly assessing legality and legitimacy of requests and complaints in relation to the Processing and shared in the context of the Service before responding, and taking appropriate steps in response. 

8. Notification and Management of Personal Data Breaches

8.1        In the event of a Personal Data Breach, FareHarbor will notify Provider without undue delay after FareHarbor becomes aware of the Personal Data Breach. Such notification shall contain, in so far as this is known, the presumed cause of the Personal Data Breach, the categories of Personal Data and Data Subjects and the number of Data Subjects involved. Further information shall, as it becomes available, subsequently be provided without undue delay. FareHarbor shall cooperate with Provider to comply with Provider’s obligations under the GDPR or Data Protection Laws.

8.2        Provider will decide whether the Personal Data Breach must be notified to the  supervisory authority and/or the Data Subject, provided that Provider, subject to mandatory requirements under Data Protection Laws, (i) shall use best efforts to consult with FareHarbor and take into account FareHarbor’s reasonable requirements as to timing, content and manner of disclosure or notification, and recipient prior to making any disclosure or notification to any third-party (including any  supervisory authority and Data Subjects) in relation to a Personal Data Breach, (ii) acknowledge and agrees that FareHarbor retains the right to voluntarily inform any third-party about any Personal Data Breach; and (iii) shall not mention FareHarbor without its prior written authorization when notifying Data Subjects or any other third-party of a Personal Data Breach that FareHarbor hosts or stores.

8.3        In the event of a Personal Data Breach, FareHarbor will take all reasonable measures without undue delay to remedy the Personal Data Breach, minimize the consequences and prevent further Personal Data Breaches.

8.4        FareHarbor will keep a register of the Personal Data Breaches where FareHarbor acted as a Data Processor and the measures taken in response to Personal Data Breaches. Upon request by Provider, the Data Controller will be given access to the aforementioned register.

9. Assistance with Regulatory inquiries or Compliance

9.1        FareHarbor will reasonably assist Provider in (i) providing necessary information for carrying out a Data Protection Impact Assessment and Prior Consultation as described in the GDPR, and (ii) handling with inquiries, investigations, or requests from or notifications to a supervisory authority in connection with the Processing in relation to the Service. Nevertheless, Provider remains solely responsible for assessing the requests and complaints related to Processing and shared in the context of the Service before responding, and taking appropriate steps in response. 

9.2        In the event that Provider requires assistance, Provider should promptly notify FareHarbor in written form, detailing the specific nature of the assistance needed. FareHarbor commits to providing assistance within a reasonable time frame without causing undue interruption to the business operations of FareHarbor.

10. Data transfers and Standard Contractual Clauses

10.1        Provider agrees that where the Processing involves transfers of Personal Data within the meaning of Chapter 5 of the GDPR, FareHarbor and its Subprocessors may ensure compliance with Chapter 5 of the GDPR by using one of the transfer mechanisms referred to Chapter 5 of the GDPR. For example, by using standard contractual clauses adopted by the Commission in accordance with the GDPR or the Data Protection Laws. Upon request, FareHarbor will provide Provider with information on how it complies with Chapter 5 of the GDPR, where applicable. 

11. Audits

11.1        During the use of the Services, at Provider’s request, FareHarbor shall permit and contribute to audits of the Processing covered by this DPA. The costs of this audit shall be borne by Provider (both Provider’s own costs and FareHarbor’s costs). Before executing an audit, Provider shall first request the reasonably necessary information from FareHarbor to demonstrate FareHarbor’s compliance with this DPA. The audit shall only take place if Provider, even after receiving the information referred to in the preceding paragraph, has reasonable doubts as to FareHarbor’s compliance with this DPA. In the event of an audit, Provider shall give FareHarbor at least 60 days notice and such audit will be limited to the Processing and systems where FareHarbor Processes Personal Data as a Data Processor. Audits cannot be conducted more than once during any consecutive 12 month period, lasting a maximum of two business days, and only during business hours without impact on the FareHarbor business.

12. Confidentiality

12.1        FareHarbor shall ensure that employees, contractors and other persons working for FareHarbor that are authorized to Process Personal Data, are subject to a contractual obligation of confidentiality or are under an appropriate statutory obligation of confidentiality.

13. Data retention and return

13.1        For 12 months following termination of the Service for any reason whatsoever, subject to this DPA, FareHarbor will return or delete Personal Data at Provider’s request. After 12 months following termination of the Service, FareHarbor shall not be required to retain, and shall have the right to delete, without prejudice to Provider’s right to reactivate the Service and within that context instruct FareHarbor to withhold from deleting the Personal Data. FareHarbor is not obliged to return or delete Personal Data if FareHarbor is legally required to keep Personal Data, for example due to supervisory and tax obligations.

14. Liability

14.1        The limitations of liability agreed in the Terms shall apply to this DPA.

14.2        Provider shall not be entitled to recover any fines imposed on Provider by a  supervisory authority on any legal ground whatsoever from FareHarbor.

15. Term

15.1        The term and termination agreed in the Terms shall apply to this DPA.

16. Applicable Law and Forum

16.1        The applicable law and forum agreed in the Terms shall apply to this DPA.

17. Amendments and Updates

17.1        The applicable law and forum agreed in the Terms shall apply to this DPA.