Data Processing Agreement
pursuant to Art. 28 GDPR

October 2021

(1) Within the scope of the provision of services under the Contract, which in particular has as its object the procurement and management of travel resources in the sense of a business travel agency ("Main Contract"), processes - depending on who is the contractual partner of the Customer -

a) Comtravo GmbH, Schinkestraße 20, 12047 Berlin, or

b) Comtravo Operations GmbH, Ludwigstraße 54 - 56, 89231 Neu-Ulm in cooperation with Comtravo GmbH, Schinkestraße 20, 12047 Berlin as Joint Controllers (Art. 26 GDPR)

personal data as a Processor for which the Customer is the Controller within the meaning of Art. 4 No. 7 GDPR ("Data").

(2) In case b), the Joint Controlling results from the position of Comtravo Operations GmbH as a fully owned subsidiary of Comtravo GmbH, which is supported by the parent company with software, services and financial services (e.g., factoring). In this context, the companies jointly determine the purposes and means of processing.

(3) This Agreement specifies the rights and obligations of the Parties under data protection law in connection with the data processing by the Processor pursuant to Art. 28 GDPR for the execution of the Main Contract.

1. Subject and duration of data processing

1.1 The Processor shall process the Data on behalf of and in accordance with the instructions of the Controller within the meaning of Article 28 of the GDPR ("Order Data Processing").

1.2 The subject of the order is the agency services and management of travel means and related services in the sense of a business travel agency under the Main Contract.

1.3 The term and termination of this Agreement shall be governed by the provisions governing the term and termination of the Main Contract. The termination of the Main Contract shall automatically result in termination of this Agreement. An isolated termination of this Agreement is excluded.

2. Nature, purpose, and place of data processing

2.1 The nature and purpose of the processing of the Data by the Processor shall be determined by the Main Contract. This includes the following activities and purposes:

a) Agency services and management (e.g., rebooking, cancellation, preparation of evaluations) of travel resources in the sense of a business travel agency;

b) Settlement and accounting of purchased travel resources in terms of a business travel agency;

c) Determination of refund or compensation claims (e.g., in accordance with the EU Passenger Rights Regulation) on the basis of an evaluation of the travel data and mediation of a specialized third-party service provider who takes over the enforcement of claims using the travel data on behalf of the customer;

d) Providing advice on required visas based on an evaluation of travel data and mediation of a specialized third-party service provider to handle visa application and processing using travel data on behalf of the customer;

e) Insofar as the Controller is a contractual partner of Circula GmbH, Schönhauser Allee 148, 10435 Berlin ("Circula") and commissions the Processor with the exchange of data with Circula, the Processor transfers the following data to Circula: e-mail address of the traveler as well as travel data (including information on the overnight stay or means of travel together with the respective costs) in order to enable a travel expense report by Circula on behalf of the Controller.

3. Categories of data subjects

The categories of persons affected by the handling of Data under this Agreement (data subjects) include:

a) Employees (e.g., salaried employees, trainees, temporary workers, freelancers);

b) Other persons traveling on behalf of or arranged by the Controller.

4. Type of personal data

The following types of Data are affected by Order Data Processing:

a) Master data (e.g., name, title/academic degree, date of birth, language, nationality);

b) Contact details (e.g., e-mail address, telephone number, address);

c) Communication data (e.g., communication content and metadata of emails);

d) Travel data (e.g., date, time, means of travel chosen, flight number, passport number);

e) Billing information (e.g., billing details, bank account information, credit card information, payment information);

f) Employment relationship data (e.g., the fact that the traveler is an employee of the Controller);

g) Travel preference data (e.g., price range, preferred airlines, quiet room, loyalty systems such as Miles&More);

h) Data on claims for reimbursement or compensation (e.g., amount of passenger compensation, affected person, fellow travelers).

5. Rights and duties of the Controller

5.1 The Controller is responsible for the lawfulness of the processing and for safeguarding the rights of the data subjects.

5.2 The Controller is entitled to issue instructions on the type, scope, and procedure of data processing. Verbal instructions shall be confirmed by the Processor in writing or in text form (e.g., by email) without delay at the request of the Controller.

5.3 The Controller shall inform the Processor without undue delay if errors or irregularities are detected in connection with the Order Processing of Data by the Processor.

6. Duties of the Processor

6.1 The Processor shall process the Data exclusively in accordance with this Agreement and/or the underlying Main Contract and in accordance with the instructions of the Controller. The Processor shall ensure this through appropriate controls.

6.2 The Processor shall assist the Controller in fulfilling the rights of the data subjects (Chapter III of the GDPR), in particular with regard to rectification, restriction of processing and erasure, notification and provision of information, to the extent of its capabilities.

6.3 Unless applicable law provides otherwise, the Processor shall correct, delete, or restrict the processing of the Data at the instruction of the Controller.

6.4 Insofar as a data subject contacts the Processor directly to exercise their data subject rights, the Processor shall forward this request to the Controller immediately upon receipt.

6.5 The Processor confirms that it has appointed a Data Protection Officer and monitors compliance with data protection and data security regulations with the involvement of the Data Protection Officer. The Data Protection Officer of the Processor is currently:

Widegreen & Data GmbH, represented by the CEO Hans-Chr. Widegreen, Wrangelstraße 5, 10997 Berlin, e-mail: hcw@anddata.de.

6.6 In the event that the Processor determines or facts justify the assumption that the Data processed by it for the Controller are subject to a breach of the statutory protection of personal data pursuant to Art. 33 GDPR (data protection breach), the Processor shall inform the Controller without undue delay and in full, taking into account the statutory requirements.

6.7 The Processor shall impose a confidentiality obligation in writing on the persons engaged in the processing of Data.

6.8 The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to it.

6.9 After termination of the Main Contract, the Processor shall either delete or return all data processed on behalf of the Controller, at the Controller's discretion, provided that the deletion of such data does not conflict with any statutory retention obligations of the Processor. The data protection-compliant deletion shall be documented and confirmed to the Controller upon request.

7. Control rights of the Controller

7.1 The Controller shall be entitled to monitor compliance with the provisions on data protection and this Agreement to the extent required, either itself or through third parties, after prior notification, during normal business hours, without disrupting the business operations of the Processor or jeopardizing the security measures for other Controllers and at its own expense.

7.2 The Processor shall grant the Controller the access, information, and inspection rights necessary to carry out the checks. The exercise of the aforementioned rights by the Controller must be notified in advance and in sufficient time.

7.3 At the option of the Parties, instead of an on-site inspection, proof can also be provided by submitting a suitable, current audit certificate, reports or report extracts from independent bodies (e.g., auditors, data protection officers/auditors) or suitable certification through IT security or data protection audits ("audit report"), if the audit report enables the Controller to reasonably satisfy itself of compliance with the regulations on data protection and this Agreement.

8. Subcontracting relationships

8.1 The Controller authorizes the Processor to use further processors (subcontractors) in accordance with the following paragraphs. This authorization constitutes a general written authorization within the meaning of Art. 28 para. 2 GDPR.

8.2 The Processor currently cooperates in performance of the Order with the subcontractors named in Annex 1, with whose commissioning the Controller agrees.

8.3 The Processor shall be entitled to engage additional subcontractors or to replace already engaged subcontractors. The Processor shall inform the Controller in advance of any intended change regarding the involvement or replacement of a subcontractor. The Controller may object to an intended change.

8.4 The objection to the intended change shall be raised with the Processor within two (2) weeks after receipt of the information about the change. In the event of an objection, the Processor shall endeavor to propose an alternative solution. Irrespective of this, in the event of an objection, the Controller and the Processor may terminate this Agreement and the Main Contract with a notice period of one (1) month to the end of the month.

8.5 If a subcontractor is used, a level of protection comparable to that of this Agreement must always be ensured. The Processor shall be responsible to the Controller for all acts and omissions of the subcontractors it uses.

9. Technical and organizational measures

9.1 The Processor shall implement the technical and organizational measures specified in Annex 2 prior to the start of the processing of the Data and maintain them during the contractual relationship.

9.2 As the technical and organizational measures are subject to technical progress and technological development, the Processor is permitted to implement alternative and adequate measures, provided that this does not fall below the security level of or expand the measures specified in Annex 2. The Processor shall document such changes and make them available to the Controller upon request.

10. Liability and Indemnification

The Processor shall be liable to the Controller in accordance with the statutory provisions for all damages caused by culpable violations of this Agreement as well as of the statutory data protection provisions applicable to it, which the Processor, its employees, or those commissioned by it to perform the contract cause during the provision of the contractual services. The Processor shall not be liable for compensation if the Processor proves that it has processed the data of the Controller provided to it exclusively in accordance with the instructions of the Controller and has complied with its obligations specifically imposed on Processors under the GDPR.

11. Final provisions

11.1 In case of contradictions between the provisions of this Agreement and the provisions of the Main Contract, the provisions of this Agreement shall prevail.

11.2 Amendments, supplements, and the cancellation of this Agreement and all of its components must be made in writing. The same shall apply to any amendment or cancellation of the text form requirement. Verbal collateral agreements do not exist and are also excluded for future amendments to this Agreement.

11.3 This Agreement shall be governed by German law. The place of jurisdiction shall be the registered office of the Processor.

11.4 If provisions of this Agreement are or become invalid or contain a loophole, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.

Annexes

Annex 1: Subcontracting relationships
Annex 2: Technical and organizational measures pursuant to Section 9 of the Data Processing Agreement

Annex 1: Subcontracting relationships

The Processor currently cooperates with the following subcontractors in the performance of the Order Processing:

Google

● Name/Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
● Location: USA
● Contact in Germany: Google Germany GmbH, ABC-Straße 19, 20354 Hamburg, 040-808179000, www.google.de
● Product/Operation: Google Workspace, Cloud Infrastructure
● Categories of data concerned: Master data, contact data, communication data, travel data, employment data, billing data, travel preference data, data on compensation claims
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: ISO certification (ISO 27001, 27017, 27018)

Zendesk

● Name/Company: Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA
● Location: USA
● Contact in Germany: Zendesk GmbH, Neue Schönhauser Str. 3-5, 10178 Berlin, 030-30808524, www.zendesk.de
● Product/Operation: Zendesk Support
● Categories of data concerned: Master data, contact data, communication data, travel data, employment data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: Binding Corporate Rules (Processor Policy)

AWS

● Name/Company: Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109, USA
● Location: USA
● Contact in Germany: -
● Product/Operation: System & Web Hosting, Cloud Infrastructure
● Categories of data concerned: Master data, contact data, communication data, travel data, employment data, billing data, travel preference data, data on compensation claims
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: ISO certification (ISO 27001, 27017, 27018); reports on system organisation and control; auditing by external auditors; server locations within the EU (Frankfurt a.M. and Ireland)

Salesforce

● Name/Company: salesforce.com Inc., Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, USA
● Location: USA
● Contact in Germany: Salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 München, 0800-1822338, www.salesforce.de
● Product/Operation: Salesforce CRM
● Categories of data concerned: Master data, contact data, communication data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: Binding Corporate Rules (Data Protection)

AirHelp

● Name/Company: AirHelp Germany GmbH, Boxhagener Str. 18, 10245 Berlin, Germany
● Location: Germany
● Contact in Germany: (see above)
● Product/Operation: Determination and enforcement of passenger compensation claims
● Categories of data concerned: Master data, contact data, communication data, travel data, employment data, data on compensation claims
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Data Protection Agreement
● Measures for comp. level of protection: -

refundrebel

● Name/Company: refundrebel GmbH, Pettenkoferstr. 9, 67063 Ludwigshafen am Rhein, Germany
● Location: Germany
● Contact in Germany: (see above)
● Product/Operation: Determination and enforcement of compensation claims from train delays and cancellations
● Categories of data concerned: Master data, contact data, communication data, travel data, employment data, data on compensation claims
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Data Protection Agreement
● Measures for comp. level of protection: -

HubSpot

● Name/Company: HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA
● Location: USA
● Contact in Germany: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin
● Product/Operation: Customer Relationship Management, Communication
● Categories of data concerned: contact data, communication data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: Binding Corporate Rules, Data Center (ISO 27001 certificate)

Fullstory

● Name/Company: FullStory, Inc., 1745 Peachtree St. NE, Atlanta, GA 30309, USA
● Location: USA
● Contact in Germany: -
● Product/Operation: Usage analysis within “MyComtravo”
● Categories of data concerned: Master data, contact data, communication data, travel data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: Data Center (ISO 27001 certificate), Sub-Processor-Management

Delighted

● Name/Company: Delighted LLC, 333 W. River Park Drive, Provo, UT 84604, USA
● Location: USA
● Contact in Germany: -
● Product/Operation: Customer communication, surveys
● Categories of data concerned: contact data, communication data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: Data Center (ISO 27001 certificate); PEN-Testing; encryption of the data stock; Security Policy; Security Training

Vonage

● Name/Company: Vonage Limited, 25 Canada Square Level 37, London E14 5LQ, UK
● Location: UK
● Contact in Germany: -
● Product/Operation: Cloud Communication, VoIP Service, ContactWorld
● Categories of data concerned: Contact details, communication data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Standard contractual clause and case-by-case assessment with regard to a level of protection comparable to the EU
● Measures for comp. level of protection: ISO 27001:2013 certification; PEN-Testing; Change Management Policy; Auditing (Security); Security Awareness Training; Corporate Risk Management

Stripe

● Name/Company: Stripe Payments Europe Ltd, The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland
● Location: Ireland
● Contact in Germany: -
● Product/Operation: Payment Processor
● Categories of data concerned: User identifiers, purchase data
● Categories of data subjects: Customers, end users of the customer
● Protection: Data Protection Agreement
● Measures for comp. level of protection: -

LCR/LCC

● Name/Company: Lufthansa City Center Reisebüropartner GmbH, Lyoner Straße 36, 60528 Frankfurt am Main, Germany
● Location: Germany
● Contact in Germany: (see above)
● Product/Operation: Provision of technologies and framework agreements to booking providers and service providers
● Categories of data concerned: Master data, contact data, communication data, travel data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Data Protection Agreement
● Measures for comp. level of protection: -

A3M

● Name/Company: A3M personal Mobile Protection GmbH, Hintere Grabenstraße 26, 72070 Tübingen, Germany
● Location: Germany
● Contact in Germany: (see above)
● Product/Operation: Travel alert and travel security provider, sublicensed through LCR
● Categories of data concerned: Master data, contact data, communication data, travel data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Data Protection Agreement through LCR
● Measures for comp. level of protection: -

AERTicket

● Name/Company: AERTicket Conso GmbH, Boppstr. 10, 10967 Berlin, Germany
● Location: Germany
● Contact in Germany: (see above)
● Product/Operation: Airline Ticket Wholesale
● Categories of data concerned: Master data, contact data, communication data, travel data
● Categories of data subjects: Customers, end users of the customer (e.g., employees)
● Protection: Data Protection Agreement
● Measures for comp. level of protection: -

The suppliers and intermediaries listed below receive data from the Processor in the course of the Order Processing. With the booking confirmation, the Controller agrees that the Processor forwards the required information to these suppliers and enters into an agreement with the respective supplier or intermediary. Comtravo and its affiliates are therefore not the processor in these cases. For the sake of transparency, these partners are listed here.

Sabre

● Name/Company: Sabre GLBL Inc, 3150 Sabre Drive, Southlake, TX 76092 USA
● Location: USA
● Product/Operation: GDS

Amadeus

● Name/Company: Amadeus IT Group S.A., C/Salvador de Madariaga 1, 28027 Madrid, Spain
● Location: Spain
● Product/Operation: GDS

HitchHiker

● Name/Company: HitchHiker GmbH, Berner Straße 81, 60437 Frankfurt a.M., Germany
● Location: Germany
● Product/Operation: Ticketing API

Booking.com

● Name/Company: Booking.com, Herengracht 597, 1017 CE Amsterdam, Netherlands
● Location: The Netherlands
● Product/Operation: Hotel broker

HRS

● Name/Company: HRS Hotel Reservation Service, Breslauer Platz 4, 50668 Köln, Germany
● Location: Germany
● Product/Operation: Hotel broker

Deutsche Bahn

● Name/Company: DB Vertrieb GmbH, Europa-Allee 78-84, 60486 Frankfurt a.M., Germany
● Location: Germany
● Product/Operation: DB Internet Booking Engine

Annex 2: Technical and organizational measures pursuant to Section 9 of the Data Processing Agreement

The Processor warrants that it has taken the following technical and organizational measures:

1. Measures to ensure confidentiality

1.1 Entry control: Measures that physically deny unauthorized persons access to IT systems and data processing equipment with which personal data are processed, as well as confidential files and data carriers.
- Badge reader, controlled key allocation, chip card;
- Door security (electronic door opener, etc.);
- Surveillance equipment (alarm systems, video);
- Central reception desk manned during the day.

1.2 System access control: Measures that prevent unauthorized persons from processing or using data protected under data protection law.
- Password procedure (minimum length of 8 characters, mandatory special characters, regular password changes);
- Automatic blocking (after 5 minutes of inactivity);
- Limitation of the number of authorized employees;
- Access lists;
- Encryption of data carriers, if used.

1.3 Data access control: Measures to ensure that authorized users can only access the personal data covered by their access authorization, so that data cannot be read, copied, modified, or removed without authorization during processing, use, and storage.
- Authorization concepts (profiles, roles, etc.) and their documentation;
- Evaluation/logging.

1.4 Segregation requirement: Measures to ensure that data collected for different purposes are processed separately and are segregated from other data and systems in such a way that unplanned use of these data for other purposes is precluded.
- Authorization concepts;
- Software-based customer separation;
- Separation of test and production systems.

1.5 Pseudonymization: Measures that reduce the direct reference to a person during processing in such a way that an assignment to a specific data subject is only possible with the use of additional information. The additional information must be kept separate from the pseudonym by means of suitable technical and organizational measures.
- For the main service, this is not possible and not in the customer's interest, as booking requests are answered individually to bookers/persons.
- For general analyses we anonymize all data.
- For the evaluation of personal inquiries/offers, we work with pseudonymization, whereby no personal data other than gender and age is used here.

2. Measures to ensure integrity

2.1 Transfer control: Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or during their transport or storage on data media, as well as measures to verify and determine to which entities personal data are intended to be transferred.
- Electronic signature;
- Logging;
- Transmission of data via encrypted data networks or tunnel connections (VPN);
- Traceability of data entry, modification, and deletion through individual user names.

2.2 Input control: Measures to ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified, or removed from data processing systems.
- Logging of all system activities;
- Log evaluation systems.

3. Measures to ensure availability and resilience

3.1 Availability control: Measures to ensure that personal data are protected against accidental destruction or loss.
- Data backup procedures;
- Regular tests of data recovery.

3.2 Rapid recoverability: Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident.
- Data backup procedure.

4. Measures for the regular evaluation of the security of data processing

Measures that ensure data protection-compliant and secure processing.
- Regular data protection auditing;
- Four-eyes principle for data-intensive processing;
- Formalized processes for the management of data protection incidents.