Your privacy is important to us. It is Servr LTD.’s policy to respect your privacy regarding any information we may collect from you across our website and application, https://servrhotels.com, and other sites we own and operate.
When you visit our website and application, our servers may automatically log the standard data provided by your web browser. It may include your computer’s Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details.
We may also collect data about the device you’re using to access our website and application. This data may include the device type, operating system, unique device identifiers, device settings, and geo-location data. What we collect can depend on the individual settings of your device and software. We recommend checking the policies of your device manufacturer or software provider to learn what information they make available to us.
We may ask for personal information, such as your:
Business data refers to data that accumulates over the normal course of operation on our platform. This may include transaction records, stored files, user profiles, analytics data and other metrics, as well as other types of information, created or generated, as users interact with our services.
We will process your personal information lawfully, fairly and in a transparent manner. We collect and process information about you only where we have legal bases for doing so.
These legal bases depend on the services you use and how you use them, meaning we collect and use your information only where:
Where you consent to our use of information about you for a specific purpose, you have the right to change your mind at any time (but this will not affect any processing that has already taken place).
We don’t keep personal information for longer than is necessary. While we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. That said, we advise that no method of electronic transmission or storage is 100% secure and cannot guarantee absolute data security. If necessary, we may retain your personal information for our compliance with a legal obligation or in order to protect your vital interests or the vital interests of another natural person.
We may collect, hold, use and disclose information for the following purposes and personal information will not be further processed in a manner that is incompatible with these purposes:
We may disclose personal information to:
The personal information we collect is stored and processed where we or our partners, affiliates and third-party providers maintain facilities. By providing us with your personal information, you consent to the disclosure to these overseas third parties.
We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.
Where we transfer personal information from a non-EEA country to another country, you acknowledge that third parties in other jurisdictions may not be subject to similar data protection laws to the ones in our jurisdiction. There are risks if any such third party engages in any act or practice that would contravene the data privacy laws in our jurisdiction and this might mean that you will not be able to seek redress under our jurisdiction’s privacy laws.
Choice and consent: By providing personal information to us, you consent to us collecting, holding, using and disclosing your personal information in accordance with this privacy policy. If you are under 16 years of age, you must have, and warrant to the extent permitted by law to us, that you have your parent or legal guardian’s permission to access and use the website and application and they (your parents or guardian) have consented to you providing us with your personal information. You do not have to provide personal information to us, however, if you do not, it may affect your use of this website and application or the products and/or services offered on or through it.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.
Restrict: You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below. If you ask us to restrict or limit how we process your personal information, we will let you know how the restriction affects your use of our website and application or products and services.
Access and data portability: You may request details of the personal information that we hold about you. You may request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may request that we erase the personal information we hold about you at any time. You may also request that we transfer this personal information to another third party.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading or out of date.
Notification of data breaches: We will comply laws applicable to us in respect of any data breach.
Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.
Unsubscribe: To unsubscribe from our e-mail database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication.
We use “cookies” to collect information about you and your activity across our site. A cookie is a small piece of data that our website and application stores on your computer, and accesses each time you visit, so we can understand how you use our site. This helps us serve you content based on preferences you have specified. Please refer to our Cookie Policy for more information.
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may continue to use your personal information according to this policy.
Our website and application may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
At our discretion, we may change our privacy policy to reflect current acceptable practices. We will take reasonable steps to let users know about changes via our website and application. Your continued use of this site after any changes to this policy will be regarded as acceptance of our practices around privacy and personal information.
If we make a significant change to this privacy policy, for example changing a lawful basis on which we process your personal information, we will ask you to re-consent to the amended privacy policy.
This policy is effective as of November 9, 2020.
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Subscription Terms (the “Principal Agreement”), entered into by and between the entity identified under the applicable Order Form (“Customer”) and the Servr entity identified under the applicable Order Form and/or its Affiliates (“Servr”) (the DPA together with the Principal Agreement or any Order Forms signed under the Principal Agreement are collectively referred to as the “Agreement”). Servr and Customer are hereinafter jointly referred to as “Parties” and individually as “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “Applicable Laws” means (a) EU or Member State laws addressing any Customer Personal Data in respect of which Customer is subject to EU Data Protection Laws; and (b) any other applicable law addressing any Customer Personal Data in respect of which the Customer is subject to any other Data Protection Laws.
1.3 “Customer Personal Data” means any Personal Data Processed by Servr on behalf of Customer pursuant to or in connection with the Principal Agreement other than Personal Data provided to Servr directly by an individual including, any of Customer’s clients or any other third party.
1.4 “Data Protection Laws” means (a) EU Data Protection Laws; (b) the UK GDPR; (c) the Swiss FADP, and (d) to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including the United States and Israel.
1.5 “EEA” means the European Economic Area, which includes all EU Member States as well as Iceland, Liechtenstein and Norway.
1.6 “EU” means the European Union, which is comprised of the following countries (each a “Member State”): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
1.7 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.8 “EU SCC” or “EU Standard Contractual Clauses” mean the annex to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the council as shall be amended from time to time (including without limitation, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021), in all cases incorporating the Relevant Amendments (as defined above). Upon the effective date of adoption for any revised standard contractual clauses by the European Commission, all references in this DPA to the “EU SCCs” shall refer to that latest version and the parties shall cooperate to prepare such amendments to this DPA, including the Relevant Amendments, as may be required to take into account and give effect to the European Commission’s adoption of the revised standard contractual clauses. In the event of any conflict or inconsistency between the terms of this DPA and the provisions of the EU SCC (to the extent the latter has been entered into by the parties pursuant to Section 12 (Restricted Transfers) below), the provisions of the EU SCC shall prevail.
1.9 “FADP” means the Swiss Federal Act on Data Protection dated 19 June 1992 and any subsequent amendments, replacements, or supplements including any guidelines and clarifying materials published by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
1.10 “GDPR” means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements or supplements.
1.11 “Relevant Amendments” means the amendments to the EU SCC, the UK Addendum, and the Swiss Addendum identified under Annex 2 (Standard Contractual Clauses).
1.12 “Restricted Transfer” means (i) a transfer of Customer Personal Data from Customer to Servr; or (ii) an onward transfer of Customer Personal Data from Servr to a Sub Processor, or between two establishments of Servr, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses.
1.13 “Sub Processor” means any third party (including any Servr Affiliate, but excluding an employee of Servr or any of its sub-contractors) appointed by or on behalf of Servr or any Servr Affiliate to Process Personal Data on behalf of the Customer in connection with the Principal Agreement.
1.14 “Standard Contractual Clauses” or “SCCs” means the EU SCC, the UK Addendum, and the Swiss Addendum as defined herein, and as applicable to the transfers of Personal Data pursuant to this DPA.
1.15 “Swiss Addendum” means the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner, specifically the Federal Act on Data Protection. Upon the publication in the Federal Gazette and the entry into force of the revised Federal Act on Data Protection, this term will refer to the latter act.
1.16 “UK Addendum” means the International Data Transfer Addendum to the EU Commission standard contractual clauses issued by the UK Information Commissioner’s Office (version, B1.0, in force 21 March 2022).
1.17 “UK GDPR” means the United Kingdom’s Data Protection Act 2018 and the GDPR as adapted into law of the United Kingdom by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
1.18 The terms, “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Special Categories of Data,” “Process/Processing,” “Controller,” “Processor,” “Supervisory Authority,” and “Third Country” shall have the same meanings given to them in the GDPR (or another applicable Data Protection Law).
2.1 This DPA shall only apply with respect to Personal Data obtained by Servr as a result of Customer’s use of Servr’s Services, as described in Annex 1 (Details of Processing of Customer Personal Data) attached hereto. In connection with each Party’s rights and obligations under this Agreement, as between the Parties, Servr shall Process Customer Personal Data solely as a data Processor acting on behalf of Customer, and Customer shall be deemed the Controller of such Personal Data.
2.2 Servr shall not Process Customer Personal Data other than according to the Customer’s documented reasonable and customary instructions as specified in the Principal Agreement or this DPA, which were specifically and explicitly agreed to by Servr, unless such Processing is required by Applicable Laws. Servr shall inform the Customer of such legal requirement before processing unless the law prohibits such action on public interest grounds.
2.3 Customer instructs Servr (and authorizes Servr to instruct each Sub Processor) to (i) Process Customer Personal Data only to the extent required for the provision of Servr’s Services under the Agreement; and, in particular (ii) transfer Customer Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with Sections 2.1-2.2 above, Section 12 (Restricted Transfers) below, the Agreement, and in accordance with Applicable Laws.
2.4 Furthermore, Customer warrants and represents that it is and will remain duly and effectively authorized to give the instruction set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Customer Affiliate, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Servr is lawfully processing the Customer Personal Data. In addition, Customer warrants and represents that it has obtained all permissions, consents, authorizations and approvals, including by making all notices, required for it to allow Servr to access and process Customer Personal Data as permitted hereunder.
2.5 Customer sets forth the details of the Processing of Customer Personal Data, as required by Article 28(3) of the GDPR in Annex 1 (Details of Processing of Customer Personal Data), attached hereto.
2.6 Without derogating from any other provision of the Agreement, where either party Processes Personal Data for purposes not set forth in Section 4.1 (Customer Data) of the Principal Agreement, each party shall be separately and independently responsible for complying with the obligations that apply to it as a separate and independent Controller (or other cognate terms) under the Data Protection Laws.
Customer shall comply with all applicable laws in connection with the performance of this DPA. As between the Parties, Customer shall be solely responsible for compliance with applicable laws (including Data Protection Laws) regarding the collection and transfer of Customer Personal Data to Servr. Where Customer acts as a Processor on behalf of a third-party Controller, Customer shall be solely liable with its obligations vis-à-vis such third Party Controller, and comply with such third-party Controller’s instructions. Customer agrees not to provide Servr with any special categories of data, as defined in Article 9 of the GDPR, other than as provided in Annex 1 (Details of Processing of Customer Personal Data).
Servr shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know/access basis, and that all Servr personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer Personal Data.
In relation to the Customer Personal Data, Servr shall implement appropriate technical and organizational measures as identified under Annex 4 (Technical and Organizational Measures) including to the extent appropriate and applicable the measures referred to in Article 32(1) of the GDPR, to establish an appropriate level of security for the Customer Personal Data. Such security has to be sustained throughout the entire duration of this DPA and must aim to (i) ensure the ongoing confidentiality and security of Processing systems and services in connection with the Processing of the Customer Personal Data; and (ii) restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident. In assessing the appropriate level of security, Servr shall consider the risks presented by Processing, paying particular attention to risks arising from a Personal Data Breach.
6.1 Customer authorizes Servr and each Servr Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 6 to appoint) Sub Processors in accordance with this Section 6 and any restrictions in the Agreement.
6.2 Servr and each Servr Affiliate may continue to use those Sub Processors already engaged by Servr or any Servr Affiliate as of the date of this DPA as identified in Annex 3 to this DPA (List of Authorized Sub Processors), including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Customer requested Servr to use.
6.3 Servr may appoint new Sub Processors and shall give prior notice of the appointment of any new Sub Processor (e.g., by e-mail), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If Customer notifies Servr in writing of any objections (on reasonable grounds) to the proposed appointment within seven (7) days of such notice, Servr shall not appoint the proposed Sub Processor for the Processing of Customer Personal Data until reasonable steps have been taken to address the objections raised by Customer, and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer’s reasonable objections then Customer or Servr may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination. Otherwise, Customer shall be deemed to have accepted such appointment.
6.4 With respect to each new Sub Processor, Servr shall:
6.4.1 take reasonable steps (for instance by way of reviewing privacy policies as appropriate) before the Sub Processor first Processes Customer Personal Data, to ensure that the Sub Processor is committed to providing the level of protection for Customer Personal Data required by the Agreement;
6.4.2 ensure that the arrangement between Servr and the Sub Processor is governed by a written contract, including terms which offer a materially similar level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Data Protection Laws; and
6.4.3 remain fully liable to Customer for the performance of any and all Processing of Customer Personal Data performed by Sub Processor in connection with the specific Processing activities performed by Sub Processor on behalf of Customer.
7.1 Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.). After considering the nature of the Processing, Servr shall reasonably endeavor to assist Customer insofar as feasible, to fulfil Customer’s said obligations with respect to such Data Subject requests, as applicable, at Customer’s sole expense.
7.2 Servr shall:
7.2.1 unless otherwise required under applicable laws, promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
7.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Servr is subject, in which case Servr shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before it responds to the request.
8.1 Servr shall notify Customer without undue delay upon Servr becoming aware of a Personal Data Breach either affecting or related to Servr’s or Servr’s Affiliates Processing of such Customer Personal Data. In such event, Servr shall provide Customer with information (to the extent in Servr’s possession) to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Data Protection Laws.
8.2 At the written request and sole expense of the Customer, Servr shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the Parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
At the written request of the Customer, Servr and each Servr Affiliate shall provide reasonable assistance to Customer, at Customer’s expense, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Customer Personal Data by Servr.
10.1 Subject to Section 10.2 below, Servr shall promptly, but no later than sixty (60) days of the date of cessation of any Services involving the Processing of Customer Personal Data, delete or return all copies of such Customer Personal Data, except any copies that are authorized to be retained under this DPA or required to be retained in accordance with applicable law and/or regulation.
8.2 Subject to the Agreement, Servr may retain Customer Personal Data to the extent authorized or required by applicable laws, provided that Servr shall ensure the confidentiality of all such Customer Personal Data and shall ensure that it is only Processed for such legal purpose(s)
8.3 Upon Customer’s prior written request, Servr shall provide written certification to Customer that it has complied with this Section 10.
.
11.1 Upon prior written request from the Customer, subject to Sections 11.2 and 11.3, and only to the extent required under applicable Data Protection Laws, Servr shall coordinate to make available to a reputable independent auditor mandated by Customer such information necessary to reasonably demonstrate compliance with this DPA, and allow for audits, including inspections by such reputable auditor in relation to the Processing of the Customer Personal Data by Servr, provided that such third-party auditor shall be subject to confidentiality obligations.
11.2 Provisions of information and audits shall be at Customer’s sole expense and may only arise under Section 11.1, but only to the extent that the Agreement does not otherwise give Customer any information and audit rights that meet the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement, and to Servr’s obligations to third parties, including with respect to confidentiality.
11.3 Customer shall give Servr reasonable prior written notice of any audit or inspection to be conducted under Section 11.1 and shall not cause (and ensure that each of its mandated auditors does not cause) any damage, injury or disruption to Servr’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Servr need not give access to its premises for the purposes of such an audit or inspection if:
11.3.1 an individual fails to produce reasonable evidence of their identity and authority;
11.3.2 Servr was not given a written notice of such audit or inspection at least 2 weeks in advance;
11.3.3 the audit or inspection takes place outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Servr that this is the case before attendance outside those hours begins; or
11.3.4 the audit or inspection is for a premises outside Servr’s control (such as data storage farms of Servr’s cloud hosting providers).
12.1 Processing of Personal Data shall be carried out by Servr exclusively within the EU / EEA, Switzerland or the United Kingdom, unless otherwise previously and explicitly approved in writing by the Customer. The approval shall be deemed granted for Sub Processors enumerated in the table Annex 3 (List of authorized Sub Processors) attached hereto. Servr undertakes to ensure that the transfer of personal data outside the EU / EEA, Switzerland or the United Kingdom, if applicable, is carried out on the basis of the applicable Standard Contractual Clauses.
12.2 Where one Party is subject to the GDPR and they transfer Personal Data to the other Party who has its place of business in a Third Country, the terms of the transfer between the Parties shall be governed by the EU Standard Contractual Clauses which are incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, but only to the extent applicable to the transfer. The particular roles of the Parties, the applicable extent, and the relevant modules of the EU Standard Contractual Clauses that will apply to such transfers are defined in Section A of Annex 2 (Standard Contractual Clauses). Section A of Annex 2 includes all necessary information that is required in the Appendix to the EU Standard Contractual Clauses.
12.3 Where one Party transfers Personal Data from the United Kingdom to the other Party who has its place of business in a Third Country, the terms of the transfer between the Parties shall be governed by the UK Addendum that is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, as applicable to the transfer. The Parties agree that the UK Addendum is appended to the EU Standard Contractual Clauses as modified (including the selection of modules and disapplication of optional clauses) by Section 12.2 and Section A of Annex 2 (Standard Contractual Clauses). Section B of Annex 2 includes all necessary information that is required in Part 1 of the UK Addendum.
12.4 Where one Party transfers Personal Data from Switzerland to the other Party who has its place of business in a Third Country, the terms of the transfer between the parties shall be governed, to the extent applicable by the Swiss Addendum which is incorporated herein by reference and considered duly executed between the parties upon execution of this DPA. The Parties agree that the Swiss Addendum is appended to the EU Standard Contractual Clauses as modified by Section 12.2 and Section C of Annex 2 (Standard Contractual Clauses). Section C of Annex 2 includes all necessary information that is required in Part 17 of the Swiss Addendum.
13.1 Governing Law and Jurisdiction.
13.1.1 The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
13.1.2 This DPA and all non-contractual or other obligations arising out of or in connection therewith are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement
13.2 Order of Precedence. Nothing in this DPA reduces Servr’s obligations under the Agreement in relation to the protection of Personal Data or permits Servr to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Principal Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way limit or derogate from Customer’s own obligations and liabilities towards Servr under the Agreement, and/or pursuant to the GDPR or any law applicable to Customer, in connection with the collection, handling and use of Personal Data by Customer or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision or Personal Data to Servr and/or providing access thereto to Servr.
13.3 Changes in Data Protection Laws
13.3.1 Customer may by at least forty-five (45) calendar days’ prior written notice to Servr, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Customer Personal Data to be made (or continue to be made) without breach of that Data Protection Law.
13.3.2 If Customer gives notice with respect to its request to modify this DPA under Section 13.3.1:
11.3.1.1 Servr shall make commercially reasonable efforts to accommodate such modification request; and
13.3.2.2 Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Servr to protect Servr against additional risks, or to indemnify and compensate Servr for any further steps and costs associated with the variations made herein.
13.3.3 If Customer gives notice under Section 3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Customer or Servr may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
13.4 Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Annex 1 includes certain details of the Processing of Customer authorized user Personal Data as required by Article 28(3) or 28(4) GDPR.
Data Exporter | Data Importer |
Name: the Customer entity identified in the Order Form | Name: the Servr entity identified in the Order Form |
Role: Controller/Processor | Role: Processor |
Subject Matter and Duration of the Processing of Customer Personal Data. The subject matter and duration of the Processing of the Controller Personal Data are set out in the Agreement.
The Nature and Purpose of the Processing of Customer Personal Data: rendering Services in the nature of a Software-as-a-Service hotel services automation solution, personalized Property Management System, as detailed in the Principal Agreement.
The types of Customer Personal Data to be Processed are as follows:
a. Contact information: full name, email address, phone number and physical address, including city and state.
b. Booking information: the Customer’s clients’ check-in and check-out dates the booking service through which the Customer’s clients’ booking is facilitated, and any other information available under the Customer’s booking form (in any manner), Customer’s booking confirmation email, or any other information otherwise made available by Customer concerning Customer’s clients’ booking.
c. Personal Identification documents: Passport, Government ID or Driving License
d. Transaction data: Masked Credit Card Details
e. Usability data: Such includes Check-in and Check-out Dates and booking service or related information such as about your stay or hospitality, traveling or other preferences including special needs or medical conditions, and your general product and service preferences where Customer provides any special categories of personal data co Servr (such as, special needs or medical conditions of the Customer’s visitor or any other person using the Servr services on behalf of Customer), Customer is required to obtain and maintain any and all consents and authorization required by such persons in connection with their use of the Servr services.
The categories of Data Subjects to whom the Customer Personal Data relates to are as follows:
Customer’s personnel, Customer’s clients, Customer’s vendors.
The obligations and rights of Customer. The obligations and rights of Customer and Customer Affiliates are set out in the Agreement and this DPA.
A. EU Standard Contractual Clauses
For the purposes of the EU Standard Contractual Clauses, the Parties agree on the following:
i) MODULE ONE and MODULE FOUR language shall be deleted.
ii) Clause 7 (Docking Clause) does not apply.
iii) For Clause 9 (Use of sub-processors) (a) (only for MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor), Option 1 applies with a 30-day time period.
iv) The optional paragraph under Clause 11 (Redress) (a) does not apply.
v) For Clause 17 (Governing Law) (only for MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor), Option 1 applies. The EU Standard Contractual Clauses shall be governed by the law of Ireland.
vi) For Clause 18 (Choice of Forum and Jurisdiction), any dispute arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.
The following modules of the EU Standard Contractual Clauses apply to the transfers under this DPA:
For the avoidance of doubt, modules not checked above do not apply to the transfers under this DPA.
Data Exporter (name, address, contact person and contact details, activities relevant to the data transferred under the EU Standard Contractual Clauses, role): | As set forth under the Agreement and any order form, fee schedule, purchase order or similar document executed between the parties thereunder. |
Data Importer (name, address, contact person and contact details, activities relevant to the data transferred under the EU Standard Contractual Clauses, role): | As set forth under the Agreement and any order form, fee schedule, purchase order or similar document executed between the parties thereunder. |
Categories of data subjects whose personal data is transferred: | See Annex 1 |
Categories of personal data transferred: | See Annex 1 |
Special categories of personal data (if applicable): | See Annex 1 |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): | The Processing is continuous for the duration of the Principal Agreement. |
Nature of the Processing: | The nature and purpose of Processing of Personal Data for the Controller are defined in the Principal Agreement. |
Purpose(s) of the data transfer and further processing: | The nature and purpose of Processing of Personal Data for the Controller are defined in the Principal Agreement. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | The personal data will be Processed in accordance with this DPA. |
Competent Supervisory Authority: | the Supervisory Authority having competent jurisdiction as set forth under Clause 13 of the EU SCC’s |
Technical and organizational measures (only for MODULE TWO and MODULE THREE): | See Annex 4 for technical and organizational measures implemented by the data importer. |
List of sub-processors (only for MODULE TWO and MODULE THREE): | See Annex 3 below. |
B. UK Addendum
Start date | The execution date of the DPA |
Addendum EU SCCs | The UK Addendum is appended to the EU Standard Contractual Clauses incorporated by Section 9.2 of the DPA as modified by Section A of Exhibit 3. |
List of Parties | Data Exporter: See Section A of Annex 2 Data Importer: See Section A of Annex 2 |
Description of Transfer | See Section A of Annex 2 |
Technical and Organizational Measures | See Annex 4 below |
List of Sub processors | See Annex 3 below |
Ending the UK Addendum when the Approved UK Addendum changes | Neither of the Parties may end the UK Addendum under Section 19. |
C. Swiss Addendum
Insofar as the data transfer under the DPA is governed by the FADP, provided that none of these amendments will have the effect or be construed to amend the Standard Contractual Clauses in relation to the processing of Personal Data under to the GDPR, the following shall apply:
Start date | The execution date of the DPA |
Addendum EU SCCs | The Swiss Addendum is appended to the EU Standard Contractual Clauses incorporated by Section 12.4 of the DPA as modified by Section A of Exhibit 3. |
List of Parties | Data Exporter: See Section A of Annex 2 Data Importer: See Section A of Annex 2 |
Description of Transfer | See Section A of Annex 2 |
Technical and Organizational Measures | See Annex 4 below |
List of Sub processors | See Annex 3 below |
Ending the Swiss Addendum when the Approved Swiss Addendum changes | Neither of the Parties may end the Swiss Addendum under Section 17. |
Servr GuestX is a fully automated platform that is hyper customizable and user-friendly, offering contactless operations to boost guest experiences and non-booking revenues, all while reducing costs.