

Data Processing Agreement


Hotelbird GmbH, Plinganserstraße 150, 801369 München

– hereinafter referred to as “Processor” –



– hereinafter referred to as the “Controller” –

Binding contact person for the Controller:


Contact details:________________


The parties have concluded a software service agreement.

In connection with the performance of the software service agreement, the Processor shall process the Controller’s personal data. In the opinion of the parties, the Processor’s activities under this agreement constitute processing on behalf of the Controller. In order to specify the mutual rights and obligations under data protection law, the parties conclude this agreement on commissioned processing in accordance with Art. 28 of the General Data Protection Regulation (GDPR) (“Agreement”).


As part of the provision of services and in accordance with the software service agreement, the Processor shall receive access to personal data and shall process it exclusively on behalf of and in accordance with the instructions of the Controller. The Controller is responsible for assessing the admissibility of the data processing.

The provisions of this Agreement shall apply to all activities in connection with the software service agreement which enable the Processor and its employees or persons commissioned by the Processor to come into contact with personal data originating from the Controller or collected for the Controller (“Controller Data”).


The Processor may only process the Controller Data in a manner, to the extent and for the purposes set out in Annex 1. The processing of the Controller Data by the Processor relates exclusively to the types of Controller Data and the categories of data subjects specified in Annex 1.

The contractually agreed service is provided exclusively in a member state of the European Union or in a state party to the agreement on the European Economic Area. Data processing in third countries may only take place if the requirements of Chapter V of the GDPR (Art. 44 et seq. GDPR) are met (e.g. adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).


The Processor may only collect, process or use Controller Data in accordance with this Agreement and the instructions of the Controller.

3.2 The Controller’s instructions shall always be issued in writing (Textform). If necessary, the Controller may also issue instructions verbally or by telephone. However, instructions issued verbally or by telephone require immediate confirmation by the Controller’s designated authorized representative in writing (Textform).

Instructions are issued by the Controller’s authorized representative. Currently, the binding contact person named on page 2 of this Agreement acts as the Controller’s authorized representative. The Controller shall notify the Processor in good time of any change in the person authorized to issue instructions.

The parties agree that the following person shall be authorized to receive instructions from the Controller:

Mr. Juan A. Sanmiguel
Telephone number: +49 (0) 89 95 45 99 31 0

The Processor may notify the Controller of a new authorized recipient at any time.

Instructions that go beyond the service agreed in the software service contract shall be treated as a request to change the service.

The Processor is obliged to carry out reasonable instructions from the Controller within a reasonable timeframe.

If the Processor is of the opinion that an instruction from the Controller violates this Agreement or the applicable data protection law, it must inform the Controller of this immediately. The Processor shall be entitled to suspend the execution of the instruction until the Controller confirms or amends the instruction.

If an instruction does not comply with section 2.1, it is only admissible if a corresponding new specification in accordance with section 2.1 is made.


The Processor warrants that it will process the Controller Data in accordance with the provisions of this Agreement and the instructions of the Controller pursuant to Section 3.1.

The Processor must correct, delete or restrict the processing of personal data from the contractual relationship if the Controller requests this by means of an instruction and this does not conflict with the legitimate interests of the Processor. The Processor shall ensure that the data processed for the Controller is strictly separated from other data stocks.

The Processor shall keep a register in accordance with Art. 30 (2) GDPR.

If the Controller is obliged vis-à-vis a state or government authority, a data subject or another person to provide information about the Controller Data or its collection or use, the Processor shall be obliged to support the Controller in providing such information upon first request.

To the extent permitted by law, the Processor shall inform the Controller without undue delay of any communications from the supervisory authority (e.g. inquiries, corrections regarding measures or conditions) addressed to the Processor in connection with the processing of personal data under this Agreement. To the extent permitted by law, the Processor shall only provide information to third parties, including supervisory authorities, after consultation with the Controller, provided that such consultation does not result in the failure to meet a set deadline. The Processor shall not be liable for the Controller’s failure to process the request within the deadline unless the Processor is at fault.

The Processor shall support the Controller in its data protection impact assessments and in the context of prior consultations with the supervisory authority.


The Processor undertakes to maintain confidentiality when processing Controller Data.

The Processor shall only use employees for the execution of the order who have been obligated in writing to maintain confidentiality and who have been familiarized in advance with the data protection provisions relevant to them or who are subject to an appropriate statutory duty of confidentiality. The Processor and any person subordinate to the Processor who has access to personal data may only process this data in accordance with the instructions of the Controller, including the powers granted in this Agreement, unless they are legally obliged to process it.

This confidentiality obligation shall survive the termination of the Agreement.


The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. The Processor shall take all necessary technical and organizational measures to process the Controller’s data in accordance with Art. 32 GDPR, in particular at least the measures listed in Annex 2.

The Processor is permitted to implement alternative adequate technical and organizational measures, provided that the security level does not fall below the technical and organizational measures specified in Annex 2.

Upon request, the Processor shall provide the Controller with evidence of compliance with the technical and organizational measures specified in Annex 2.


In the event of disruptions, suspected breaches of data protection or breaches of the Processor’s contractual obligations, suspected security incidents or other irregularities in the processing of Controller Data, the Processor shall inform the Controller immediately in writing (Textform).

In the event of a personal data breach, the Processor shall notify the Controller of information in accordance with Art. 33 para. 3 lit. a GDPR, as far as it is aware of this.

The Processor shall immediately take the necessary measures to secure the data and to mitigate possible adverse effects on the data subjects, inform the Controller thereof and request further instructions.

The Processor shall support the Controller in notifying the persons concerned of a breach.


The Controller shall be entitled to inspect compliance with the provisions on data protection and data security and the contractual agreements, including the processing of Controller Data by the Processor, as well as compliance with the technical and organizational measures taken and the correctness of the Processor’s data processing processes and programs, in order to ensure compliance with the provisions of this Agreement, the instructions issued by the Controller and the relevant statutory data protection provisions. The Controller shall only carry out inspections to the extent required by law and shall not disproportionately disrupt the Processor’s business processes.

The Controller shall document the results of the inspection and inform the Processor of any irregularities found. If circumstances are identified during the inspection that are to be subject to change in the future, the Controller shall inform the Processor immediately of the necessary procedural changes.

The Processor shall assist these inspections where necessary.

To enable checks in accordance with section 8.1, the Processor shall be obliged, upon request, to provide the Controller with existing certificates, audit reports and other results of checks with regard to the collection and use of Controller Data. The Controller shall bear the costs of the inspection itself.


The Processor may generally establish subcontracting relationships with regard to the processing of Controller Data; sub-processors may also be companies affiliated with the Processor.

The contractually agreed services shall be provided using the sub-processors listed in Annex 3. The Controller agrees to the use of the sub-processors listed in Annex 3.

The Processor is entitled to enter into further subcontracting relationships with sub-processors. The parties agree that the commissioning of sub-processors is allowed, provided that (i) an agreement is concluded with the sub-processor that meets the requirements of Art. 28 (2) – (4) GDPR and (ii) the Processor informs the Controller of the commissioning of sub-processors a reasonable time in advance in writing (Textform) and the Controller does not object to the commissioning of a sub-processor for good cause within a period of 14 days in writing (Textform).

If the Processor wishes to engage a sub-processor in a third country, the requirements of Art. 44 et seq. GDPR (e.g. adequacy decision of the Commission, standard data protection clauses, approved codes of conduct) must be met.

The Controller agrees that the sub-processor may in turn commission sub-processors, provided that the sub-processor concludes agreements with the other sub-processors that meet the requirements of Art. 28 (2) – (4) GDPR.

If, in the event of an objection in accordance with Section 9.3, the Processor is unable to perform the service owed under the software service agreement due to the objection or can only perform it at an economically unreasonable expense, the Processor shall be entitled to a termination for cause. The Controller’s rights shall remain unaffected.


The rights of the persons affected by the processing of Controller Data must be asserted against the Controller. If a data subject contacts the Processor directly for information, correction, deletion or restriction of the processing of the Controller Data concerning him/her, the Processor shall forward this request to the Controller without delay.

The Processor is obliged to support the Controller in the fulfillment of requests and rights of data subjects for information, correction, restriction of processing, deletion or other rights under Chapter III GDPR of Controller Data. In particular, the Processor shall, upon request, provide the Controller with information about the stored Controller Data (also insofar as it relates to the purpose of storage), the recipients of Controller Data to whom the Processor passes it on in accordance with the order and the purpose of storage, unless the Controller has this information itself.

The Processor is obliged to correct, delete or restrict the processing of Controller Data without undue delay at the Controller’s instruction if this does not conflict with the Processor’s legitimate interests. The Processor shall confirm to the Controller the correction, restriction of processing and deletion in accordance with the instructions upon request.

The Processor shall not be liable for the Controller’s failure to process the request of the data subject(s) in due time, unless the Processor is at fault.


As far as no other legal reason exists, the Processor shall completely and irretrievably delete or destroy the Controller Data provided to it by the Controller and acquired in the course of the performance of the contract as soon as the Controller requests it to do so.

The Processor shall prepare a log for each deletion of Controller Data, which shall be submitted to the Controller upon request.


The Processor is entitled to demand reasonable remuneration for such activities under this Agreement that go beyond the usual services to ensure the technical and organizational measures, the execution of instructions, support services for inspections or measures by the supervisory authorities or in connection with the rights of data subjects and which require disproportionate effort and are not voluntarily or negligently caused by the Processor.


The term of this Agreement corresponds to the term of the software service agreement.

The software service agreement may only be continued in the event of termination of this Agreement if it is excluded that the Processor uses or accesses Controller Data.


Liability is governed by Art. 82 GDPR.

However, internally between the Controller and the Processor, the Processor shall only be liable for damage caused by processing if the Processor

  • has not complied with its specific obligations under the GDPR or
  • has not complied with the controller’s lawful instructions or has acted contrary to such instructions.

Further liability claims according to the statutory provisions remain unaffected.

The limitation of liability under the software service agreement shall apply accordingly.


Amendments, supplements and the cancellation of this Agreement must be made in writing (Textform).

Should individual provisions of this Agreement be or become invalid or contain a loophole, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and best meets the requirements of Art. 28 et seq. GDPR.

In the event of contradictions between this Agreement and other agreements between the parties, in particular the software service agreement, the provisions of this Agreement shall take precedence.

This Agreement is governed by German law.

Exclusive place of jurisdiction is Munich.


Annex 1: Purpose, type and scope of data processing, type of data and group of data subjects

Annex 2: Technical and organizational measures

Annex 3: Sub-processors

Annex 1: Purpose, type and scope of data processing, type of data and group of data subjects

The purpose, type and scope of data processing, the type of data and the group of data subjects are governed by the software service agreement and are summarized as follows:

Purpose of data processing:
– Data management of customer data
– Order processing and provision of services, in particular:
– Reservation and guest profile management
– Invitation to online check-in and online check-out
– Online check-in via web, app, kiosk app and reception app
– Online payment and check-out via web, app, kiosk app and reception app
– Digital key via app and key cards via kiosk app and reception app
– Online booking via app
– Logging, monitoring and analysis of user events and third-party systems to monitor system quality and traceability
– Fraud check for online payment

Type of data:
– Personal master data (name, form of address, address, city, country, gender, title, date of birth, nationality, language, business address, signature, ID document, preferences)
– Communication data (telephone, e-mail)
– Contract master data (reservation data with reservation IDs, date, status, category, room, booking channel, package code, comments, memberships)
– Usage data
– Marketing data
– Customer history (past bookings, number of stays)
– Contract billing and payment data (total price, payment items, payments, installments, date, payment method)
– Payment details: Payment method and further information depending on the selected payment method such as: Credit and debit card details, card number, cardholder, IBAN, name of bank
– Fraud check data: Payment details, device identifier, device fingerprint/persistent cookies, email, shopper reference, IP address, phone numbers, address data (billing and delivery address)

Circle of those affected:
– Hotel guests

Annex 2: Technical and organizational measures

Measures to prevent access to data processing systems by unauthorized persons (e.g. physical barriers such as locked doors):

  • The responsible person for the data center is responsible for access control at the Processor. This person determines the objects and areas to be secured.
  • Premises in which IT systems are located are equipped with an access control system.
  • Access to the premises is adequately secured by doors, door locks and locked windows. The rooms are located on the upper floor. The premises can only be entered after ringing the bell and the door being opened.
  • The premises are locked as soon as a room is unoccupied for a longer period of time.

Measures to prevent unauthorized access to data processing systems (e.g. passwords, protection against hackers):

  • The login requires the entry of a password (authentication) combined with a user ID (identification) before accessing data or programs.
  • Each authorized person has their own, individual password that is known only to them. The passwords of employees are unknown even to superiors and administrators. Group passwords are not used.
  • Employees are required to set complex passwords.
  • Passwords are stored and transmitted in encrypted form. The keys for cryptographic procedures are stored securely.
  • Access is automatically blocked after 3-5 unsuccessful login attempts.
  • The granting of an access authorization is approved by the designated system owner.
  • A password-protected screen saver is activated when work is interrupted.

In addition:

  • a jump server with SSH encryption is used.
  • data on mobile IT systems is encrypted.
  • unauthorized persons have no access to the BIOS setup.
  • there is a central access server.

Measures to ensure that data is only accessed by those authorized to access this specific data (e.g. authorization management):

  • Orderly checking and allocation of authorizations  
  • There is an authorization concept in which network shares and access authorizations to folders and files are defined for individual user groups.
  • If an employee is transferred or leaves the company, the access authorizations that are no longer required (or all access authorizations in the event of departure) are revoked.
  • The server consoles are locked.
  • If computers or data carriers have to be taken away by external service providers, the data on them is logically deleted.
  • Remote maintenance options are only approved in individual cases. Remote maintenance must first be approved by the controller or network administrator.
  • As soon as they are no longer required, data carriers are physically destroyed or overwritten several times using a secure procedure.

§ 2 Pseudonymization and encryption

Measures for pseudonymization and encryption of personal data:

  • Data carriers are encrypted.
  • As far as practicable, personal data is pseudonymized.

§ 3 Integrity

Measures to protect data during input and transmission/forwarding:

  • Access rights are assigned according to the “need-to-know” principle. Only as many access rights are assigned as are necessary to perform the tasks of the respective role.
  • Authorization is checked automatically based on the user ID.
  • To implement differentiated access rights, the processed personal data is distributed across different data records and servers / IT systems. In addition, there are differentiated processing rights (e.g. “read only”, “change”).
  • Access authorizations are approved by the management at the request of the management or the person responsible for the specialist area and granted by the IT administration in accordance with their instructions. Access rights are reviewed every 3 months.
  • A change management system exists. Approved configuration changes are made by the IT administrator.
  • An event log is created.
  • Transaction-based processing control can be used to subsequently check whether and by whom data has been entered, changed or removed from IT systems.
  • The system configuration, including the default configuration, is checked and controlled.
  • Security measures are in place to prevent unauthorized copying of data to local computers.
  • When data is transmitted via data transmission lines, data with sensitive content is encrypted. The following services are used for transmission: E-mail, WWW, FTP. The following security standards are used: For transmission via WWW https or SSL/TLS, for FTP SFTP.

§ 4 Availability, Recoverability and Resilience

Measures to ensure availability, access to personal data and recoverability:

  • In the event of a physical or technical incident, personal data can be restored in a timely manner.
  • Systems have the ability to deal with risk-related changes and are tolerant of disruptions and attacks.
  • Security-relevant updates and patches for operating systems and application programs are installed within 7 days.
  • Firewall
  • Virus protection
  • There is an uninterruptible power supply (UPS)
  • Internal IT management and IT security control management
  • Hard disk mirroring is performed.
  • A total backup of all data is made daily, with the exception of data on mobile devices. The backup administrator is responsible for this. 12 generations of backup copies are stored.
  • Backup logs are created and checked for documentation purposes. The backup procedure is documented and checked regularly.

§ 5 Order Control / Contract Conformity Control

  • Monitoring compliance with measures to ensure data minimization, data quality, accountability, availability and recoverability at sub-processors
  • Measures are taken to ensure event logging.
  • Data and programs are stored in different directories and partitions.
  • Measures are taken and controlled by the Processor to protect data during storage and to ensure the physical security of locations where personal data is processed.
  • Before major maintenance, remote maintenance or repair work, a complete backup of the affected systems is created.
  • The Controller shall be informed of program interruptions/program errors.
  • A one-time password is used to carry out remote maintenance.
  • Procedures are in place to regularly test, assess and evaluate the effectiveness of the technical and organizational measures to ensure the security of processing.
  • The backup media are stored in the data center. There is a regulation in this regard.

§ 6 Data Separation

Software-based exclusion (Controller separation) and separation of test and production data ensure that data processed for different purposes is processed separately.

Annex 3: Sub-Processors

Hetzner Online GmbH
Activities: Databases for the storage of order data; hosting of the server application; S3 storage
Purpose: Data management of order data; order processing and provision of services; storage of Apple Wallet pass and registration forms
Categories of data: Personal master data, communication data, contract master data, customer history, contract billing and payment data, usage data from telemedia services, marketing data
Place of data processing: DE

myLoc managed IT AG
Activities: Hosting of the server application for key generation for Messerschmitt and Salto
Purpose: Order processing and provision of services, in particular key generation
Categories of data: Personal master data, communication data, contract master data, customer history, contract billing and payment data, usage data from telemedia services, marketing data
Place of data processing: DE

Mailjet GmbH
Activities: E-mail dispatch
Purpose: Order processing and provision of services, in particular invitation to online check-in and check-out
Categories of data: Personal master data, communication data, contract master data
Place of data processing: DE | USA

Heroku, Inc
Activities: Proxy for outgoing requests with fixed IP addresses
Purpose: Order processing and provision of services
Categories of data: Personal master data, communication data, contract master data, contract billing data
Place of data processing: DE | USA

Optile GmbH
Activities: Payment processor for the execution of payments
Purpose: Order processing and provision of services
Categories of data: Contract master data, contract billing and payment data
Place of data processing: DE

Zoho Corporation Pvt. Ltd
Activities: Helpdesk Tool
Purpose: Support requests from customers
Categories of data: Personal master data, contract master data
Place of data processing: DE

Adyen N.V.
Activities: Online payment service provider, fraud check
Purpose: Payment processing for card not present and point of sale payments; fraud check for payments
Categories of data: Payment type and details, fraud check data
Place of data processing: EU