1. CONTRACTING PARTIES

S.C. AMHOTECH SOFTWARE S.R.L., with registered office in (locality) Bucharest, str. Șos. Chitilei, nr. 37, county/sector 1, registered at the Bucharest Trade Register Office, under nr. J40/21395/2022, fiscal code nr. 47079907, with account nr. ROXX, opened at Raiffeisen Bank – Suc. Chitilei, represented by Adnana Isabelle Matei, acting as Administrator, owner of the Amhotech – HotelAdmin platform, as PROCESSOR

and

The Client, the user of the AMHOTECH – HotelAdmin platform and all services offered through it, as OPERATOR

have agreed to enter into this Annex with exclusive reference to ensuring the protection of personal data. This document must be accepted prior to the use of any service offered by it. Any order confirmed by the Customer by ticking the “Personal Data Processing Policy” box constitutes acceptance by the Customer of the Processor’s terms and conditions.

  1. DEFINITIONS AND TERMS

2.1. AMHOTECH – HotelAdmin – is the trade name of S.C. AMHOTECH SOFTWARE S.R.L., a legal entity of Romanian nationality with registered office in (locality) Bucharest, str. Șos. Chitilei, nr. 37, county/sector 1, registered at the Trade Register Office of Bucharest, under nr. J40/21395/2022, fiscal code nr. 47079907.

2.2. Client – Accommodation unit, user of the AMHOTECH platform – HotelAdmin, classified as a tourist accommodation structure, according to the legal provisions in force.

2.3. AMHOTECH – HotelAdmin platform – portal HotelAdmin.ro – the internet website, as well as all the services accessible on this website or its subdomains.

2.4 In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as the “Regulation”), the parties agree to the following definitions:

2.4.1 Personal data: means any information (any sequence of characters, signs, numbers or letters) relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An ‘identifiable natural person’ is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to more specific elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity.

2.4.2. Processor: the recipient of the main contract services, who determines the purposes and means of processing personal data.

2.4.3. Processor: the service provider of the main contract.

2.4.4. Sub-contractor: here means any third party to the parties to the Contract which has a contractual relationship with the Processor for the provision of the services covered by the Contract.

2.4.5 Processing of personal data: means any operation or set of operations which is performed by the Processor using automated means and applied to personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  1. Object of processing

3.1. The Controller hereby authorises the Processor to process the Controller’s data for the purpose of providing the services stipulated in the main service contract.

3.2. This agreement shall apply to all activities of the Processor and its subcontractors which are necessary to be able to provide the services stipulated in the main service contract.

  1. Data collected

The personal data processed under this contract are:

4.1 Personal data appearing in automatically transmitted messages from the platform, orders, documents, newsletter subscription, account creation, contact messages, offer request messages such as: Name, surname of the document issuer and his/her identification data, email, telephone and in case the document is issued to a natural person customer: name, surname, full address and, if applicable, bank account, CNP. The Processor may also add additional personal data directly to the documents issued, which the Processor cannot foresee.

4.2. Personal data that appear when setting up the transmission of emails to the client – user email and password by which emails are transmitted, as well as email addresses to which notifications and documents are sent.

  1. Categories of data subjects

5.1. The categories of data subjects are: Employees and Customers.

5.2. The Operator is and will remain the owner of the personal data subject to this Agreement.

  1. Specific instructions

Pursuant to this contract, the Operator gives the following specific instructions to the Processor:

6.1 To collect and process personal data received from the Operator directly for the purposes set out in Article 8.

6.2. To send email messages on behalf of the Operator for the email document transmission service.

  1. Duration of processing

The duration of the processing of personal data shall be identical to the duration of the operation of the main service contract.

  1. Nature and purpose of the processing

The nature and purpose of the processing are those established by the Operator under the main contract, i.e. the provision of services included on the AMHOTECH – HotelAdmin platform.

  1. Subcontracting

9.1 The Processor has the right to delegate certain data processing activities to the sub-processors specified below:

OPTIC SERVERS – FEROTERM SRL Str. Crisan 3B, Gherla, Jud. Cluj – hosting, storage, backup and infrastructure services

Change of subcontractors or appointment of additional subcontractors is allowed and will be communicated by the processor to the controller. Following communication of a new subcontractor, the operator has the right to object and terminate the contractual relationship with the processor. Failure to respond to the communication concerning a new subcontractor shall be deemed as an implicit acceptance of the new subcontractor.

9.2. The processor shall carefully select subcontractors and check that by integrating their affectivity the agreements concluded between the operator and the processor can be respected without alteration. In particular, the processor must verify in advance and periodically during the contractual period that each processor takes technical and organisational measures for the protection of personal data required by Article 32 GDPR.

9.3 The Processor shall ensure that the provisions agreed in this contract and, where applicable, the Controller’s additional instructions, apply to the Processors.

9.4. All ancillary services that do not serve the operation of the service offered by the Processor shall not be considered as subcontracting relationships. The processor is however obliged to ensure reasonable precautions to ensure the protection of personal data also in relation to these ancillary services.

  1. Rights and obligations of the Processor

10.1 The right to receive information from the Processor or to verify through a mandated auditor whether the Processor has and implements appropriate technical and organisational measures so that the processing complies with the requirements set out in the GDPR; the verification will take place on the basis of a prior written notification sent at least 14 working days before the verification is carried out.

10.2. The right to receive assistance from the Processor, in particular in fulfilling its obligation to respond to requests from data subjects regarding the exercise of their rights under the GDPR.

10.3. The right to object to other sub-processors under Article 8.1.

10.4. To comply with its obligations under the GDPR in relation to personal data collected or processed by the Processor on its behalf.

10.5. The obligation to make information to data subjects under the GDPR, including information regarding the processing of data by the Processor under this contract.

10.6. The obligation to be solely responsible for establishing the legal basis for the processing of personal data that is the subject of this contract.

10.7. The obligation to implement appropriate technical and organisational measures in accordance with the GDPR, including securing the transfer of data from data subjects to the Processor.

10.8 From the moment of deletion of the data after the end of the provision of services by the Processor, in accordance with the obligations of the GDPR and Article 10 of this contract, the data can no longer be retrieved and it is the entire responsibility of the Processor to ensure that it has made a complete copy of the data.

10.9 In all situations where it is the Processor who is required to perform an obligation, such as, for example, informing the Data Subject of a personal data breach, the Processor cannot be held liable for the Client’s inactions within the scope of that obligation.

  1. Rights and obligations of the Processor:

11.1. The obligation to inform the Controller within a maximum of 10 days if, in its opinion, an instruction violates the GDPR and/or another legal provision on the processing of personal data.

11.2. The obligation to ensure the security of personal data processed on behalf of the Controller in accordance with Article 32 of the GDPR and Article 11 of this Annex.

11.3. The obligation to inform the Controller without undue delay of a breach of the security of the Controller’s personal data during processing carried out by the Controller.

11.4. The obligation to assist the Controller with all necessary information for the notification, if any, to the competent Authority of the data breach, but without substituting the Customer in its notification obligation.

11.5. The obligation to assist the Controller to ensure compliance with the obligations set out in Articles 32-36 of the GDPR.

11.6. The obligation to assist the Controller in dealing with requests from data subjects or to transmit to the Controller any request received from data subjects in relation to personal data that have been collected and processed by the Processor, within a maximum of 5 calendar days of receipt.

11.7. The obligation not to transmit personal data and/or confidential information, which may be personal data, of which it has become aware during the performance of the contract.

11.8. The obligation to provide training to staff authorised to process personal data on the confidentiality of such data.

11.9. The obligation to delete all data collected as a result of this contract as Processor within a maximum of 3 months after the termination of the contract between the two parties.

11.10. The right to disclose certain personal data by virtue of a legal obligation or other condition laid down by law at the request of an authority, public institution or court.

11.11. The right to recruit sub-contractors in accordance with Article 8 or if approved by the Operator.

11.12. The right to be reimbursed for the costs incurred in providing assistance to the Operator, by the Operator, in the situations provided for by the GDPR under Article 9.

11.13. The right to use anonymised statistical information as a result of the activities provided as a result of this contract or its entire activity.

  1. Security of processing

12.1. The Processor must carry out technical and organisational measures to ensure appropriate risk-related security measures in line with good industry practice. In determining the appropriate level of security, the Processor shall take into account the current state of development, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying degrees of probability and severity to the rights and freedoms of natural persons, as well as the risks arising as a result of the processing, in particular those that may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.

12.2. In this context, the Processor has established the internal implementation of the following organisational and technical security measures for the security of personal data, taking into account the type of activity provided:

– limited access to the database for a very limited number of employees of the Processor

– permanent monitoring of access to the database

– encryption of the connection used to access the service using SSL

– customer passwords stored encrypted

– backups

  1. Limitation of liability

The Operator agrees to hold the Processor harmless from any liability for damages that may arise from:

– failure to comply with the contract due to events beyond any liability of the Processor.

– compliance or non-compliance with the Processor’s instructions justified in advance by a notification of its legality.

– lack or vitiation of data subjects’ consent or use of a wrong legal basis.

– non-compliance with the contract due to actions of the Processor.

  1. Limitation of liability

The parties shall delimit their responsibilities for ensuring the protection of personal data (e.g. ensuring confidentiality or security of processing) according to the actual access and control exercised over the data, both contractually and technically.

  1. Entry into force and amendments

This Annex comes into force by checking the box “Personal Data Processing Policy” at the time of account registration on the Amhotech – HotelAdmin platform, and is valid until amended by SC AMHOTECH SOFTWARE SRL and informing customers in this regard. The use of the HotelAdmin platform after informing the clients represents their consent to this document and to the subsequently modified documents.