DATA PROCESSING AGREEMENT ADDENDUM

This Data Processing Agreement Addendum (“DPA”) regulates the processing of personal data and personally identifiable information exchanged by the Parties in the course of providing services (“Shared Personal Data”), as is agreed by the Parties pursuant to their rights and obligations undertaken by the agreement (the “Master Agreement”).
This DPA is executed as a Schedule to the Master Agreement and defines the rights and obligations of the Parties pursuant to the applicable laws on privacy, in force in the Republic of Croatia from time to time, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (EU 2016/679) (“General Data Protection Regulation”), Act on the Implementation of the General Data Protection Regulation (OG No 42/18), Electronic Communications Act (OG 73/08, 90/11, 133/12, 80/13, 71/14, 72/17), valid from time to time, as well as other regulations, laws, decisions of regulatory authorities, that are in force, binding for the Party to the Master Agreement concerning personal data, as well as, to the extent they are applicable, data privacy regulations in force in the EU, and valid from time to time (“Data Protection Laws”).
The terms Commission, data controller, data processing, data processor, data subject, personal data and special categories of personal data shall have the same meaning as in the General Data Protection Regulation, and related terms shall be interpreted accordingly.
Data Processing Agreement Terms
The Parties acknowledge that either Party shall act as an independent Data Controller, solely and independently determining the means and purpose of processing of Personal Data, within the context of their business relationship and in performance of their rights and obligations arising from the Master Agreement, and in accordance with their respective Privacy Policy, as amended from time to time, in line with the Data Protection Laws.
The Parties agree and acknowledge that, in the event that either Party becomes a processor instructed by the other Party, as a controller of any personal data, the Parties shall enter into a data processing agreement in accordance with Article 28 of the General Data Protection Regulation.
Either Party shall share personal data within the context of the Master Agreement only for the purposes of providing the Partner’s guests or employees with accommodation and ancillary services pursuant to the Master Agreement (“Agreed Purposes”). In order to facilitate the services agreed by the Parties under the Master Agreement, the Parties shall share personal identifiable information for the Agreed Purposes, as outlined hereinbelow, in the following manners: (i) via e-mail, in which the Partner shall send the Reservation List to Maistra; or (ii) through an online reservation system, “PHOBS”, integrated with the web site operated by the Partner and made accessible to the Maistra Extranet system; or (iii) in the case of Corporate Business Co-Operation Agreements, through direct contact with the Maistra reservations centre, either via phone or via e-mail.
For the purpose of processing of Personal data for Agreed Purposes, the Partner may provide Maistra with the following types of Guest Personal data: Identification data (name and last name), gender, date of birth / age, Country of Residence, Date of Arrival, Date of Departure, Accommodation Facility type (hotel / resort / camp) and type of services, reservation or voucher number, flight number (if applicable), contact details (phone number, email address), personal identification document information, if required (No. type, date of issuance, place of issuance, valid through), linked guests, special remarks or additional comments.
The Parties may exchange additional data, in connection with the guest or their special requests or any other relevant information on the guest’s arrival, related to their stay or in relation to any claims / tort proceedings.
In addition to the personal identifiable information of the guests, in the course of their business relationship, Maistra and the Partner may also exchange information relating to the Partner’s employees and Maistra’s employees, including the following: name and last name, contact details (e-mail and phone number), function and title of the employee.
The Parties shall process the Shared Personal Data for the duration of the business relationship and as long as is reasonably required to comply with the relevant legal obligations of each party and to meet the business needs of the parties, in accordance with the legitimate interest of each Party.
The Parties shall ensure:
- only the persons who are either (i) employees or advisors of the Party, (ii) employees or advisors of a Processor or Sub-Processor of the Party engaged in accordance with the provisions of the Data Protection Laws, or (iii) other individuals engaged to perform obligations of the Party in connection with the Master Agreement (“Authorized Personnel”) shall be permitted to access the Personal Data, provided they have received personal data training;
- regular data protection awareness activities are undertaken, including lectures and trainings;
- in each and every case, that access to Personal Data is limited only to persons who require access to such Personal Data for the performance of services in accordance with the Master Agreement;
- that the Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Parties confirm they shall transfer data outside of the European Economic Area only (i) provided that an adequacy decision for that country has been made by the Commission; or (ii) on the basis of the clauses applied in accordance with the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses for transfer of personal data to third countries in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council, or any other document that shall be adopted by the European Union to replace or amend the standard contractual clauses adopted by the Commission Implementing Decision (EU) 2021/915 (“Standard Contractual Clauses”).
The Parties shall, taking into account objectively identifiable circumstances or events with a potential adverse impact (“Risk”) of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and security measures, suitable for and appropriate to the level of risk, including measures protecting from unauthorized or unlawful processing of Personal Data, as well as from accidental destruction or loss of Personal Data, including the following measures: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, accessibility and resilience of Processing systems; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
Organizational and technical measures to be implemented by the Parties in their systems using Personal Data shall include, but are not limited to: (i) the possibility to identify and recognize all Risks; (ii) the protection of systems containing Personal Data; (iii) the ability to detect all changes that may have an impact on operations and the security of systems holding personal data that impacts the confidentiality, integrity or availability of data (“Security Event”); (iv) the ability to respond to a Security Event; (v) the ability to recover the system containing Personal Data after an event that has actual adverse effect on integrity, confidentiality or accessibility of information, system or network entity (“Security Incident”) has occurred.
The Parties shall immediately, and at the latest within 36 hours, notify each other of each and every event for which there are reasonable grounds to suspect that it constitutes a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the shared Personal Data exchanged between the Parties pursuant to the Master Agreement (“Personal Data Breach”). Notification in the event of a Personal Data Breach shall contain at least the following information: (i) circumstances and facts relating to the breach, including the number, types and categories of Personal Data affected by the event or incident; (ii) contact details of the data protection officer and other representatives involved in the internal investigation of the breach; (iii) an estimate of the actual or potential consequences arising out of the Personal Data Breach; (iv) measures implemented to mitigate the consequences of the Security Incident and a potential Personal Data Breach.
In the event of a Security Incident, the Parties shall take all appropriate actions to mitigate the Personal Data Breach and any damage that may occur or that has occurred as a result of the Security Incident.
The Parties shall endeavour to cooperate in mitigating any adverse consequences of a Personal Data Breach, recovering all Personal Data, and removing any and all malfunctions or vulnerabilities that may have led to such an event.
The Parties shall implement technical and organisational measures necessary to fulfil obligations to act on the request of a Data Subject for exercising his or her rights under the Data Protection Regulations regarding Personal Data, as well as to assist and support each other in acting on such requests.
The Parties shall assist each other to carry out a data protection impact assessment regarding Personal Data, if such an assessment is required under Data Protection Regulations, as well as to carry out a prior consultation with the supervisory authorities, if so required under articles 35 or 36 of the General Data Protection Regulation.
The Partner confirms that the processing of personal identifiable information shall be protected with appropriate technical and organizational measures, at least comparable to the level of data protection achieved by using the following organizational security measures:
Technical and organisational measures as may be required in accordance with the General Data Protection Regulation and the Data Protection Laws are documented and in place.
Appropriate measures to minimize any adverse effects of Security Incidents on the provision of services rendered under the Master Agreement, for the purpose of protecting Personal Data, are documented and in place.
Technical and organizational measures to protect Shared Personal Data include the ability to:
- Identify Risks to security;
- Protect the Systems and Shared Personal Data;
- Detect the occurrence of a Security Event;
- Respond to a Security Incident; and
- Recover from a Security Incident.
The identification of Risks is ensured by applying the measures that enable the Partner to:
- Identify and document internal and external Risks to Shared Personal Data;
- Document and address the vulnerabilities to the system that may present a Risk to Shared Personal Data;
- Systematically improve risk management strategies, including through continuous information security awareness training and campaigns;
- Create an inventory of physical devices and systems within the organization;
- Create an inventory of software platforms and applications within the organization;
- Ensure the employees are aware of the adopted compliance policies, procedures, rules and guidelines and that the Management is aware of the Risks;
- Ensure there is an adopted and implemented information security policy or a similar internal document and that the employees are educated on the contents of such a document;
- Ensure that information security roles and responsibilities of employees are aligned and coordinated with internal roles and external partners;
- Ensure that risk management processes are documented and in place.
Measures to limit or contain the impact of potential Security Events on Shared Personal Data and the risks to rights and freedoms of data subjects are undertaken.
Access to Shared Personal Data is limited to persons who are authorized to access such data and who reasonably require access to such data. Access to Shared Personal Data shall be managed consistently with the assessed risk of unauthorized access, with continuous security checks and analysis, ensuring that:
- Identity proofing and security credential checks are performed for users, processes and devices;
- Physical access is managed and protected;
- Remote access is managed;
- Access permissions and authorizations are managed;
- Passwords are not transmitted in clear text, displayed on screen, or written down in legible form;
- Network integrity is protected (e.g. network segmentation);
- Users, devices and other assets are authenticated, in line with the performed Risk assessments.
All users of IT systems are aware of Risks to security and trained to perform their duties and responsibilities in order to reduce the Risks to the systems and Shared Personal Data.
Privileged users understand their roles and responsibilities in relation to the security of IT systems and Shared Personal Data, including the requirement to protect their passwords and user accounts;
All personnel have received personal data and information security training;
Management and senior staff understand the importance of personal data protection and information security and their role in formally promoting data protection awareness;
Ensuring technical vulnerability management processes are complied with in order to keep software up-to-date by applying security patches when they are made available, by:
- Adopting a vulnerability management policy;
- Systematically keeping track of patch releases;
- Documenting awareness of released patches that are not yet implemented;
- Developing a patch deployment mechanism;
- Ensuring that the most critical patches are applied immediately.
Ensuring removable media is protected;
Ensuring all communication on Shared Personal Data is protected;
Ensuring perimeter defences, such as firewalls, intrusion prevention or detection and data loss prevention solutions are implemented and maintained;
Ensuring Anti-Virus or Anti-Malware systems are implemented and maintained,