Data Processing

The present document contains the data processing agreement to be carried out by Turitop, S.L. -hereinafter the CONTROLLER- on behalf of and commissioned by the client, hereinafter -the RESPONSIBLE PARTY-.

This document is complementary to the Conditions of Contract document that also appears on this website. Unless otherwise stipulated or agreed, and provided that this agreement is applicable to the services contracted by the user, both are accepted when contracting with Turitop through this website. 

I. IDENTITY OF THE CONTRACTING PARTIES

On the one hand, the supplier of the goods or services contracted by the user is Turitop, S.L., (Turitop) with registered office at Avenida del Atlántico, 9, Residencial Winter Gardens, Bloque 3, Oficinas, 38639 San Miguel de Abona, Santa Cruz de Tenerife, Spain, NIF B-76534759 and user service email address sales@turitop.com. Hereinafter referred to as THE PRINCIPAL

On the other hand, the CLIENT, registered on the website by means of their corresponding access credentials, for which they have full responsibility for use and custody. The user is responsible for the veracity of the personal data provided to Turitop. Hereinafter referred to as THE RESPONSIBLE PARTY.

II. PURPOSE OF THE SERVICES PROVIDED 

EL ENCARCARGADO is a technology company dedicated to the development and commercialisation of a suite of Software as a Service aimed at companies. These tools facilitate the management of reservations, receipt of online payments, integration with resale portals and a large number of other functionalities that allow the automation of tasks and improve the service received by the end customer.

On the other hand, the CLIENT, registered on the website by means of their corresponding access credentials, for which they have full responsibility for use and custody. The user is responsible for the veracity of the personal data provided to Turitop. Hereinafter referred to as THE RESPONSIBLE PARTY.

In the provision of the aforementioned services, THE CONTROLLER will process personal data for which THE RESPONSIBLE PARTY is, for legal purposes, the data controller.

In compliance with the provisions of the General Data Protection Regulation (EU) 2016/679, as well as the Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights, it is the intention of both parties to establish the obligations and responsibilities that correspond to each of them in the processing of personal data, in accordance with the stipulations contained in this document. 

III. DESCRIPTION OF TREATMENTS

The CARRIER will process the data on its own premises, using its own computer system.

The tasks associated with the provision of the contracted service entail the collection of data, its recording, structuring, updating and modification, conservation, extraction, consultation, communication by transmission, interconnection, collation, destruction or return when the tasks entrusted and the periods for which the CARRIER may have responsibilities end.

The data may also be subject to restriction or deletion if a data subject so requests, and may also be disseminated in accordance with the guidelines of the data controller.

IV. IDENTIFICATION OF THE INFORMATION CONCERNED

For the performance of the services arising from the fulfilment of the purpose of the assignment, the RESPONSIBLE PARTY authorises the PRINCIPAL to process the personal data listed below. Certain personal data may be processed indirectly or generically. 

1. The categories of stakeholders whose data may be processed for the purpose of the provision of services that motivates this contract, are:
   • Personnel and human resources
   • Suppliers and partners
   • Contact persons
   • Legal representatives
   • Clients
   • Visitors
   • Users
   • Applicants
2. Likewise, the CARRIER may process the following DATA TYPESHowever, many of them are ancillary and are not processed directly, but are stored together with the data subject's other data:
   • Identifiers
   • Personal characteristics
   • Social circumstances or professional qualifications
   • Academics and professionals
   • Job details
   • Commercial information
   • Economic, financial and insurance
   • Transactions in goods and services

V. DURATION OF THE CONTRACT 

The term of this contract shall commence from the moment of contracting the associated services and is directly related to the provision of the contracted services. It shall terminate at the moment of completion of the tasks entrusted by THE RESPONSIBLE PARTY.

Termination for any reason whatsoever shall require reliable notification of no longer receiving or, as the case may be, providing the services that are the object of the assignment. 

VI. RETURN OF DATA AT THE END OF THE CONTRACT

Upon termination of this contract, the CARRIER must return the media containing personal data to the RESPONSIBLE PARTY and delete any copies in its possession. The personal data processed by the CARRIER will not be transferred or communicated to third parties, not even for storage purposes, except with the express consent of the RESPONSIBLE PARTY.

The return shall entail the complete deletion of the existing data in the systems and documents of the CARRIER. 

Data shall not be destroyed when there is a legal provision requiring their retention, in which case they shall be returned to the data controller, who shall ensure their retention for as long as such obligation persists. The data processor may keep the data, duly blocked, for as long as liabilities may arise from its relationship with the data controller.

VII. OBLIGATIONS OF THE PERSON IN CHARGE

The CARRIER and all personnel under his control undertake to:

• Use the personal data undergoing processing, or those collected for their inclusion, only for the purpose of this order. Under no circumstances may it use the data for its own or other purposes.
• Process the data in accordance with the documented instructions of the CONTROLLER.
• Not to carry out international transfers of data without the authorisation of the RESPONSIBLE PARTY. 
• Keep, in writing, a record of all categories of processing activities carried out on behalf of the CONTROLLER, containing, in accordance with Article 30(2) of Regulation (EU) 2016/679.
• Not to communicate the data to third parties, except with the express authorisation of the RESPONSIBLE PARTY, in the legally admissible cases.
• Maintain the duty of secrecy with regard to the personal data processed by it under this order, even after the end of the contract.
• Ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures. The CARRIER must inform of the security measures to be applied. The CONTROLLER shall keep at the RESPONSIBLE PARTY's disposal the documentation accrediting compliance with this obligation.
• Ensure the necessary training in personal data protection for persons authorised to process personal data.
• When the data subjects exercise their rights of access, rectification, erasure and objection, limitation of processing or data portability before the CONTROLLER, the latter must communicate this by e-mail to the address indicated by the RESPONSIBLE PARTY. 
• Notify the RESPONSIBILITY CONTROLLER of data security breaches. The CONTROLLER shall notify the RESPONSIBLE, without undue delay and via the e-mail address provided by the RESPONSIBLE.
• Assist the CONTROLLER in notifying security breaches to the CONTROLLING AUTHORITIES and to the STAKEHOLDERS: taking into account the nature of the processing and the information available to the CARRIER, the CARRIER will assist the CONTROLLER in accordance with Article 33 of the GDPR. 
• Due to the nature of the service, the PROCESSOR is not obliged to provide information on the processing of their data to data subjects who may be included in the reports commissioned by the CONTROLLER.
• Make available to the RESPONSIBLE all information necessary to demonstrate compliance with its obligations, as well as for audits or inspections carried out by the RESPONSIBLE or another auditor authorised by the RESPONSIBLE.
• Implement the necessary technical and organisational security measures to ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services. 
• Periodic verification, evaluation and assessment of security measures.

The PROCESSOR shall implement a regular procedure to verify, evaluate and assess the effectiveness of the technical and organisational measures implemented in the processing systems, workplaces and users under its control.

This procedure will lead to the implementation of additional mechanisms, if necessary in accordance with the GDPR. 

VIII. OBLIGATIONS OF THE PERSON RESPONSIBLE

1. Where applicable, the RESPONSIBLE PARTY shall carry out the personal data protection impact assessment of the processing operations to be carried out by the PROCESSOR. The CARRIER has its own impact assessments that are only applicable to its own activity and shall not be liable for the non-compliance with the obligation of the client. 
2. The RESPONSIBLE PARTY must be able to prove that it has the right to entrust the data processing to the PROCESSOR. In this regard, in the event of a claim:
   • Legitimate interest, the client guarantees to have the relevant legitimate interest analysis. 
   • Consent, the client guarantees to have the express, free, clear and informed consent of the data subjects. 
   • Contract, the customer warrants that it has a contract with the data subject, or the data subjects likely to be affected by the research, to carry out such processing.

Adequate legitimation requires, in addition to its validity, having provided, if applicable, information about the processing to the data subjects. Turitop will only carry out the analyses contracted by the client. 

3. Provide the CARRIER with the data necessary for the provision of the service.
4. Conduct prior consultations as appropriate.
5. Ensure, prior to and throughout the processing, that the CARRIER complies with the GDPR.
6. Monitoring the processing, including carrying out inspections and audits. As well as giving clear instructions on processing; adjusted to reality, in particular taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons.

IX. SUBCONTRACTING 

The PRINCIPAL is authorised to subcontract, with prior authorisation from the RESPONSIBLE PARTY, all or part of the services that form part of the object of this contract, and which may involve the processing of personal data.

If there is a need to subcontract any processing, this fact shall be previously communicated to the RESPONSIBLE PARTY, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the CONTROLLER does not express its opposition within the established period.

The PRINCIPAL shall regulate the new relationship in such a way that the new sub-provider is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the PRINCIPAL. In the event of non-compliance by the subcontractor, the initial PRINCIPAL shall remain fully liable to the RESPONSIBLE PARTY for the fulfilment of the obligations.

Express subcontracting authorisations in this contract

The RESPONSIBLE PARTY authorises the CARRIER to subcontract all possible direct or indirect data processing that may be carried out by companies and professionals providing ancillary services, such as IT maintenance, consultancy, auditing, software management and maintenance, among others, necessary for the normal operation of its activity.

In such cases, the third party, i.e. the subcontractor, will also be considered as the PROCESSOR. 

It shall be the responsibility of the initial CARRIER to regulate the new relationship in such a way that the new CARRIER is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as the initial CARRIER, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the sub-processor, the initial PROCESSOR will remain fully liable to the RESPONSIBLE for the fulfilment of the obligations.

The subcontracting authorisations shall be annexed to this contract..

X. NON-COMPLIANCE

The parties undertake to fulfil their obligations, and to ensure the normal functioning of the content of this agreement. In particular, if the PROCESSOR infringes the General Data Protection Regulation, in determining the purposes and means of the processing, it will be considered as a LIABLE for the processing with respect to such processing.

XI. LIABILITY 

The parties shall be liable for full damages in all cases of negligent or culpable conduct in the performance of their respective obligations under this agreement.

Neither party shall assume any liability for the non-performance or delay in the performance of any of the obligations under this agreement if such non-performance or delay results from or is the consequence of an event of force majeure or fortuitous event accepted as such by the jurisprudence, in particular: natural disasters, war, state of siege, disturbances of public order, transport strike, power failure or any other exceptional measure taken by the administrative or governmental authorities.

XII. CONFIDENTIALITY

The parties guarantee that they will maintain the strictest confidentiality and expressly comply with the duty of professional secrecy in relation to the data that they may have learned about each other, and which were obtained as a result of this contract, during the term of the provision of services and after its termination.

The RESPONSIBLE PARTY, during and after the term of this agreement, will treat all information owned by the RESPONSIBLE PARTY as strictly confidential, taking the necessary measures so that it is not disclosed to third parties, nor can they have access to it without the express authorisation of the RESPONSIBLE PARTY.

XIII. DATA PROTECTION OF THE PARTIES TO THE CONTRACTUAL RELATIONSHIP

The personal data of those involved in the contracting of services, in the case of natural persons or in the case of representatives of a legal person, will be processed by the other party, with the performance of the contract as the purpose and legitimisation of the processing. 

In the case of contact persons from whom data is collected during the provision of services, the data will be processed for the proper performance of the object of the contract, in a legitimate manner in accordance with the legitimate interest of the parties, in accordance with article 19 LOPD 3/2018.

The data will be kept for the legal periods provided for in accordance with the applicable legislation on fiscal, tax and commercial matters.

Both parties are informed of the possibility of exercising their rights of access, rectification, deletion, and in some cases, if applicable, the right of portability and limitation of processing. In order to exercise these rights, they may request the corresponding forms from the other party, or download them from www.agpd.es. Likewise, if they are not satisfied with the reply received from the other party, they may file a complaint with the Spanish Control Authority. www.aepd.es.

XIV. PARTY AUTONOMY

Each of the Parties expressly declares and declares that the relationship hereby entered into is not of an employment, corporate or any other similar nature and that each of the contracting parties is independent and autonomous with respect to the other, each party assuming the responsibility that corresponds to it within the scope of its respective activities, efforts, commitments and obligations and acting with complete freedom of judgement and conscience in the making and exercise of decisions, schedules and respective functions. Furthermore, the Parties state that under no circumstances may the PRINCIPAL or its employees be considered as agents or employees of the RESPONSIBLE PARTY.

XV. NULLITY OR VOIDABILITY OF THIS AGREEMENT

If any of the clauses in this data processing agreement are considered voidable or null and void, they shall be deemed not to have been included, without their voidability affecting the validity of the contract, and all other clauses shall retain their binding force between the parties.