Data Processing Addendum

This Data Processing Addendum ("DPA") is effective upon the earlier of your clicking "Accept" to the Terms and Conditions (the "Terms") or your use of any of the Services and forms part of the Terms between SNAP TECHNOLOGY SOLUTIONS PUBLIC LTD ("SNAP") and the entity entering the Terms as a Business Partner ("Business Partner").

This DPA is supplemental to the Terms and sets out the roles and obligations that apply when SNAP processes Personal Data falling within the scope of the GDPR on behalf of Business Partner in the course of providing the Services.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms.

1. Definitions

1.1 For the purposes of this DPA:

(a) "EEA" means the European Economic Area.

(b) "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(c) "Terms" means the Terms and Conditions or other written or electronic agreement between SNAP and Business Partner setting out the provision and use of the Platform's Services.

(d) The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "Data Subject" have the meanings given to them in the GDPR.

(e) “Platform” means the Platform operated by SNAP, accessible from ( )

2. Applicability of DPA

2.1 Applicability.

This DPA will apply onwards to the extent that SNAP processes Personal Data falling within the scope of the GDPR on behalf of Business Partner in the course of providing the Services.

3. Roles and Responsibilities

3.1 Roles of the Parties.

This DPA governs the services where SNAP processes data on behalf of the Business Partner. To that extent, and in relation to such services, Business Partner is the Data Controller of the Personal Data described in Annex A and SNAP shall process the Personal Data as a Data Processor acting on behalf of Business Partner.

3.2 Business Partner Processing of Personal Data.

Business Partner shall be responsible for:

(a) Complying with all applicable laws relating to privacy and data protection in respect of its use of the Services, its processing of the Personal Data, and any processing instructions it issues to SNAP;

(b) Ensuring it has the right to transfer, or provide access to, the Personal Data to SNAP for processing pursuant to the Terms and this DPA; and

3.3 SNAP Processing of Personal Data.

SNAP shall process the Personal Data for the purposes set out in Annex A and in accordance with the lawful, documented instructions of Business Partner (including the instructions of any users accessing the Platform's Services on Business Partner's behalf) as set out in the Terms, this DPA or otherwise in writing.

4. Security

4.1 Security.

SNAP shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (a "Security Incident").

4.2 Confidentiality obligations.

SNAP shall ensure that any personnel that it authorizes to process the Personal Data shall be subject to a duty of confidentiality.

4.3 Security Incidents.

Upon becoming aware of a Security Incident affecting Personal Data processed by SNAP, SNAP shall notify Business Partner without undue delay. SNAP shall make reasonable efforts to identify the cause of the Security Incident and to take such steps as SNAP deems necessary and reasonable to mitigate the effects of such Security Incident, to the extent such efforts are within SNAP's reasonable control. SNAP shall make reasonable efforts to provide such information as Business Partner may reasonably require to enable Business Partner to fulfil any data breach reporting obligations under the GDPR.

5. Sub-processing

5.1 Sub-processors.

Business Partner agrees that SNAP may engage SNAP affiliates and third-party sub-processors (collectively, "Sub-processors") to process Personal Data on SNAP's behalf provided that:

(a) SNAP shall maintain an up-to-date list of Sub-processors which will be available upon request; and

(b) SNAP imposes on such Sub-processors data protection terms that require them to protect the Personal Data to the standard required by applicable data protection laws.

6. International Transfers

6.1 International transfers.

To the extent that SNAP transfers any Personal Data originating from the EEA to a country that has not been designated by the European Commission as providing an adequate level of data protection, it shall put in place such measures as are necessary to ensure such transfer is in compliance with the GDPR. Business Partner authorizes transfers of Personal Data to such destinations outside of the EEA subject to such appropriate safeguards having been put in place.

7. Cooperation

7.1 Data subject rights.

SNAP shall, taking into account the nature of the processing, provide reasonable assistance to Business Partner insofar as this is possible, to enable Business Partner to respond to requests from data subjects seeking to exercise their rights under the GDPR. In the event such request is made directly to SNAP, SNAP shall promptly inform Business Partner of the same.

7.2 Data protection impact assessments.

SNAP shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfil Business Partner's obligation to carry out data protection impact assessments and prior consultations with supervisory authorities, to the extent required under the GDPR and to the extent Business Partner does not otherwise have access to the relevant information.

7.3 Provision of information and reports.

SNAP shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this DPA by request to

7.4 Audit.

Whilst it is the parties' intention ordinarily to rely on the provision of the documentation to verify SNAP's compliance with this DPA, SNAP shall permit the Business Partner (or its appointed third-party auditors) to carry out an audit of SNAP's processing of Personal Data under the Terms following a Security Incident suffered by SNAP, or upon the instruction of a data protection authority. Business Partner must give SNAP reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to SNAP's operations. Any such audit shall be subject to SNAP's security and confidentiality terms and guidelines. If SNAP declines to follow any instruction requested by Business Partner regarding audits, Business Partner is entitled to terminate this DPA and the Terms.

8. Return/Deletion of Data

8.1 Return or deletion of Personal Data.

Upon termination or expiry of the Terms, SNAP shall delete or return to Business Partner the Personal Data (including copies) in SNAP's possession. This requirement shall not apply to the extent that SNAP is required by applicable law to retain some or all of the Personal Data.

9. Miscellaneous

9.1 Except as amended by this DPA, the Terms will remain in full force and effect.

9.2 Any claims brought under this DPA shall be subject to the Terms, including but not limited to the exclusions and limitations of liability set forth in the Terms.

9.3 If there is a conflict between this DPA and the Terms, in relation to data protection issues the DPA.

Annex A

Data Processing Description

This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.


The controller is:

The entity entering into an agreement with SNAP for the provision of services provided through the Platform, referred to as "Business Partner" in the DPA.


The processor is:

SNAP, a company incorporated under the laws of the Republic of Cyprus, which provides services through the Platform as per the Terms and other related services ("Services") to the Business Partner.

Data subjects

The personal data to be processed concern the following categories of data subjects:

• Consumers and employees of the Business Partner: past, present and potential consumers and employees of the Business Partner located in the EEA whose Personal Data is submitted to the Services.

• Other EEA individuals whose Personal Data is submitted to or processed through the Services on behalf of the Business Partner.

Categories of data

The personal data to be processed concern the following categories of data:

• Contact information: such as names, email addresses, phone numbers, contact details

• Sales information: such as details of the transactions undertaken through the Platform, products/services purchased, date/time, payment amount/method, cancellation, refunds, communications with Business Partner etc.

• Any other information that clients have provided to the Business Partner which is processed through the Services, the extent of which is determined and controlled by the Business Partner or consumer in their sole discretion

Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data (please specify):

SNAP may collect or process any special categories of data such as health related data necessary for the provision of its Services.

Processing operations

The personal data will be subject to the following basic processing activities:

• The provision, operation and delivery of the Services

• Any other purposes pursuant to Business Partner's Terms with SNAP