4. Subcontractors and Personnel
4.1 Personnel. CSI shall: (i) inform its personnel with access to Subscriber Personal Data of the confidential nature of Subscriber Personal Data, and (ii) obligate such personnel to maintain the confidentiality of Subscriber Personal Data.
4.2 Subcontractors.
4.2.1 Subscriber consents to CSI engaging subcontractors or subprocessors to process Subscriber Personal Data (collectively “Subprocessors”) to perform the Services. The current list of Subprocessors (“Subprocessor List”) is incorporated herein as Annex 2. CSI shall update Subscriber with any changes to Subprocessors in advance of such change (except where shorter notice is required due to exceptional circumstances). In the event Subscriber reasonably objects to a change made to the Subprocessor List and CSI is unable to provide the Services without the use of such Subprocessor and no other reasonable solution can be mutually agreed to, either party may promptly terminate the Agreements (in whole or in part) by providing written notice to the other party, and Subscriber will receive a prorated refund of any prepaid, unused fees for the period following the effective date of termination.
4.2.2 Where CSI uses any Subprocessors to process Subscriber Personal Data to provide the Services, CSI shall contractually impose at least the same level of protection for Subscriber Personal Data as provided for in this DPA. CSI shall require that persons authorized to process Subscriber Personal Data are: (i) informed of the confidential nature of Subscriber Personal Data, and (ii) obligated to keep Subscriber Personal Data confidential. CSI shall remain liable for any breach of the Agreement caused by a Subprocessor to the same extent as if CSI had caused such breach.
| Information required for Sections I – IV of the SCC | |
|---|---|
| Clause 7 (Docking Clause) | The option under clause 7 shall apply. |
| Clause 9 (use of sub-processors) | Option 2 under clause 9 shall apply. For the purposes of clause 9(a), the agreed list of sub-processors is set out as provided in Section 4.2 of this DPA. CSI shall inform Subscriber of any changes to sub-processors following the procedure provided for in Section 4.2 of this DPA. Where CSI enters into the SCC with a sub-processor in connection with the provision of the Services, Subscriber hereby grants CSI authority to provide a general authorisation on Subscriber's behalf for the engagement of sub-processors by those sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors. |
| Clause 11 (Redress) | The option under Clause 11 shall not apply. |
| Clause 13 (Supervision) | At Clause 13(a), all three options are retained and apply as relevant where the transfer falls within the territorial scope of Regulation (EU) 2016/679. Where Subscriber is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as competent supervisory authority. Where Subscriber is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations. |
| Clause 17 (Governing Law) | The governing law for the purposes of Clause 17 shall be (i) the laws of the EU Member State in which the Data Exporter is established where the relevant transfer falls within the territorial scope of application of Regulation (EU) 2016/679; or (ii) the laws of England & Wales. |
| Clause 18 (Choice of forum and jurisdiction) | The courts under Clause 18 shall be (i) the courts of Spain where the relevant transfer falls within the territorial scope of application of Regulation (EU) 2016/679; or (ii) the courts of England & Wales. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes. |
| Information to be incorporated into Annex I of the SCC | |
| Data Exporter | Name: The Data Exporter is Subscriber as defined on page 1 of the DPA and its affiliates established within the EU, Switzerland and/or the UK that are using the Services. Address: As set out in the Agreements. Contact person’s name, position and contact details: As set out in the Agreements. Activities relevant to the data transferred under these Clauses: Recipient of the Services pursuant to the Agreement. Signature and date: By entering into this DPA, Data Exporter is deemed to have signed the SCC, including the Appendix to the SCC. Role (controller/processor): Controller |
| Data Importer | Name: The Data Importer is CSI as defined on page 1 of the DPA. Address: 11 Continental Blvd, Suite C, Merrimack, NH 03054. Contact person’s name, position and contact details: Privacy Team, support@campsoftwareinc.com. Activities relevant to the data transferred under these Clauses: Signature and date: By entering into this DPA, Data Importer is deemed to have signed the SCC, including the Appendix to the SCC. Role (controller/processor): Processor. |
| Categories of data subjects whose personal data is transferred | Subscribers and their authorized representatives and users, as well as individuals whose personal data Subscribers may provide in connection with the Services (e.g., personal information relating to Subscribers’ customers, crew information, passengers’ information). |
| Categories of personal data transferred | Depending on the data subject, the personal data transferred may include: • Personal and work contact information (name, phone number, email address, company information). • Financial information which Customer chooses to provide (e.g., payment card information, transactional data). • Flight and aircraft information (e.g., origin and destination, airports, aircraft tail number). • Passenger information (name, email address, customs clearance information). |
| Sensitive data transferred (if applicable) | None |
| Frequency of the transfer | On-going basis depending on the use of the Services by Subscriber |
| Nature of the processing | CSI will use the personal data transferred on behalf of and at the direction of the Subscriber to provide the Services contracted by the Subscriber, and as set forth in Section 2.2 of this DPA. |
| Purpose(s) of the data transfer and further processing | CSI will process Subscriber Personal Data as necessary in order to perform the Services and any related activities set forth in the Agreements. |
| Duration of Processing | CSI will process Subscriber Personal Data for the duration of the Agreements unless otherwise agreed upon in writing. |
| Sub-Processor Transfers | Sub-processors will process Subscriber Personal Data (i) as necessary to perform the Services pursuant to the Agreements and (ii) for the duration of the Agreements, unless otherwise agreed in writing. |
| Competent Supervisory Authority | As set out above against Clause 13. |
| Information to be incorporated into Annex II of the SCC | |
| Technical and Organisational Measures | In addition to any data security requirements set forth in the Agreements, CSI shall comply with the following: CSI will implement, maintain, and continuously control and update appropriate technical and organisational security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. These measures may include: 1. Preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used (physical access control) by taking measures such as: • Documenting security and other incidents, maintaining an incident log; • Protecting and managing physical access to assets and facilities; and • Implementing and maintaining security controls for each computer room and/or data centre and any area containing personal data. 2. Preventing data processing systems from being used without authorisation (logical access control) by taking measures such as: • Using appropriate network security devices such as intrusion detection systems, routers and firewalls; • Periodic review of user access to sensitive applications; • Secure log-in with unique user-ID/password for each user; • Locking of unattended workstations; • Role-based access for critical systems containing personal data; • Implementing and maintaining a process for routine system updates for known vulnerabilities; • Monitoring for security vulnerabilities on critical systems and applications; • Deployment and updating of antivirus software; and • Compliance with applicable laws, regulations and industry standards (including, where relevant, the Payment Card Industry Data Security Standard). 3. Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorisation (access control to data) by taking measures such as: • Using appropriate network security devices such as intrusion detection systems, routers and firewalls; • Monitoring the network to detect potential cybersecurity events (e.g., malware, DDoS); • Secure log-in with unique user-ID/password for each user; • Logging and analysis of system usage; • Role-based access for critical systems containing personal data; • Deployment and updating of antivirus software; • Maintaining a documented incident response plan that addresses actions to be carried out should an incident occur; and • Implementing and maintaining response and recovery procedures which are tested in the event of a disaster. 4. Ensuring that personal data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage, and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control) by taking measures such as: where appropriate in light of the types or nature of the data processed, encryption of communication, tunnelling (VPN = Virtual Private Network), content filter for outgoing data, firewall, and secure transport containers in case of physical transport. 5. Ensuring that personal data are protected against accidental destruction or loss (availability control) by taking measures such as: maintaining backup procedures and recovery systems, storing redundant servers in a separate location, mirroring of hard disks, maintaining uninterruptible power supply and auxiliary power unit, remote storage, climate monitoring and control for servers, fire-resistant doors, fire and smoke detection, fire extinguishing system, anti-virus/firewall systems, malware protection, disaster recovery and emergency plan. 6. Ensuring that data collected for different purposes or different principals can be processed separately (separation control) by taking measures such as: • Implementing data segregation where applicable. |