General terms of data processing

The Parties agree that any personal data provided under the present agreement, in particular the data of persons (guests)
who will be using the hotel services, made available by the Client to the Service Provider, shall be processed in accordance with the terms of the contract and the GDPR.

To the extent required under the applicable data protection regulations, including the GDPR, each of the Parties in their capacity of a controller of personal data shall obtain all the consents from the data subject(s) needed to make personal data available under the agreement to the other Party and to process the data in connection with the performance and payments under the agreement.

Detailed terms of personal data processing by the Provider of Service are set out in documents available at the following website:
https://all.accor.com/information/legal/data-protection.en.shtml

The Parties agree that the Client shall provide details of persons (guests) who will be using the hotel services (i.e. in the form of a guest list) no earlier than one (1) month before the date of commencement of services covered by the agreement by the Service Provider.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the Service Provider being the controller of the personal data provided by the Client under the agreement shall implement appropriate technical and organisational measures, including those specified in Article 32 of the GDPR, to ensure the level of personal data security appropriate to the risk of data processing.

Each of the Parties shall on its own fulfil its obligations of providing information under Articles 13 and 14 of the GDPR with regard to persons whose data are processed by the Party as their controller.
The Parties shall cooperate with each other in order to enable persons whose personal data have been made available based on the agreement to enforce their rights under the GDPR. In this respect, the Parties shall in particular cooperate in the event one of the Parties must make any request, notification or respond to a question or request related to the processing of personal data made available by the other Party on the basis of the agreement.

The Service Provider shall ensure that access to personal data made available to it by the Client on the basis of the agreement is limited only to those persons who have been duly authorized to process personal data.
Under Article 30 of the GDPR, each of the Parties must maintain a record of processing activities under its responsibility with respect to the personal data, of which it is the controller, and must report any personal data breaches in accordance with Articles 33 and 34 of the GDPR.

In the event that either Party suffers damage as a result of the other Party’s breach of this paragraph or that Party’s compliance with the applicable provisions of the GDPR, the injured Party shall have the right to seek indemnity from the other Party for the damage suffered, including indemnity for the costs of any judicial or other proceedings, as appropriate.
Any and all obligations imposed upon a Party with respect to the processing of personal data shall survive the termination or expiry of the agreement.