1. Each Party shall take reasonable steps to protect personal data (i.e., information that relates to an identified or identifiable natural person) processed in the context of the Agreement against loss and unauthorized access, use, deletion and disclosure; and, as required by applicable laws, process personal data in a manner that ensures appropriate confidentiality and security of the personal data.
2. The Provider acknowledges that it is responsible for the handling and security of the personal data. The Provider shall be a data controller (i.e. determines the purposes and means of the data processing) for any personal data it processes. The Provider shall become data controller upon receipt of the personal data either directly or indirectly through a customer. Each Party shall be solely responsible for the processing of personal data by itself or on its behalf in accordance with applicable data protection laws. The Parties shall, if required by applicable laws, cooperate in good faith and provide assistance in the event data subjects wish to exercise their rights of access, correction, erasure or portability, or in case of requests from competent authorities to demonstrate compliance with obligations applicable to the Party.
3. The Provider warrants that it has, as required by applicable laws, duly and diligently informed (and as required by applicable laws, obtained consents from) its staff members about the processing of their personal data.
4. The Provider shall process personal data that the Provider received from customer as part of the Services under the Agreement only so far as necessary to perform the requested reservation services, or as otherwise agreed to between the Parties in writing, in accordance with applicable law, including (if applicable) Directive 95/46/EC and 2002/58/EC (as amended or replaced by subsequent legal acts) on the processing of personal data and the protection of privacy or the EU General Data Protection Regulation or if the Provider has obtained explicit consent from the guest to any other use of guest’s personal data.
5. If the Provider will or intends to notify guests (e.g., competent data protection and/or government authorities) of a data breach (any discovered or suspected incident resulting in accidental, unlawful, or unauthorized destruction of, loss of, alteration of, access to, disclosure of, or use of personal data) involving personal data received by the Provider, the Provider shall first, to the extent permitted by law, provide any draft notification and related correspondence to customer and reasonably cooperate in finalizing such notification and correspondence and other communication that may follow with the guests or authorities.
Payment Card Security
5.1 To the extent the Provider processes payment card information obtained by the customer through the Provider reservation services, the Provider is required to comply and to have its service providers comply on an ongoing basis with the requirements, compliance criteria and validation processes set forth in the current Payment Card Industry (PCI) Data Security Standard issued by the major credit card companies.