Schedule 2 - Data Protection


  1. DEFINITIONS AND INTERPRETATION

1.1 In this agreement, the following terms shall have the definitions given to them in Data Protection Legislation: “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”, “processes” and “processed” shall be construed accordingly), and “sensitive personal data” and, unless otherwise expressly stated or the context otherwise requires, the following words and expressions shall have the following meanings:

“Agreed Purpose”: for the purposes of the performance of this agreement, including provision of the Services by the Manager and the receipt of the Services by the Unit, a Party’s record keeping purposes, assessing its rights, obligations and liabilities under this agreement, or electing to exercise any such rights where applicable, and as required by a party to comply with applicable law or the Privacy Statement;

“Appropriate Safeguards”: such legally enforceable mechanism(s) for transfers of personal data as may be permitted under Data Protection Legislation from time to time;

“Data Protection Legislation” means any applicable laws relating to the privacy, use and processing of personal data, as applicable to the Manager, the Owner and/or the Services, including:

(a) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”);

(b) any laws or regulations implementing Council Directive 2002/58/EC (“ePrivacy Directive”);

(c) in relevant EU countries, all relevant member state laws or regulations giving effect to the ePrivacy Directive or corresponding with the GDPR;

(d) in the United Kingdom, after it ceases to be an EU member state, any corresponding or equivalent national laws or regulations giving effect to the GDPR or ePrivacy Directive including the Data Protection Act 2018; and

(e) any judicial or administrative interpretation of any of the above, and any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority,

in each case, as in force and applicable, and as may be amended, supplemented or replaced from time to time;

“Data Security Breach” means a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Protected Data;

“Data Subject Request” means a request made by a data subject to exercise any rights of that data subject under Data Protection Legislation in relation to any Protected Data processed by the Manager;

“principles” or a “principle” means the principles relating to processing of Protected Data or any one of them, as the context may require, as set out in Data Protection Legislation;

“Privacy Statement”: the privacy statement published by the Manager or its Affiliates from time to time;

“Protected Data” means personal data and sensitive personal data obtained, created or shared (whether by the Owner or the Manager or otherwise) in connection with the Services or the performance of a party’s obligations under this agreement;

“Shared Data” means any Protected Data in respect of which the Owner or the Manager acts as controller, which is shared by the Parties for the Agreed Purpose; and

“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation.

  2. SHARING OF PROTECTED DATA

2.1 The Parties may share Protected Data with each other in connection with Manager’s provision of the Services and the terms of this agreement. In particular:

2.1.1 the Owner may share Protected Data relating to Owner’s employees with the Manager, and the Manager may share Protected Data relating to the Manager’s employees with the Owner, for the Agreed Purpose;

2.1.2 the Owner and the Manager may share with each other Protected Data relating to Occupiers, guests and other visitors to the Unit for the purposes of allowing the Manager to provide the Services;

2.1.3 the Owner may share Protected Data relating to employees or officers of the Owner;

2.1.4 the Manager and the Owner may share Protected Data relating to actual or prospective Occupiers which it has collected through reservations systems and sales and marketing programmes operated by Manager or third-party service providers on its behalf;

2.1.5 the Manager may share Protected Data relating to employees or officers of the Manager; and

2.1.6 the Manager and the Owner may from time to time jointly determine the purpose and means of processing Protected Data in connection with the performance of this agreement or to carry out the Agreed Purpose.

2.2 The type of Protected Data to be processed under this agreement may include:

2.2.1 for all data subjects: names, addresses, email addresses, telephone numbers, job title, employer’s and other contact details, CCTV recordings, vehicle registration numbers;

2.2.2 for actual and prospective guests: age, purchase history, service preferences, loyalty scheme membership information, payment card details, marketing preferences, nationality, passport numbers, social media account and activity information, chatbot conversations, IP address, cookie data;

2.2.3 for Owner employees and Manager’s employees: may include all service record information including gender, birth date, age, length of service, sickness and absence records, disciplinary and grievance records, remuneration and benefits, pension and insurance enrolment information, education and training records, professional and trade union memberships, visa and other right to work information, photographs, PAYE/NI numbers and records, information on family, dependents and next of kin, bank account details, racial and ethnic origin; and

2.2.4 any other information identified in the Privacy Statement.

  3. PURPOSE AND COMPLIANCE WITH DATA PROTECTION LEGISLATION

3.1 The Parties envisage that:

3.1.1 in respect of Protected Data relating to the employees or agents of a Party or its Affiliates, investors, managers or agents, such Party is the controller and the other Party is a processor; and

3.1.2 in respect of all other Protected Data processed as part of the Services under this agreement, each Party is a controller.

3.2 Shared Data may be shared by the Manager with the Owner and vice versa during the Term solely for the Agreed Purpose.

3.3 Each Party acknowledges and confirms that it will observe all applicable requirements of Data Protection Legislation and these terms in relation to its processing of the Protected Data, and will, on request, provide the other Party at its own expense (unless otherwise stated below) with reasonable assistance, information and cooperation to ensure compliance with the respective obligations under Data Protection Legislation in relation to the Protected Data. Nothing in this agreement shall prohibit or otherwise restrict either Party from complying with obligations under applicable Data Protection Legislation. 

  4. FAIR AND LAWFUL PROCESSING

4.1 Each Party shall ensure that, when acting as a controller, it processes the Protected Data fairly, lawfully and transparently in accordance with the relevant principle relating to lawful, fair and transparent processing. 

4.2 Each Party acknowledges, confirms and represents that all Protected Data collected or sourced by it or on its behalf for processing in connection with the Services and the performance of this agreement or which is otherwise provided or made available to the other Party shall comply with and have been collected or otherwise obtained in compliance with Data Protection Legislation, and appropriate due diligence has been undertaken on third-party suppliers of Protected Data to verify such matters. 

4.3 The Parties will work together in good faith to ensure the information referred to in Data Protection Legislation (including GDPR Articles 13, 14 and 22) is made available to relevant data subjects in relation to the processing by either Party when acting as a controller, and the information is in a concise, transparent, intelligible and easily accessible form, using clear and plain language as required by Data Protection Legislation including GDPR Article 12.

4.4 Each Party shall, in determining what personal data is required by it in order to perform the Services and its obligations under this agreement or any applicable law, only request personal data that is relevant, adequate and not excessive in accordance with the relevant principles relating to purpose limitation and data minimisation and in accordance with the Privacy Statement. 

4.5 Each Party shall take every reasonable step to ensure that any Protected Data which is inaccurate, having regard to the purposes for which it is processed by either party, is erased or corrected without delay and that any such erasure or deletion by a party is notified to the other without delay.

4.6 Each Party shall (and shall procure that its subcontractors shall) only process Shared Data to the extent reasonably necessary for the Agreed Purpose. 

  5. DATA SUBJECTS’ RIGHTS

5.1 Unless Data Protection Legislation requires otherwise, the Manager shall deal with and respond to any Data Subject Requests or any other queries or complaints from data subjects relating to the Unit that are received by either Party. Therefore the Owner agrees to pass on Data Subject Requests to the Manager promptly (and in any event within two (2) business days of Owner’s receipt), and to provide such reasonable assistance as is necessary to enable the Manager to comply with a Data Subject Request and the rights of data subjects under Data Protection Legislation and to respond to any other queries or complaints from data subjects.

5.2 Insofar as the Owner is separately required to deal with any Data Subject Requests directly and not via the Manager, the Manager shall provide to the Owner all reasonable assistance as is necessary to enable the Owner to comply with such Data Subject Request and the rights of data subjects under Data Protection Legislation.

  6. DATA RETENTION

6.1 A Party shall not (and shall procure that any subcontractor shall not) retain or process Shared Data for longer than is necessary to carry out the Agreed Purpose and shall otherwise comply with the requirements of Data Protection Legislation in respect of the retention of Protected Data. 

6.2 Notwithstanding paragraph 6.1 above, a Party may continue to retain Protected Data if required to do so by law, provided that it notifies the other in writing if that is the case and complies with its obligations under Data Protection Legislation as controller of such Protected Data.

  7. TRANSFERS

7.1 For the purposes of this paragraph 7, transfers of Protected Data shall mean the following:

7.1.1 storing Protected Data on servers outside the EEA; 

7.1.2 subcontracting the processing of Protected Data to processors located outside the EEA; and/or

7.1.3 granting third parties located outside the EEA access rights to the Protected Data.

7.2 Each Party shall not (and shall procure that any subcontractor shall not) disclose or transfer the Protected Data outside the EEA unless such disclosure is in accordance with Data Protection Legislation and:

7.2.1 that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data as determined by the appropriate Supervisory Authority; or 

7.2.2 in the absence of an adequacy designation, there is a mechanism in place for cross-border data transfers utilising Appropriate Safeguards as approved by the appropriate Supervisory Authority.

  8. SECURITY

8.1 In relation to Protected Data, each Party shall:  

8.1.1 implement and maintain appropriate technical and organisational security measures in relation to the processing of the Protected Data, which shall ensure a level of security appropriate to the risk including, as appropriate: (a) pseudonymisation and encryption; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to the Protected Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of those measures (“Security Principle”); and

8.1.2 monitor good industry data security practice and keep compliance with data protection requirements regularly under review, particularly in relation to the technical and legal developments and relevant new or changed security threats, and at its own cost implement any further steps that are necessary to comply adequately with the obligations which are imposed on a controller pursuant to the Security Principle.

  9. TRAINING AND COMPLIANCE

9.1 It is the responsibility of the Manager to ensure that its employees, and consultants it engages to carry out the Services are appropriately trained to handle and process the Protected Data. The level, content and regularity of training shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and processing of the Protected Data.

9.2 Each Party shall promptly on request (and in any event within ten (10) Business Days) provide to the other evidence of compliance with its data processing obligations in relation to Protected Data to enable the requesting entity or its auditors to assess compliance with this agreement or to respond to any request from, or requirement of, any Supervisory Authority or any other regulatory or judicial body of competent jurisdiction.

9.3 Owner shall assist Manager in conducting privacy assessments (and any related consultations) where required under Data Protection Legislation.

  10. DATA SECURITY BREACHES AND REPORTING PROCEDURES

10.1 Having considered the applicable Data Protection Legislation, the Parties shall have in place their own guidance that must be followed in the event of a Data Security Breach.

10.2 Each Party is under a strict obligation to:  

10.2.1 notify any potential or actual Data Security Breach to the other Party within forty-eight (48) hours after identification to enable the parties to consider what action is required in order to resolve the issue in accordance with the applicable Data Protection Legislation;

10.2.2 provide the party that has the obligation under Data Protection Legislation to report the breach (“Reporting Party”), within seventy-two (72) hours of becoming aware of the breach, with such details relating to the breach as the Reporting Party may reasonably require; and

10.2.3 immediately preserve any potential forensic evidence relating to the Data Security Breach, including all relevant records, logs, files, data reporting, and other materials, and make such evidence available to the Reporting Party as required by the Reporting Party; and immediately take all steps to remedy the Data Security Breach condition and undertake appropriate response activities.

10.3 The Parties shall provide reasonable assistance as is necessary to each other to facilitate the handling of any Data Security Breach in an expeditious and compliant manner.

10.4 To the extent permitted by law, neither Party shall:

10.4.1 notify a Supervisory Authority or data subject of any Data Security Breach; or

10.4.2 issue any public statement or otherwise notify any data subject of such Data Security Breach,

without first consulting with the other Party and, in respect of the processor only, obtaining the consent of the controller, such consent not to be unreasonably withheld or delayed.

  11. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR THE SUPERVISORY AUTHORITY

11.1 If a party (“Receiving Party”) receives a complaint, dispute or claim brought by a data subject or a notice or investigation by the Supervisory Authority which relates directly or indirectly to the other party’s: (i) processing of the Protected Data; or (ii) a failure or potential failure to comply with Data Protection Legislation, the Receiving Party shall, to the extent permitted by law, promptly forward the complaint, notice or communication to the other party and provide the other party with reasonable co-operation and assistance in relation to the same.

11.2 The Parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the relevant Supervisory Authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

  12. RECORDS OF PROCESSING ACTIVITIES

12.1 Each Party shall maintain complete, accurate and up to date written records of all categories of processing activities carried out related to this agreement containing such information as required under Data Protection Legislation and this agreement (“Processing Records”). 

12.2 The Manager shall make available to the Owner on request in a timely manner such information (including the Processing Records) as is reasonably required by the Owner to demonstrate compliance by the Owner and the Manager with their obligations under Data Protection Legislation and this agreement, which the Owner may disclose to the Supervisory Authority or any other relevant regulatory authority.  

12.3 Each Party shall be responsible for ensuring that it can demonstrate its own compliance with Data Protection Legislation for accountability purposes.

  13. PROCESSOR OBLIGATIONS

13.1 Where a Party processes Protected Data as a processor on behalf of the other as controller, the Parties shall: 

13.1.1 process the Protected Data only in accordance with controller’s documented instructions (whether in this agreement or otherwise) unless required by EU or member state law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

13.1.2 ensure that persons authorised by it to process the Protected Data have committed themselves to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality; 

13.1.3 take all measures required pursuant to GDPR Article 32 to ensure a level of security for the Protected Data which is appropriate to the level of risk involved in the processing;

13.1.4 not permit any third party to process the Protected Data without the prior written consent of controller, such consent to be subject to the processor meeting the conditions set out in GDPR Article 28 (2) and (4);

13.1.5 taking into account the nature of the processing, assist controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of controller’s obligation to respond to requests for exercising the data subjects’ rights laid down in Chapter III of the GDPR;

13.1.6 assist controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of the processing and the information available to the processor;

13.1.7 at the choice of controller, delete or return all Protected Data to controller as soon as reasonably practicable and in any event within ninety (90) days, upon termination or expiry of this agreement. The processor undertakes to deliver to the controller, at the controller’s request following such ninety (90) day period, a certificate certifying that it does not possess, directly or indirectly, any Protected Data in any format or storage media; and that neither does any third party possess any such Protected Data that has been transferred to it by the processor; notwithstanding the foregoing, the processor is authorised to keep any documentation or media containing Protected Data where storage of such Protected Data is required by Data Protection Legislation or any law of the EU or an applicable member state, or which may be necessary for the sole purposes of responding to any claims formulated in connection with the processing undertaken on account of the controller; such media or documentation must be kept in accordance with this paragraph 13.1.7 and Data Protection Legislation during the respective statute barring period. Upon expiry of this period, such retained Protected Data must be deleted or destroyed; 

13.1.8 make available to controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by controller or another auditor mandated by controller. The controller shall give the processor reasonable notice of any audit or inspection to be conducted and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing any damage, injury or disruption to the processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The processor need not give access to its premises for the purposes of such an audit or inspection: (A) unless the processor is processing the Protected Data at such premises; (B) to any individual unless he or she produces reasonable evidence of identity and authority; (C) outside normal business hours at those premises, unless the audit or inspection is required to be carried out on an emergency basis by a Supervisory Authority; or (D) for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which the controller is required or requested to carry out by Data Protection Legislation or a Supervisory Authority;

13.1.9 procure that any person acting under its authority who has access to Protected Data only processes the Protected Data as processor on and in accordance with the controller’s documented instructions.

  14. USE OF SUBCONTRACTORS

14.1 The Parties acknowledge and agree that where Manager wishes to engage any third party to process Protected Data in connection with this agreement, Owner provides Manager with a general authorisation to engage such third parties as subcontractors to provide services or products solely for the purpose of performing the Services (the “Permitted Subcontractors”) provided that Manager has undertaken due diligence on the proposed subcontractor. Manager shall provide Owner upon request with a list of Permitted Subcontractors that process Protected Data. Where Manager uses a Permitted Subcontractor who processes Protected Data, Manager shall ensure that it has a written contract in place with that Permitted Subcontractor that imposes on the Permitted Subcontractor obligations no less onerous than those imposed on Manager in this Schedule and Manager shall ensure that the Permitted Subcontractor complies with those obligations and Data Protection Legislation.

14.2 Notwithstanding any consent or approval hereby given by the Owner under paragraph 14.1, the Manager shall remain primarily liable to the Owner for the acts, errors and omissions of any sub-contractor to whom it discloses Protected Data, and shall be responsible to the Owner for the acts, errors and omissions of such sub-contractor as if they were the Manager’s own acts, errors and omissions to the extent that the Manager would be liable to the Owner under this agreement for those acts, errors and omissions. 

Copyright © 2025 Stay at Mine Limited t/a Be London™️ Company No: 09954539 