(Pursuant to Article 28 of EU Regulation 2016/679 – GDPR)
With the digital acceptance of this agreement between [Travel Agency Name] (hereinafter referred to as
the “Data Controller”) and ETM Global Limited, registered in the United Kingdom, with company
number {09721630] and registered office at [82 James Carter Road, Mildenhall, Edmunds, IP28 7DE],
represented by its legal representative (hereinafter referred to as the “Data Processor”), the parties
agree to the following terms:
WHEREAS
● Pursuant to Article 28 of EU Regulation 2016/679 (GDPR), ETM Global Limited ensures the
implementation of appropriate technical and organizational measures, guaranteeing that data
processing activities comply with the GDPR and provide full protection of the rights of data
subjects.
● The processing of personal data provided in the framework of the contractual relationship
between the parties is governed by this agreement and any other lawful instructions issued by the
Data Controller. The Data Processor undertakes to comply with the instructions given by the Data
Controller and fulfill the obligations stipulated in Article 28(3) of the GDPR, which define the
duration, nature, purpose of processing, types of personal data, and categories of data
subjects, along with the obligations and rights of the Data Controller.
● ETM Global Limited provides intermediary services between travel agencies, tour operators,
and various accommodation providers, as well as facilitates the sale and coordination of
travel-related services.
● As part of the contractual relationship between the parties, ETM Global Limited will process
personal data related to clients and/or their representatives on behalf of the Data Controller, for
the purpose of transmitting this data to accommodation and tourism providers where the
clients will be staying during their travels arranged by the Data Controller.
AGREEMENT
1. Appointment of the Data Processor
○ The Data Controller appoints ETM Global Limited as the Data Processor pursuant to
Article 28 of the GDPR.
○ The Data Processor is entrusted with processing personal data strictly for the execution
of the services requested by the Data Controller.
2. Scope, Nature, and Duration of Processing
○ The processing will be conducted at the Data Processor’s premises, using both digital
and physical formats, in accordance with GDPR security and confidentiality measures.
○ The Data Processor shall only retain personal data for the minimum period necessary
to fulfill the agreed services, except where longer retention is required by law or as
instructed by the Data Controller.
○ Upon termination of the contract, the Data Processor will return or delete all personal
data unless legal retention obligations apply.
3. Sub-Processing
○ The Data Processor is authorized to engage sub-processors, provided they comply with
GDPR standards and obligations similar to those in this contract.
○ The Data Controller retains the right to object to any sub-processor appointment and
may revoke the Data Processor’s authority to subcontract at any time, as per Article
28(2) of the GDPR.
4. Obligations of the Data Processor
The Data Processor shall:
○ Process personal data only to the extent necessary for the provision of requested
services.
○ Ensure that all personnel handling personal data are properly trained and bound by
confidentiality obligations.
○ Implement technical and organizational security measures appropriate to the level of
risk, ensuring protection against unauthorized access, loss, or alteration of data.
○ Assist the Data Controller in complying with data subject rights, including requests for
access, rectification, deletion, and restriction of processing.
○ Inform the Data Controller promptly of any data breaches or regulatory investigations
related to the processed personal data.
○ Cooperate with the Data Controller in fulfilling any regulatory obligations related to data
protection compliance.
5. Exclusions and Liabilities
○ The Data Processor is not responsible for obtaining consents from data subjects or
updating personal data unless explicitly instructed.
○ The Data Controller agrees to indemnify and hold harmless ETM Global Limited from
any claims, penalties, or damages resulting from non-compliance by the Data
Controller.
6. Termination
○ This agreement is subject to and dependent on the continuation of the commercial
relationship between the parties.
○ It will be automatically terminated upon the cessation of that relationship or upon
dissolution of either party’s business.
By accepting this agreement digitally, both parties acknowledge and agree to the terms outlined herein.
Please review and confirm your acceptance of the Contract of Responsibilities of the Data
Processor.