Personal Data Processing Agreement

This Data Protection Agreement (“DPA”) forms part of the agreement between the Client and VisionBox, covering Vision-Box’s Products and Services provision as set forth in the Commercial Agreement entered between the Parties and in this DPA.

The Client acknowledges that this DPA pertains the legal requirements under the Applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any.

1. DEFINITIONS

Unless otherwise defined in this DPA, all terms in capital letters that are used will have the meaning given to them by this DPA. In the event of any conflict or inconsistency in terms of data protection safeguards between this DPA and the Commercial Agreement, this DPA will prevail.

Adequacy Decision: a legally binding decision issued by the European Commission, allowing the transfer of Personal Data from the EEA to a third country which has been considered adequate in terms of data protection safeguards;

Affiliate: (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

Applicable Data Protection Laws: in EU Member States, the Regulation as complemented by national and European legislation, including national execution laws, legislation on the processing of personal data in electronic communications, interpretations and guidelines issued by European and national authorities, standard contractual clauses approved by the European Commission or by supervisory authorities, as well as any relevant case-law, namely from the Court of Justice of the European Union, regarding the safeguarding and lawful processing of Personal Data; in non-EU countries, any applicable data protection laws regarding the safeguarding and lawful processing of Personal Data;

Commercial Agreement: the Commercial Agreement entered between Vision-Box and the Client.

Client Personal Data: Personal Data, relating to Data Subjects, processed in the context of the provision of the service by Vision-Box;

Client: The counterparty to Vision-Box in the Commercial Agreement;

Client’s Employees and Contractors: Data Subjects engaged by the Client;

Data Controller: in general, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Data Controller is the Client;

Data Exporter has the meaning set forth in the Standard Contractual Clauses, if applicable;

Data Importer has the meaning set forth in the Standard Contractual Clauses, if applicable;

Data Processor: in general, a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller. For the purposes of this DPA, the Data Processor is Vision-Box;

Data Subject: an identified or identifiable natural person to whom Personal Data refers to. For the purposes of this DPA, the Data Subjects include travellers and passengers. For the avoidance of doubt, Personal Data has the meaning set forth in the Regulation and the Applicable Data Protection Laws;

Data Subjects’ Rights: the rights which Data Subjects are entitled to under the Applicable Data Protection Laws. To the extent that the Regulation is applicable, Data Subjects’ Rights include, e.g., the right to request access to, rectification or erasure of Personal Data, to request the restriction of Processing concerning the Data Subject or to object to Processing, as well as the right to data portability, from the Data Controller;

DPA: this personal Data Processing Agreement, together with Annexes 1 and 2;

EEA: the European Economic Area;

EU: the European Union;

Non-EEA Entity: any entity, acting as Data Processor (or Sub-processor), located in a country outside of the EEA, which Processes Client Personal Data in the context of the provision of the service;

Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the avoidance of doubt, Personal Data has the meaning as set forth in the Regulation and the Applicable Data Protection Laws;

Processing: any operation, or set of operations, which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure ordestruction;

Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC;

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

Service: the services to be provided to the Client, as defined in the Commercial Agreement between Vision-Box and the Client;

Special Categories of Personal Data: Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of natural persons, as well as genetic data, biometric data (when Processed for the purpose of uniquely identifying a natural person), data concerning health or data concerning a natural person's sex life or sexual orientation, including data relating to criminal convictions and offences or related security measures;

Standard Contractual Clauses: the Standard Contractual Clauses clauses for the international transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, adopted by the European Commission in its Decision 2010/87/UE on 6 June 2021;

Sub-processor: an entity engaged by the Data Processor to assist it in (or who undertakes any part of) Processing the Personal Data, in fulfilment of the Data Processor’s obligations under this DPA, and identified in the List of Sub-processors, which has been approved by the Data Controller under Clause 5 of this DPA.

Supervisory Authority: any independent public authority which has powers to monitor and enforce the application of the Applicable Data Protection Laws regarding the Processing of Personal Data in the context of the provision of the Service, which in Portugal is ‘CNPD’ – National Commission for Data Protection.

2. DATA PROTECTION ROLES

  1. The Client is the Data Controller regarding the Personal Data processed by Vision-Box in the context of the provision of the Service;
  2. Vision-Box is the Data Processor regarding the Personal Data processed in the context of the provision of the service; and
  3. This DPA governs the relationship between the Parties in terms of respective duties and obligations concerning the Processing of Personal Data by the Data Processor in the context of the provision of the Service.

3. OBLIGATIONS OF THE DATA PROCESSOR

  1. The Data Processor will conduct the processing activity as determined by the Data Controller, in the context of the provision of the service, as described in Annex 1.
  2. Aside from the obligations listed in Annexes 1 and 2 of this DPA, the Data Processor further commits to complying with the following obligations:
    1. The Data Processor will Process Personal Data only as necessary to provide the Service and subject to the Data Controller’s written instructions;
    2. The Data Processor will notify the Data Controller in the event that it considers a specific written instruction received from the Data Controller to be in violation of the Applicable Data Protection Laws;
    3. Vision-Box shall maintain a record of all processing activities carried out on behalf of the Data Controller, containing the specifications required under Article 30 (2) GDPR.
    4. The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the Data Processor and in accordance to the documented instructions to be provided by the Data Controller.
    5. Vision-Box shall provide the necessary information, if requested by the Data Controller, that is needed to draft a Data Protection Impact Assessment and Legitimate Interests Assessments.
    6. Vision-Box, as Data Processor, will notify the Data Controller without undue delay of any contact, communication or correspondence it may receive from a Supervisory Authority, related to the Processing of Personal Data in the context of this DPA and the Service.
    7. The Data Processor has implemented adequate operational, technical and organisational measures under Article 32 of the Regulation (which are described in Annex 2 of this DPA), to protect the Personal Data (including Special Categories of Personal Data, if applicable). The Data Processor is specifically allowed to implement adequate alternative measures or use alternative locations to Process the Customer Personal Data, so long as the security level of the measures is maintained and is, in all respects, adequate. In this case, and prior to the implementation of such adequate alternative measures, the Data Processor shall notify the Data Controller of the content of such alternative measures, which may, however, be subject to the Data Controller’s objection.
    8. In the event that the Data Processor discloses Personal Data to its personnel which is directly and exclusively involved in the provision of the Service, the Data Processor will ensure that such personnel:
      1. is committed to confidentiality or is under an appropriate statutory obligation of confidentiality; and
      2. Processes Customer Personal Data under the instructions of the Data Processor, and in compliance with the Data Processor’s obligations under this DPA.

4. OBLIGATIONS OF THE DATA CONTROLLER

  1. The Data Controller acknowledges and agrees that, in order for the Data Processor to provide the Service, the Data Controller must provide or allow the access to the Personal Data to the Data Processor.
  2. The Data Controller represents and warrants that it has an appropriate legal basis (e.g., Data Subjects’ consent, compliance of contractual obligations, legitimate interests, or other) to Process and disclose the Personal Data to the Data Processor, in the context of the provision of the Service.

5. AUTHORISATION FOR SUB-PROCESSING

The Data Controller acknowledges, agrees and consents that, for the sole and exclusive purpose of providing the Service and subject always to compliance with the terms of this DPA, Personal Data may be Processed by the Data Processor or its Sub-processors.

  1. As such, the Data Controller provides a general authorisation to the Data Processor for the engagement of Sub-processors, provided that the Data Processor informs the Data Controller as to the identity of the Sub-processors whenever the Data Controller requests such information and throughout the duration of the Commercial Agreement. The Data Controller may oppose to changes in the list of Sub-Processors or the addition of new SubProcessors that are different from the ones that were previously identified;
  2. enters into written agreements with each Sub-processor, binding them to the same obligations concerning the Processing of Customer Personal Data as the Data Processor is bound to under this DPA;
  3. retains liability for Sub-processors’ compliance with their obligations under this DPA.

6. INTERNATIONAL TRANSFERS OF PERSONAL DATA AND INCORPORATION OF EU STANDARD CONTRACTUAL CLAUSES

  1. Data Processor shall keep all data processing activities within the EEA territory.
  2. If it becomes necessary for personal data processed under the Commercial Agreement to be transferred to Non-EEA Entities (Sub-Processors), the Data Processor shall ensure that the personal data are adequately protected. To achieve this, the Data Processor shall, unless agreed otherwise with the Data Controller, rely on the Standard Contractual Clauses or alternative mechanisms approved by the European Data Protection Board (EDPB).
  3. Nothing in this DPA shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses.

7. TECHNICAL AND ORGANISATIONAL MEASURES

  1. The Data Processor shall comply with all Applicable Data Protection Laws and its obligations under this DPA and shall not transfer or make accessible to third parties information originating in the Data Controller’s sphere. Taking into account the state of the art, documents and data shall be appropriately secured against accessibility by unauthorized persons.
  2. In regard to its area of responsibility, the Data Processor shall shape its internal organization in a manner that is compliant with the special requirements of data protection. The Data Processor shall also ensure that it has implemented all necessary technical and organizational measures under Article 32 of the GDPR; particularly regarding the measures specified in Annex 2 herein below.
  3. Upon the Data Controller’s request, the Data Processor shall disclose the particulars of how these measures are determined and implemented. The Data Processor may change the implemented security measures, provided that it ensures that these do not fall short of the contractually agreed upon level of protection, in accordance with clause 3.2 f) herein above.

8. DATA SUBJECTS

  1. Taking into account the nature of the processing, the Data Processor will do its best efforts to assist the Data Controller in the fulfilment of the Data Controller’s obligation to provide information and respond to requests to exercise Data Subjects’ rights, by means of appropriate technical and organisational measures.
  2. The Data Processor will cooperate with and assist the Data Controller, according to its best efforts, and provide such information as may be required to lawfully respond to Data Subjects’ Rights requests, or otherwise to enable the Data Controller to comply with its duties related to Data Subjects' Rights under the Applicable Data Protection Laws.

9. OBLIGATIONS OF COOPERATION AND ACCOUNTABILITY

  1. The Parties will cooperate in good faith, in order to ensure compliance with the provisions of this DPA, including, but not limited to, assuring the correct and timely exercise of Data Subjects’ Rights, managing incidents in the event of a security / Personal Data Breach so as to mitigate their possible adverse effects, etc., namely as further detailed in the remaining provisions of this DPA.
  2. The Parties will cooperate in good faith, in order to make available to each other, as well as to Supervisory Authorities, all information necessary to demonstrate compliance with the Applicable Data Protection Laws.

10. CONTROL RIGHTS

  1. Prior to the start of the data processing, Data Processor shall grant Data Controller access to information regarding any existing attestations by experts, certifications or of internal audits. Data Controller may, after timely coordination and during normal business hours, also personally, or through its representatives, audit Data Processor's technical and organizational measures and the technology used in the provision of the Services. Data Controller shall conduct controls in a manner that does not unduly disturb Data Processor’s business operations at its own expenses.
  2. Upon the Data Controller’s verbal, written or electronic request, Data Processor shall, in a timely manner, provide the former with all information and records necessary for controlling its technical and organizational measures.
  3. The Data Controller shall document the control result and notify the Data Processor accordingly. In case of mistakes or irregularities detected by the Data Controller, particularly when assessing older results, the Data Controller shall inform the Data Processor accordingly without undue delay. If the control reveals issues to be avoided in the future that require changes to the process, the Data Controller shall, without undue delay, notify the Data Processor of the necessary changes.
  4. Upon request, the Data Processor shall provide the Data Controller with a comprehensive and upto-date data protection and security concept for the Customer Personal Data processing and regarding authorized persons for access.

11. DATA RETURN AND DELETION

  1. The Data Processor will, at no cost to the Data Controller, return or destroy the Personal Data at the Data Controller’s request. Furthermore, upon the expiration or earlier termination of this DPA, the Data Processor will, at no cost to the Data Controller, return or destroy the Personal Data to the Data Controller, subject to a written request of the Data Controller with reasonable advance notice. This will not apply where mandatory applicable laws (including, but not limited to, the Applicable Data Protection Laws) or binding orders from law enforcement authorities (including, but not limited to, the Supervisory Authority), prevent the Data Processor from doing so.

12. PERSONAL DATA BREACHES

  1. The Data Processor will not be held responsible for any Personal Data Breaches which are not imputable to the Data Processor’s negligence or wilful misconduct or only where it has not complied with obligations of the Applicable Data Protection Laws specifically directed to processors or where it has acted outside or contrary to the provisions of this DPA or the lawful instructions of the Data Controller.
  2. If the Data Processor becomes aware of a Personal Data Breach, it will:
    1. take appropriate actions to contain and mitigate the Personal Data Breach, including notifying the Data Controller as soon as possible, but in no event later than 36 (thirty-six) hours after the Data Processor becomes aware of the Personal Data Breach, in order to enable the Data Controller to expeditiously implement its response programme;
    2. cooperate with the Data Controller to investigate the nature, categories and approximate number of affected Data Subjects, the categories and approximate number of affected Personal Data records and the likely consequences of the Personal Data Breach, in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the provision of the Service under this DPA;

13. LIABILITY

  1. The rules governing liability shall be the ones applicable to the Commercial Agreement.

14. SEVERABILITY CLAUSE

  1. If any provision of the DPA is held to be or become invalid, unenforceable or incomplete as a whole or in parts, the validity and enforceability of the remaining provisions will not in any way be affected or impaired. Additionally, when such situation arises, the Parties agree to interpret this DPA in the manner that allows for closest interpretation to the original meaning intended by the Parties (taking into account the invalidated, unenforceable or incomplete provisions).

15. NOTICES

  1. Notices under this DPA shall follow the rules for notices under the Commercial Agreement.

16. GOVERNING LAW AND JURISDICTION

  1. This DPA shall be governed under the rules that were set forth under the Commercial Agreement.

ANNEX 1

1. PURPOSES AND DURATION OF DATA PROCESSING ACTIVITIES

Processing of personal data necessary to comply with the Service, namely for the provision of the technical support and the management of the ID control of passengers and travellers.

The duration of the processing shall be in accordance with the Client instructions and the terms of this DPA and the Service.

2. NATURE OF DATA PROCESSING

The personal data will be subject to the following basic Processing activities:

  1. Collection
  2. Retrieval
  3. Structuring
  4. Storage
  5. Recording
  6. Organisation
  7. Deletion
  8. Transmission

3. CATEGORIES OF DATA SUBJECTS

The personal data transferred concern the following categories of Data Subjects:

  1. Passengers/customers of the Data Controller;
  2. Dedicated employees of the Data Controller.

4. TYPES OF PERSONAL DATA

Personal Data to be processed (and stored) by the Data Processor from the time the Data Subject gives his/her consent for data Processing until the Data Subject opts out from the data Processing (withdraw his/her consent):

  1. Passport Number;
  2. Nationality;
  3. Facial image of the Data Subject.

Temporarily stored Personal Data - this includes the Personal Data pushed to the Data Processor related to enrolled passenger’s flight (the flight details of the Data Subject who has provided his/her consent for such Data Processing).

The Personal Data described below shall be deleted/erased by the Data Processor once the Data Subject’s respective flight departs:

  1. Flight Number;
  2. Departure Date and Time;
  3. Passenger Sequence Number;
  4. Destination;
  5. Passenger Name;
  6. Nationality;
  7. Passport Expiry Date,
  8. Passport issue date;
  9. Passport issue country;
  10. Date of Birth;
  11. Lounge eligibility;
  12. Seat number;
  13. Flight Gate number.

3. Personal data of the employees of Data Controller to be Processed by the Data Processor in order to manage the Services:

  1. Photo of the dedicated employees;
  2. Staff number of the dedicated employees

ANNEX 2

Description of the Technical and Organizational Security Measures

This Appendix describes the technical and organizational measures to be implemented by the VisionBox in relation to the Processing of Personal Data under the Service.

1. Admission Control

  1. The Data Processor shall implement and maintain measures to control physical access. It undertakes to:
    1. prevent unauthorized persons from gaining access to data processing systems with which Personal Data are processed; and
    2. protect offices where Personal Data are processed by putting in place appropriate measures against access by unauthorized persons.

2. Entry Control

  1. The Data Processor shall implement and maintain measures to control access to systems. It undertakes to:
    1. prevent unauthorized use of data processing systems;
    2. grant only employees of the Data Processor access to applications which process Personal Data to the extent that they require it for the performance of their function; and
    3. ensure that access control is supported by an authentication system.

3. Access Control

  1. The Data Processor shall implement and maintain measures to control access to data. It undertakes to:
    1. ensure that persons authorized to use a data processing system have access only to the data for which they have the right of access, and that Personal Data cannot be read, copied, modified or removed without authorization, both during Processing and after storage; and
    2. only grant authorization to access Personal Data to employees of the Data Processor who require access to perform their functions in providing the Services under the Agreement. In addition, the Supplier will only grant its employees the level of access (e.g. roles) necessary to perform their functions in providing the Services under the Agreement. Data Processor will ensure that only Data Processor's authorized personnel can access the Personal Data.

4. Transfer Control

  1. The Data Processor shall implement and maintain measures to control disclosure. It undertakes to:
    1. ensure that Personal Data cannot be unauthorizedly read, copied, modified or removed during electronic transmission or transportation, and that it is possible to verify and establish to which entities the transfer of Personal Data by means of data transmission services is envisaged; and
    2. encrypt all Personal Data is stored in an environment without physical access control, or if stored or transferred outside the Supplier's logical and physical access control system.

5. Introduction Control

  1. The Data Processor shall implement and maintain measures to control the introduction. It undertakes to:
    1. ensure that it is possible to verify and establish whether and by whom the Personal Data have been introduced into data processing systems, modified, or removed; and
    2. permit only authorized personnel of the Data Processor to modify any Personal Data within the scope of their duties. The Data Processor shall be required to record any changes made to the Personal Data if such changes are not made by the Controller.

6. Commission Control

  1. The Data Processor shall implement and maintain measures to control the commission. It undertakes to:
    1. ensure that, where Personal Data are processed, the data are processed in accordance with the instructions of the Controller; and
    2. to carry out Processing only in accordance with the instructions of the Controller.

7. Availability Control

  1. The Data Processor shall implement and maintain measures to control availability. It undertakes to:
    1. ensure that Personal Data is protected against destruction or accidental loss; and
    2. implement measures so that in the event of a breach of the Services, the Data Processor shall be able to resume the Services as provided for in the Agreement.

8. Multi-Entity Separation Control

  1. The Data Processor shall implement and maintain measures to control segregation. It undertakes to:
    1. ensure a strict logical or physical separation between Personal Data and other personal information for which the Sub-processor is a controller or processor, and shall treat personal information received from different clients or from the Controller separately; and
    2. ensure that at each step of the Processing, the data controller of personal information can be identified.