For the purposes of this Clause, the terms Personal Data, Data Subject, Data Controller, Data Processor, Processing, Supervisory Authority, Third Party and Recipients shall have the meanings given to them in the applicable Data Protection Law, i.e. Greek Law 2472/1997 and EU Regulation 679/2016 [GDPR] on the protection of physical persons with regard to the processing of personal data, effective from 25th May 2018.

In light of this Processing, Aegean Airlines SA / Olympic Air SA and the respective Travel Agent act as Controllers / Joint Controllers. This Model Clause accompanies the relevant Group Offers.

Recitals:


In consideration of the mutual exchange of promises, the parties have agreed to enter into this Clause in order to ensure that adequate safeguards are put in place with respect to the protection of Personal Data as required by Data Protection Laws.
In consideration of the promises, covenants and the mutual obligations hereinafter set forth, the parties agree as follows, the definitions in respect of which are set out at Exhibit A:


1. Data Protection

A. Each party shall comply with all Data Protection Laws which apply to it in respect of the performance of its obligations under this Clause.

B. The parties shall cooperate reasonably with each other in the fulfilment of their respective obligations in respect of Data Subject requests for third party notification, erasure or other requests under Data Protection Laws. 

C. A party shall promptly notify the other party if it receives notice of any claim or complaint in connection with Data Protection Laws in relation to Personal Data in respect of which Aegean Airlines SA / Olympic Air SA and the Travel Agent are Data Controllers. 

D. Taking into account the nature of and risks associated with the type of Personal Data collected or used in connection with offered services, each party shall have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing, storing and transmitting of Personal Data by or on behalf of the parties, including, where appropriate, data protection by default and/or by design measures, and all other such measures as may be agreed between the parties.

E. In relation to Personal Data where all parties are Joint Controllers, the parties will provide reasonable assistance and cooperate with each other to ensure each party's compliance with Data Protection Laws. Subject to obligations of confidentiality and Aegean Airlines SA / Olympic Air SA policies on the disclosure of information, where a party has a concern that there has been non-compliance of the other party with this Section 1, the parties agree to exchange information to ascertain the cause of such non-compliance, and take reasonable steps to remediate such non-compliance. 

F. The Travel Agent agrees to notify Aegean Airlines SA / Olympic Air SA of a Personal Data Breach without undue delay after becoming aware (but in no event later than 48 hours after becoming aware of the Personal Data Breach); the Travel Agent shall provide Aegean Airlines SA / Olympic Air SA, within the same deadline, with such details as Aegean Airlines SA / Olympic Air SA reasonably requires regarding the nature of the Personal Data Breach, any related investigations, the likely consequences and any measures taken by the Travel Agent to address the Personal Data Breach, and shall provide Aegean Airlines SA / Olympic Air SA with regular updates on these matters. The Travel Agent will co-operate reasonably with Aegean Airlines SA / Olympic Air SA, including in respect of any proposed notification to a Supervisory Authority.

G. International Transfers.

(i) The provision of the Travel Agent's services may require the transfer of Data to countries outside the EEA from time to time. The Travel Agent shall ensure, and shall require its Data Processors to ensure, that an appropriate mechanism that is recognized by applicable Data Protection Laws is implemented to allow for the data transfer.

(ii) The Travel Agent has, as of the Effective Date, certified its compliance with the EU-Regulation and commits to comply with the EU-Regulation principles pursuant to this Clause, including with onward transfer, unless and if Privacy Shield is no longer considered an appropriate mechanism for data transfers under Data Protection Laws and/or it decides not to renew its certification.


2. General

A. This Clause is without prejudice to the rights and obligations of the parties under the Group Offer which shall continue to have full force and effect. In the event of any conflict between the terms of this Clause and the terms of the Group Offer, the terms of this Clause shall prevail so far as the subject matter concerns the processing of Personal Data.

B. A person who is not a party to this Clause shall not have any rights to enforce this Clause including third party companies (where applicable). 

C. Should any provision of this Clause be invalid or unenforceable, then the remainder of this Clause shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

D. This Clause shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Group Offer and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Group Offer in respect of any claim or matter arising under this Clause.

E. Other than in respect of any accrued liabilities of either party and the provisions of Sections 1 and 2, this Clause shall terminate automatically on the expiry or termination for whatever reason of the Group Offer.

F. This Clause and Exhibit A are part of the Group Offers. No change, amendment, or modification of any provision of this Clause shall be effective unless reduced to writing and signed by an authorized representative of each party.

EXHIBIT A


Definitions
 
For the purposes of this Clause, the following terms shall have the following meanings:

A. “Group Offer” means the Offer for Group reservations issued by the Group Desk of Aegean Airlines SA / Olympic Air SA and forwarded to the Travel Agent.

B. "Data Protection Laws" means any law, rule or regulation relating to the processing, privacy, and use of Personal Data, as applicable to the Travel Agent or Aegean Airlines SA / Olympic Air SA, including, without limitation (i) as of 25 May 2018 the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any local and national laws, rules and regulations implementing GDPR or imposing specific privacy-related regulations where GDPR permits; (ii) ePrivacy Laws; and (iii) any other applicable data protection and privacy laws, rules, and regulations, and “Data Controller”, “Data Processor”, “Data Subject” and “processing” shall have the meanings given to those terms under Data Protection Laws.

C. "EEA" means the European Economic Area. 

D. “ePrivacy Laws” means (i) in member states of the European Union and the United Kingdom: any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive) and, once in effect, the Regulation concerning the respect for private life and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications) 2017/0003 (COD); (ii) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority; and (iii) where agreed by the parties in writing, industry self-regulatory codes of practice.

E. "Personal Data" means all personal data as defined under Data Protection Laws.

F. "Personal Data Breach" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Data processed by the controllers pursuant to this Clause.

G. "Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.