DATA PROCESSING ADDENDUM (DPA)

This DPA sets out the terms that apply to the processing of any personal data processed by Portland Brown Limited (registered in England and Wales under company number (05452350) (Portland Brown) and any Sub-processors engaged by Portland Brown on behalf of the Customer in the course of providing the Services.

This DPA is supplemental to Portland Brown’s terms and conditions at https://www.portlandbrown.com/... or Master Services Agreement entered into between the parties, as appropriate (Agreement)

DEFINITIONS AND INTERPRETATION

Any terms that are capitalised but not defined in this DPA shall have the meanings given to them in the Agreement. Any rules of interpretation set out in the Agreement shall apply to this DPA.
The terms controller, processor, data subject, personal data, special categories of personal data, processing (and any similar terms), personal data breach, supervisory authority and third party shall have the meanings given to them in the Data Protection Laws (as defined below).

Definitions

Applicable Law	the applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states at any time together with applicable laws in the United Kingdom (UK) at any time.
Data Protection Laws	all Applicable Laws relating to the processing, privacy and/or use of personal data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances: the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR); the UK Data Protection Act 2018; any laws which implement any such laws; and any laws which replace, extend, re-enact, consolidate or amend any of the former (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time).
Standard Contractual Clauses	the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR is available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as may be amended, updated or superseded from time to time).
Sub-processor	another processor engaged by Portland Brown for carrying out processing activities in respect of any personal data behalf of the Customer.

In the event of any conflict or inconsistency between any of the terms of this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency. Except as specifically amended by this DPA, the Agreement shall remain unchanged and in full force and effect.

(a) managing its direct relationship with the individuals benefiting from the Services (Guests) throughout the period of their stay, including (without limitation) arranging check in, the provision of internet access and responding to queries or complaints;

(b) verifying Guests’ identification;

(d) complying with its own record retention obligations.

Customer’s obligations: Nothing in this DPA relieves the Customer of any responsibilities or liability under the Data Protection Law and the Customer warrants that:
1. all instructions given by it to Portland Brown in respect of the personal data shall comply with the Data Protection Laws;
2. except to the extent within Portland Brown’s control, the Customer is solely responsible for the accuracy, integrity and quality of the personal data and the means by which the Customer obtained the personal data; and
3. it has established a lawful ground(s) for and provided data subjects with fair processing information in connection with all processing activities which may be undertaken by Portland Brown and its Sub-processors under the Agreement.
Portland Brown’s obligations: Portland Brown shall process the personal data in compliance with its obligations under the Data Protection Laws and otherwise in accordance with the terms of this DPA and the Agreement.

Portland Brown reserves it right to charge for works that are in excessive of what is strictly required to comply with Data Protection Laws.

INSTRUCTIONS AND DETAILS OF THE PROCESSING
1. Customer’s instructions: Unless required by Applicable Law (in which case Portland Brown shall, to the extent permitted by Applicable Law, inform the Customer of such requirement in advance) Portland Brown shall, and shall take steps to ensure that its Personnel shall, process the personal data only in accordance with the Customer’s documented instructions pursuant to this DPA and the Agreement.
2. Infringing instructions: Portland Brown shall promptly inform the Customer if it becomes aware of any processing instruction that, in Portland Browns opinion, infringes the Data Protection Laws.
3. Details of the processing: Schedule 1 sets out the scope, nature, purpose and duration of the processing and the types of personal data and categories of data subjects as may apply to the processing of the personal data by Portland Brown under the Agreement.
SECURITY OF THE PROCESSING, BREACH NOTIFICATION AND PERSONNEL
1. Security of the processing: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects Portland Brown shall, in relation to the processing of personal data under the Agreement, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk.
2. Notification of personal data breaches: Portland Brown shall notify the Customer of any personal data breach involving the personal data without undue delay and shall provide the Customer with such information as the Customer may require in relation to such personal data breach.
3. Personnel: Portland Brown shall ensure that its Personnel are subject to a binding written contractual obligation to keep the personal data confidential except where disclosure is required by Applicable Law (in which case Portland Brown shall, to the extent permitted by Applicable Law, inform the Customer of such requirement in advance).
SUB-PROCESSORS
1. Authorised Sub-processors: Subject to 5.3 below, the Customer authorises Portland Brown to engage Sub-processors as set out in Portland Brown’s privacy notice, as amended from time to time and found here: https://www.portlandbrown.com/privacy-policy.
2. Obligations regarding Sub-processors: Portland Brown shall:
  1. prior to the relevant Sub-processor carrying out any processing activities in respect of the personal data, appoint each Sub-processor under a written contract provision containing materially the same obligations as under this DPA that is enforceable by Portland Brown (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);
  2. ensure each such Sub-processor complies with all such obligations; and
  3. remain fully liable for all the acts and omissions of each Sub-processor as if they were its own.
DATA SUBJECT REQUESTS AND ASSISTANCE
1. Data subject requests: Portland Brown shall, when acting as processor of the personal data, refer all requests that it receives from any data subject exercising their rights under the Data Protection Laws to the Customer without undue delay.
2. Assistance with data subject requests: Taking into account the nature of the processing and information available to Portland Brown, Portland Brown shall implement and maintain appropriate technical and organisational measures to ensure, as far as possible, the fulfilment by the Customer of its obligation to respond to requests by data subjects exercising their rights under the Data Protection Laws.
3. Assistance with other compliance obligations: Taking into account the nature of the processing and information available to Portland Brown, Portland Brown shall provide the Customer with such assistance as it reasonably requires in ensuring compliance with the Customer’s obligations under the Data Protection Laws with respect to:
  1. security of processing;
  2. data protection impact assessments (as such term is defined in Data Protection Laws);
  3. prior consultation with a supervisory authority regarding high risk processing; and
  4. notifications to the supervisory authority and/or communications to data subjects by the Customer in response to any personal data breach.

Portland Brown reserves it right to charge for works that are in excessive of what is strictly required to comply with Data Protection Laws.

INTERNATIONAL TRANSFERS OF PERSONAL DATA
1. Transfers of personal data: Portland Brown shall not transfer any personal data outside the EEA unless such transfers, to the extent required under Data Protection Laws, are effected by way of such legally enforceable mechanism(s) for the transfer of personal data outside the EEA and the UK as may be permitted under the Data Protection Laws at any time (Appropriate Safeguards). The provisions of the Agreement shall constitute the Customer’s instructions with respect to any transfers in accordance with clause 3.1 (Customer’s instructions).
AUDITS
1. Audits: Portland Brown shall, on request by the Customer, make available to the Customer such information as is reasonably necessary to demonstrate Portland Brown’s compliance with its obligations under this DPA and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:
  1. such audit, inspection or information request is reasonable and is subject to the Customer giving Portland Brown reasonable prior notice of such audit, inspection or information request;
  2. audit rights only be exercised once in any consecutive 12-month period, unless otherwise required by a supervisory authority or if the Customer has reasonable grounds to believe that Portland Brown is in breach of this DPA; and
  3. any such audit or inspection is undertaken during Portland Brown’s normal business hours, with minimal disruption to the businesses of Portland Brown and each Sub-Processor.
TERMINATION OF THE AGREEMENT
1. Deletion or return of personal data: Without affecting Portland Brown’s obligations under the Agreement, following expiry or termination of the Agreement (or any part of it), Portland Brown shall promptly and at the Customer’s option either delete or return (in such format and by such secure means as Portland Brown shall determine) all copies of the personal data processed by Portland Brown and its Sub-processors in respect of the Services.
WITHDRAWAL OF THE UK FROM THE EU (BREXIT)
1. The UK withdrew from the EU at the end of December 2020 and was granted ‘adequacy’ by the European Commission under the GDPR in 2021. This means that the UK provides adequate protection for personal data transferred from the EU to the UK under the EU GDPR. Should this decision be revoked, the Standard Contractual Clauses shall be deemed to be incorporated into this DPA with immediate effect.

SCHEDULE 1 – DETAILS OF THE PROCESSING

Scope	The provision of the Services by Portland Brown to the Customer.
Nature and purpose of the processing	Portland Brown will process the personal data as necessary to perform the Services pursuant to its rights and obligations under the Agreement.
Duration of the processing	Subject to clause 9 (Termination of the Agreement) of this DPA, for the duration of the Agreement of any Services provided under the Agreement, unless otherwise agreed by the Customer in writing.
Categories of data subjects	Portland Brown provides corporate apartments for rent by its Customers’ employees which will result in the collection and processing of personal data relating to those employees.
Types of personal data	name email address phone number gender date of birth marital status passport/id card information visa information credit card details partner and dependent (including children) names, dob, gender, passport info data regarding health – e.g. allergies, specific health concerns that we need to be aware of language spoken country of residence job title and company working for religious beliefs IP address

Data Processing Addendum