Oxbourne House Apt 11 Lounge2

Data Processing Addendum

This DPA sets out the terms that apply to the processing of any personal data processed by Portland Brown Limited (registered in England and Wales under company number 05452350) (Portland Brown) and any Sub-processors engaged by Portland Brown on behalf of the Customer in the course of providing the Services.

This DPA is supplemental to Portland Brown’s terms and conditions at https://www.portlandbrown.com/terms-and-conditions or the Master Services Agreement entered into between the parties, as appropriate (the “Agreement”).

DEFINITIONS AND INTERPRETATION

1.1. Any terms that are capitalised but not defined in this DPA shall have the meanings given to them in the Agreement. Any rules of interpretation set out in the Agreement shall apply to this DPA.

1.2. The terms controller, processor, data subject, personal data, special categories of personal data, processing (and any similar terms), personal data breach, supervisory authority and third party shall have the meanings given to them in the Data Protection Laws (as defined below).

1.3. Definitions:

  • Applicable Law: the applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states at any time together with applicable laws in the United Kingdom (UK) at any time.

  • Data Protection Laws: all Applicable Laws relating to the processing, privacy and/or use of personal data, including (where applicable):
    (a) the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR);
    (b) the UK Data Protection Act 2018;
    (c) any laws which implement any such laws; and
    (d) any laws which replace, extend, re-enact, consolidate or amend any of the former (including the GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018).

  • Standard Contractual Clauses: the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR, available at:
    https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

  • Sub-processor: another processor engaged by Portland Brown for carrying out processing activities in respect of any personal data on behalf of the Customer.

1.4. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict. Except as amended by this DPA, the Agreement remains unchanged.

2. APPLICATION OF THIS DPA AND ROLES OF THE PARTIES

2.1. This DPA applies only when Portland Brown acts as a processor on behalf of the Customer; the Customer is established within the EEA and/or Portland Brown processes personal data relating to data subjects located in the EEA.

2.2. Roles:

  • The Customer is the controller and Portland Brown is the processor for personal data processed on the Customer’s behalf.

  • Portland Brown is a controller for personal data it processes for its own purposes, including:
    (a) managing its relationship with Guests during their stay;
    (b) verifying Guests’ identification;
    (c) fraud monitoring and prevention;
    (d) complying with record retention obligations.

2.3. Customer’s obligations:

  • All instructions to Portland Brown must comply with Data Protection Laws.

  • Except for matters within Portland Brown’s control, the Customer is responsible for accuracy and quality of the personal data and how it was obtained.

  • The Customer must have a lawful basis and provide fair processing information to data subjects for processing activities undertaken by Portland Brown and its Sub-processors.

2.4. Portland Brown shall process personal data in compliance with Data Protection Laws and in accordance with this DPA and the Agreement.

3. INSTRUCTIONS AND DETAILS OF THE PROCESSING

3.1. Portland Brown will process personal data only according to the Customer’s documented instructions, unless required otherwise by law.

3.2. Portland Brown shall inform the Customer if it believes any instructions infringe Data Protection Laws.

3.3. Details of processing are set out in Schedule 1 below.

4. SECURITY OF THE PROCESSING, BREACH NOTIFICATION AND PERSONNEL

4.1. Portland Brown will implement appropriate technical and organizational measures to ensure security appropriate to the risk.

4.2. Portland Brown shall notify the Customer of any personal data breach without undue delay and provide necessary information.

4.3. Portland Brown will ensure its personnel are bound to confidentiality obligations.

5. SUB-PROCESSORS

5.1. The Customer authorizes Portland Brown to engage Sub-processors as listed in Portland Brown’s privacy notice:
https://www.portlandbrown.com/privacy-policy

5.2. Portland Brown will:

  • Enter into written contracts with Sub-processors including terms similar to this DPA;

  • Ensure Sub-processors comply with obligations;

  • Remain fully liable for Sub-processors’ acts or omissions.

6. DATA SUBJECT REQUESTS AND ASSISTANCE

6.1. Portland Brown shall promptly refer data subject requests to the Customer.

6.2. Portland Brown will assist the Customer in fulfilling data subject rights requests as far as possible.

6.3. Portland Brown shall assist with compliance obligations such as security measures, data protection impact assessments, consultations with supervisory authorities, and breach notifications.

Portland Brown reserves the right to charge for work exceeding what is strictly necessary.

7. INTERNATIONAL TRANSFERS OF PERSONAL DATA

Portland Brown shall not transfer personal data outside the EEA unless done via legally enforceable mechanisms permitted under Data Protection Laws.

8. AUDITS

Portland Brown will allow reasonable audits by the Customer (or its auditor) to demonstrate compliance with this DPA subject to reasonable notice, frequency limits, and during normal business hours.

9. TERMINATION OF THE AGREEMENT

Upon termination or expiry of the Agreement, Portland Brown shall delete or return all personal data as per the Customer’s instructions.

10. WITHDRAWAL OF THE UK FROM THE EU (BREXIT)

The UK was granted adequacy by the European Commission in 2021. Should this be revoked, Standard Contractual Clauses will be incorporated into this DPA immediately.


SCHEDULE 1 – DETAILS OF THE PROCESSING

Scope: Provision of Services by Portland Brown to the Customer.

Nature and purpose of processing: Portland Brown will process personal data as necessary to perform Services pursuant to the Agreement.

Duration: For the duration of the Agreement unless otherwise agreed.

Categories of data subjects: Employees of the Customer who stay in Portland Brown’s corporate apartments.

Types of personal data:

  • Name

  • Email address

  • Phone number

  • Gender

  • Date of birth

  • Marital status

  • Passport/ID card information

  • Visa information

  • Credit card details

  • Partner and dependent names, dates of birth, gender, passport info

  • Health data (e.g., allergies, health concerns)

  • Language spoken

  • Country of residence

  • Job title and company

  • Religious beliefs

  • IP address