Data Processing Addendum

DATA PROCESSING ADDENDUM (DPA)

This DPA sets out the terms that apply to the processing of any personal data processed by Portland Brown Limited (registered in England and Wales under company number (05452350) (Portland Brown) and any Sub-processors engaged by Portland Brown on behalf of the Customer in the course of providing the Services.

This DPA is supplemental to Portland Brown’s terms and conditions at https://www.portlandbrown.com/... or Master Services Agreement entered into between the parties, as appropriate (Agreement)

DEFINITIONS AND INTERPRETATION

1. Any terms that are capitalised but not defined in this DPA shall have the meanings given to them in the Agreement. Any rules of interpretation set out in the Agreement shall apply to this DPA.
2. The terms controller, processor, data subject, personal data, special categories of personal data, processing (and any similar terms), personal data breach, supervisory authority and third party shall have the meanings given to them in the Data Protection Laws (as defined below).

Definitions

Applicable Law	the applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states at any time together with applicable laws in the United Kingdom (UK) at any time.
Data Protection Laws	all Applicable Laws relating to the processing, privacy and/or use of personal data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances: the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR); the UK Data Protection Act 2018; any laws which implement any such laws; and any laws which replace, extend, re-enact, consolidate or amend any of the former (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time).
Standard Contractual Clauses	the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR is available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as may be amended, updated or superseded from time to time).
Sub-processor	another processor engaged by Portland Brown for carrying out processing activities in respect of any personal data behalf of the Customer.

1. In the event of any conflict or inconsistency between any of the terms of this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency. Except as specifically amended by this DPA, the Agreement shall remain unchanged and in full force and effect.

(a) managing its direct relationship with the individuals benefiting from the Services (Guests) throughout the period of their stay, including (without limitation) arranging check in, the provision of internet access and responding to queries or complaints;

(b) verifying Guests’ identification;

(c) conducting fraud monitoring, prevention, detection and prosecution; and

(d) complying with its own record retention obligations.

1. Customer’s obligations: Nothing in this DPA relieves the Customer of any responsibilities or liability under the Data Protection Law and the Customer warrants that:
   1. all instructions given by it to Portland Brown in respect of the personal data shall comply with the Data Protection Laws;
   2. except to the extent within Portland Brown’s control, the Customer is solely responsible for the accuracy, integrity and quality of the personal data and the means by which the Customer obtained the personal data; and
   3. it has established a lawful ground(s) for and provided data subjects with fair processing information in connection with all processing activities which may be undertaken by Portland Brown and its Sub-processors under the Agreement.
2. Portland Brown’s obligations: Portland Brown shall process the personal data in compliance with its obligations under the Data Protection Laws and otherwise in accordance with the terms of this DPA and the Agreement.

Portland Brown reserves it right to charge for works that are in excessive of what is strictly required to comply with Data Protection Laws.

1. INTERNATIONAL TRANSFERS OF PERSONAL DATA
   1. Transfers of personal data: Portland Brown shall not transfer any personal data outside the EEA unless such transfers, to the extent required under Data Protection Laws, are effected by way of such legally enforceable mechanism(s) for the transfer of personal data outside the EEA and the UK as may be permitted under the Data Protection Laws at any time (Appropriate Safeguards). The provisions of the Agreement shall constitute the Customer’s instructions with respect to any transfers in accordance with clause 3.1 (Customer’s instructions).
2. AUDITS
   1. Audits: Portland Brown shall, on request by the Customer, make available to the Customer such information as is reasonably necessary to demonstrate Portland Brown’s compliance with its obligations under this DPA and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose provided:
      1. such audit, inspection or information request is reasonable and is subject to the Customer giving Portland Brown reasonable prior notice of such audit, inspection or information request;
      2. audit rights only be exercised once in any consecutive 12-month period, unless otherwise required by a supervisory authority or if the Customer has reasonable grounds to believe that Portland Brown is in breach of this DPA; and
      3. any such audit or inspection is undertaken during Portland Brown’s normal business hours, with minimal disruption to the businesses of Portland Brown and each Sub-Processor.
3. TERMINATION OF THE AGREEMENT
   1. Deletion or return of personal data: Without affecting Portland Brown’s obligations under the Agreement, following expiry or termination of the Agreement (or any part of it), Portland Brown shall promptly and at the Customer’s option either delete or return (in such format and by such secure means as Portland Brown shall determine) all copies of the personal data processed by Portland Brown and its Sub-processors in respect of the Services.
4. WITHDRAWAL OF THE UK FROM THE EU (BREXIT)
   1. The UK withdrew from the EU at the end of December 2020 and was granted ‘adequacy’ by the European Commission under the GDPR in 2021. This means that the UK provides adequate protection for personal data transferred from the EU to the UK under the EU GDPR. Should this decision be revoked, the Standard Contractual Clauses shall be deemed to be incorporated into this DPA with immediate effect.

SCHEDULE 1 – DETAILS OF THE PROCESSING

Scope	The provision of the Services by Portland Brown to the Customer.
Nature and purpose of the processing	Portland Brown will process the personal data as necessary to perform the Services pursuant to its rights and obligations under the Agreement.
Duration of the processing	Subject to clause 9 (Termination of the Agreement) of this DPA, for the duration of the Agreement of any Services provided under the Agreement, unless otherwise agreed by the Customer in writing.
Categories of data subjects	Portland Brown provides corporate apartments for rent by its Customers’ employees which will result in the collection and processing of personal data relating to those employees.
Types of personal data	name email address phone number gender date of birth marital status passport/id card information visa information credit card details partner and dependent (including children) names, dob, gender, passport info data regarding health – e.g. allergies, specific health concerns that we need to be aware of language spoken country of residence job title and company working for religious beliefs IP address