Data Processing Agreement
pursuant to Art. 28(3) of the General Data Protection Regulation (GDPR)
Version: 2026-03-30
Contracting Parties
Processor:
Lambus GmbH
Albert-Einstein-Straße 1
49076 Osnabrück
Germany
Represented by: Hans Knöchel
Email: privacy@lambus.com
Controller:
The company that has electronically accepted this Agreement via the Lambus for Business platform (hereinafter referred to as the "Controller"). The time of acceptance and the contract version are logged electronically.
Preamble
This Agreement governs the obligations of the contracting parties under Art. 28(3) GDPR for the protection of the personal data of data subjects and supplements the Terms of Service of the Lambus for Business platform (hereinafter referred to as the "Main Contract") in this regard. It applies to all processing of personal data related to the Main Contract in which the Processor or third parties engaged by the Processor process personal data on behalf of the Controller.
1. Subject Matter, Duration, and Specification of Data Processing
1.1 Nature, Purpose, and Subject Matter of Processing
- Subject matter: Provision and operation of the Lambus for Business platform for the presentation of travel information and associated support services.
- Purpose: Digitization and management of travel data, booking management, coordination of travel groups, and communication between participants on behalf of the Controller.
Duration of Processing
- Processing takes place for the duration of the Main Contract, unless the following provisions or statutory obligations require storage beyond this period.
- After termination of the Main Contract, personal data will be deleted or returned in accordance with Section 2.9 of this Agreement, unless statutory retention obligations preclude this.
Type of Personal Data Processed
- Master data: Last name, first name, date of birth, address.
- Contact data: Email address, phone number.
- Travel data: Booking references, flight numbers, hotel information, travel routes, identity document data (if stored for bookings).
- Usage data: IP addresses, log files, device information.
Categories of Data Subjects
- Customers and prospects of the Controller.
- Employees of the Controller (e.g. administrators or travel coordinators).
- Co-traveling third parties within the groups managed by the Controller.
1.2 In the context of providing the software, personal data may be processed by engaged sub-processors in countries outside the European Union (EU) or the European Economic Area (EEA), in particular in the United States of America.
Such transfer is made exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR.
If no adequacy decision of the European Commission exists for the relevant third country, the transfer is made on the basis of appropriate safeguards within the meaning of Art. 46 GDPR, in particular by concluding EU Standard Contractual Clauses (SCCs).
Insofar as a service provider is certified under the EU-US Data Privacy Framework, data transfer is made on the basis of the corresponding adequacy decision of the European Commission.
The provider ensures that an adequate level of data protection is guaranteed for all third-country transfers. The Processor documents the appropriate safeguards employed and makes them available to the Controller upon request.
Changes to the transfer mechanisms used will be notified to the Controller without undue delay.
2. Rights and Obligations of the Processor
2.1 The Processor processes data of data subjects exclusively within the scope of the agreements made and the documented instructions of the Controller and in accordance with data protection regulations, unless it is obligated to another type of processing under Union or Member State law to which the Processor is subject. In the latter case, the Processor shall inform the Controller of those legal requirements before processing, unless such law prohibits this on grounds of an important public interest (Art. 28(3)(a) GDPR). The Processor shall not use the data made available for processing for any other purposes and in particular not for its own purposes. Copies of the data not regulated in the Order or in this Agreement shall not be made.
If the Controller's instructions are initially given verbally, they shall be confirmed in writing or electronically without undue delay. The Controller's instructions are documented by the Processor and retained for the duration of the contractual relationship.
The use of personal data for the development, training, or improvement of the Processor's own or third-party AI models is excluded. Processing for the Processor's own purposes does not take place.
Any processing deviating from this requires a separate written agreement between the parties.
2.2 The Processor shall inform the Controller without undue delay if it considers that an instruction infringes statutory provisions (Art. 28(3)(2) GDPR). If the lawfulness of an instruction is in doubt, the Processor is entitled to suspend the execution of the instruction until it is confirmed or amended by the Controller. If serious violations of personality rights are at stake or if the Processor takes on the risk of a criminal act by acting on the instruction, it may additionally suspend the implementation of the instruction until the parties have found a mutually agreed solution.
2.3 The Processor shall organize its internal operations in a manner that meets data protection requirements. In particular, it shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk for the Controller's data (Art. 32(1) GDPR). If personal data is processed in telework and homeworking, it is obligated to notify the Controller of this. It shall implement these technical and organizational measures in such a way that the confidentiality, integrity, availability, and resilience of the systems and services related to processing are permanently ensured. The relevant technical and organizational measures are set out in the Technical and Organizational Measures (TOMs) in Annex 2. This annex forms part of this Agreement. Changes to the technical and organizational measures are permissible provided they do not fall below the contractually agreed level of protection. The Processor documents such changes and ensures that they continue to meet the requirements of Art. 32 GDPR. Material changes affecting the security concept will be communicated to the Controller in advance.
2.4 The Processor shall, insofar as possible, assist the Controller with appropriate technical and organizational measures in fulfilling its obligation to respond to requests from data subjects for the exercise of their rights listed in Chapter III of the GDPR (Art. 28(3)(e) GDPR), and shall support the Controller, taking into account the information available to it, in complying with the obligations set out in Art. 32 to 36 GDPR, such as data protection impact assessments where required (Art. 28(3)(f) GDPR).
2.5 The Processor shall ensure that employees engaged in processing the Controller's data and other persons acting for the Processor are prohibited from processing the data outside the scope of the instruction. The Processor further ensures that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of secrecy (Art. 28(3)(b) GDPR). The confidentiality/secrecy obligation continues after termination of the Order.
2.6 The Processor shall notify the Controller without undue delay, generally within 24 hours of becoming aware, of any personal data breach within the meaning of Art. 4 No. 12 GDPR.
The notification shall contain at least the information specified in Art. 33(3) GDPR to the extent available to the Processor.
2.7 The Processor shall inform the Controller of contact persons for instructions arising in connection with the contract and of any data protection officer. In the event of a change or long-term unavailability of contact persons, the contact details of a new, responsible contact person or of any data protection officer shall be notified to the Controller without undue delay.
Contact person of the Processor
Hendrik Scherer, Head of B2B Partnerships, 0541 40659977, privacy@lambus.com
2.8 The Processor shall correct, delete, or restrict the data that is subject to this Agreement if instructed to do so by the Controller and if this is covered by the scope of instructions, unless the instruction conflicts with any statutory retention obligations.
2.9 Upon termination of the Order, data (including existing copies), data carriers, and other materials shall, at the Controller's request and at its option, either be returned or deleted within at most 30 days of the end of the contract, unless Union or Member State law provides for an obligation to continue storing the personal data (Art. 28(3)(g) GDPR). The Processor shall confirm to the Controller upon request, in writing or in electronic form, the proper deletion or return of the data. If immediate deletion of certain data sets is not possible for technical reasons, in particular due to backup or archive systems, such data will be restricted until final deletion and will not be processed further.
2.10 In the event of the Controller being held liable by a person in connection with any claims for damages pursuant to Art. 82 GDPR, the Processor undertakes to support the Controller in defending against such claims to the extent of its capabilities.
2.11 The Processor shall ensure by appropriate technical and organizational measures that personal data of different controllers is processed in a logically separate manner. The use of productive personal data for testing or development purposes is carried out exclusively in anonymized or pseudonymized form.
3. Rights and Obligations of the Controller
3.1 The Controller is responsible, within the framework of this Agreement, for compliance with the statutory provisions of data protection laws, in particular for assessing the lawfulness of processing pursuant to Art. 6(1) GDPR, the transfer of data to the Processor, and for safeguarding the rights of data subjects pursuant to Art. 12 to 22 GDPR ("Controller" within the meaning of Art. 4 No. 7 GDPR).
3.2 The Controller shall notify the Processor without undue delay if it identifies errors or irregularities with respect to data protection provisions in the results of the Order.
3.3 In the event of the Processor being held liable by a person in connection with any claims for damages pursuant to Art. 82 GDPR, the Controller undertakes to support the Processor in defending against such claims to the extent of its capabilities.
3.4 The Controller shall inform the Processor of persons authorized to issue instructions in connection with the contract and of the data protection officer(s). In the event of a change or long-term unavailability of contact persons, the contact details of a new, responsible contact person or data protection officer shall be notified to the Processor without undue delay.
Persons authorized to issue instructions on behalf of the Controller within the meaning of this Agreement are the administrators registered in the Controller's organizational account on Lambus for Business. Any changes to authorized persons shall be notified to the Processor without undue delay via the platform or by email to privacy@lambus.com.
3.5 The Controller is obligated to treat all knowledge of trade secrets and data security measures of the Processor acquired in the context of the contractual relationship as confidential. This obligation continues after termination of this Agreement. The powers of the supervisory authorities, in particular pursuant to Art. 58(1) GDPR, remain unaffected.
4. Requests from Data Subjects
If a data subject asserts their rights pursuant to Art. 15 et seq. GDPR against the Processor, the Processor will refer the data subject to the Controller, provided that an assignment to the Controller is possible based on the information provided by the data subject. In accordance with Section 2.4 of this Agreement, the Processor shall, insofar as possible, assist the Controller with appropriate technical and organizational measures in fulfilling requests from data subjects for the exercise of the rights listed in Chapter III of the GDPR.
5. Inspection Rights of the Controller
5.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR, insofar as these are required in the context of an external audit (Art. 28(3)(h) GDPR).
5.2 The Controller is entitled to satisfy itself, before the commencement of and during processing, that the technical and organizational measures implemented by the Processor and the obligations set out in this Agreement are being complied with. This and measures pursuant to Section 5.4 are not precluded by the submission of evidence pursuant to Section 5.1.
5.3 Inspections by the Controller or an auditor appointed by the Controller shall in principle be conducted after prior notification with reasonable advance notice during normal business hours. Inspections shall be conducted with due regard to the Processor's legitimate trade and operational secrets and in accordance with the principle of proportionality. They are generally limited to an appropriate extent and frequency. The Processor shall make the inspection conditional upon the signing of a confidentiality declaration if there is a possibility that the Controller or an auditor appointed by it may gain access to data processed by the Processor on behalf of another controller during the inspection. The Controller shall ensure that an auditor appointed by it is not in a competitive relationship with the Processor.
6. Sub-processors (Further Processors)
6.1 A sub-processing relationship exists when the Processor engages further processors with all or part of the services agreed in the contract. In selecting a sub-processor, the Processor shall take particular care to ensure that the sub-processor provides sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that processing meets the requirements of the General Data Protection Regulation.
Services that the Processor obtains from third parties as ancillary services to support the performance of the Order are not to be understood as sub-processing within the meaning of this provision. These include, for example, telecommunications services, maintenance and user services (where access to the Controller's personal data is excluded), cleaning staff, and auditors. The Processor shall conclude written agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures and reserves the right to exercise control measures to ensure the protection and security of the Controller's data.
6.2 The Processor shall not engage any sub-processor without prior separate or general written authorization. The Processor shall notify the Controller in advance of sub-processing relationships already existing at the time of conclusion of this Agreement. The sub-processing relationships existing at the commencement of the contract are listed in Annex 1 to this Agreement. These shall be deemed approved from the commencement of the Order.
6.3 Further Sub-processors
The Controller hereby grants the Processor general authorization within the meaning of Art. 28(2) GDPR to engage further sub-processors. The Processor shall notify the Controller in good time, in text form, of intended changes regarding the addition or replacement of sub-processors. The Controller may object to such changes in writing within 30 days of receipt of the notification on important data protection grounds. If no mutually agreed solution is reached, the Controller is entitled to terminate the Main Contract with extraordinary notice insofar as the data processing is affected thereby.
6.4 The agreement with the sub-processor must be in writing, which may also be in an electronic format (Art. 28(4) and (9) GDPR). The agreement with the sub-processor must effectively impose on it the same data protection obligations as those set out in the present Agreement. The Controller is entitled to verify or have verified, through the Processor, compliance with the data protection obligations imposed on the sub-processor.
6.5 The Processor shall be liable to the Controller for the sub-processor's compliance with the data protection obligations contractually imposed on it by the Processor in accordance with this Section (Art. 28(4)(2) GDPR).
6.6 The engagement of sub-processors in third countries shall only take place in compliance with the requirements of Art. 44 et seq. GDPR. If general authorization has been granted pursuant to Section 6.3, the information and objection rights set out therein also apply to third-country transfers.
7. Liability and Damages
The contracting parties shall be liable in accordance with the relevant statutory provisions or to data subjects pursuant to Art. 82 GDPR. Insofar as a contracting party is responsible for a data protection breach, it shall indemnify the other contracting party in their internal relationship from third-party claims insofar as the breach falls within its area of responsibility. The allocation of liability is otherwise governed by Art. 82 GDPR.
8. Final Provisions
8.1 The Processor shall notify the Controller without undue delay if the Controller's data is at risk from seizure or confiscation, insolvency or composition proceedings, or other events or measures by third parties affecting the Processor. The Processor shall notify all parties involved without undue delay that ownership of the data rests exclusively with the Controller.
8.2 Amendments and additions to this Agreement and all its components, including any representations by the Processor, require a written or electronically formatted agreement that expressly indicates that it constitutes an amendment or addition to this Agreement. This is without prejudice to the Processor's unilateral right of amendment pursuant to Section 8.5.
8.3 Should any provision of this Agreement be wholly or partially invalid or unenforceable, the validity of the remaining provisions shall not be affected. In this case, the parties shall reach a mutually agreed new provision or supplement the existing provision that replaces or supplements the invalid or unenforceable provision in a manner that most closely approximates the provision originally intended by the parties when drafting this Annex, had they considered the invalidity or unenforceability. This also applies to any gaps in the Agreement.
8.4 If the Processor receives requests from authorities or other third parties for the disclosure of the Controller's personal data, it shall notify the Controller without undue delay, insofar as it is legally permitted to do so. The Processor shall only disclose the data if it is legally obligated to do so.
8.5 The Processor is entitled to amend this Agreement with effect for the future, provided this is required for legal, technical, or organizational reasons.
The Controller will be notified of amendments in text form. If the Controller does not object within 30 days of receipt of the notification, the amendments shall be deemed accepted. The Processor shall expressly draw the Controller's attention to the significance of the objection period in the notification.
In the event of a timely objection, both parties are entitled to terminate the contractual relationship with extraordinary notice.
This Agreement is concluded electronically by the Controller via the Lambus for Business platform (Art. 28(9) GDPR). The time of acceptance and the accepted contract version are logged electronically and can be evidenced upon request.