Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service and Service Agreement between:

1.1  This DPA governs the processing of personal data by QLIO on behalf of the Client in connection with the delivery of the QLIO reservation panel service.

1.2  This DPA applies exclusively to personal data of the Client’s end-customers (venue guests) processed through the booking panel.

1.3  This DPA is governed by Article 28 of the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) and, where applicable, the UK GDPR.

QLIO agrees to:

Process Personal Data only on documented instructions from the Client, as set out in this DPA and the Service Agreement.

Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

Implement appropriate technical and organizational measures, including:

• Encryption of Personal Data in transit (TLS/HTTPS) and at rest
• Access controls limiting staff access to Personal Data on a need-to-know basis
• Regular testing and evaluation of security measures
• Procedures for detecting, reporting, and investigating Security Incidents

Not engage any new Sub-processor without informing the Client in advance (14 days notice). See Section 6 for current Sub-processor list.

Assist the Client in responding to requests from Data Subjects exercising their rights under GDPR. QLIO will forward any such requests received directly to the Client without undue delay.

Assist the Client in ensuring compliance with GDPR obligations regarding security, breach notification, and data protection impact assessments.

Upon termination, delete or return all Personal Data to the Client. Data will be made available for export for 30 days following termination.

Make available all information necessary to demonstrate compliance with this DPA and allow for audits on reasonable notice.

The Client agrees to:

• Ensure there is a valid legal basis for processing Personal Data before instructing QLIO to process it
• Provide clear and sufficient privacy notices to Data Subjects about how their data is processed, including QLIO’s role as Processor
• Ensure that any instructions given to QLIO comply with applicable data protection laws

6.1  The Client grants QLIO general authorization to engage Sub-processors, subject to the conditions in this Section.

6.2  Current Sub-processors:

6.3  QLIO will inform the Client of any intended changes (additions or replacements) with at least 14 days notice. The Client may object within that period on reasonable grounds.

6.4  All Sub-processors are bound by data processing agreements imposing equivalent obligations to this DPA.

7.1  Personal Data of venue guests is retained for as long as necessary to fulfill the booking and for 12 months thereafter.

7.2  The Client may request earlier deletion by contacting support@qliopanel.com.

7.3  Upon expiry of the retention period, Personal Data is securely and permanently deleted.

8.1  QLIO will notify the Client without undue delay, and in any event within 72 hours of becoming aware of a Security Incident.

8.2  The notification will include: nature of the incident, categories and number of affected Data Subjects, likely consequences, and measures taken.

8.3  The Client is responsible for notifying the relevant supervisory authority and affected Data Subjects where required under GDPR.

9.1  EU/UK customers: Personal Data is processed on servers in the EU (Poland). Any transfer outside the EEA/UK is covered by EU Standard Contractual Clauses (SCCs) or UK IDTAs.

9.2  US customers: Personal Data is processed on servers in the United States. Transfers from the EU to the US are governed by EU Standard Contractual Clauses.

This DPA is governed by the laws of Poland and interpreted in accordance with the GDPR.

This DPA enters into force on the date the Service Agreement is accepted and terminates automatically upon termination of the Service Agreement, subject to the deletion obligations in Section 7.