1. In the execution of this agreement, there is a relationship between the person in charge and the person responsible for the treatment for the provision of services offered by Chekin, which aims to manage and store the entry forms of travelers to tourist accommodation and facilitate their registration and communication of guests’ data to the police on behalf of the accommodation in compliance with Order INT / 1922/2003, of July 3, on registration books and traveler entry parts in hotel and other similar establishments and, in if the accommodation accepts it, facial recognition through guest biometrics to carry out the pre-checkin and its segmentation for statistical purposes.
2. By virtue of the provision of services mentioned in the previous point, the CLIENT will become the Controller for the treatment of those data of their guests captured through the different services offered by Chekin.
3. Chekin will access and process personal data on behalf of the Controller and under the responsibility of the latter, with respect to whose treatment Chekin will be considered the data Processor for the purposes of the applicable regulations. To these effects:
a) The object and nature of the treatment order is determined by the provisions of Chekin’s Terms of Service and Privacy Policy.
b) The purpose of the treatment to be carried out by the Processor is to manage and store the entry of travelers in the Controller’s establishments, the sending of information about the guests to the police on behalf of the Controller and, where appropriate, the pre-checkin of travelers through biometrics and segmentation for statistical purposes.
c) Personal data are enormously varied and include, among others: identification data, contact data, personal characteristics data (date of birth) and, in case of activation of the pre-check-in possibility, biometric data (facial recognition through of a selfie and comparison with a photograph of the identity document). For their part, the main categories of interested parties are guests of the Controller.
4. The Processor must process the data referred to in this text in accordance with the services contracted by the owners of the accommodation with Chekin, in accordance with the Chekin Terms of Service and the Chekin Privacy Policy, and always under the instructions that the Controller provides and in any case will adopt organizational and technical measures that are consistent with the type of data to be processed, the purposes and risks of the processing and will carry out specific privacy actions from the design and by default on those treatments to be carried out.
5. Chekin must follow the instructions provided by the Controller, including with respect to data transfers to countries outside the European Economic Area or international organizations, unless it is obliged to do so by virtue of any European Union standard or legislation. of any applicable Member State, in which case it is obliged to notify the Controller.
6. Chekin will refrain from applying or using the personal data accessed for purposes other than those agreed with the Controller, nor will it communicate them, not even for their conservation, to other people, unless such communication has been previously and expressly authorized by the Controller. In the event that Chekin uses the data for different purposes, it will be considered Controller for the treatment in accordance with the provisions of the applicable regulations.
7. Chekin must assist the Controller so that it can comply with its obligations to care for the interested parties when they exercise any of the rights that, with respect to their personal data, the regulations recognize. In this sense, Chekin undertakes to immediately notify the owner of the accommodation in question of the exercise of rights by the interested parties, in order to be able to attend to them and comply with their legal obligations in this regard.
8. Likewise, Chekin will be obliged to make available to the Controller all the information and documentation that is pertinent in order to demonstrate compliance by its part of the obligations set forth in this text, as well as to allow audits, inspections, evaluations, etc. that may be required by the Controller or a third party authorized or designated by him, collaborating in whatever is necessary. This obligation implies that the Processor must inform the Controller in case of detecting that, in his opinion, any instruction or measure implemented in relation to the collection and / or processing of personal data referred to in this text violates any Union regulation. European and / or any applicable Member State.
9. Chekin undertakes to keep secrecy regarding the personal data being processed, and to maintain absolute confidentiality and reserve on any data that it may learn on the occasion of the performance of the services provided, guaranteeing that it will extend this obligation to all the personnel of its organization authorized to access the personal data object of the Controller. This duty of secrecy and confidentiality will subsist without any time limit.
10. The Controller authorizes Chekin to subcontract to third parties for the provision of any service that involves the processing of personal data under its responsibility. The execution of certain services may require the subcontracting by Chekin of certain services to other companies; currently such services will be provided, among others, by:
- Amazon Web Services EMEA SARL. 38 avenue John F. Kennedy, L-1855 Luxembourg. VAT Number: LU 26888617.
- DigitalOcean, 101 Avenue of the Americas, 10th Floor New York, NY 10013. VAT Number: EU 528002224.
11. The data processing carried out by the subcontractor will also comply with the instructions of the Processor. In this sense, the Processor will have given instructions to treat the data in conditions similar to those provided in this text.
12. The parties agree that the sub-Processor may be replaced in his obligations by another service provider, without the need for Chekin to notify the Controller. The provider who, if applicable, succeeds the sub-Processor, will be substituted in the position he occupies.
13. Once the relationship between the Chekin and their client is concluded, the personal data must be deleted or returned to the Controller, at the latter’s choice, deleting any copies of the same.
14. The foregoing, unless there is any regulation of the European Union and / or of any of the Member States that is applicable by virtue of which the conservation of personal data is required. In this case, Chekin must proceed to return the data, guaranteeing its conservation to the Controller.
15. The duration of personal data processing to be carried out by Chekin will be determined by the duration of the relationship between Chekin and the owner of the accommodation.
16. Chekin must notify the Controller, without undue delay, and in any case before the maximum period of 48 hours, the notifications of security violations by sending an email to said Controller.
17. The basic content that the security violation notification should have will be the following:
- Description of the nature of the security breach, and, if possible, the approximate number of those affected, the data categories and the number of data records affected.
- Obligation to make available the contact details of the Data Protection Delegate or other contact point that allows information to be obtained.
- Describe the possible consequences of the breach of personal data security.
- Explain the security measures adopted or proposed by the data Controller to alleviate or stop the security breach.
18. For its part, other obligations for Chekin are the following:
to. Provide the Data Controller with access to the data referred to in this text and / or allow such access.
b. Ensure compliance with the regulations on data protection in the development of their functions.
c. Allow inspections and audits on data protection when previously warned 72 hours in advance.
19. In any case, the Controller is responsible for informing their guests of the processing of their data. For this purpose, the Controller is obliged to provide guests with its privacy policy, or to use the generic one contained in Chekin’s Terms of Service, and to report on each of the treatments carried out through it.
20. In this regard, Chekin is not liable for damages that may arise out of or in connection with the use of the services that Chekin offers. This includes, but is not limited to: direct loss, loss of business or profits, damage caused to your device and the data contained therein, as well as any other direct or indirect, consequential and incidental damage.
20.1 Chekin is not responsible for the data provided during the pre-check-in or check-in processes, as well as for the data provided in the different profiles of the owners of the accommodation or for its veracity. Verification that this information is correct corresponds to the owner of the accommodation by whatever means it considers.
20.2 Chekin is not responsible for the Particular Conditions (price, services, cancellation, etc.) that are agreed between accommodations and guests, as well as for their modification.