Data Processing Agreement

1. INITIAL PROVISIONS

This Data Processing Agreement (the "DPA") is an integral part of the Agreement between likeMagic and the Customer.



2. DEFINITIONS

Any capitalized terms not specifically defined in this DPA shall have the meanings assigned to them in the Agreement. Additional definitions relevant to this DPA are specified below.

"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by likeMagic under this DPA.

"Data Protection Legislation" means all laws and regulations of the European Union, Switzerland, and the United Kingdom applicable to the Processing of Personal Data under the Agreement, including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances ("Swiss FADP"); (iv) the EU e-Privacy Directive (Directive 2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii), (iv).

"Personal Data" means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by likeMagic on behalf of Customer in the course of providing the Services, as more particularly described in Annex A of this DPA.

"Sub-processor" means any third party engaged by likeMagic to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as Processor.

The terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the Data Protection Legislation. 

 

3. RELATIONSHIP AND ROLES OF THE PARTIES

The Parties acknowledge and agree that, with respect to the Processing of Personal Data, the Customer (or a third party on whose behalf the Customer is authorized to instruct likeMagic) is the Controller and likeMagic acts as a Processor (or sub-Processor, as applicable to the Customer's use of the Services). 

 

4. LIKEMAGIC'S OBLIGATIONS

    4.1  Permitted Purposes. likeMagic shall Process Personal Data for the permitted purposes described in Annex A of this DPA (the "Permitted Purposes").

    4.2  Compliance with Customer Instructions. likeMagic shall Process Personal Data in accordance with Customer's documented lawful instructions, except where otherwise required by laws that are compatible with applicable Data Protection Legislation. The Agreement, including this DPA, along with the Customer's configuration of any settings or options in the Services, constitute Customer's complete and final instructions to likeMagic regarding the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of the Agreement and this DPA. likeMagic shall inform the Customer if it becomes aware that Customer's instructions infringe Data Protection Legislation (but without obligation to actively monitor Customer's or, where applicable, its Controller's compliance with Data Protection Legislation).

    4.3  Technical and Organizational Measures. likeMagic shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect data, including the Personal Data, from Data Breaches and to preserve security and confidentiality of Personal Data, in accordance with the measures identified in Annex C of this DPA ("Technical and Organizational Measures"). Customer acknowledges that the Technical and Organizational Measures are subject to technical progress and development and that likeMagic may update or modify the Technical and Organizational Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.

    4.4  Personnel Confidentiality and Training. likeMagic shall ensure that any person likeMagic authorizes to Process the Personal Data (including likeMagic's staff, agents, and sub-processors) ("Personnel") is under appropriate obligations of confidentiality (whether a contractual or statutory duty), has received proper training, is informed about the confidential nature of the Personal Data and their obligations related to it, and has access to Personal Data only on a need-to-know basis. likeMagic shall ensure that Personnel Processes the Personal Data only as necessary for the Permitted Purposes.

    4.5  Data Deletion or Return upon Termination. Upon termination or expiration of the Agreement, likeMagic shall delete or return to the Customer all Personal Data in its possession or control, except for one copy for archival and compliance purposes.

    4.6  Data Protection Impact Assessment. To the extent required by Data Protection Legislation, likeMagic shall provide reasonable cooperation regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.

    4.7  Request for Disclosure. likeMagic shall promptly notify the Customer about any legally binding request for disclosure of the Personal Data by a judicial or regulatory authority, unless otherwise prohibited (for example, by an obligation under criminal law to preserve the confidentiality of a judicial enquiry), and shall assist the Customer accordingly (at Customer's expense).

    4.8  Data Subject Rights. To the extent that the Customer is unable to access the relevant Personal Data within the Services independently, likeMagic shall, taking into account the nature of the Processing, provide assistance (including by appropriate technical and organizational measures) to provide reasonable cooperation to the Customer in order to (i) respond to any requests from a Data Subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence"). In the event that any such Correspondence is made directly to likeMagic, it shall promptly notify the Customer and shall not respond directly unless legally compelled to do so. If likeMagic is required to respond to such Correspondence, likeMagic shall promptly notify the Customer and provide it with a copy of the request, unless legally prohibited from doing so. 

 

5. CUSTOMER'S RIGHTS

    5.1  Audit Rights. The Customer shall have the right to conduct an audit to verify likeMagic's compliance with its obligations under Data Protection Legislation and in this DPA. likeMagic shall permit the Customer to carry out the audit under the following conditions: (i) the Customer requests to carry out the audit via a written notice at least 30 (thirty) days in advance; (ii) the Customer will specify the agenda for such audit in such notice; (iii) the audit shall not take place more than once a year; (iv) all associated costs and expenses shall be borne by the Customer or reimbursed to likeMagic on demand; and (v) the audit shall last no longer than the equivalent of 1 working day (8 hours) of likeMagic's representative. On the request of the Customer, likeMagic will provide the Customer with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Customer.

    5.2  Independent Audit by External Licensed Auditor. In case the Customer requests the audit to be carried out by an independent party (an external licensed auditor), likeMagic may object to an external licensed auditor appointed by the Customer to conduct the audit if the auditor is, in likeMagic's reasonable opinion, not suitably qualified or independent, a competitor of likeMagic, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor.

 

6. CUSTOMER'S OBLIGATIONS

    6.1  Customer's Processing of Personal Data. The Customer shall, in its use of the Services, Process Personal Data in accordance with Data Protection Legislation. The Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer acquired Personal Data.

    6.2  Customer's Compliance. The Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to likeMagic; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) under Data Protection Legislation for likeMagic to Process Personal Data for the Permitted Purposes; (iii) it shall be responsible for providing any notices required by Data Protection Legislation to its permitted users and other relevant Data Subjects with respect to sharing their Personal Data with likeMagic; (iv) it has fulfilled (or shall fulfil) all registration or notification obligations to which the Customer is subject under the Data Protection Legislation; and (v) it is responsible for its own Processing of Personal Data, including integrity, security, maintenance, and appropriate protection of Personal Data under Customer's control.

    6.3  Technical and Organizational Measures. Without prejudice to likeMagic's obligations under Section 4.3 (Technical and Organizational Measures), the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services, and taking any appropriate technical, organizational, and security measures to securely encrypt or back up any Personal Data uploaded to the Services. The Customer is also responsible for the use of the Services by any person the Customer authorized to access or use the Services, and by any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if the Customer did not authorize such use. The Customer agrees to notify likeMagic, immediately upon becoming aware, of any unauthorized use of the Services or of any other breach of security involving the Services.

 

7. DATA BREACHES

    7.1  Data Breach Notification. Upon becoming aware of a Data Breach, likeMagic shall notify the Customer without undue delay and provide timely information and cooperation as the Customer may reasonably require to fulfill its data breach reporting obligations under Data Protection Legislation. This includes details about the type of data affected and the identity of the affected person(s) as soon as such information becomes known or available to likeMagic.

    7.2  Disclaimer of Fault or Liability in Data Breach Notifications. The Customer agrees that any notification provided by likeMagic to the Customer in relation to a Data Breach shall not be construed or understood as an acknowledgment of any fault or liability.

    7.3  Mitigation. likeMagic shall take all reasonable measures and actions to remedy or mitigate the effects of any Data Breach. likeMagic shall also keep the Customer informed of all developments related to the Data Breach.

    7.4  Customer Caused Data Breaches. If a Data Breach is caused or materially contributed to by the Customer, likeMagic will cooperate in the investigation of the Data Breach subject to Customer's obligation to compensate likeMagic for its expenses and costs.

 

8. SUB-PROCESSING

    8.1  Authorized Sub-processors. The Customer provides a general authorization for likeMagic to engage Sub-processors to Process Personal Data on Customer's behalf. The Sub-processors currently engaged by likeMagic are specified in Annex B to this DPA.

    8.2  New Sub-processors. likeMagic shall provide prior written notice to the Customer before engaging any new Sub-processor, either at the email address associated with the Customer’s Account or via a pop-up window through the Services, as decided by likeMagic at its sole discretion.

    8.3  Objections. The Customer may reasonably object to the engagement of a new Sub-processor by sending an email to privacy@likemagic.tech. If the Customer does not send any objection to likeMagic within ten (10) days of receiving the notification, it will be deemed to have consented to the new Sub-processor and waived its right to object. If the Customer timely objects, the Parties agree to negotiate to resolve the matter in good faith.

    8.4  Liability for Sub-processors. likeMagic remains liable for any breach of this DPA caused by an act, error, or omission of its Sub-processors.

 

9. DATA TRANSFERS 

The Customer agrees and authorizes likeMagic to transfer Personal Data to third countries only in accordance with Data Protection Legislation and only if adequate data protection is ensured, such as through the use of standard contractual clauses or binding corporate rules on data protection recognized by the competent data protection authorities.

 

10. LIMITATION OF LIABILITY

To the maximum extent permitted by law, each party and its Affiliates' aggregate liability to the other party arising out of or in relation to this DPA, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth under the Agreement. 

 

11. FINAL PROVISIONS

    11.1  Third-Party Beneficiaries. Data Subjects are the sole third-party beneficiaries of this DPA, and there are no other third-party beneficiaries to this DPA, unless specified to the contrary in the Agreement.

    11.2  Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation.

    11.3  Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.

    11.4  Term. This DPA will remain in effect for the term of the Agreement plus the period from the expiry of the Agreement until likeMagic ceases to process Personal Data on behalf of the Customer (the "Processing Term"). 

 

Annex A

Description of the Data Processing 

Categories of data subjects:

  • Hotel guests;
  • Hotel employees and additional aides of the Controller.

Categories of personal data: 

Hotel Guests:

  • Contact information (e.g. name, address, email address, phone number);
  • Identification data (copy of passport, copy of identity cards);
  • Booking details (conclusion of contract, payment history, additional services, etc.);
  • Communication data (e.g. telephone, email, SMS);
  • History of the hotel guests;
  • Billing data;
  • Data regarding the use of the hotel infrastructure (e.g. door opening);
  • Guest data on the stay (check-in, consumption, etc.);
  • Log data (technical log files of the system integrations that are erased after 30 days).

Hotel Employees and Additional Associates of the Controller:

  • Name and email address;
  • (Digital) messages between hotel employees and guests (via digital communication channel, selected by the guest);
  • Time of (digital) door opening.

Sensitive data:

Sensitive data such as disability and dietary requirements may be processed if data subjects decide to share information of such nature. 

Frequency of the transfer:

Continuous basis depending on the use of the Services. 

Nature and subject matter of processing:

The Personal Data may be subject to the following processing activities:

  • storage (hosting) and other processing necessary to provide, maintain and improve the Services provided to Customer under the Agreement,
  • technical support provided to the Customer on a case by case basis,
  • disclosures in accordance with the Agreement and the DPA, as compelled by law, and
  • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Duration of the processing:  

Subscription Term 

Purpose(s) of the data processing: 

  • Processing to provide, maintain, support, and improve the Services provided to the Customer in accordance with the Agreement; 
  • Processing initiated by the Permitted users in their use of the Services; 
  • Processing to comply with other documented reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the Agreement (including this DPA);
  • Processing to comply and fulfill legal obligations. 

Retention period (or, if not possible to determine, the criteria used to determine that period): 

Processing Term

 

Annex B

List of Approved Sub-processors

The list of approved Sub-processors is as follows:

Name of Sub-processor                                   | Purpose                     | Data Location
Google Cloud Platform / Google Ireland Limited, Dublin  | Cloud infrastructure vendor | Switzerland
Bird                                                    | Messaging                   | EU
Prismic                                                 | Content Management          | USA

 

Annex C

Technical and Organizational Measures

INTRODUCTION

This document describes the technical and organizational measures (TOMs) for protecting personal data during the processor’s activities based on the data processing agreement between the controller and the processor.

The technical and organizational measures shall be continuously adapted to the current legal situation of data protection and shall be state of the art. 

Personal data shall be processed by the processor in a manner that

    1. preserves confidentiality (only authorized parties obtain access) 
    2. preserves integrity (only authorized parties may carry out changes) 
    3. ensures availability (if personal data is saved due to contractual reasons, this data remains available as stipulated contractually). 

The processor and all of the processor’s employees shall adhere to the guidelines of this document regarding the technical-organizational measures for protecting personal data and the applicable security standards. The processor shall immediately inform the controller in the event that the processor or the processor’s employees are unable to comply with these technical and organizational measures and/or the applicable security standards.

By signing their respective employment contracts, all employees of the processor undertake in writing to maintain data confidentiality. 

 

TECHNICAL AND ORGANIZATIONAL MEASURES 

The following sections define the latest technical-organizational measures that shall be adhered to by the processor and the processor’s employees. 

 

1. Confidentiality (GDPR 32 I lit. b)

    1.1  Admission Control 
Unauthorized parties shall be denied access to buildings or rooms with data processing systems that are used to process or utilize personal data. The likeMagic platform is operated in external data centers (hosting) and with external services (software as a service). The respective supplier ensures access control.

    1.2  Access Control
Access control includes measures that prevent data processing systems from being usable by unauthorized parties. 

Technical measures: 

    • Login with username and password
    • Encrypted storage of passwords
    • Anti-virus software for servers/clients/mobile devices
    • Timed automatic logout for each device
    • Firewall for hardware and software
    • Intrusion Detection System (IDS)
    • Encryption of data media
    • Security-related software updates are regularly added to existing software

Organizational measures:

    • Management of user permissions (permissions are not issued without authorization)

    • Creation of user profiles

    • Centralized password assignment

    • Guidelines that stipulate secure passwords

    • Clean desk policy

    • Revocation of access rights from employees who depart the company

    1.3  Data Access Control

Data access control ensures that those authorized to use a data processing system may access only data that is subject to their access authorization and that personal data cannot be read, copied, amended, or removed during processing, usage and after storage without authorization.

 

Technical measures: 

    • Use of a paper shredder (secure document destruction)

    • Logging access to applications, specifically when entering, amending, and erasing data.

Organizational measures:

    • A general security concept exists

    • Use of authorization concepts for access to data

    • Individual access rights for users/access to personal, confidential, or otherwise sensitive information is limited to people who require this access to render their services.

    • Regular review of access authorizations

    • The number of administrators is kept to a minimum

    • Only administrators manage user permissions

    • Data secrecy is explained to the processor’s employees and, upon signing the employment contracts, the processor’s employees undertake in writing to comply with this obligation. Furthermore, the processor’s employment contracts contain an explicit reference to this obligation. 

    • The application’s security for processing personal, confidential, or otherwise sensitive data is reviewed on a regular basis. To that end, the processor conducts internal and external security reviews and penetration tests for IT systems.

    • The processor shall prohibit the installation of personal software and software not authorized by the processor on company devices and to that end uses proven client management software, among other things. 

    • Pseudonymization (GDPR 25 I; 32 I lit. a): If possible for the respective data processing, the primary identification characteristics of the personal data are removed and stored separately in the respective data application. 

    • The processor works with the classification schemes that can be subdivided into the “secret/confidential/internal” and “public” or comparable categories. 


    1.4  Separation Control

Separation control ensures that the collected data may be processed separately. It also ensures that data may be processed only for the purposes that are explicitly stated by contract.

Technical measures: 

    • Separation of the productive and test environment

    • Physical separation of data carriers

    • Multi-client capability of relevant applications

Organizational measures:

    • Use of authorization concepts for access to data

    • Determination of permissions for accessing data

    • Data sets are tagged with purpose attributes

 

2. Integrity (GDPR 32 I lit. b)

    2.1  Transfer Control
Transfer control ensures that personal data is not read, copied, changed, or erased during its electronic transfer or while being transported or saved on data carriers and that it is possible to verify and determine where personal data is intended to be transferred using data transfer equipment. 

Technical measures:

    • Encrypted data transfer when transferring to external networks

    • Logging the accesses and retrievals, inputs, changes, and removal of data

Organizational measures:

    • The processor allows only authorized persons to access personal data as part of their work task.

    • Access to customer systems is recorded in log files during the support processes.

    • There is a strict authorization concept that enables the input, alteration, and deletion of data only for user IDs that have been established for that purpose. 


    2.2  Input Control

Input control ensures that it may be subsequently verified and detected whether and by whom personal data has been entered into, amended, or removed from data processing systems.

    • Technical logging of the input, changing and deleting of data

    • Manual or automatic log control



3. Availability and Resilience (DSG 7; GDPR 32 I lit. b)

    3.1  Availability Check
The availability check ensures that personal data is protected against accidental destruction or loss. All of our data is currently stored on Google Cloud in Switzerland. Google takes measures to ensure the availability and recoverability of personal data.



4. Process on Regular Review, Assessment, and Evaluation (GDPR 32 I lit. d; GDPR 25 I)

    4.1  Data Protection Management
Measures that enable data protection processes to be managed and demonstrably ensure compliance with data protection guidelines.


Organizational measures:

    • There is a security concept that (also) governs data protection.

    • In-house Data Protection Officer (DPO) (Cyril Gabathuler / Company: likeMagic a SV Group Corporate Venture / Contact information: cyril@likemagic.tech)

    • Employees are trained in and obliged to confidentiality/data secrecy

    • Regularly raising awareness among employees, at least every year

    • Internal/external information security officer (ISO) (Cyril Gabathuler / Company: likeMagic a SV Group Corporate Venture / contact information: cyril@likemagic.tech)

    • The data protection impact assessment (DPIA) is carried out as needed.

    • The processor complies with the information obligations according to Art. 13 and 14 GDPR.

    • A formalized procedure for processing information requests by data subjects is available.


    4.2  Incident Response Management

Technical measures:

    • Use of firewalls and regular update

    • Use of spam filters and regular updates

    • Use of virus scanners and regular updates

    • Intrusion Detection System (IDS)

    • Intrusion Prevention System (IPS)

Organizational measures:

    • Documented process for detecting and reporting security incidents/data breaches (including with regard to the reporting obligation towards the supervisory authorities)

    • Documented procedure on handling security incidents

    • Involvement of DPO (Data Protection Officers) and ISO (Information Security Officers) in security incidents and data breaches

    • Documentation of security incidents and data breaches 

    • Formal process and responsibilities for following up on security incidents and data breaches.

    4.3  Default Settings Friendly to Data Protection (GDPR 25 II)

    • Only the personal data that is required for the particular purpose is collected.

    • Technical measures ensure that the data subject may easily exercise the right to object

 

5. Outsourcing to Third Parties

The processor shall guarantee that any subcontractors that process data on the processor’s behalf comply with at least the same security measures as the processor itself.

Organizational measures:

    • Prior review of the security measures taken by the processor and its documentation

    • Selection of the subcontractor using aspects of diligence (particularly with regard to data protection and data security)

    • Conclusion of the necessary data processing agreement and/or EU standard contractual clauses with the subcontractor

    • Obligation of the subcontractor’s employees to preserve data secrecy

    • Obligation of the subcontractor to appoint a data protection officer if there is an obligation to appoint one

    • Stipulation of the processor’s effective control rights towards the subcontractor

    • Rules on the use of additional subcontractors

    • Ensuring the deletion of data after termination of the contract/subcontract

    • In case of longer collaboration: Ongoing review of the subcontractor and the subcontractor’s level of protection