2. Can you please attach an agreement template between a data processor and sub-processor?
3. Does the privacy notice need to be displayed by the data controller to his customer? Or by us to each individual user?
4. The same as 3 but regarding the use of website cookies.
5. Users' rights – should the right to be forgotten/deleted/export be available to the end user, or should it only be controlled by the "data controller"? Seeing as we are the data processors, do we need to allow end users this right?
6. Data retirement – We are storing data for reporting and operational purposes; for example, a traveler can view his past trips. Are we obligated to retire data after a certain period of time, or should this be controlled by the "data controller"?
7. Personal data encryption – We are using the user's email address as the username to access the site, and this field can't be encrypted. Is this acceptable? Also, user first name and last name can't be encrypted.
Please advise what the best course of action is.
1. The content providers for flights, hotels, cars, ground transportation, and rail (nor the providers of the services themselves, such as airlines, hotels, car rental companies, etc.) would be your sub-processors, as you well pointed out. These providers should be instructed by you how the personal data they receive should be processed and protected. Usually, as you are a processor, you would receive instructions from your customers acting as controllers. The instructions you receive from your customers (data controllers) would need to be "back to back" with the ones you impose on your sub-processors.
2. Unless you receive specific requirements from your respective controllers, you could use the attached document as a template. It is basically the same Supplier Data Processing Agreement, but tweaked a little bit to accommodate the processor – sub-processor relation.
3. The Privacy Notice would need to be provided to the end user by the controller. The Notice could be presented similar to the way you would present the Terms & Conditions of your product.
5. The controllers are the ones responsible for making sure that the data subjects can exercise their rights. You as a processor need to inform the controller if you receive such requests from the data subjects, as well as to provide the controllers the means of complying with those requests. Basically, you just need to enable the controllers to analyze and decide on the requests, and only if specifically instructed may you answer them on behalf of the controller.
6. The controllers are the ones that determine the retention period in most cases. For your particular situation I would advise you to leave this up to them, meaning the controllers should be able to delete the data whenever they want. Here I am referring to your travel agents and company customers, not necessarily the individuals doing the travel, unless the travel agents or company customers (controllers) instruct you to provide this choice to the individuals (end users).
7. Encryption in this case means securing your communications, for example using HTTPS instead of HTTP for the account authentication page. Also, the database where you store the travel-related information could be encrypted to prevent unauthorized access. Consider also implementing strong passwords to protect you against brute force attacks.
8. Yes, you can grant access rights to a limited number of employees for specific purposes. Make sure that you log all the actions they perform, to be used as proof that there was no tampering with the data in storage.
You can get more knowledge about the EU GDPR by accessing our free online training GDPR Foundations Course: https:…
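Point 8 of the answer recommends logging every action privileged employees perform on personal data so the log can later serve as proof that stored records were not tampered with. A plain log file does not give that assurance, because whoever can edit records can usually edit the log too. The following is an added example, not code from the thread or from any product discussed in it, showing one way to make such a log tamper-evident: each entry is tagged with an HMAC over its contents plus the tag of the previous entry, so editing, dropping or reordering an entry breaks the chain. The key, the actor and record names, and the purposes are all constructed for the illustration; in a real deployment the key would be held in a secrets manager outside the reach of the employees being logged, and the latest tag would be exported periodically so the chain is anchored somewhere the log owner cannot rewrite.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed key for the example only. In production this key must not be
# readable by the employees whose actions are recorded, or they could re-tag
# entries after editing them.
AUDIT_KEY = b"example-audit-key-not-for-production"

GENESIS_TAG = "0" * 64  # prev_mac of the very first entry


@dataclass
class AuditEntry:
    seq: int          # position in the log; detects dropped/reordered entries
    actor: str        # employee account performing the action
    action: str       # e.g. "read", "update", "delete"
    record_id: str    # identifier of the traveler record touched
    purpose: str      # business purpose the access was granted for
    prev_mac: str     # tag of the previous entry (the chain link)
    mac: str = ""     # tag of this entry, filled in on append


def _canonical(entry: AuditEntry) -> bytes:
    """Stable byte encoding of every field except the tag itself."""
    fields = {k: v for k, v in entry.__dict__.items() if k != "mac"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _tag(entry: AuditEntry, key: bytes) -> str:
    return hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, record_id: str, purpose: str) -> AuditEntry:
        prev = self.entries[-1].mac if self.entries else GENESIS_TAG
        entry = AuditEntry(len(self.entries), actor, action, record_id, purpose, prev)
        entry.mac = _tag(entry, self._key)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        expected_prev = GENESIS_TAG
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_mac != expected_prev:
                return i
            if not hmac.compare_digest(e.mac, _tag(e, self._key)):
                return i
            expected_prev = e.mac
        return None


def _sample_log() -> AuditLog:
    """Three constructed employee actions on traveler records."""
    log = AuditLog(AUDIT_KEY)
    log.append("ops.alice", "read", "traveler-1042", "support ticket (constructed)")
    log.append("ops.bob", "update", "traveler-1042", "correct misspelled name")
    log.append("ops.alice", "delete", "traveler-0777", "controller deletion instruction")
    return log


def demo_tamper_detection() -> dict:
    """Show that verify() passes on the untouched log and pinpoints tampering."""
    results = {}
    results["intact"] = _sample_log().verify()          # None: chain is good

    edited = _sample_log()
    edited.entries[1].action = "read"                    # insider downgrades "update" to "read"
    results["edited"] = edited.verify()                  # 1: tag no longer matches

    dropped = _sample_log()
    del dropped.entries[1]                               # insider removes an entry outright
    results["dropped"] = dropped.verify()                # 1: seq/prev_mac mismatch
    return results


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The chain only proves integrity relative to the key holder: anyone holding `AUDIT_KEY` can rewrite history and re-tag it, which is why the key must be separated from the people with data access and why exporting the newest tag to a write-once location (or a third party) is what turns this from "hard to tamper with" into "tampering is detectable".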