1. Purpose and application of these instructions

These instructions on the processing of Personal Data (hereinafter also the "Data Protection Appendix") are an integral part of the service or other contract or order ("Main Agreement") agreed with the Customer or a company belonging to the same group as the Customer ("Customer") and the Supplier.

The Customer and the Supplier have agreed in this Privacy Appendix that the Customer, as the Controller, defines the purposes and means of the processing of Personal Data and the Supplier, as the Processor of the Personal Data, processes the Personal Data in accordance with the instructions given by the Customer.

This Data Protection Appendix constitutes a written agreement between the Contracting Parties on the processing of Personal Data in accordance with the EU Data Protection Regulation The provisions and instructions of this Privacy Appendix apply whenever the Supplier processes the Customer's Personal Data. If the terms of this Data Protection Addendum and the Main Agreement conflict with each other, the terms of this Data Protection Addendum shall apply first.

2. Definitions used

Personal information means all information related to an identified or identifiable natural person or other personal information defined in the Data Protection Legislation.

Personal data processor (hereinafter also "Processor") means the Supplier who processes personal data on behalf of the controller and in accordance with the instructions.

Processing means an activity or activities that the Supplier performs on behalf of the Customer on the basis of an agreement between the contracting parties and which are applied to personal data or data sets containing Personal Data, either using automatic data processing or manually, or other Personal Data processing defined in the Data Protection Legislation.

Controller means the Customer who, alone or together with others, defines the purposes and means of Personal Data processing.

3. Nature and purpose of personal data processing

The personal data processed within the scope of this agreement are Personal Data stored by the Customer in its personal data registers and which the Customer hands over to the Supplier, e.g. for the following uses:

* Matters related to trips and other services organized by the customer

* Matters related to the participants of trips organized by the customer.

The object, nature and purpose of the processing are defined in more detail separately in the Main Agreement.

4. Type of personal data

The personal data processed by the supplier can be:

* Personal data of registered persons stored by the customer in their registers, such as: Name, date of birth, address, phone number, email address and other necessary contact information, as well as the registered person's work duties, profession, position and position in organizations.

* Content produced by the registrant himself, as well as additional information provided by him, such as wishes related to trips and other services, satisfaction information, interests and other similar information.

5. General obligations

1. Obligations of the customer The customer is responsible for ensuring that it has the necessary legal basis and consents for the processing of Personal Data in accordance with the Main Agreement and that the data subjects have been given sufficient information about the processing of Personal Data.

It is the customer's responsibility to determine the purpose and means of processing Personal Data. The Customer provides the Supplier with sufficiently comprehensive, written and legal instructions on the processing of Personal Data for the purpose of performing the services in accordance with the Main Agreement.

2. Responsibilities of the supplier

The Supplier must inform the Customer immediately if the Supplier considers that the Customer's instructions violate data protection legislation. In this case, the Supplier must request detailed instructions.

The supplier maintains the statement required by the EU data protection regulation on the processing of personal data (Data protection statement).

The Supplier must process Personal Data in accordance with the Customer's instructions. The work related to following the instructions is included in the services of the main contract.

6. Data security

The supplier implements appropriate technical and organizational measures to protect the Customer's Personal Data, taking into account the risks inherent in the processing, especially the unintentional or illegal destruction, disposal, alteration, unauthorized disclosure or access to Personal Data of transferred, stored or otherwise processed Personal Data.

The customer can give more detailed instructions regarding data security in the processing of Personal Data. In the transfer of data between the Customer and the Supplier, the data transfer methods specified by the Customer are followed.

3. Notification of data security breaches

The Supplier must notify the Customer immediately (within 36 hours max.) in writing of all data security breaches targeting Personal Data and other events on the basis of which the data security of the Personal Data processed on behalf of the Customer may have been compromised.

At the Customer's request, the Supplier shall without undue delay provide the Customer with all relevant information related to the data security breach. To the extent that the information in question is available to the Supplier, the Supplier must, in the notification to the Customer, describe at least: a) the data security breach that has occurred, b) where possible, the groups and estimated numbers of registrants and the groups and estimated numbers of Personal Data types, c) a description of the likely consequences caused by the data security breach, and d) a description corrective measures that the Supplier has taken or will take to prevent data security breaches in the future, as well as, if necessary, measures to minimize the adverse effects of a data security breach.

The supplier documents and reports the results of the investigation and the performed measures to the Customer. The customer is responsible for the necessary notifications to data protection authorities and data subjects.

7. Assistance and notification obligation

The Supplier immediately informs the Customer of all requirements and inquiries of data subjects, data protection commissioners or other authorities. When requested, the Supplier assists the Customer in clarifying matters concerning, for example, information security, reporting information security breaches, and responding to requests related to the use of registered rights.

8. Processing time and destruction of personal data

The Supplier is obliged to destroy and/or return the information and materials in its possession from the Customer in accordance with the Main Agreement, as well as the personal data and data warehouses it has created under the Main Agreement no later than three (3) months after the measures agreed or necessary for the service to be delivered have been completed. The destruction and/or restoration of data also applies to subcontractors and all backups.

9. Transfer and processing of personal data outside

The EU / EEA area The Supplier and its subcontractors may process personal data outside the EU/EEA area without the Customer's written consent. In this case, each Contracting Party ensures compliance with the requirements and restrictions of the Data Protection Legislation regarding the processing of personal data.

10. Confidentiality

The contracting parties undertake to keep confidential the materials and information they receive from the other contracting party, which are marked as confidential or which must be understood as such, and not to use them for purposes other than those in accordance with the agreement. However, the confidentiality obligation does not apply to material or information, (a) which is generally available or otherwise public, (b) which the receiving contracting party has received from a third contracting party without a confidentiality obligation, (c) which was in the receiving contracting party's possession without a confidentiality obligation regarding them before receiving them from the other contracting party, (d) which the receiving contracting party has independently developed without utilizing the material or information received from the other contracting party, or (e) which the receiving contracting party is obliged to hand over based on the law or official order.

The Supplier must immediately stop using the confidential material and information received from the Customer and, upon request, return or dispose of the said material in a reliable manner, including all copies, when the Main Agreement ends or the Supplier no longer needs the said material or the said information for the purposes of the Main Agreement. However, the contracting party has the right to keep the material required by law or official order or copies thereof.

The contracting parties agree that their employees and other companies belonging to the same group and their subcontractors will comply with the confidentiality provisions of this Privacy Appendix.

11. Other conditions

1. The Supplier informs the Customer in writing of any changes that may affect its ability or possibilities to comply with this Privacy Notice and the written instructions given by the Customer.

2. Confidentiality obligations and other obligations, which due to their nature are intended to remain in force regardless of the expiration of this Data Protection Addendum, remain in effect after the end of the Main Agreement and the Data Protection Addendum.