This appendix is an integral and indivisible part of Hopoti’s general terms of agreement for Sellers (hereinafter referred to as “Agreement”). This appendix and these conditions for data protection shall apply in the event that and insofar as Hopoti fulfils the role of a processor of personal data and the Seller has outsourced a certain portion of the processing of the personal data it possesses as a controller, as defined in the EU General Data Protection Regulation (2016/679), to Hopoti.
The terms used in this appendix shall have the same meaning as given to them in the European Union regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “General Data Protection Regulation” or “GDPR”). Such key terms include controller, processor of personal data, personal data, data subject, processing and personal data breach.
2. The purpose of the processing of data
Hopoti provides Sellers with a booking service that includes a Stable-specific website for the Seller’s stable. The Seller has outsourced the Stable-specific website to be hosted by Hopoti (hereinafter referred to as “Hosting service”). This appendix states that the parties agree that Hopoti shall be the processor of personal data with regard to the Stable-specific website (hereinafter referred to as “Data processor”) and that it shall process personal data on behalf of the Seller, the Controller, for the duration of the validity of the Agreement.
The Data processor shall have the right to process Personal data only for the purposes of providing Hosting services in accordance with this Agreement and any instructions provided by the Seller.
More specific details concerning the processing, including the nature of processing, the type of personal data and categories of data subjects are described below.
The Data processor shall have the right to use the services of subcontractors without an advance written authorisation from the Controller.
Subcontractors shall be obligated to comply with the principles of data processing and obligations defined in this Agreement. Subcontractors shall be provided with written instructions regarding the processing of personal data by the Data processor, and the Data processor shall be as responsible for the work performed by subcontractors as for the work performed by the Data processor. The Data processor shall, without undue delay, provide the Controller with a written notification before the Data processor changes or acquires new subcontractors that participate in the processing of personal data. In the event that the Controller does not approve changing or acquiring new subcontractors, the Data processor shall have the right to terminate the Agreement with a notice period of thirty (30) days.
4. Transferring the data outside the EU
Personal data may be transferred outside the European Union or the European Economic Area in accordance with data protection legislation. The Seller authorises the Data processor to implement the standard clauses regarding transferring data outside the EU adopted by the Commission on the Seller’s behalf whenever necessary. The Controller shall have the right to obtain information regarding the location of the processing of personal data from the Data processor at any time.
All personal data processed by the processor of personal data on behalf of the Controller shall be considered confidential, and the processor of personal data agrees that it shall maintain the confidentiality of the data and that it shall not transfer or disclose these data to a third party or use the data for other purposes than the agreed purposes. The processor of personal data also agrees that it shall not transfer or disclose the personal data to other employees or persons within its organisation (including any possible subcontractors) than those for whom the said data is necessary to be disclosed or transferred to for the purpose of fulfilling the agreed purpose or those who are obligated to maintain the confidentiality of the data due to a service or another agreement or legislation. The confidentiality clauses shall remain valid even in the event that the Agreement is terminated.
6. Data security
The Data processor agrees that it shall ensure that it implements all the appropriate technical and organisational measures aimed to prevent the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The measures must be designed with due regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Data processor shall grant the Controller the rights necessary for compliance with data protection law to perform audits on the Data processor. Both parties shall bear the costs of inspections for their own part.
7. Measures in the case of a personal data breach
In the event that the Data processor becomes aware of a personal data breach, it must notify the Controller of the personal data breach in writing immediately. The Controller shall report a personal data breach to the authorities and the parties concerned within 72 hours from becoming aware of the personal data breach.
The Data processor affected by the personal data breach must provide the Controller at least with the following details of the personal data breach:
a) a description of the personal data breach;
b) a description of the likely consequences of the personal data breach; and
c) a description of the actions suggested by the party in question or the actions it has performed due to the personal data breach and, where applicable, the actions to mitigate the possible adverse effects of the breach.
8. Rights of the data subjects
Whenever possible, the Data processor shall assist the Controller with appropriate technical and organisational measures to fulfil the Controller’s obligations to respond to the requests concerning the exercise of the rights of data subjects laid down in the General Data Protection Regulation. The rights of data subjects include the right of access to personal data, the right to have the data rectified, the right to prohibit processing, the right to erasure, the right to restriction of processing and the right to have the data transferred from one system to another. If such requests are submitted directly to the Data processor, the Data processor shall notify the Controller of these requests.
The Data processor shall have the right to charge a fee for the time used in assisting the Controller with a time-based rate according to the current price list.
9. Other terms
Other terms specified in the Agreement shall apply.
The nature of data processing: The processing of personal data is related to the Stable-specific website’s Hosting service provided by Hopoti.
The typical categories of personal data to be processed in connection with the provision of the Hosting service submitted by the Controller’s client include the following:
- email address,
- booking details,
- other health data essential for the purposes of riding,
- marketing consents and prohibitions,
- other data related to the use of the website.