DATA PROCESSING AGREEMENT

Between [a company or private owner], hereinafter referred to as “the Data Controller”,

and

Guest Admin Servicios, with address at Plaza Villa de Castelldefels 4. Picasso Business Center, Oficina AFZ, 29006 Málaga, Spain represented by Alexander Peter Simmons, with NIE number Y5478355E, hereinafter referred to as “the Data Processor”,

CLÁUSULAS / CLAUSES

1. PURPOSE

This agreement regulates the access to and processing of personal data by the Processor on behalf of the Controller, in order to provide guest registration services and transmit information to the competent authorities in accordance with Real Decreto 933/2021 and the applicable data protection regulations, specially Reglamento UE 2016/79, hereinafter GDPR.

2. DURATION

This agreement shall remain in force for the duration of the services provided by the Processor.

3. PURPOSE OF PROCESSING

The purpose of the processing is to comply with the Controller’s legal obligations regarding guest registration, including the collection, storage, and communication of personal data to the competent authorities, in accordance with Royal Decree 933/2021.

4. PROCESSOR’S OBLIGATIONS

4.1 Process data only according to the Controller’s documented instructions.

4.2 Do not use the data for own purposes or disclose it to third parties without prior authorization.

4.3 Ensure confidentiality of authorized personnel.

4.4 Implement appropriate technical and organizational measures (Art. 32 GDPR).

4.5 Delete or return data upon termination of services.

5. CONTROLLER’S OBLIGATIONS

5.1 Properly inform data subjects pursuant to Articles 13 and 14 of the GDPR.

5.2 Ensure the lawfulness of the processing.

5.3 Supervise compliance with this agreement.

6. RETENTION OF GUEST DATA

The Processor shall retain, on behalf of the Controller, guest personal data for a period of three (3) years, in accordance with Article 6 of Royal Decree 933/2021, ensuring its availability, integrity, and confidentiality through appropriate security measures. Retention shall be solely for the fulfilment of the Controller’s legal obligations, and the Processor shall not use the data for any other purpose.

7. DELIVERY OF PRIVACY NOTE TO THE GUEST

The Data Controller expressly delegates to the Data Processor the delivery of the privacy notice to guests, in accordance with Article 13 of GDPR.

The Processor agrees to deliver this notice—previously provided or validated by the Controller—at the time of booking or check-in, on behalf of the Controller.

This clause does not constitute a transfer of the legal responsibility for informing the data subject, which remains with the Controller.

8. PRICE OF THE DATA PROCESSING SERVICES

The Data Processor shall be remunerated for the data processing services provided under this agreement in accordance with the terms separately agreed upon between the parties.

This remuneration shall cover all activities necessary for the proper performance of the services described herein, including but not limited to data management, technical support, and compliance with applicable data protection regulations.

Unless otherwise agreed in writing, invoicing and payment terms shall be established and communicated by the Data Processor to the Data Controller in advance.

Any additional services not covered by this agreement that may be requested by the Data Controller shall be subject to a separate quotation and mutual agreement.

8. Sub-processors

The Processor may not subcontract any processing without the prior and express authorization of the Controller.

9. INTERNATIONAL TRANSFERS

No international data transfers shall be made without the Controller’s express authorization and in compliance with the GDPR.

10. CONFIDENTIALITY

Both parties agree to maintain confidentiality regarding the data processed.

9. APPLICABLE LAW AND JURISDICTION

This agreement shall be governed by Spanish law. The parties submit to the jurisdiction of the courts at Málaga City, Spain