Appendix A

Personal Data

  1. Definitions

    All capitalized terms used but not defined in this Appendix shall have the same meaning as set forth in the Terms. Lower case terms used but not defined in this Appendix, such as “personal data”, “personal data breach”, “processing”, “controller”, “processor”, “supervisory authority” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR.

  2. Scope and Roles

    This Appendix applies to the processing of personal data by Supplier on behalf of VistaJet or any VistaJet affiliate under the P.O. In this context, VistaJet and any VistaJet affiliate is the controller of such personal data and Supplier is the processor of such personal data.

  3. Processing

    1. Where Supplier is carrying out processing on behalf of VistaJet, Supplier shall implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and this Appendix and ensure the protection of the rights of the data subject.
    2. Supplier shall not engage another processor without prior specific or general written authorisation of VistaJet. In the case of general written authorisation, Supplier shall inform VistaJet of any intended changes concerning the addition or replacement of other processors, thereby giving VistaJet the opportunity to object to such changes in the manner more specifically set forth herein.
    3. Processing by Supplier shall be governed by this Appendix. In particular, Supplier shall:
      1. process the personal data only on documented and written instructions from VistaJet, including with regard to transfers of personal data to a country outside Europe (for purposes of this Appendix the term “Europe” means, all the countries forming part of the European Economic Area (EEA), Switzerland, and the United Kingdom in the event that the United Kingdom is no longer part of the EEA) or to an international organisation, unless required to do so by any applicable law; in such a case, Supplier shall inform VistaJet of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
      2. ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. take all measures required pursuant to Article 32 of the GDPR;
      4. respect the conditions referred to in paragraphs 2 and 4 in this Section C for engaging another processor;
      5. taking into account the nature of the processing, assist VistaJet by appropriate technical and organisational measures, for the fulfilment of VistaJet’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
      6. assist VistaJet in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Supplier;
      7. make available to VistaJet all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR;
      8. at the request of VistaJet submit its data processing facilities for audit of the processing activities covered by this Appendix, which audit shall be carried out by VistaJet or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by VistaJet, where applicable, in agreement with the supervisory authority;
      9. at the request of the supervisory authority, submit its data processing facilities for audit of the processing activities covered by this Appendix by the supervisory authority;
      10. collect, access, maintain, use, and process personal data solely for the purpose of performing Supplier’s obligations under the P.O.;
      11. ensure that the accuracy of the personal data held on Supplier’s systems and hosting infrastructure is preserved in the state in which it is received (subject to any of Supplier’s obligations to correct such data set out in the P.O. and/or the Terms);
      12. ensure that there is at all times a nominated employee(s) of Supplier responsible for ensuring compliance with Supplier’s obligations under this Appendix, and Supplier shall ensure that it has adequate resources to perform its obligations under this Appendix;
      13. make available to VistaJet all information necessary to demonstrate compliance with the obligations laid down in this Appendix;
      14. in the event of an investigation by a supervisory authority, provide VistaJet with reasonable assistance and support in responding to such investigation;
      15. promptly notify VistaJet about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and,
      16. maintain a record in writing or electronic form of all categories of processing activities carried out on behalf of VistaJet, containing:
        1. the name and contact details of Supplier, of each processor it has engaged (as authorised by VistaJet) to process personal data under the P.O. and the Terms, and of Supplier’s nominated employee(s) responsible for ensuring compliance with Supplier’s obligations under this Addendum;
        2. the categories of processing carried out on behalf of VistaJet;
        3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
        4. where possible, a general description of the technical and organisational security measures referred to in Section G below.
    4. Where Supplier engages another processor (subject to first having obtained written authorisation from VistaJet to any such engagement as set out in Section 2 above) for carrying out specific processing activities on behalf of Supplier, the same data protection obligations as set out in this Appendix shall be imposed on that other processor by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Supplier shall remain fully liable to VistaJet for the performance of that other processor’s obligations. Supplier shall provide to VistaJet, upon VistaJet’s request, copies of any contracts entered into by Supplier with any other processor pursuant to this Section 4 (Supplier shall have the right to remove any commercial information from the contracts so disclosed to VistaJet). Supplier hereby acknowledges that the supervisory authority has the right to conduct an audit of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of Service Provider under the GDPR.

  4. Processing Details

    The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of VistaJet are set forth in the P.O. and/or the Terms, including this Addendum, in particular:

    1. The subject-matter of the processing under this Addendum is the personal data provided by VistaJet to Supplier in respect of the Deliverables under the P.O. and the Terms.
    2. The duration of the processing is the duration of the provision of the Deliverables under the P.O. and the Terms.
    3. The nature and purpose of the processing is in connection with the provision of the Deliverables under the P.O. and the Terms.
    4. The types of personal data processed under the P.O. may include (without limitation) full name, email addresses, home postal addresses, office/institution postal address, social media handles, telephone, mobile phone numbers, business cards and job titles, work section, username and passwords for accessing and using the Deliverables, education, certifications, professional background and training; gender, photographs, audio and videos; credit card data, bank account data; government-issued identification, including passport numbers; date of birth; place of birth; goods, services or content provided; usage data and statistics; connection data; other unique identifiers such as IP addresses or device IDs; results data from the products and services which may include other third party data and other types of personal data identified in the GDPR, and/or documents, images or other content containing personal data submitted by or at the direction of VistaJet as part of the Deliverables.
    5. The categories of data subjects may include employees, contractors, agency and temporary personnel (and their respective relatives and guardians), of VistaJet and its affiliates and subsidiaries, and VistaJet’s or its subsidiaries’ or affiliates’ clients, prospective clients, suppliers and other individuals about whom personal data is submitted to Supplier by or at the direction of VistaJet as part of the Deliverables.
    6. The personal data processed under the P.O. and the Terms may include special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health.

  5. Data Subject Rights

    Supplier shall promptly (but in any case not later than 3 calendar days from the initial receipt of the request), notify VistaJet of any data subject requests (including but not limited to “opt-out” specifications, information access requests, information rectification requests and all like requests) received by Supplier, and work with VistaJet to promptly and effectively handle such requests, and shall not respond to any such requests unless expressly authorized to do so by VistaJet (save that nothing in this Section shall require the Supplier to comply with this Section insofar as to do so would contravene any applicable legislation).

  6. Transfer of Personal Data

    1. Supplier will ensure that no personal data originating from Europe is transferred by it to a country or territory outside Europe without VistaJet’s express written consent and subject to any conditions imposed by VistaJet on such transfer if necessary.
    2. If, as a result of the P.O., personal data will be transferred by VistaJet to Supplier from the EEA to any country or territory outside the EEA not deemed by the European Commission as providing an adequate level of protection for personal data, then the applicable model contract for the transfer of personal data to third countries issued by the European Commission (‘Model Contract’) shall apply to such personal data and such Model Contract shall be incorporated into this P.O. and Terms upon the execution and submission of the Model Contract by the Parties in accordance with its terms. The Supplier shall not raise any objection whatsoever to the execution of such Model Contract and the Supplier hereby acknowledges and accepts that the Model Contract cannot be modified save where otherwise stated in the Model Contract itself. In the event of any conflict between these Terms and/or the P.O. on the one hand and the terms in the Model Contract on the other hand, the terms in the Model Contract shall prevail. Once a Model Contract has been executed, VistaJet may thereafter from time to time, by at least 30 days’ written notice to Supplier, make any variations to the Model Contract so executed which are required, as a result of any change in, or decision of a competent authority under, the GDPR, to allow such transfers of personal data to be made (or continue to be made) without breach of the GDPR; and the Supplier shall not raise any objection whatsoever to any such variations so required.

  7. Security of Processing

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
      1. the pseudonymisation and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
      5. the use of reasonable user identification or password control requirements and other security procedures in relation to personal data, including strong passwords and session time-outs;
      6. the maintenance of firewalls to segregate Supplier’s internal networks from the internet, and employing appropriate intrusion detection, monitoring, and logging capabilities to enable detecting and responding to potential security breach attempts;
      7. the performance of third party network vulnerability assessments;
      8. the maintenance of the software on Supplier’s internal networks to ensure that the software is free from vulnerabilities;
      9. the application of all manufacturer-recommended security updates to all infrastructure storing, processing or transiting personal data in a timely manner;
      10. the maintenance and enforcement of policies and procedures to ensure that all of the following requirements are met: (a) up to date virus protection software shall be installed on all computer systems attached to Supplier’s networks; (b) access to Supplier’s computer resources and networks (including wireless networking and remote access) shall be limited to approved configurations utilizing appropriate identification and authentication methods; (c) personal data shall be stored only on devices located within Supplier’s secure facilities, shall only be used for the purposes of performing Supplier’s obligations under the P.O. and the Terms, and shall not be distributed, repurposed or shared across other applications, environments or Supplier’s business units; and,
      11. ensuring that all electronic mail (email) communications pertaining to the Deliverables are conducted to and from an email domain that is owned by Supplier.
    2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
    3. Supplier shall take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from VistaJet, unless he or she is required to do so by any applicable law.

  8. Personal Data Breach

    In the case of a personal data breach, Supplier shall without undue delay and, not later than 24 hours after having become aware of it, notify the personal data breach to VistaJet. Such notification shall at least:

    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by Supplier to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

    Supplier shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

    Supplier shall also respond to VistaJet’s request for further information so that VistaJet may fulfil its obligations under Articles 33 and 34 of the GDPR, and Supplier shall assist VistaJet in the event that VistaJet is legally bound to communicate the personal data breach to the affected data subjects.

    If any personal data breach or other unauthorized access, acquisition or disclosure of personal data occurs as a result of an act or omission of Supplier, Supplier will, at Supplier’s sole expense, undertake remedial measures in accordance with VistaJet’s instructions. This shall be without prejudice to VistaJet’s rights under Section K below.

  9. Audit

    The rights set out in Section C.(3)(h) are subject to the notice, confidentiality and other requirements for conducting audits that may be set forth in the Terms. In the absence of such requirements in the Terms, the following shall apply: Audits shall be:

    1. subject to the execution of appropriate confidentiality undertakings or relying on similar obligations in the Terms;
    2. conducted at a mutually agreed upon time and in an agreed upon manner; and,
    3. at the expense of VistaJet; provided however, that, if audit results find that Supplier is not in compliance with the requirements of this Appendix, then Supplier agrees to work with VistaJet to identify reasonable remediation actions and to promptly take action at Supplier’s expense to correct those matters or items mutually agreed upon by Supplier and VistaJet that are identified in any such audit that require correction. This shall be without prejudice to VistaJet’s rights under Section K below.

  10. Title

    Supplier shall have no right, title or interest in personal data obtained by it from VistaJet and/or from VistaJet’s subsidiaries and/or affiliates as a result of the P.O., and such personal data shall be considered confidential information of VistaJet.

  11. Compliance and Changes

    1. Notwithstanding any contrary provision in the P.O. and/or the Terms, in the event that Supplier is unable to comply with the obligations stated in this Appendix then Supplier shall promptly notify VistaJet, and VistaJet may, in its sole and absolute discretion, take any one or more of the following actions:
      1. suspend the transfer of personal data to Supplier;
      2. require Supplier to cease processing personal data;
      3. demand the secure return or destruction of the personal data; or
      4. immediately terminate the P.O. without any form of liability on the part of VistaJet.
    2. VistaJet may, from time to time, propose to the Supplier any variations to this Appendix which VistaJet reasonably considers to be necessary to address the requirements of the GDPR; provided however, that any such proposed variations shall only become effective upon the mutual written consent of both Parties.

  12. Return or Destruction of Personal Data

    Without prejudice to any other rights of VistaJet under the P.O. or the Terms, upon termination or expiry (whichever comes first) of the P.O. for any reason, Supplier shall promptly contact VistaJet for instructions regarding the return, destruction or other appropriate action with regard to personal data. Upon termination or expiry (whichever comes first) of the P.O. for any reason, or at any time at the request of VistaJet, Supplier shall:

    1. return personal data to VistaJet, and ensure that all electronic copies of such personal data are deleted from Supplier’s (and where applicable, its sub-processors’) systems; or
    2. if requested by VistaJet in writing, promptly destroy, delete and render unrecoverable all tangible and electronic instances of personal data from Supplier’s (and where applicable, its sub-processors’) systems. If requested by VistaJet, Supplier shall provide VistaJet with written confirmation of its compliance with the requirements of this Section.

  13. Privacy Policy

    Supplier shall act consistently with the latest version of VistaJet Privacy Policy (the ‘Policy’), issued by VistaJet and made available at https://www.vistajet.com/privacy-policy/, and shall ensure at all times that Supplier shall not commit any act or omission that may result in VistaJet being in breach of the Policy. The latest version of the Policy is incorporated into this Appendix by reference. It is the responsibility of the Supplier to access the aforementioned website and read the latest version of the Policy from time to time. In the event of any conflict between this Appendix and the Policy, the terms and conditions of this Appendix shall prevail.

  14. Indemnity

    Notwithstanding any contrary provision in the P.O. and/or the Terms, the Parties agree that if VistaJet is held liable for a violation of any of the Sections in this Appendix committed by the Supplier, then the Supplier will, to the extent to which it is liable, indemnify VistaJet for any cost, charge, damages, expenses or loss it has incurred. Indemnification is contingent upon:

    1. VistaJet promptly notifying the Supplier of a claim; and
    2. the Supplier being given the possibility to cooperate with VistaJet in the defence and settlement of the claim.

    This indemnity obligation survives the expiry or termination of the P.O.

Version control

Date                  Version   Description
22nd September, 2017  1         Effective Date
16th May, 2018        2         Revision of version 1