Counsel-reviewed template for the seven mandatory data clauses under GDPR Art. 28, with a 2021 EU SCCs Module Two annex outline and a Schrems II Transfer Impact Assessment scaffold. Free, no email gate.
This addendum sits alongside the main hotel contract. Insert the parties' details in the placeholders, complete Annex 1 (data categories), Annex 3 (sub-processor list), and Annex 4 if any non-EEA transfer occurs. The seven clauses below match the framework set out in the companion article. Where a clause says [placeholder], fill in the relevant detail before signature.
This Data Processing Addendum (the "Addendum") is entered into on [date] between:
[Planner legal entity name], a company registered in [jurisdiction] with registered office at [address] (the "Controller"); and
[Hotel legal entity name], a company registered in [jurisdiction] with registered office at [address] (the "Processor").
This Addendum forms part of the Hotel Services Agreement between the parties dated [date] (the "Main Agreement"). To the extent of any inconsistency, this Addendum prevails over the Main Agreement on data-protection matters.
Terms used and not defined here have the meaning given in Regulation (EU) 2016/679 ("GDPR") and, where applicable, the United Kingdom General Data Protection Regulation. "Attendee Personal Data" means personal data of event attendees and Controller staff disclosed by the Controller to the Processor for the performance of the Services, as described in Annex 1.
The Controller is the controller of the Attendee Personal Data. The Processor is the processor. The Processor is a separate controller for any data it collects directly from a guest at check-in for its own contractual purposes with that guest, processed under the Processor's own privacy notice and outside this Addendum.
The Processor shall process Attendee Personal Data only for the purpose of providing the services described in the Main Agreement (the "Services") and only on the documented instructions of the Controller. The Processor shall not use Attendee Personal Data for: (a) marketing or promotional purposes, including loyalty programme enrolment; (b) profiling or automated decision-making; (c) onward transfer outside the sub-processor regime in clause 6; (d) any purpose for which the Processor would itself become a controller under GDPR Art. 4(7). Any processing outside this clause constitutes a material breach.
The categories of personal data and data subjects, the nature and purpose of the processing, and the duration are set out in Annex 1. The Processor shall process only the categories listed; any new category requires a written amendment to Annex 1.
The Controller grants the Processor general written authorisation to engage sub-processors to perform the Services, subject to: (a) the Processor maintaining an up-to-date list (Annex 3) of sub-processors processing Attendee Personal Data and providing it on request and at least 30 days before any new sub-processor begins processing; (b) the Processor ensuring each sub-processor is bound by data-protection terms no less protective than this Addendum; (c) the Controller having the right to object on reasonable grounds; if the objection cannot be resolved within 30 days, the Controller may terminate this Addendum and the Main Agreement insofar as it depends on the affected sub-processor, with full refund of pre-paid sums attributable to undelivered services.
Where the Processor transfers Attendee Personal Data outside the European Economic Area to a country without a European Commission adequacy decision, the parties shall enter into the 2021 EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) using Module Two (Controller-to-Processor), attached at Annex 4. The Processor shall cooperate with the Controller in the Schrems II Transfer Impact Assessment per EDPB Recommendations 01/2020, including by providing local-law information on request. For UK-origin transfers to a non-adequate third country, the parties shall use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs as applicable. For transfers to the United States, the Processor may rely on the 2023 EU-US Data Privacy Framework only where it is currently certified for the relevant data categories, and shall notify the Controller within five business days of any withdrawal or change in certification scope.
The Processor shall notify the Controller without undue delay and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting Attendee Personal Data. The notification shall be in writing to the Controller's DPO at [contact] and shall include, to the extent known: (a) the nature of the breach, the categories and approximate number of data subjects and records affected; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate adverse effects; (d) the name and contact details of the Processor's DPO or equivalent privacy contact. The Processor shall provide updated information as it becomes available and shall cooperate with the Controller in any notification to the competent supervisory authority under Art. 33(1) and to data subjects under Art. 34.
Within thirty (30) days of the end of the Services, the Processor shall, at the written choice of the Controller, return or delete all Attendee Personal Data from production systems. Backups shall be overwritten in the normal backup cycle so that the data is effectively unrecoverable within ninety (90) days. The Processor shall provide a written certification of completion. Any retention required by Union or Member State law (tax law, accounting law, tourism-registration law for foreign guests) shall be identified, the legal basis cited, the data categories specified, the retention period stated, and the retained data segregated from operational systems.
The Controller has: (a) documentary audit rights on demand and at least annually, including the right to request policy summaries, the sub-processor list, training records, and any current ISO 27001 or SOC 2 Type II reports; (b) the right to conduct on-site inspections once per year on 30 days' written notice, with reasonable scope; (c) immediate audit rights, on shorter notice, after a Personal Data Breach or credible evidence of non-compliance. The Processor may substitute current ISO 27001 and SOC 2 Type II reports for some documentary elements where they cover the relevant property and scope. Documentary audits are at the Processor's cost. On-site audits are at the Controller's cost, save where they reveal material non-compliance, in which case the Processor bears the cost.
The Processor's DPO or equivalent privacy contact is named in Annex 5. Any change shall be notified to the Controller within five (5) business days.
Each party shall indemnify the other against losses (including regulatory fines under GDPR Art. 83) arising from that party's breach of GDPR or this Addendum, subject to the liability cap in the Main Agreement and to the apportionment principles in Art. 82.
This Addendum terminates with the Main Agreement, save for the survival of clauses 7 and 8 until completion of return or deletion and provision of the written certification.
This Addendum is governed by the law and subject to the jurisdiction set out in the Main Agreement. Where the Main Agreement is silent, this Addendum is governed by the law of the Controller's Member State.
Signed for the Controller: ________________________ Date: _________
Signed for the Processor: ________________________ Date: _________
Data subjects: attendees of the event; Controller staff with operational roles.
Categories of personal data (tick all that apply):
Subject matter, nature, purpose: delivery of the contracted MICE services (room block, F&B, AV, meeting rooms).
Duration: the duration of the event plus a 30-day post-event tail for billing reconciliation.
Confidentiality: access on a need-to-know basis; signed confidentiality undertakings for staff handling Attendee Personal Data; segregation of guest-data systems from event-data systems.
Integrity: change control on event-data systems; integrity controls on BEO and room-list documents; redaction of named BEOs distributed to operational departments.
Availability and resilience: backup and restore procedures; documented business-continuity plan for the event window.
Encryption: data in transit over public networks encrypted (TLS 1.2 minimum); data at rest in central reservation systems encrypted at the storage layer.
Pseudonymisation: applied where feasible (e.g. dietary preferences keyed to pseudonymous attendee IDs in kitchen lists).
Testing: annual penetration test of the central reservation system; ISO 27001 or SOC 2 Type II certification, where applicable, attached.
The Processor's sub-processors processing Attendee Personal Data are:
Updated: [date]. The Processor shall maintain this list and provide 30 days' notice of changes.
Where required by clause 6, the parties enter into the 2021 EU Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor). The body of the SCCs is incorporated by reference; the parties complete the Annexes below.
Annex I.A — Parties:
Annex I.B — Description of the transfer: Attendee Personal Data as in Annex 1 above, transferred on a continuous basis for the duration of the Services and the 30-day post-event tail; data subjects: attendees; purpose of transfer: delivery of the contracted MICE services.
Annex I.C — Competent supervisory authority: the data-protection authority of the Controller's Member State.
Annex II — Technical and organisational measures: as set out in Annex 2 of this Addendum.
Annex III — Sub-processors: as set out in Annex 3 of this Addendum.
Per EDPB Recommendations 01/2020, six steps:
Controller DPO / privacy contact:
Processor DPO / privacy contact:
| Clause | Status | Counsel note |
|---|---|---|
| 1 · Purpose limitation | | |
| 2 · Data categories | | |
| 3 · Sub-processors | | |
| 4 · International transfers | | |
| 5 · Breach notification | | |
| 6 · Return / delete | | |
| 7 · Audit rights | | |