For any questions regarding the protection of your personal data, or for any request for modification or deletion, please contact our Data Protection Officer (DPO), Islam ZOUKHAIEV (islam@mobeetravel.com). All requests will be processed within 48 hours.

Purpose
The purpose of this document is to define the conditions under which the Agency (hereinafter referred to as the “Processor”) undertakes, on behalf of the Client, acting as data controller (hereinafter referred to as the “Client”), to carry out the personal data processing operations defined below.
As part of their contractual relationship, the parties undertake to comply with the applicable regulations relating to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable as of 25 May 2018 (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”).

Description of the processing subject to subcontracting
The Processor is authorized to process, on behalf of the Client, the personal data necessary to provide the service(s) for which it has been engaged.

Services provided:
Airline ticket bookings and other means of transport
Issuance and cancellation of airline tickets and other means of transport
Accommodation reservations
Issuance and cancellation of accommodation bookings
Traveler assistance during travel

Nature of processing operations carried out:
Issuance and sending of all messages related to bookings
Analytical accounting exports
Transmission of national identity data to suppliers and competent authorities
Monitoring, management, and validation of travel arrangements
Transmission of data required for reservations to suppliers

Purpose(s) of processing: Management of the Client’s travel arrangements

Personal data processed:
Last name
First name
Date of birth
Gender
Professional email address
Passport or national identity card number
Passport or national identity card expiration date
Phone number
Client mobility requirements

Categories of data subjects: All individuals who book a trip or submit a request via www.coast-organisation.com

Obligations of the Processor towards the Client
The Processor undertakes to:

1. Process personal data solely for the purpose(s) specified above.

2. Process personal data in accordance with the instructions set out in this annex.
   If the Processor considers that an instruction constitutes a violation of the GDPR or any other applicable data protection law of the European Union or of a Member State, it shall immediately inform the Client.
   If the Processor is required to transfer data to a third country or to an international organization under EU law or the law of the Member State to which it is subject, it shall inform the Client prior to processing, unless such law prohibits such information on important public interest grounds.

3. Ensure the confidentiality of personal data processed under this annex.

4. Ensure that persons authorized to process personal data under this contract:
   – commit themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality
   – receive the necessary training in personal data protection, in particular regarding the GDPR

5. Take into account, with regard to its tools, products, applications, or services, the principles of “Privacy by Design” and “Privacy by Default”.

6. In the event of further subcontracting, if the Processor intends to engage another processor (hereinafter the “Sub-Processor”), it shall inform the Agency in writing in advance, clearly indicating the processing activities subcontracted, the identity and contact details of the Sub-Processor, and the duration of the subcontracting agreement.
   The Client shall have a maximum period of one (1) month from receipt of such information to raise objections. After this period and in the absence of objections, the Processor may proceed with the further subcontracting.
   The Sub-Processor shall be bound by the same obligations as those set out in this contract and shall act solely on the Client’s instructions. The Processor shall ensure that the Sub-Processor provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures in accordance with the GDPR.
   In the event of a failure by the Sub-Processor to comply with its data protection obligations, the Processor shall remain fully liable to the Client for the performance of its obligations.

Right to information of data subjects
It is the Client’s responsibility to inform data subjects of the processing operations carried out on their personal data at the time of data collection.

Exercise of data subject rights
The Processor shall use its best efforts to assist the Client in fulfilling its obligation to respond to requests from data subjects wishing to exercise their rights: right of access, rectification, erasure, and objection, right to restriction of processing, right to data portability, and the right not to be subject to automated individual decision-making (including profiling).
Where data subjects submit requests for the exercise of their rights directly to the Processor, the Processor shall forward such requests to the Client by email upon receipt.

Notification of personal data breaches
The Processor shall notify the Client of any personal data breach within a maximum period of twenty-four (24) hours after becoming aware of it. This notification shall be made by email and by registered letter with acknowledgment of receipt.
Such notification shall be accompanied by all relevant documentation necessary to enable the Client, where appropriate, to notify the competent supervisory authority. Where there is a high risk to the rights and freedoms of a natural person, the Client shall inform the data subject of the personal data breach as soon as possible.

Assistance to the Client
The Processor assists the Client in complying with its obligations, including, where applicable, prior consultation with the supervisory authority.

Security measures
In order to ensure an adequate level of security, the Processor undertakes to implement appropriate security measures, including in particular:
Pseudonymization and encryption of personal data
Implementation of physical security measures, including access monitoring and fire protection
Implementation of logical security measures, including firewalls, antivirus software, and intrusion detection systems
Implementation of access rights and user authorization management procedures
Implementation of measures to secure personal data exchanges (including network security)
Means to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident
A procedure to regularly test, analyze, and evaluate the effectiveness of technical and organizational measures to ensure processing security

Fate of the data
All personal data shall be returned to the Client or transferred to a processor designated by the Client.
Such return or transfer shall be accompanied by the destruction of all existing copies in the Processor’s information systems. Once destroyed, the Processor shall provide written confirmation of the destruction of the data.

Data Protection Officer
The Processor shall provide the Client with the name and contact details of its Data Protection Officer, if one has been appointed in accordance with Article 37 of the GDPR. Failing this, the Processor shall provide the contact details of a person responsible for personal data processing.

Record of processing activities
The Processor declares that it maintains a written record of all categories of processing activities carried out on behalf of the Client, including:
The name and contact details of the Client, any subprocessors, and the Data Protection Officer
The categories of processing activities carried out on behalf of the Client
Transfers of personal data to a third country or an international organization, including identification of such country or organization and documentation evidencing appropriate safeguards
Where possible, a general description of the technical and organizational security measures implemented

Audits
The Agency reserves the right to carry out any verification it deems necessary to assess the Processor’s compliance with its contractual obligations, in particular through audits. The Processor undertakes to respond to audit requests made by the Client, whether carried out by the Client directly or by a trusted third party appointed by the Client, recognized as an independent auditor with appropriate qualifications, and free to provide audit findings and conclusions to the Client.
Audits shall enable verification of compliance with data protection regulations, including review of all security measures implemented by the Processor, examination of data location, copying and deletion logs, analysis of measures implemented to delete data, prevent unlawful data transfers to non-adequate jurisdictions, or prevent transfers to countries not authorized by the Client. Audits shall also ensure that security and confidentiality measures cannot be bypassed without detection and notification.

Documentation
The Processor shall make available to the Client all documentation necessary to demonstrate compliance with its obligations and to enable audits, including inspections, by the data controller or another auditor appointed by it, and shall contribute to such audits.

Obligations of the Client towards the Processor
The Client undertakes to:

1. Provide the Processor with the data referred to in these clauses.

2. Document in writing any instruction relating to the processing of data by the Processor.

3. Ensure, prior to and throughout the duration of the processing, that the Processor complies with its obligations under the GDPR.