Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the agreement between RetreatBoss (also RetreaMatch.com and retreatboss.com) and the customer that agrees (or the customer on whose behalf an Administrator agrees) to the Retreatmatch and Retreatboss Terms and Conditions (the “Customer”) in relation to the transfer and processing of Covered Data in connection with the performance of the Services.

  1. DEFINITIONS
    1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Retreatmatch and Retreatboss Terms and Conditions. The following capitalized terms used in this DPA will be defined as follows:

    “Agreement” means the agreement between RetreatBoss and RetreatMatch and Customer comprising the Retreatmatch and Retreatboss Terms and Conditions.

    “Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR, Canadian Laws, Swiss Data Protection Laws and the US Data Protection Laws.

    “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.

    “Contract Administration and Marketing Data” means the Personal Data collected by Retreatmatch and Retreatboss directly from Administrators, as further described in Part 2 of Schedule 1.

    “Controller Purposes” means the purposes identified in Part 2 of Schedule 1.

    “Covered Data” means Personal Data that is: (a) provided by or on behalf of Customer to Retreatmatch and Retreatboss in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Retreatmatch and Retreatboss  or its agents or subcontractors, for the purposes of providing the Services, in each case as further described in Part 1 of Schedule 1.

    “Data Subject” means a natural person whose Personal Data is Processed.

    “Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.

    “EEA” means the European Economic Area including the European Union (“EU”).

    “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR”, as defined in section 3 of the Data Protection Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.

    “Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.

    “Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.

    “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
    “Process”, “Processes” and “Processed” will be interpreted accordingly.


    “Prohibited Personal Data” means: (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and any other special categories of Personal Data identified in Article 9 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Applicable Data Protection Laws; (b) biometric identifiers or templates; (c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard); (d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999; (e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver’s license or passport numbers or other governmentally-issued identification numbers); (f) information relating to individuals under the age of 13; (g) education records, as defined under the Family Educational Rights and Privacy Act of 1974; (h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act.

    “Security Incident” means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.


    “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

    “Sub-processor” means an entity appointed by RetreatBoss and RetreatMatch to Process Covered Data on its behalf.

    “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

    “UK” means the United Kingdom.

    “US Data Protection Laws” means all applicable federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).

    “Usage and Feedback Data” means the Personal Data collected by RetreatBoss and RetreatMatch directly from Administrators and Authorized Users, as further described in Part 2 of Schedule 1.
    1.2 The terms “Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processing” will have the meanings given to them in Applicable Data Protection Laws.

  2. INTERACTION WITH THE AGREEMENT
    2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.

  3. ROLE OF THE PARTIES
    3.1 The Parties acknowledge and agree that:
    1. save as set out in sections 3.1(b) and 3.1(c)(b), RetreatBoss and RetreatMatch acts as a processor or service provider in the performance of its obligations under the Agreement and this DPA and Customer acts as a controller or business;
    2. RetreatBoss and RetreatMatch acts as a controller or business with respect to its Processing of Contract Administration and Marketing Data for the Controller Purposes; and
    3. for the purposes of the GDPR and Swiss Data Protection Laws, RetreatBoss and RetreatMatch acts as a controller with respect to its Processing of Usage and Feedback Data for the Controller Purposes.
  4. DETAILS OF DATA PROCESSING
    4.1 The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
    4.2 RetreatBoss and RetreatMatch shall comply with its obligations under Applicable Data Protection Laws. Save as set out in sections 3.1(b) and 3.1(c), RetreatBoss and RetreatMatch will only Process Covered Data on behalf of and under the instructions of Controller and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall constitute Customer’s instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA.
    4.3 Without limiting the foregoing, save as set out in sections 3.1(b) and 3.1(c), RetreatBoss and RetreatMatch shall not:
    except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that RetreatBoss and RetreatMatch receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
    4.4 RetreatBoss and RetreatMatch will:
    1. provide Customer with information to enable Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws; and
    2. promptly inform Customer if, in its opinion, an instruction from Customer or Customer’s Controller infringes the Applicable Data Protection Laws.

  5. COMPLIANCE
    5.1 Customer shall comply with its obligations as a controller, business or equivalent term under the Applicable Data Protection Laws, and shall:
    1. provide such information to Data Subjects regarding the Processing of their Covered Data in connection with the Customer’s use of the Services as required under Applicable Data Protection Laws;
    2. to the extent required for the lawful Processing of Covered Data under Applicable Data Protection Laws, obtain valid consents from Data Subjects for such Processing in the form required under Applicable Data Protection Laws;
    3. implement appropriate technical and organisational measures to give effect to Data Subject rights under Applicable Data Protection Laws, and shall comply with requests from Data Subjects to exercise their rights under Applicable Data Protection Laws within the timeframe and subject to any exemptions prescribed in the Applicable Data Protection Laws; and
  6. CONFIDENTIALITY AND DISCLOSURE
    6.1 RetreatBoss and RetreatMatch shall:
    1. limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
    2. ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.

  7. SUB-PROCESSORS
    7.1 RetreatBoss and RetreatMatch may Process Covered Data anywhere that RetreatBoss and RetreatMatch or its Sub-processors maintain facilities, subject to the remainder of this section 7.
    7.2 Customer grants RetreatBoss and RetreatMatch general authorisation to engage any of the Sub-processors listed in Schedule 5, as amended in accordance with section 7.4 (the “Authorised Sub-processors”), to Process Covered Data.
    7.3 RetreatBoss and RetreatMatch shall:
    1. enter into a written agreement with each Authorised Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than RetreatBoss and RetreatMatch’s obligations under this DPA; and
    2. remain liable for each Authorised Sub-processor’s compliance with the obligations under this DPA.
    7.4 RetreatBoss and RetreatMatch will provide Customer with at least thirty (30) days’ notice of any proposed changes to the Authorised Sub-processors. Customer shall notify RetreatBoss and RetreatMatch if it objects to the proposed change to the Authorised Sub-processors (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing RetreatBoss and RetreatMatch with written notice of the objection within thirty (30) days after RetreatBoss and RetreatMatch has provided notice to Customer of such proposed change (an “Objection”).

    7.5 In the event Customer submits an Objection to RetreatBoss and RetreatMatch, RetreatBoss and RetreatMatch and Customer shall work together in good faith to find a mutually acceptable resolution to address such Objection. If RetreatBoss and RetreatMatch and Customer are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, Customer may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to RetreatBoss and RetreatMatch.

  8. DATA SUBJECT RIGHTS REQUESTS
    8.1 RetreatBoss and RetreatMatch will promptly notify Customer of any request received by RetreatBoss and RetreatMatch or any Authorised Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws (a “Data Subject Request”).
    8.2 Other than in respect of the Processing referred to in sections 3.1(b) and 3.1(c), as between the Parties, Customer will have sole discretion in responding to the Data Subject Request, and RetreatBoss and RetreatMatch shall not respond to the Data Subject Request, save that RetreatBoss and RetreatMatch may advise the Data Subject that their request has been forwarded to Customer.
    8.3 RetreatBoss and RetreatMatch will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

  9. SECURITY
    9.1 RetreatBoss and RetreatMatch will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorised or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
    9.2 When assessing the appropriate level of security, RetreatBoss and RetreatMatch shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
    9.3 RetreatBoss and RetreatMatch will implement and maintain as a minimum standard the measures set out in Schedule 2.

  10. INFORMATION AND AUDITS
    10.1 RetreatBoss and RetreatMatch shall notify Customer promptly if RetreatBoss and RetreatMatch determines that it can no longer meet its obligations under Applicable Data Protection Laws.
    10.2 Customer may take reasonable and appropriate steps to:
    1. ensure that RetreatBoss and RetreatMatch uses Covered Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws; and
    2. upon reasonable notice, stop and remediate unauthorized use of Covered Data.
    10.3 Customer may, not more than once a year, audit RetreatBoss and RetreatMatch’s compliance with this DPA. The Parties agree that all such audits will be conducted:
    1. upon reasonable written notice to RetreatBoss and RetreatMatch;
    2. only during RetreatBoss and RetreatMatch’s normal business hours; and
    3. in a manner that does not materially disrupt RetreatBoss and RetreatMatch’s business or operations.
    10.4 With respect to any audits conducted in accordance with section 10.3:
    1. Customer may engage a third-party auditor to conduct the audit on its behalf;
    2. RetreatBoss and RetreatMatch shall not be required to facilitate any such audit unless and until the parties have agreed in writing on the scope and timing of such audit.
    10.5 Customer shall promptly notify RetreatBoss and RetreatMatch of any non-compliance discovered during an audit.
    10.6 The results of the audit shall be RetreatBoss and RetreatMatch’s Confidential Information.
    10.7 RetreatBoss and RetreatMatch may, in response to any audit request submitted by Customer to RetreatBoss and RetreatMatch, provide the following:
    1. data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
    2. such other documentation reasonably evidencing the implementation of the technical and organisational data security measures in accordance with industry standards.
    10.8 If an audit requested by Customer is addressed in the documents or certification provided by RetreatBoss and RetreatMatch in accordance with section 10.7, and:
    1. the certification or documentation is dated within twelve (12) months of Customer’s audit request; and
    2. RetreatBoss and RetreatMatch confirms that there are no known material changes in the controls audited,
    Customer agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.

  11. SECURITY INCIDENTS
    11.1 RetreatBoss and RetreatMatch shall notify Customer in writing without undue delay after becoming aware of any Security Incident.
    11.2 RetreatBoss and RetreatMatch shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
    11.3 RetreatBoss and RetreatMatch shall provide reasonable assistance with Customer’s investigation of any Security Incidents and any of Customer’s obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
    11.4 RetreatBoss and RetreatMatch’s notification of or response to a Security Incident under this section 11 shall not be construed as an acknowledgement by RetreatBoss and RetreatMatch of any fault or liability with respect to the Security Incident.

  12. TERM, DELETION AND RETURN
    12.1 This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, RetreatBoss and RetreatMatch’s deletion of all Covered Data as described in this DPA.
    12.2 RetreatBoss and RetreatMatch shall:
    1. if requested to do so by Customer within thirty (30) days of expiry of the Agreement (the “Retention Period”), provide a copy of all Covered Data in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Covered Data; and
    2. on expiry of the Retention Period, delete all copies of Covered Data Processed by RetreatBoss and RetreatMatch or any Authorised Sub-processors, other than any Contract Administration and Marketing Data and Usage and Feedback Data Processed for the Controller Purposes.

  13. STANDARD CONTRACTUAL CLAUSES
    13.1 The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to the transfer of any Covered Data from Customer to RetreatBoss and RetreatMatch, and form part of this DPA, to the extent that:
    1. the GDPR or Swiss Data Protection Law applies to the Customer when making that transfer; or
    2. the Applicable Data Protection Laws that apply to the Customer when making that transfer (the “Exporter Data Protection Laws”) prohibit the transfer of Covered Data to the RetreatBoss and RetreatMatch under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
      1. the relevant authority with jurisdiction over the Customer’s transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or
      2. such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
      3. established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
    3. the transfer is an “onward transfer” (as defined in the applicable module of the SCCs).
    13.2 The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.

  14. DEIDENTIFIED DATA
    14.1 If RetreatBoss and RetreatMatch receives Deidentified Data from or on behalf of Customer, RetreatBoss and RetreatMatch shall:


  15. GENERAL
    15.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
    15.2 The Parties agree that any limitations on either Party’s liability under the Agreement shall not apply to any claims, losses or damages arising in respect of a breach of the SCCs.
    15.3 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.
