Version: 22.12.2025
Annex GTC-DP
(Legally non-binding English translation of the German version)
1. Subject, type and purpose of data processing, type of data and categories of data subjects
1.1 Subject of data processing
The Contractor processes personal data collected from the Client for the purpose of fulfilling the main contract (e.g., personal data of application users). This data is required in particular to process ticket bookings, payments, and, if applicable, cancellations and refunds, and to inform the Client about product updates to the software provided for booking, rebooking, and canceling transportation and accommodation services for business trips (hereinafter referred to as the "SaaS application").
1.2 Type and purpose of data processing
The processing by the Contractor encompasses all types of processing within the meaning of Article 4 No. 2 GDPR, in particular the collection, recording, storage, retrieval, and transmission of personal data. The purpose of the processing is the provision of the services agreed upon in the main contract by the Contractor, in particular the collection and transmission of personal data for booking travel services, and the recording, querying, and transmission of personal data within the scope of the support service for booking, rebooking, or canceling travel services.
1.3 Type of data
| Data category | List of specifically processed data |
| --- | --- |
| Personal data required for the user account of the SaaS application | Name, first name(s), gender, date of birth, business contact details (email address, mobile phone number), assigned user role in the SaaS application, organizational assignment (e.g. cost centers, assigned travel managers) |
| Personal data that can be stored optionally or in connection with travel | Title, employee number, initials, private contact details (email address, mobile phone number), ID or passport details (date of birth, place of birth, ID card or passport number, passport type, nationality, country of residence, country of issue, issue date, expiry date), visa or entry-relevant data (e.g., Alien Registration Number, Known Traveler Number, Redress Number), private or business bonus and discount cards, preferences (e.g., home or office address), email address, Airbnb account |
| Personal travel data | Personal data relating to, for example, travel inquiries, booking data, travel requests, rebookings, cancellations, service requests, receipts, daily allowances, mileage allowances, invoices |
| Personal user data | Access and usage-related personal data (e.g., login and log data) as well as video and audio recordings of web meetings, subject to separate consent of the data subjects for each recording (e.g., implementation sessions for the SaaS application) |
| Special categories of personal data | Health data voluntarily provided by the user (e.g., food intolerances when booking accommodation, requests for accessible travel services) |
1.4 Categories of data subjects
| Data subject group | Description | Examples |
| --- | --- | --- |
| Employees of the Client / the controller | The Client's (controller's) own employees who administer the user account of the software or are set up as users of the software. | Employees, trainees, former employees |
| Other third parties | Other third parties, insofar as the Client books travel services for these persons. | Business contacts, relatives and other private individuals |
2. Recipient of instructions at the Contractor
Dr. Veit Blumschein, Managing Director, Tel: +49 89 21540710, [email protected]
3. Data Protection Officer
Dominik Fünkner, Proliance GmbH, Leopoldstraße 21, 80802 Munich
[email protected], Tel: +49 89 250039222
4. Technical and Organizational Measures
The term ‘IT systems’ used in this No. 4 refers to the data processing systems used by the Contractor for the purpose of order processing, such as the SaaS application and supporting IT applications.
4.1 Measures for pseudonymization (Art. 32 para. 1 lit. a GDPR)
- Review, as a matter of principle, before changes to procedures or before the introduction of new procedures, of the extent to which personal data can be pseudonymized.
- Review, as a matter of principle, of data flows to determine the extent to which personal data can be pseudonymized.
4.2 Encryption measures (Art. 32 para. 1 lit. a GDPR)
- Regulations and measures for the use of cryptographic methods.
- Encryption of computer data storage devices.
- Use of transport encryption methods for data transmissions.
- Review, as a matter of principle, before changes to procedures or before the introduction of new procedures, of the extent to which (personal) data can be encrypted.
4.3 Measures to ensure the confidentiality, integrity, availability and resilience of the systems and services (Art. 32 para. 1 lit. b GDPR)
- Operating an information security management system in accordance with ISO/IEC 27001.
- Regulations and measures for physical security, access control and visitor regulations for the office areas.
- Operating the SaaS application on company-owned hardware in highly secure external data centers in Germany (co-location approach).
- Restricted access to the infrastructure required for the operation of the SaaS application.
- Regulations and measures for identity, user and access management for all IT systems.
- Regulations and measures for secure authentication on IT systems.
- Regulations and measures for handling confidential authentication information.
- Established role and authorization concepts for IT systems, taking into account the need-to-know principle.
- Regulations and measures for the restrictive granting of extended or administrative permissions in IT systems.
- Regulations and measures for the effective separation of customer data.
- Use of firewall systems.
- Regulations and measures for information classification and the handling of classified information.
- Regulations and measures for the protection of confidential data in the workplace.
- Regulations and measures for managing service providers.
- Regulations and measures for the management, use and disposal of equipment.
- Regulations and measures for patch and vulnerability management for IT systems.
- Regulations and measures for logging and monitoring the SaaS application.
- Regulations and measures for the secure development of the SaaS application.
4.4 Measures to ensure the ability to quickly restore availability (Art. 32 para. 1 lit. c GDPR)
- Maintaining redundancies to increase resilience and ensure a quick resumption of operations in failure scenarios.
- Regulations and measures for data backup and system and data recovery of the SaaS application.
- Regulations and measures for security incident management.
- Regulations and measures for business continuity management.
4.5 Measures for reviewing, assessing and evaluating the effectiveness of the measures (Art. 32 para. 1 lit. d GDPR)
- Regulations and measures for measuring and monitoring the information security management system.
- Regulations and measures for conducting internal audits.
- Continuous review and further development of technical and organizational measures.
4.6 Supplementary measures
- Establishment of an internal data protection, quality and information security organization.
- Appointment of a data protection officer.
- Consideration of the principles of “privacy by design” and “privacy by default” in the design and further development of the SaaS application.
- Implementation of awareness-raising and training measures.
- Commitment to data secrecy and confidentiality.
5. Subcontractors
The Contractor's subcontractors are:
| Subcontractor | Processed data categories | Description of the activity | Location of data processing |
| --- | --- | --- | --- |
| Aircall SAS | See notes 4, 5 | Telecommunications software for customer support | France |
| Amadeus IT Group | See notes 4, 5, 6, 7 | Travel aggregator for transport and accommodation services | Spain |
| Callattack SL | See notes 4, 5, 6 | Service provider for the preparation and billing of accommodation services | Spain |
| CloudTalk sro | See notes 4, 5 | Telecommunications software for customer support | Slovakia |
| Demodesk GmbH | See note 4 | Service provider for web meetings | Germany |
| Distribusion Technologies GmbH | See notes 4, 5, 6, 7 | Travel aggregator for transportation services | Germany |
| ehotel AG | See notes 4, 5, 6, 7 | Travel aggregator for accommodation services | Germany |
| Expedia Inc. | See notes 4, 5, 6, 7 | Travel aggregator for transport and accommodation services | USA |
| Event Logic Digital Solutions Europe AB | See notes 4, 5, 6, 7 | Accommodation service provider for group travel | Sweden |
| Google Cloud EMEA Limited | See notes 4, 5, 6, 7 | Service provider for office applications and map services | Ireland |
| Katanox BV | See notes 4, 5, 6, 7 | Travel aggregator for accommodation services | Netherlands |
| Maesn GmbH, Kasernenstraße 67, 40213 Düsseldorf | See notes 4, 6 | Service provider for interfaces to accounting systems (see note 8) | Germany |
| refundrebel GmbH | See notes 4, 5, 6 | Service provider for rail travel compensation (see note 8) | Germany |
| Trainline.com Limited | See notes 4, 5, 6, 7 | Travel aggregator for rail journeys | United Kingdom |
| Travelfusion Ltd. | See notes 4, 5, 6, 7 | Travel aggregator for flights | United Kingdom |
| Typeform SL | See note 4 | Creation of online forms and surveys | Spain |
| Twilio Sendgrid | See notes 4, 5, 6, 7 | Sending transactional emails | USA |
| Zendesk Inc. | See notes 4, 5, 6, 7 | Software for customer support requests | USA |
Notes:
1. An adequacy decision pursuant to Art. 45 para. 3 GDPR has been issued.
2. The subcontractor is certified under the EU-US Data Privacy Framework.
3. Agreement on standard contractual clauses pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
4. Professional contact details as well as work and organizational data (if required for booking).
5. Private contact and identification details (if required for booking).
6. Transaction data.
7. Special categories of personal data.
8. Only after prior authorization by the customer.