General Terms and Conditions For The Online-Reservation-Tool

Hospitality Digital GmbH Metro-Strasse 1, 40235 Düsseldorf ("H.d") offers companies from the hotel and restaurant industry (" Principal") free services that are provided exclusively through the Internet and that are described in further detail below (" Services"). Some Services may only become available once the Principal has registered.

1. Scope of Application

1.1 H.d shall provide the Services and other benefits only based on the terms and conditions below ("GTC").

1.2 Any deviating terms and conditions of the Principal shall not apply, even if H.d does not specifically reject these and/or provides the Services and/or other benefits without reservation in full knowledge of the contrary and/or deviating terms and conditions of the Principal.

2. Scope of Services

2.1 The Services include the following benefits provided by H.d for the term of the agreement:

(a) H.d shall provide the Principal with hosted storage space to be used on the systems of H.d, which the Principal may access via the Internet (" Hosted Storage Space"), see section 4.

(b) H.d shall grant the Principal online access to software that enables the Principal to manage, implement and use the Online-Reservation-Tool on its website, ("Software"), see section 5 and to store the data collected in connection with the Online-Reservation-Tool in the Hosted Storage Space.

2.2 H.d may adjust the Services and other benefits to the state of the art and technical developments or necessities, provided the respective adjustment is within reason for the Principal. H.d may discontinue the Services and other benefits with a reasonable notice period. H.d shall inform the Principal about the discontinuation of the Services in a timely manner.

3. Principal's Obligations

3.1 The Principal shall keep the business and contact information provided at the conclusion of the agreement current for the entire term of the agreement and shall promptly inform H.d of any changes. The Principal shall furthermore ensure that the e-mail address provided to H.d is regularly accessed in order to obtain information that is relevant for the agreement.

3.2 The Principal shall protect all access information received by the Principal from H.d against any access from unauthorized third parties. The Principal shall inform H.d as soon as the Principal has a reasonable suspicion or knowledge of a potential misuse of the access information provided.

3.3 The Principal is aware that his use of the Online-Reservation-Software may be associated with H.d. Therefore, the Principal shall take all steps necessary to keep the services offered by Principal and the services offered by H.d or third parties separate in terms of their content.

3.4 Should the Principal find out that their use of the Services or other benefits lead to a violation of the law, the Principal shall be required to immediately cease and desist from violating the law and delete any illegal content.

4. Special Hosted Storage Space Provisions

4.1 The Hosted Storage Space is provided to the Principal free of charge. Consequently, H.d cannot guarantee a particular availability of the Hosted Storage Space. Furthermore, the Hosted Storage Space shall be unavailable during necessary maintenance work. H.d shall strive to keep any impairment caused by maintenance work as low as possible. H.d shall provide the Principal with the other performance specifications of the Hosted Storage Space prior to the conclusion of the agreement.

4.2 The Principal undertakes and warrants that all files, including HTML and other documents, texts, pictures, graphics, fonts, videos, etc., (" Content") shall be stored, published, and/or made available on the Hosted Storage Space and/or with the help of the Software in accordance with applicable law. The Principal shall specifically only store Content on the Hosted Storage Space and/or with the help of the Software for which the Principal holds the required rights, including use and exploitation rights under copyright law, and that such Content does not infringe any personal rights of third parties. Furthermore, the Principal shall not store, publish, and/or make available on the Hosted Storage Space and/or with the help of the Software any Content that is of an immoral, in particular pornographic, racist, or discriminatory nature. H.d shall be entitled to delete any Content that is stored on the Hosted Storage Space and/or with the help of the Software in violation of this section 4 and of which H.d is informed by government agencies, courts, the holder of rights, or other third parties or of which it gains knowledge in another way.

4.3 The Principal shall grant H.d the necessary rights to all Content that the Principal stores, publishes, and/or makes publicly available on the Hosted Storage Space and/or with the help of the Software, in particular the rights required to store the Content, to make technical adjustments to it, to make it publicly available, and to copy it. H.d may only have access to the Principal's Content on the Hosted Storage Space to the extent this is technically necessary to provide and/or publish the Content and to the extent this corresponds to the contractually granted authorizations.

4.4 Furthermore, the Principal may not run or arrange to run any automated processes, scripts, software or other data and/or Content on the Hosted Storage Space and/or or take any steps or have any steps taken (with the help of the Software), which would more than even insignificantly impair systems, networks, and/or other hardware and software such as network components of H.d and/or third parties. In the event that H.d learns of such impairment, H.d shall be entitled to stop such impairment and/or prevent it.

4.5 The Principal shall perform data backups on a daily basis in order to be able to recover the Content of the Hosted Storage Space without any additional cost.

4.6 As the Principal acts as a responsible party to the user/end user, the Principal is obliged to keep an imprint on his website, which contains all mandatory information.

5. Special Software Provisions

The Principal may not access or use the Software on behalf of a third party or for other purposes. The Principal shall specifically not be authorized to copy the Software, to make it available to third parties, to disassemble the Software, or to modify it in any other way.

6. Conclusion of the Agreement, Duration, Termination

6.1 The agreement shall be deemed as concluded when the Principal accepts the offer for the conclusion of an agreement governing the Services and other benefits by H.d. Acceptance generally takes place by H.d commencing with the provision of the Services.

6.2 This agreement shall be concluded for an indefinite period and may be terminated by the Principal at any time and by H.d with a notice period of two (2) weeks.

6.3 H.d shall communicate terminations either in writing or by email. The Principal generally terminates by selecting in the Software the respective option to delete its content and then confirming it.

6.4 This shall not affect the Parties' rights to terminate the agreement without notice for good cause. Good cause is given in particular if the Principal does not meet one of the obligations set forth in sections 3, 4, 5, 6, 10.2, and 10.3.

6.5 Upon having terminated the agreement, regardless of the grounds, H.d shall delete all data stored by the Principal on the Hosted Storage Space within the context of the contractual relationship within thirty (30) days, unless the Principal performs the deletion themselves with the help of the Software.

7. Warranty and Liability, Indemnification

7.1 With regard to the Services and benefits that H.d provides to the Principal free of charge, H.d shall reimburse the Principal only for damages incurred by the Principal due to fraudulently concealed defects. H.d shall not bear any further liability for defects of title and/or material defects for Services and benefits provided free of charge.

7.2 H.d, their vicarious agents, or their legal representatives shall be liable for the Services and benefits provided by H.d to the Principal free of charge only in cases of intent, gross negligence, or a culpable loss of life, bodily injury, or damage to health as well as for fraudulently concealed defects. In the event of lost data, the liability of H.d shall, however, only be limited to the recovery costs that would have been incurred if the data had been backed up on a daily basis. Liability pursuant to the German Product Liability Act and the Minimum Wage Act shall remain unaffected.

7.3 Only the Principal shall be responsible for the Content. Therefore, the Principal shall upon first request indemnify and hold H.d, their vicarious agents and legal representatives, and all companies affiliated with H.d pursuant to Sec. 15 of the German Stock Corporation Act (AktG) harmless of any third-party claims asserted against H.d, their vicarious agents, legal representatives and/or companies affiliated with H.d due to or in connection with the Services and other benefits. This shall specifically apply for all trademark, copyright, data protection, and competition violations. This indemnification shall comprise the necessary legal costs including costs for arbitration proceedings as well.

8. Data Protection, Confidentiality

8.1 H.d is responsible for the processing of the personal data collected by the Principal. H.d processes the personal data exclusively for the execution of this agreement, for example to establish contact and to provide the services. Without the provision of this personal data, the execution of the agreement is not possible. This processing of personal data is based on Article 6 Para. 1 Clause 1 (b) of the General Data Protection Regulation (GDPR). The personal data of the Principal will be deleted after termination of the agreement, unless there are legal obligations that require the personal data to be stored for a longer period. In this case, the personal data cannot be used for other purposes and then is deleted as soon as the statutory retention period has expired. For the purposes of agreement implementation, H.d uses the support of service providers, for example in the field of hosting, for maintenance and other services. These service providers may be external companies as well as companies affiliated with H.d in accordance with Section 15 et seqq. of the German Stock Corporation Act (AktG) through contractual agreements with the service providers, H.d ensures that this personal data is processed in accordance with the requirements of the GDPR. This also applies if the personal data should be processed outside the EU/EEA. To exercise the rights of the Principal in accordance with the GDPR,

· Information about the processing of his personal data as well as a copy of this data (Art. 15 GDPR),

· Correction of incorrect data and completion of incomplete personal data (Art. 16 GDPR),

· Deletion of his personal data and, if made public, that H.d informs other persons responsible about the deletion request (Art. 17 GDPR),

· Limitation of the processing of his personal data (Art. 18 GDPR),Data portability, so that his personal data is given to him in a structured, common and machine-readable format and the right to transfer this data to another responsible person without hindrance by H.d (Article 20 GDPR) and

· to appeal against data processing (Art. 21 GDPR)

the customer can contact the data protection officer of H.d (privacy@hd.digital) at any time. The client also has the right to complain to the competent supervisory authority, as far as the client considers the data processing as incompatible with the GDPR (Art. 77 GDPR)

8.2 In respect of third parties, the Principal shall be exclusively responsible for compliance with the respective data protection provisions, which includes compliance with existing obligations to furnish information in connection with the website that the Principal created with the Software.

8.3 The Parties shall not make any confidential information accessible to third parties for the duration of the agreement and two years thereafter and shall not use it for any purposes that do not serve the agreement. All information pertaining to technical information and know-how provided to the Principal as well as information that is identified by one of the Parties as confidential and that is of economic value shall be considered as confidential.

8.4 The duty to confidentiality shall not extend to information that became known to the other party without one of the Parties breaching confidentiality or that became or already is public knowledge or that must be made available to third parties due to statutory provisions, a court order, or an administrative order or that is reviewed by an obligated third party, who has been sworn to secrecy, intending to purchase one of the companies.

9. Remuneration

9.1 The Principal shall not owe any remuneration for the provision of the Services by H.d. The Services shall be provided free of charge.

9.2 Any third party services provided within the context of expanded services shall not be affected by section 9.1.

10. Miscellaneous Provisions

10.1 H.d may have a part of or the entire performance they owe within the provisions of this agreement, in particular the Services, rendered by subcontractors. H.d intends to have these Services rendered by their subsidiary Hospitality. Systems GmbH.

10.2 H.d may amend these GTC upon prior notification of the Principal, including intended amendments. H.d may only amend these GTC to the extent that this is reasonable for the Principal, such amendment does not apply to one of the main contractual obligations orto the extent that the Principal is not put in an overall inferior situation by the amendment. The already intended transferal of rights and obligations of H.d described herein to their subsidiary Hospitality. Systems GmbH shall be deemed as reasonable. The Principal may challenge an amendment of the GTC within four (4) weeks from receipt of the notification or terminate the agreement without notice. Should the Principal not challenge the amendment of the GTC or not within the notice period, their consent to the amendment of the GTC shall be assumed. H.d shall inform the Principal of the consequences of a failure to challenge and the right to terminate the agreement without notice in all notifications applicable to an amendment of the GTC.

10.3 Should a provision of this agreement be or become, either in full or in part, invalid, ineffective, impracticable, or unenforceable (" Erroneous Provision"), the effectiveness and enforceability of the other provisions of this agreement shall not be affected. Instead, the Parties already now undertake to agree in place of the Erroneous Provision to such a provision, which, to the extent permitted by law, comes closest to what the Parties had wanted in accordance with the sense and purpose of the agreement, if they had recognized the error of the provision. If the provision is erroneous due to the extent of the service or the time, (deadline or due date) determined therein, the provision should be agreed with an extent permitted by law that comes closest to the original extent. The same shall apply to any loopholes in this agreement. It is the expressed intention of the Parties that this severability clause does not result in a mere reversal of the burden of proof, but that Sec. 139 of the German Civil Code (BGB) as a whole shall not apply.

10.4 This agreement and all claims and rights based on or in connection with this agreement shall exclusively be governed by German law and shall be interpreted and enforced under German law. The conflict of laws provisions shall not apply. The United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply.

10.5 The exclusive place of jurisdiction for all disputes arising from or in connection with this agreement, its conclusion, or its execution shall be Düsseldorf - to the extent this is permitted under the law.

Stand: Mai 2018/AG

ORDER PROCESSING

By confirming the above General Terms and Conditions, the Principal ("Person Responsible") and H.d ("Processor"), collectively referred to as "Parties", individually as "Party", also enter into the following Data Processing Agreement ("DPA").

Preamble

In the context of its business activities and in accordance with the above General Terms and Conditions, the Processor receives personal data for which the Person Responsible is accountable. The Parties agree on the provisions of this DPA ,in order to comply with the data protection obligations of the parties in accordance with European data protection law, in particular the General Data Protection Regulation (Article 28 GDPR).

1. Definitions

1.1 Personal Data means any information relating to an identified or identifiable natural person ("Person Concerned"). A natural person is considered to be identifiable when they can be directly or indirectly identified in particular by association with an identifier, such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person (hereinafter "Data").

1.2 Data processing on behalf of someone is the collection, processing, or use of data by the Processor on behalf of the Person Responsible.

2. Subject and content of the order

2.1 Subject and duration of the order

The details and the duration of the order result from the above General Terms and Conditions.

2.2 Type of data

The type of data is described in more detail in the General Terms and Conditions and in the Privacy Policy.

2.3 Purpose of the collection, processing, or use of the data

The purpose of the collection, processing, or use of data is described in more detail in the General Terms and Conditions and Privacy Policy.

2.4 Nature and extent of the collection, processing, or use of the data

The nature and extent of the collection, processing, or use of the data is described in more detail in the General Terms and Conditions and Privacy Policy.

2.5 Category of Persons Concerned

(a) Own data of the Principal

(b) Clients

2.6 Technical and organizational measures

(a) The technical and organizational measures to be implemented by the processor shall be set out in the Annex (see below) to this DPA. The Processor will regularly adapt these measures to the prior art at his own expense, provided that the agreed level of protection is not lowered and the Persons Responsible are immediately informed.

(b) The Processor is required to allow the Person Responsible to verify on-site compliance with the technical and organizational measures before commencing the processing activities under this contract. The audit right of the Person Responsible according to Number 2.10 remains unaffected.

(c) The processor shall ensure that the data processing systems used in the framework of the DPA comply with the standards of "privacy by design" and "privacy by default" in accordance with the prior art.

2.7 Correction, deletion and blocking of data, right to data portability, and right to object

(a) The rights of the persons involved in the processing of data by the processor, in particular rectification, erasure and blocking, data portability, and opposition shall be asserted against the controller. He alone is responsible for the protection of these rights.

(b) In the course of his work for the Person Responsible, the Processor is obliged to forward any request addressed to him by affected persons to the person responsible for proper processing without delay. If the Person Responsible and the Processor jointly act as external persons responsible, the Processor is entitled to answer this request independently.

(c) The Processor is also required to assist the Person Responsible with appropriate technical and organizational measures to comply with his obligation to reply to the persons concerned.

(d) In accordance with the instructions of the Person Responsible, the Processor shall rectify, suspend and/or erase data immediately, but no later than within five (5) days, and inform the Processor by that deadline.

2.8 Duties of the Processor

(a) The Processor may collect, process, and use data only in the context of the order and the documented instructions of the Person Responsible.

(b) The Processor has to comply with the technical and organizational measures, as defined in Clause 2.6 of this DPA at regular intervals and submit it on request.

(c) The Data Protection Officer is named as contact person for data protection at the Processor. This can be reached at privacy@hd.digital. If necessary, the Processor also appoints a representative in accordance with the requirements of Art. 27 GDPR.

(d) The Processor is responsible for maintaining confidentiality.. Any person at the Processor authorized to access the data of the Person Responsible shall be required to be bound by a duty of confidentiality or subject to reasonable professional secrecy and must be informed of the special data protection obligations arising from this DPA, as well as, the existing instructions and purpose. The Processor will document these obligations in writing and provide them at the request of the Person Responsible.

2.9 Justification of subcontracting conditions

(a) The justification for subcontracting relationships is permitted. The Processor shall inform the Person Responsible about the corresponding change in advance. The Person Responsible has a right to object.

(b) In the case of a commissioning from other processors, the Processor shall contractually ensure that the obligations of the Processor assigned under this DPA also apply in accordance with the other Processor.

(c) The Processor shall control the technical and organizational measures taken by the other processors on an ad hoc and regular basis during the subcontracting period to protect the data he has provided. The transfer of data is only permitted if the other Processor has implemented the necessary technical and organizational measures at least in accordance with the specifications of this DPA.

(d) The Processor shall be fully liable for the subcontractors he employs.

2.10 Audit rights of the Person Responsible

The Person Responsible is authorized to verify compliance with applicable data protection regulations and the DPA during normal business hours. The Processor agrees to provide the Person Responsible with all information reasonably necessary to carry out the inspection within a reasonable period of time. Where the Person Responsible considers that an on-site audit is required of the Processor, the Processor shall ensure that the person responsible for carrying out the audit has access to the Processor's office and an on-site inspection of the stored data and the data processing programs. The Person Responsible is entitled to have the test carried out by a third party (examiner) to be named in individual cases. The Person Responsible must announce the execution of such an audit in writing at least twenty (20) working days in advance. The cost of carrying out the audit and the costs incurred by the Processor at normal market rates are borne by the Person Responsible.

2.11 Notifications of Violations by the Processor

(a) The Processor shall notify the Person Responsible without delay, and at the latest within forty-eight (48) hours of such discovery, of all cases in which the Processor or persons or subcontractors employed by him/her have infringed the rules governing the protection of the data of the Person Responsible or the conditions set out in this DPA.

(b) The Person Responsible shall be notified of any incidents of loss or unlawful transmission or receipt by third parties, regardless of the cause. The Processor shall, in consultation with the Person Responsible, take appropriate measures to safeguard the data and to mitigate the possible adverse consequences for the persons concerned. To the extent that the persons responsible meet the notification obligations, the Processor shall assist the Person Responsible in fulfilling these obligations.

2.12 Instructions by the Person Responsible

(a) The processing of data of the Person Responsible by the Processor shall be carried out solely in the context of the DPA and the specific instructions reported by the Processor.

(b) The Processor shall, without delay, comply with (individual) instructions concerning the nature, extent and method of processing, or, if applicable, within the time limit set by the Person Responsible.

(c) The Processor shall notify the Person Responsible without delay if, in the opinion of the Processor, instructions issued by the Person Responsible violate data protection regulations. The Processor shall be entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by a Person Responsible.

2.13 Deletion after completion of the order

After completion of the contractual work, the Processor must hand over all data that he has processed for the Person Responsible or, with the prior consent of the Person Responsible, destroy it according to data protection or delete it in accordance with the prior art. A right of retention is excluded with regard to the documents, data, processing, and usage results and the associated data carriers, unless the law of the European Union or of an EU member state requires the data to be stored.

3. Further obligations of the Processor

3.1 The Processor uses the data provided for data processing for no other purpose. Copies or duplicates without knowledge and without the prior written consent of the Person Responsible may not be created, unless this is due to the services ordered in the DPA. The Processor shall ensure that the data processed by him for the Person Responsible is separated from other data. A transmission of data of the Person Responsible by the Processor to third parties does not take place without the written consent of the Person Responsible.

3.2 The Processor shall provide reasonable assistance to those responsible in defending against claims based on a purported or actual breach of data protection requirements. The Person Responsible will, for his part, investigate the complaints of data subjects in the context of the data protection responsibility of the Person Responsible in an appropriate manner and process complaints from data subjects.

3.3 The Processor acknowledges that information is given to affected persons on the basis of a right to information exclusively via the Person Responsible or a person authorized by the Person Responsible. The Processor is obliged to provide the Person Responsible with the required information in good time and to support the Person Responsible. If the Processor himself also acts as the external Person Responsible, these inquiries can also be answered accordingly and the Person Responsible informed accordingly.

3.4 The Processor shall assist the controller in the preparation of necessary procedure indexes, where applicable.

3.5 The Processor shall assist the Person Responsible in carrying out data protection impact assessments when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.

3.6 The Processor agrees to inform the Person Responsible without delay of the results of inspections by the data protection supervisory authorities, insofar as these are related to this DPA. The Processor will inform those responsible about any complaints by the data protection supervisory authorities that relate to the area of ​​responsibility of the Processor and will remedy any identified complaints as required by law.

4. Liability

4.1 The Person Responsible is responsible for the permissibility of the data processing, as well as, for the protection of the rights of the data subjects.

4.2 By derogation from section 4.1, the Processor is responsible for claims of data subjects due to violations of the applicable legal provisions or the provisions of the DPA.

4.3 In relation to the Person Responsible, the Processor is only liable for intent and gross negligence within the scope of the legally permissible exclusion of liability and limitations.

5. Final provisions

5.1 The Controller shall inform the Processor immediately and in full if he finds errors or irregularities in the processing of the data by the Processor during the audit.

5.2 This DPA may be modified and terminated under the same terms and conditions as the above General Terms and Conditions.

5.3 The invalidity of one or more provisions of this DPA does not affect the effectiveness of the DPA. In the case of the ineffectiveness of one or more provisions of this DPA, the Parties shall take a legally effective substitute provision as economically as possible in the case of the ineffective provision. The same applies in case of a loophole.

5.4 The DPA is subject to the same right as the above General Terms and Conditions.

5.5 In case of contradictions between the DPA and other agreements between the parties, the provisions of this DPA prevail.

Status: 2018/ AG


Technical and organizational measures

Taking into account the prior art, the implementation costs and the nature, scope, circumstances, and purposes of the processing and the different likelihood and severity of the risk to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk; These measures include, inter alia, the following:

• the pseudonymisation and encryption of the data;

• the ability to permanently ensure the confidentiality, integrity, availability, and resilience of processing systems and services;

• the ability to rapidly restore data availability and accessibility in the event of a physical or technical incident;

• a process for the periodic review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing.

Without prejudice to the foregoing, the following specific measures will be taken:

1. Access control

Measures to prevent unauthorized persons from gaining access to the data processing system used to process the data:

• Specification of the authorized group of persons and corresponding documentation;

• Electronic access control;

• Issuance of access IDs;

• Introduction of guidelines for external individuals;

• Alarm or security outside working hours;

• Distribution of properties into different security zones;

• Introduction of guidelines for handling keys (cards);

• Security doors (electronic door opener, ID reader, CCTV);

• Introduction of measures for on-site security (e.g. intrusion detection/notification).

2. Access control

Measures to prevent unauthorized persons from using the data processing system and procedures:

• Definition of the group of people who have access to data processing systems;

• Introduction of guidelines for external individuals;

• Password protection for personal computers.

3. Access control

Measures to ensure that persons authorized to use the data-processing techniques can only access the data subject to their authorization:

• Introduction of limited access rights based on the respective data and functions;

• Obligation to identify to data processing equipment (e.g. through ID and authentication);

• Introduction of policies about access and user roles;

• Evaluation of protocols in case of a harmful event.

4. Transfer control

Measures to ensure that the data cannot be read, copied, altered, or removed during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine at which points a transmission of the data by means of data transmission is provided.

• Encryption

5. Entry control

Measures to ensure that it is possible to subsequently verify and determine whether and by whom the data has been entered, altered, or removed from IT systems.

• Recording of data entries.

6. Order control

Measures to ensure that data processed on order can only be processed in accordance with the instructions of the Person Responsible.

• Documentation of the different competences and obligations between the Person Responsible and the Processor;

• Formal commissioning;

• Control of the work results.

7. Availability control

Measures to ensure that the data is protected against accidental destruction or loss.

• Implement a plan for regular backups;

• Secure storage of data backups in fire and water-resistant safety cabinets;

• Introduction and regular control of an emergency power system and a surge protection system;

• Introduction of an emergency plan;

• Protocol on the introduction of crisis and/or emergency management.

8. Separation control

Measures to ensure that data collected for different purposes can be processed separately.

• Separation of the data of the Processor’s respective clients.

Status: May 2018/ AG