
ANNEX II: AGREEMENT FOR THE PROCESSING OF PERSONAL DATA

INTRODUCTION

This Personal Data Processing Agreement regulates the terms of access to and processing of personal data by CHECK-IN SCAN within the framework of the provision of services to the CLIENT, under the terms detailed in the General Contract Conditions, to which this Agreement is attached and of which it forms part.

 

  1. DEFINITIONS

For a better understanding of this Personal Data Processing Agreement, the following concepts are detailed below:

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, or any other legislation enacted by the European Union on the same subject in the future.

Data protection regulations: In European Union countries, the European Regulation and all national laws and regulations that supplement that Regulation; any guidelines or codes of conduct drawn up by local regulators responsible for ensuring compliance with and enforcement of personal data protection legislation. In countries outside the European Union, it means any similar or equivalent legislation or regulation whose purpose is to protect the privacy and security of personal data of natural persons.

Personal data: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Interested Party: A person who can be identified directly or indirectly. Notwithstanding the foregoing, and in relation to this Agreement, the term “Interested Party” is interpreted as referring to the CLIENT's guests who use the Check-In Scan.

Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Agreement, the CLIENT is considered the Data Controller.

Data Processor: CHECK-IN SCAN is designated as the Data Processor.

Security Incident: An eventuality in which Check-In Scan or its subcontractors, in the course of operations involving the use, storage or transmission of Personal Data, have well-founded reasons to believe that the security of such Personal Data is or may be compromised or that access to it by an unauthorized person has occurred or may occur.

Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; as described in the European Regulation or in applicable Data Protection Laws.

Confidential Information: All information, documentation or data that either party provides to the other in the development and execution of the Service, under the terms provided in these General Conditions.

 

  1. OBJECT

The purpose of this Agreement is to define the conditions under which CHECK-IN SCAN will process the personal data to which it has access during the provision of the agreed services. CHECK-IN SCAN undertakes to process the aforementioned personal data with due diligence and according to its best professional judgment and dedication.

 

  1. PURPOSE OF PROCESSING PERSONAL DATA

CHECK-IN SCAN undertakes to process personal data solely for the purpose of providing the CLIENT with the services indicated in the General Terms and Conditions of Contract and, where applicable, in the Special Terms and Conditions, in accordance with the CLIENT's instructions. If CHECK-IN SCAN considers that any of the instructions infringe any data protection provision, it will inform the CLIENT immediately.

CHECK-IN SCAN acts in accordance with the applicable legal regulations in force at any given time, limiting itself to carrying out the actions necessary to correctly develop the agreed services, and will not apply or use them for a purpose other than that stipulated in this contract, nor communicate them, even for their preservation, to other people.

The CLIENT is the one who determines the purposes of the Processing and use of the Personal Data transferred to CHECK-IN SCAN in the context of the provision of the Services.

CHECK-IN SCAN processes guests' Personal Data in accordance with the CLIENT's instructions and only to the extent that such processing is necessary for the proper provision of the Services or to comply with the legislation applicable in each case.

CHECK-IN SCAN processes the CLIENT's guests' Personal Data respecting its integrity and accuracy, which may involve correcting, deleting or blocking it to the extent that the functionalities of the Services do not allow the CLIENT to implement actions to ensure the integrity and accuracy of the Personal Data.

CHECK-IN SCAN will notify the CLIENT if it believes that an instruction from the CLIENT may contravene the data protection legislation applicable to the specific case.

CHECK-IN SCAN, as the Data Processor, will communicate to the CLIENT, without undue delay, any notification or requirement it receives from any competent data regulatory authority (if such communication is permitted) in relation to the CLIENT's Personal Data.

 

  1. IDENTIFICATION OF ACCESSED PERSONAL INFORMATION

For the execution of the services derived from the fulfillment of the purpose of this order, CHECK-IN SCAN will have access to the personal information of guests and, where applicable, of the CLIENT's employees and Agents, with the scope and purposes established in the General Conditions of Contract and, where applicable, in the Special Conditions that may apply.

 

  1. CONFIDENTIALITY

The information accessed by CHECK-IN SCAN is strictly confidential. CHECK-IN SCAN is responsible for not disclosing to third parties any information accessed as a result of this relationship. CHECK-IN SCAN undertakes to:

  1. Maintain the duty of secrecy regarding the personal data to which it has had access by virtue of this assignment, even after its purpose has ended.
  2. Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the corresponding security measures, which must be duly communicated to them.

Confidential Information does not include information that:

  1. Is in the public domain at the time of disclosure or subsequently enters the public domain without this resulting from a breach of the terms of this Agreement;
  2. Was developed independently by CHECK-IN SCAN without using or gaining access to Confidential Information.

 

  1. GUEST INFORMATION

CHECK-IN SCAN will provide the CLIENT with a template of the legal notice to inform guests during the check-in process about the processing of their personal data. This legal notice is drafted by CHECK-IN SCAN in compliance with the requirements established in the European General Data Protection Regulation (GDPR). However, this legal notice is subject to the CLIENT's prior approval, and the CLIENT assumes responsibility for its content towards the Guest. The CLIENT must complete the legal notice template to include their identification and contact information, as well as the postal/email address designated for exercising their rights.

 

  1. LEGALITY OF GUESTS' PERSONAL DATA

CHECK-IN SCAN will request from the Guest only the data required by applicable regulations during the traveler registration process, acting in all cases on behalf of and for the CLIENT. In this context, identification data, contact information, accommodation details, and transaction information will be collected, as well as the Guest's signature, which will be obtained by signing with their finger or an electronic pen in the touchscreen signature area provided by the application. The identifier, access code, and touchscreen signature provided by the Guest will be considered an electronic signature for all purposes. It will have the same legal validity with respect to the data recorded in the generated electronic documents as a handwritten signature has with respect to data recorded on paper.

 

  1. DATA COMMUNICATIONS TO THIRD PARTIES

CHECK-IN SCAN undertakes not to disclose data to third parties, unless expressly authorized by the CLIENT, in legally permissible cases, or when necessary for the proper provision of the contracted services. In this context, CHECK-IN SCAN may disclose Guests' personal data to:

  1. Competent authorities, when such communication is required by law or for the proper provision of services to the CLIENT.
  2. Other data processors for the CLIENT, in accordance with the CLIENT's instructions. In this case, the CLIENT will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated, and the security measures to be applied to proceed with the communication.
  3. CHECK-IN SCAN providers, provided that the specifications indicated in this Agreement are met in the event of subcontracting of services that involves access to personal data.

If CHECK-IN SCAN needs to transfer personal data to a third country or an international organization, under Union or Member State law applicable to it, it will inform the CLIENT of that legal requirement in advance, unless such law prohibits it for important reasons of public interest.

 

  1. EXERCISE OF RIGHTS

CHECK-IN SCAN will assist the CLIENT by providing support in responding to the exercise of the following rights:

  • Access,
  • Rectification,
  • Suppression,
  • Opposition,
  • Limitation,
  • Portability,
  • Not to be subject to automated individual decision-making (including profiling).

However, the CLIENT will be solely responsible for the response provided to the GUEST in response to the requests received.

 

  1. SECURITY MEASURES

CHECK-IN SCAN adopts the technical and organizational measures to guarantee the security of the information processed, based on the criteria established by the Data Protection legislation applicable to each case, to protect the Personal Data provided to prevent its improper disclosure or alteration or unauthorized access to it, taking into account the state of technology, the nature of the data stored and the risks to which it is exposed, whether they come from human action or from the physical or natural environment.

The CLIENT understands and accepts that technical and organizational security measures are subject to technological progress and development. Therefore, Check-In Scan is expressly permitted to implement alternative security measures or use facilities in different locations, provided that the applied security levels and compliance with current legislation are maintained. In the event of material and significant changes in the application of technical and organizational measures, Check-In Scan will notify the CLIENT and provide the appropriate documentation explaining these changes.

  • The Check-in Scan application as a whole, including the connection to the user's web control panel and any of its mobile applications on iOS and Android, connects using the highest security HTTPS, specifically an Extended Validation (EV) SSL certificate. Data in transit will be encrypted with 2048 bits.
  • CHECK-IN SCAN encrypts all traveler data stored in the database using 1024-bit encryption. We do not disclose specific encryption details to protect our systems, but you can contact us if you require further information.
  • CHECK-IN SCAN performs daily backups of your web application and database (on-site).
  • CHECK-IN SCAN performs daily backups of your web application and database (off-site, FTP).
  • Data transmitted by CHECK-IN SCAN over the internet in the context of providing the Services will be encrypted to protect the CLIENT. However, the parties acknowledge that complete security cannot be guaranteed for data transmission over the internet.
  • In the case of PMS integration, our systems use secure integration methods to enable data communication without compromising security and confidentiality. The CHECK-IN SCAN integration system guarantees encryption, authentication, and least privilege policies, so that only authorized parties can access and exchange your data.

CHECK-IN SCAN is not responsible for CLIENT access made via the Internet or for any alterations or loss of data that occur via the Internet. If a security threat originating from an Internet connection is suspected, CHECK-IN SCAN may immediately suspend the provision of Services via the Internet until an investigation determines the seriousness of said threat; such suspension will always be subject to sending a suspension notice to the CLIENT as soon as reasonably possible and to taking all reasonable steps to restore the provision of Services via the Internet.

 

  1. RECORD OF PROCESSING ACTIVITIES

CHECK-IN SCAN undertakes to manage the maintenance, in writing, of a record of all categories of processing activities carried out on behalf of the CLIENT, which contains:

  1. The identification and contact details of the CLIENT on whose behalf CHECK-IN SCAN acts.
  2. The categories of processing carried out on behalf of the CLIENT.
  3. Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1), second subparagraph of the GDPR, documentation of appropriate safeguards.
  4. An overview of the technical and organizational security measures relating to:
     • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
     • The ability to quickly restore the availability and access to personal data in the event of a physical or technical incident.
     • The process of regularly verifying, evaluating and assessing the effectiveness of technical and organizational measures to ensure the security of the processing.

 

  1. INCIDENT MANAGEMENT

CHECK-IN SCAN will notify the CLIENT in writing, without undue delay and in any event no later than 48 hours, of any personal data breaches under its responsibility of which it becomes aware, together with all relevant information for documenting and reporting the incident. Notification will not be required when it is unlikely that such a breach poses a risk to the rights and freedoms of natural persons. If available, the following information will be provided as a minimum:

  1. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  2. The name and contact details of the data protection officer or other contact point where further information can be obtained.
  3. Description of the possible consequences of a personal data security breach.
  4. Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible adverse effects.

If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay. It is the CLIENT's responsibility to report data security breaches to the supervisory authority and, where applicable, to the data subjects, as soon as possible when the breach is likely to pose a high risk to them. However, the parties may agree otherwise in cases where the breach affects CHECK-IN SCAN's internal operations beyond the scope of the engagement.

 

  1. DATA PROTECTION OFFICER

CHECK-IN SCAN will appoint a Data Protection Officer and will communicate their identity and contact details to the CLIENT when the appointment of this figure is mandatory.

 

  1. COOPERATION AND SUPPORT

CHECK-IN SCAN will support the CLIENT in carrying out the necessary preliminary consultations with the supervisory authority, where applicable, as well as in carrying out the necessary data protection impact assessments, where applicable.

Additionally, CHECK-IN SCAN will keep available to the CLIENT the documentation proving compliance with the obligations established in the previous sections.

 

  1. DESTINATION OF THE DATA ONCE THE SERVICES END

This Agreement will remain in effect for the duration of the service provision. The termination, rescission, or expiration of the relationship between the CLIENT and CHECK-IN SCAN will obligate the latter to delete the personal data provided by the CLIENT. CHECK-IN SCAN must return the data to the CLIENT. Notwithstanding the foregoing, CHECK-IN SCAN may retain the strictly necessary data, duly blocked, for as long as any liabilities may arise from its relationship with the CLIENT, and only for the period during which legal action may be taken. Once this period has elapsed, CHECK-IN SCAN will destroy any information it may still retain.

 

  1. SUBCONTRACTING

CHECK-IN SCAN reserves the right to engage external suppliers and subcontractors, including sub-processors. The CLIENT accepts the exercise of this right by Check-In Scan provided that CHECK-IN SCAN complies with the following conditions:

  1. that CHECK-IN SCAN subjects its external suppliers and subcontractors to a due diligence process and is responsible in accordance with the terms of the Agreement for the correct provision of the portion of the Services that they are in charge of and for compliance by CHECK-IN SCAN and said external suppliers and subcontractors with the data protection legislation applicable to a sub-Processor (or its equivalent legal figure) in the jurisdictions where they operate;
  2. that CHECK-IN SCAN enables access to guests' Personal Data only to those subcontractors and external providers who have direct involvement in the provision of the Services, solely and exclusively for that purpose and only to the extent that such access is strictly necessary for the provision of the part of the Services that has been subcontracted;
  3. that, subject to prior request from the CLIENT, Check-In Scan shall provide the CLIENT with details, within reasonable limits and without prejudice to the confidentiality obligations that the subcontractor and CHECK-IN SCAN owe each other, to identify the subcontractors and external suppliers of CHECK-IN SCAN that participate in the provision of the Services described in the Contract and to identify the Personal Data flows associated therewith;
  4. that CHECK-IN SCAN ensures that its subcontractors take reasonably appropriate measures, as prescribed by applicable personal data protection legislation, to maintain the integrity and security of the Personal Data to which they have access.
  5. that, subject to prior request from the CLIENT, Check-In Scan will provide the CLIENT with reasonable assistance to help the CLIENT comply with the obligations required by applicable data protection legislation in relation to CHECK-IN SCAN's use of subcontractors or external suppliers.
  6. In cases where the CLIENT acts as a Data Processor and processes data on behalf of and for the account of a third party, CHECK-IN SCAN will assume the role of sub-processor. In these cases, the CLIENT will be solely responsible for obtaining prior authorization from the Data Controller to subcontract the services to CHECK-IN SCAN. Additionally, the CLIENT acknowledges that in these cases, CHECK-IN SCAN will fulfill its obligations as a sub-processor, provided it complies with the instructions set forth in this Agreement.

 

  1. CHECK-IN SCAN RESPONSIBILITY

In the event of non-compliance by CHECK-IN SCAN with any of the stipulations of this contract, it will be considered the Data Controller, and will be responsible for the infringements it has personally incurred.

 

  1. CUSTOMER RESPONSIBILITY

The CLIENT states that:

  1. has proceeded to collect the Personal Data subject to this Agreement in accordance with the laws applicable to said process in each jurisdiction where this contract is operational and is duly authorized to transfer said personal data to CHECK-IN SCAN for its Processing as provided for in this Agreement;
  2. has obtained the necessary consents, both from the guests and from the competent authorities, so that CHECK-IN SCAN can use the Personal Data of the guests in the context of providing services to the CLIENT.

 

  1. APPLICABLE LAW AND COMPETENT COURTS

In matters not covered by this contract, as well as in the interpretation and resolution of any disputes that may arise between the parties as a result thereof, Spanish law shall apply. For the resolution of any controversy that may arise from this contract, both parties submit to the jurisdiction of the courts of Málaga, expressly waiving any other jurisdiction that may correspond to them.

And to attest to this, and as proof of agreement by both parties, this document is signed in duplicate at the place and date indicated in the heading.

 

 

Last modified: 02/04/2025

 

 

 
