Legal

Data Processing Agreement

Data Processing agreement

Valid from 8 October 2025 onwards.

1. Background and Purpose

1.1. This Data Processing Agreement (“DPA”) sets out the terms and conditions for the processing of Personal Data by Cocouz Oy (“MeetingPackage”) on behalf of Partner. This DPA shall be applied to the agreement regarding the provision of electronic platform and/or related reservation and booking services by MeetingPackage (“Services”) entered into by and between the Parties (“Agreement”).

1.2. Agreement referred to in this DPA may be either:

  • (i) Booking Engine Service Agreement based on which MeetingPackage processes Personal Data on behalf of Partner by storing details of the customers’ reservations, including Personal Data (name, email address, phone number, company name and possible additional information provided by the customers themselves) for the purposes of providing software services for Partner; or

  • (ii) Service Provider Agreement based on which MeetingPackage processes Personal Data on behalf of Partner by transferring details of the customers’ reservations, including Personal Data (name, email address, phone number, company name and possible additional information provided by the customers themselves) to the Service Provider for the purposes of providing services for Customers; or

  • (iii) Partner License Agreement based on which MeetingPackage processes Personal Data on behalf of Partner by providing a customized platform through which customers can book meetings services, hotel rooms, venues and other products. The Personal Data about customers processed on behalf of the Partner may include name, email address, phone number, company name and possible additional information provided by the customers themselves or additional information asked from time to time by Partner.

Further details and information concerning the details of the processing of the Personal Data are provided under Appendix 1 (Description of the Processing of Personal Data).

1.3. Notwithstanding what is stated in the Agreement, in the event of conflict between this DPA and the Agreement the terms and conditions of this DPA shall prevail.

1.4. “Data Protection Regulation” shall in this DPA mean any applicable data protection legislation as amended from time to time (including but not limited to the General Data Protection Regulation, “GDPR” (2016/679/EU)).

1.5. MeetingPackage acts as a processor and Partner acts as a controller, the concepts of which are further defined in GDPR. An individual whose Personal Data is being processed by MeetingPackage under this DPA and the Agreement will act as a Data Subject, the concept of which is further defined in the Data Protection Regulation.

2. Definitions

Any terms not defined in this DPA or the Agreement shall be given the meaning allocated to them in Data Protection Regulation from time to time.

3. The Purpose of the Processing of Personal Data

MeetingPackage shall process Personal Data on behalf of Partner and in accordance with the terms and conditions of the DPA for the purpose of providing the Services under the Agreement.

4. Rights and Responsibilities of Partner

Partner shall:

  • (i) process Personal Data in accordance with good data processing practices and in compliance with Data Protection Regulation and all applicable laws;

  • (ii) give documented instructions to MeetingPackage on the processing of Personal Data, which instructions shall be binding on both Partner and MeetingPackage after the written approval of MeetingPackage.

5. Responsibilities of MeetingPackage

5.1. General Principles Applying to the Processing of Personal Data

MeetingPackage shall process the Personal Data only in accordance with the Data Protection Regulation, the Agreement and this DPA as well as the approved documented instructions from Partner, unless otherwise required in applicable laws and regulations to which MeetingPackage is subject. In such case, MeetingPackage shall inform Partner of such requirement under applicable laws and regulations before processing of Personal Data, unless the applicable laws and regulations prohibit such notification.

5.2. Assistance of Partner

MeetingPackage shall, taking into account the nature of the processing of Personal Data under this DPA:

  • (i) assist Partner by appropriate technical and organizational measures in Partner’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR; and

  • (ii) assist Partner in ensuring compliance with its legal obligations pursuant to Articles 32 to 36 of the GDPR.

The assistance performed by MeetingPackage under this section 5.2 shall be charged in accordance with the pricing and payment terms in the Agreement.

5.3. Data Security

MeetingPackage shall implement technical, physical and organizational measures, as further explained under Appendix 1 (Description of the Processing of Personal Data), to comply with the obligations regarding security of processing under the GDPR.

5.4. Confidentiality

MeetingPackage shall ensure that the Personal Data processed are kept confidential. MeetingPackage shall ensure that any person MeetingPackage has authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.5. Reporting and Notification Obligation

MeetingPackage shall make available to Partner all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR.

MeetingPackage shall maintain a record of processing activities under this DPA in accordance with the GDPR (“Record”). MeetingPackage shall provide Partner with the Record if requested by Partner.

5.6. Personal Data Breach Notification

In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, MeetingPackage shall notify Partner via email or telephone without undue delay after becoming aware of the personal data breach.

5.7. Returning or Destruction of Personal Data

Upon termination of the applicable purpose of the processing of Personal Data, or upon Partner’s written request, MeetingPackage shall either destroy or return to Partner all Personal Data unless otherwise required by law.

MeetingPackage shall be entitled to destroy all Personal Data processed under this DPA if Partner has not requested MeetingPackage to return the Personal Data within ten (10) days from the date when the applicable purpose of the processing of Personal Data has terminated.

6. Transfers of Personal Data

The Partner accepts that MeetingPackage has the right to transfer Personal Data outside the EU or the EEA. If Personal Data is transferred to any country outside the EU or the EEA that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, MeetingPackage shall ensure that appropriate safeguards for the protection of the Personal Data are in place as required under Chapter 5 of the GDPR as well as relevant case law.

7. Subcontractors

7.1. The Partner gives its general authorization to allow MeetingPackage to engage subcontractors as subprocessors to process Personal Data.

7.2. MeetingPackage shall ensure that the subcontractors comply with the same level of confidentiality, data security and other obligations as specified in this DPA. MeetingPackage is fully liable for the performance of the subcontractor’s obligations.

7.3. MeetingPackage shall inform Partner of possible forthcoming changes regarding the subcontractors in which case Partner may object to such change by notifying MeetingPackage within five (5) days of such notice. The Partner may not object to the changes without a grounded reason. In case of Partner’s legitimate objection of a change of a subcontractor, either Party shall have the right to terminate the Agreement and this DPA.

8. Auditing

8.1. At any time during the term of the DPA, Partner or a recognized, independent third-party auditor appointed by Partner with proven experience and procedures shall have the right to audit MeetingPackage’s technical and organizational security measures as well as compliance with other data protection obligations agreed under this DPA. Partner shall give a prior written notice to MeetingPackage, such notice to be given at least sixty (60) calendar days prior to any audit.

8.2. MeetingPackage shall assist Partner in the execution of an audit and charge such assistance in accordance with the pricing and payment terms defined in the Agreement.

9. Limitation of Liability

The limitation of liability agreed in the Agreement shall be applied to this Agreement.

10. Term

This DPA shall become effective when duly signed by both Parties and shall automatically terminate upon termination of the applicable purpose of processing of Personal Data under the Agreement.

11. Applicable Law and Dispute Resolution

This DPA shall be governed by the laws of Finland without regard to its principles and rules on conflict of laws and shall be subject to dispute resolution in accordance with the Agreement.

*As of 8 October 2025, this DPA will take precedence and govern.*

Appendix 1: Description of the Processing of Personal Data

This appendix describes in more detail the Personal Data processed by MeetingPackage on behalf of Partner. The Parties may also agree in this appendix in more detail upon, for example, the data security measures taken by the Supplier to secure the Personal Data.

Services, Nature and Purpose of the Processing of Personal Data

Purpose: enable the provision of Services, Customer Support, improve the quality of the service and fix issues within the Services.

Types of Personal Data and Categories of Data Subjects

MeetingPackage processes the following categories of data subjects: end-customers (the bookers), client employees (hotel admins, staff), accounts of hotel customers (agencies or corporates), account contacts of hotel customers (employees/users of such accounts).

MeetingPackage processes the following types of Personal Data: name, email, phone number, address, membership number, reference ID to external systems such as CRM.

Applicable Data Security Measures

Compliance with ISO-27001, including encryption of data in transit and at storage using current industry standard protocols and role-based access control.

Duration of the Processing of Personal Data

For the term of the Agreement or as otherwise agreed with the Partner.

Valid from 8 October 2025 onwards.

1. Background and Purpose

1.1. This Data Processing Agreement (“DPA”) sets out the terms and conditions for the processing of Personal Data by Cocouz Oy (“MeetingPackage”) on behalf of Partner. This DPA shall be applied to the agreement regarding the provision of electronic platform and/or related reservation and booking services by MeetingPackage (“Services”) entered into by and between the Parties (“Agreement”).

1.2. Agreement referred to in this DPA may be either:

  • (i) Booking Engine Service Agreement based on which MeetingPackage processes Personal Data on behalf of Partner by storing details of the customers’ reservations, including Personal Data (name, email address, phone number, company name and possible additional information provided by the customers themselves) for the purposes of providing software services for Partner; or

  • (ii) Service Provider Agreement based on which MeetingPackage processes Personal Data on behalf of Partner by transferring details of the customers’ reservations, including Personal Data (name, email address, phone number, company name and possible additional information provided by the customers themselves) to the Service Provider for the purposes of providing services for Customers; or

  • (iii) Partner License Agreement based on which MeetingPackage processes Personal Data on behalf of Partner by providing a customized platform through which customers can book meetings services, hotel rooms, venues and other products. The Personal Data about customers processed on behalf of the Partner may include name, email address, phone number, company name and possible additional information provided by the customers themselves or additional information asked from time to time by Partner.

Further details and information concerning the details of the processing of the Personal Data are provided under Appendix 1 (Description of the Processing of Personal Data).

1.3. Notwithstanding what is stated in the Agreement, in the event of conflict between this DPA and the Agreement the terms and conditions of this DPA shall prevail.

1.4. “Data Protection Regulation” shall in this DPA mean any applicable data protection legislation as amended from time to time (including but not limited to the General Data Protection Regulation, “GDPR” (2016/679/EU)).

1.5. MeetingPackage acts as a processor and Partner acts as a controller, the concepts of which are further defined in GDPR. An individual whose Personal Data is being processed by MeetingPackage under this DPA and the Agreement will act as a Data Subject, the concept of which is further defined in the Data Protection Regulation.

2. Definitions

Any terms not defined in this DPA or the Agreement shall be given the meaning allocated to them in Data Protection Regulation from time to time.

3. The Purpose of the Processing of Personal Data

MeetingPackage shall process Personal Data on behalf of Partner and in accordance with the terms and conditions of the DPA for the purpose of providing the Services under the Agreement.

4. Rights and Responsibilities of Partner

Partner shall:

  • (i) process Personal Data in accordance with good data processing practices and in compliance with Data Protection Regulation and all applicable laws;

  • (ii) give documented instructions to MeetingPackage on the processing of Personal Data, which instructions shall be binding on both Partner and MeetingPackage after the written approval of MeetingPackage.

5. Responsibilities of MeetingPackage

5.1. General Principles Applying to the Processing of Personal Data

MeetingPackage shall process the Personal Data only in accordance with the Data Protection Regulation, the Agreement and this DPA as well as the approved documented instructions from Partner, unless otherwise required in applicable laws and regulations to which MeetingPackage is subject. In such case, MeetingPackage shall inform Partner of such requirement under applicable laws and regulations before processing of Personal Data, unless the applicable laws and regulations prohibit such notification.

5.2. Assistance of Partner

MeetingPackage shall, taking into account the nature of the processing of Personal Data under this DPA:

  • (i) assist Partner by appropriate technical and organizational measures in Partner’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR; and

  • (ii) assist Partner in ensuring compliance with its legal obligations pursuant to Articles 32 to 36 of the GDPR.

The assistance performed by MeetingPackage under this section 5.2 shall be charged in accordance with the pricing and payment terms in the Agreement.

5.3. Data Security

MeetingPackage shall implement technical, physical and organizational measures, as further explained under Appendix 1 (Description of the Processing of Personal Data), to comply with the obligations regarding security of processing under the GDPR.

5.4. Confidentiality

MeetingPackage shall ensure that the Personal Data processed are kept confidential. MeetingPackage shall ensure that any person MeetingPackage has authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.5. Reporting and Notification Obligation

MeetingPackage shall make available to Partner all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR.

MeetingPackage shall maintain a record of processing activities under this DPA in accordance with the GDPR (“Record”). MeetingPackage shall provide Partner with the Record if requested by Partner.

5.6. Personal Data Breach Notification

In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, MeetingPackage shall notify Partner via email or telephone without undue delay after becoming aware of the personal data breach.

5.7. Returning or Destruction of Personal Data

Upon termination of the applicable purpose of the processing of Personal Data, or upon Partner’s written request, MeetingPackage shall either destroy or return to Partner all Personal Data unless otherwise required by law.

MeetingPackage shall be entitled to destroy all Personal Data processed under this DPA if Partner has not requested MeetingPackage to return the Personal Data within ten (10) days from the date when the applicable purpose of the processing of Personal Data has terminated.

6. Transfers of Personal Data

The Partner accepts that MeetingPackage has the right to transfer Personal Data outside the EU or the EEA. If Personal Data is transferred to any country outside the EU or the EEA that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, MeetingPackage shall ensure that appropriate safeguards for the protection of the Personal Data are in place as required under Chapter 5 of the GDPR as well as relevant case law.

7. Subcontractors

7.1. The Partner gives its general authorization to allow MeetingPackage to engage subcontractors as subprocessors to process Personal Data.

7.2. MeetingPackage shall ensure that the subcontractors comply with the same level of confidentiality, data security and other obligations as specified in this DPA. MeetingPackage is fully liable for the performance of the subcontractor’s obligations.

7.3. MeetingPackage shall inform Partner of possible forthcoming changes regarding the subcontractors in which case Partner may object to such change by notifying MeetingPackage within five (5) days of such notice. The Partner may not object to the changes without a grounded reason. In case of Partner’s legitimate objection of a change of a subcontractor, either Party shall have the right to terminate the Agreement and this DPA.

8. Auditing

8.1. At any time during the term of the DPA, Partner or a recognized, independent third-party auditor appointed by Partner with proven experience and procedures shall have the right to audit MeetingPackage’s technical and organizational security measures as well as compliance with other data protection obligations agreed under this DPA. Partner shall give a prior written notice to MeetingPackage, such notice to be given at least sixty (60) calendar days prior to any audit.

8.2. MeetingPackage shall assist Partner in the execution of an audit and charge such assistance in accordance with the pricing and payment terms defined in the Agreement.

9. Limitation of Liability

The limitation of liability agreed in the Agreement shall be applied to this Agreement.

10. Term

This DPA shall become effective when duly signed by both Parties and shall automatically terminate upon termination of the applicable purpose of processing of Personal Data under the Agreement.

11. Applicable Law and Dispute Resolution

This DPA shall be governed by the laws of Finland without regard to its principles and rules on conflict of laws and shall be subject to dispute resolution in accordance with the Agreement.

*As of 8 October 2025, this DPA will take precedence and govern.*

Appendix 1: Description of the Processing of Personal Data

This appendix describes in more detail the Personal Data processed by MeetingPackage on behalf of Partner. The Parties may also agree in this appendix in more detail upon, for example, the data security measures taken by the Supplier to secure the Personal Data.

Services, Nature and Purpose of the Processing of Personal Data

Purpose: enable the provision of Services, Customer Support, improve the quality of the service and fix issues within the Services.

Types of Personal Data and Categories of Data Subjects

MeetingPackage processes the following categories of data subjects: end-customers (the bookers), client employees (hotel admins, staff), accounts of hotel customers (agencies or corporates), account contacts of hotel customers (employees/users of such accounts).

MeetingPackage processes the following types of Personal Data: name, email, phone number, address, membership number, reference ID to external systems such as CRM.

Applicable Data Security Measures

Compliance with ISO-27001, including encryption of data in transit and at storage using current industry standard protocols and role-based access control.

Duration of the Processing of Personal Data

For the term of the Agreement or as otherwise agreed with the Partner.