Data Processing Agreement (DPA) – BookYou

Last updated: March 16, 2026

This DPA is an addendum to the agreement between BookYou (“Processor”) and the Customer (“Controller”), in compliance with GDPR/AVG and Dutch law.

1. Definitions

  • GDPR/AVG: EU General Data Protection Regulation 2016/679.
  • Personal Data: information about an identifiable natural person.
  • Controller: Customer determining purposes and means of processing.
  • Processor: BookYou processing personal data on behalf of the Controller.
  • Sub-processor: third party engaged to process data on behalf of BookYou.

2. Processing Purpose

Processor may process Personal Data only to:

  • Provide and manage BookYou service
  • Manage accounts and bookings
  • Customer support
  • Security and fraud prevention
  • Comply with legal obligations

3. Categories of Data & Data Subjects

  • Types of Data: names, emails, phone numbers, addresses, bookings, payment info.
  • Data Subjects: Customer’s clients, employees, and end-users.

4. Processor Obligations

  • Process data only on Controller instructions.
  • Implement appropriate security measures: encryption, access control, monitoring, backups.
  • Assist Controller with data subject rights.
  • Notify Controller promptly in case of a data breach.

5. Sub-processors

  • BookYou may engage Sub-processors with written agreements enforcing equal protections.
  • Customers are notified of any Sub-processors.
  • BookYou remains fully liable for Sub-processor actions.

6. International Transfers

  • Transfers outside the EEA are safeguarded via Standard Contractual Clauses or adequate protections.
  • Controller is informed of the countries involved.

7. Data Retention

  • Data is stored only as necessary.
  • Upon termination, data is returned or deleted per Controller’s instructions unless legally required to retain.

8. Data Subject Rights

  • BookYou assists Controller with access, rectification, deletion, restriction, portability, and objection rights.

9. Audit & Inspection

  • Controller may audit BookYou or engage auditors to verify compliance.
  • BookYou provides full cooperation and information.

10. Liability

  • BookYou is liable for breaches of this DPA and GDPR.
  • Liability is limited to direct damages and the fees paid in the last 12 months, unless higher liability is required by law.

11. Changes

  • BookYou may update this DPA for legal compliance or best practices.
  • Latest version applies to all active agreements.

12. Governing Law

  • This DPA is governed by Dutch law.
  • Disputes fall under the competent courts in the Netherlands.

13. Contact

BookYou
Email: customer.services@bookyou.com
Website: www.bookyou.com