Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is an addendum to the main service agreement ("Agreement") between:
- ClaimMyBag.com (the "Data Controller")
- AND
- [Vendor / Service Provider Name] (the "Data Processor")
(Hereinafter referred to collectively as the "Parties")
This DPA governs the processing of Personal Data that Data Processor may perform on behalf of the Data Controller.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Data Processor on behalf of the Data Controller. This includes, but is not limited to, the data provided by the Data Controller's users (e.g., names, email addresses, flight information, details of lost luggage).
"Data Controller" means the entity which determines the purposes and means of the processing of Personal Data (i.e., ClaimMyBag.com).
"Data Processor" means the entity which processes Personal Data on behalf of the Data Controller (i.e., [Vendor / Service Provider Name]).
"Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or destruction.
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Roles and Responsibilities
2.1. Data Controller: The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for processing in accordance with the Agreement.
2.2. Data Processor: The Data Processor shall:
- Only process Personal Data on documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country.
- Immediately inform the Data Controller if, in its opinion, an instruction infringes on Applicable Data Protection Law.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Security Measures
The Data Processor shall implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including but not limited to:
- Pseudonymization and encryption of Personal Data.
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing, and evaluating the effectiveness of the security measures.
4. Sub-processing
The Data Processor shall not engage any other processor (a "Sub-processor") without prior specific or general written authorization from the Data Controller. In the case of general written authorization, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Data Controller the opportunity to object to such changes.
Where the Data Processor engages a Sub-processor, it shall do so only by way of a written agreement that imposes on the Sub-processor the same data protection obligations as set out in this DPA.
5. Data Subject Rights
The Data Processor shall, to the extent legally permissible, promptly notify the Data Controller if it receives a request from a Data Subject to exercise their rights (e.g., access, rectification, erasure). The Data Processor shall provide reasonable assistance to the Data Controller, by appropriate technical and organizational measures, for the fulfillment of the Data Controller's obligation to respond to such requests.
6. Personal Data Breach
In the event of a Personal Data Breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of it. The notification shall, at a minimum:
- Describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
- Communicate the name and contact details of the data protection officer or other contact point.
- Describe the likely consequences of the Personal Data Breach.
- Describe the measures taken or proposed to be taken to address the breach.
7. Data Deletion or Return
Upon termination of the Agreement, or upon the Data Controller's request, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies unless applicable law requires storage of the Personal Data.
8. Audits and Inspections
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
9. Data Transfers
The Data Processor shall not transfer Personal Data to any country outside the European Economic Area (EEA) without the prior written consent of the Data Controller, and then only if appropriate safeguards (e.g., Standard Contractual Clauses) are in place.
10. Term
This DPA shall remain in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller under the Agreement.