DATA PROCESSING AGREEMENT (DPA) OVERVIEW

Below is a structural overview suitable for internal compliance documentation.

Data Processing Agreement – Overview

1. Parties

• Controller: Arctic Tours AS
• Processor: Third-party service provider (Rezdy, Netsons)

2. Subject Matter

Processing of personal data necessary for:

• Booking management
• Website hosting
• Payment processing
• Marketing communications

3. Duration

For the duration of the service agreement between the parties.

4. Nature and Purpose

Processing includes:

• Collection
• Storage
• Organization
• Transmission
• Deletion

5. Types of Personal Data

• Identification data
• Contact data
• Booking details
• Technical data

6. Categories of Data Subjects

• Customers
• Website users
• Newsletter subscribers

7. Processor Obligations

The Processor shall:

• Process data only on documented instructions
• Ensure confidentiality
• Implement appropriate security measures (Art. 32 GDPR)
• Assist with data subject rights
• Notify of data breaches without undue delay
• Delete or return data upon termination

8. International Transfers

Processors outside the EEA must implement:

• Standard Contractual Clauses
• Supplementary safeguards where required

9. Audit Rights

Controller retains the right to audit or receive documentation demonstrating compliance.