Data processing agreement
DPA
A contract between a hotel (data controller) and a software vendor (data processor) defining how guest data may be processed under GDPR.
Under GDPR Article 28, any vendor that processes personal data on a hotel's behalf must operate under a written data processing agreement. The DPA defines processing purposes, security measures, sub-processors, retention periods, transfer mechanisms for data leaving the EEA, and the vendor's obligations on breach notification and audit. A good DPA is published openly without requiring an NDA. A bad DPA tends to use vague clauses that fold all processing into one undefined category.