Call our experts today: 0330 124 3188

Data Protection Agreement

BETWEEN
1. The Travel Franchise Limited incorporated and registered in England and Wales with company
number 8196678 whose registered office is at Unit 54 Basepoint, Aviation Park, West Hurn,
Christchurch, Dorset BH23 6NX (TTFL)
2. Not Just Travel (Agency) Limited incorporated and registered in England and Wales with company
number 5631549 whose registered office is at Unit 56 Basepoint, Aviation Park, West Hurn,
Christchurch, Dorset BH23 6NX (NJTA)
3. The Franchisee – The Consultant

Recitals’:
1. This Data Protection Agreement (DPA) sets out the new Terms and Conditions in relation to General
Data Protection Regulation (EU) 2016/679
2. This DPA supersedes section 25 of the Franchise Agreement, and will continue to, unless the National
Laws of Data Protection change, or Franchise Agreement is Terminated, whichever comes first.
3. The Franchisee is agreeing they will comply with The Company Policies and Procedures, that form part
of the Franchise Agreement, to perform the obligations of GDPR, and of the Franchise Agreement
4. The Franchisee is agreeing, upon investigation, if found to be in breach of these terms, GDPR, the
Franchise Agreement and policies and procedures, they will be suspended, pending further
investigation, in accordance to clause relating to Termination of the Franchise Agreement.
5. The Franchisee is agreeing they will comply with the new rules set out in the GDPR, as defined below
6. The terms of this Agreement are confidential between NJTA, TTFL and the Consultant and the
Consultant shall not disclose or otherwise use the terms of this Agreement except for the purposes of
compliance with the terms set out herein.

Definitions:
1. The terms “controller”, “data subject”, “processing” and “processor” have the meanings set out in
the GDPR (and related terms such as “process” have corresponding meanings).
2. Agreement shall mean, the Franchise Agreement between the parties
3. Consultant: Is the Franchisee of the Agreement
4. The Company: NJTA and TFFL, as incorporated and registered in the UK

1) Data protection
1.1 The Consultant agrees that it shall, in relation to personal data processed in connection with this
Agreement (Personal Data):
1.1.1 Process the Personal Data in accordance with GDPR and any other applicable Data Protection
legislation;
1.1.2 Process the Personal Data only so far as is necessary for the purpose of performing its obligations under
the Agreement;
1.1.3 Not disclose Personal Data to or allow access to it other than by employees or third parties engaged by
the Consultant to perform the obligation imposed on the Consultant by the Agreement, and ensure
that such employees or third parties are subject to written contractual obligations, which will be
provided by The Company, upon request, concerning the Personal Data which are no less onerous than
those imposed on the Consultant by this Agreement;
1.2 Assist The Company to comply with such obligations as are imposed on them by the GDPR. This includes
the obligation to:
1.2.1 Provide The Company with reasonable assistance in complying with any subject access request served
on The Company
1.2.2 The Consultant agrees to inform, within 12 hours, The Company about the receipt of any subject access
request received by the Consultant;
1.2.3 Not disclose or release any Personal Data in response to a subject access request without first
consulting with and obtaining the consent of The Company; and
1.2.4 inform any Consultant whose personal data may be processed under the Agreement (including
prospective customers as well as those with whom the Consultant enters into contracts) of such
processing. This includes informing such Consultants that, on the termination of this Agreement,
personal data relating to them (including personal data contained in any customer list) shall be retained
by or, as the case may be, transferred to The Company. In addition, the Consultant shall obtain any
necessary consents for such processing under GDPR. To ensure that The Company obligations within
GDPR are complied with, the Consultant agrees to allow The Company to approve and, if The Company
deems necessary, amend any such notice.
1.3 Where the Consultant acts as data processor on behalf of The Company in relation to the Personal Data,
the Consultant shall:
1.3.1 Maintain technical and organisational security measures sufficient to comply at least with the
obligations imposed on The Company under GDPR1
1.3.2 Be of at least the minimum standard required by the Privacy Laws;
1.3.3 Be of a standard no less than the standards compliant with good industry practice for the protection of
Personal Data; and
1 Further imposed obligations can be found in The Company Operations Manual, Policies and Procedures, of
which can be found on the NJT Hub.

1.3.4 Be compliant with any reasonable minimum standards and/or requirements that The Company may
provide to the Consultant from time to time in writing.
1.4 The consultant agrees to inform The Company of any security breach as defined in GDPR, immediately,
but no later than 24 hours of discovery.
1.4.1 The consultant will assist The Company to complete its investigation under the obligations set under
GDPR1
1.5 Process Personal Data for and on behalf of The Company only for the purpose of performing its obligations
under, and in accordance with, the Agreement and only on written instructions from The Company to
ensure compliance with GDPR.

2) Marketing and Consent
2.1 Consent shall have the same meaning as set out in GDPR.
2.2 The consultant agrees to follow the guidelines and obligations set out by the GDPR1 for the purposes of
any marketing activities, that are conducted by the Consultant.
2.3 The Consultant agrees to follow the obligations as defined by GDPR1, to ensure they are fully compliant
is the process of Opt in and Opt out consent requests, for the purposes of the Agreement
2.4 The consultant agrees, should it seek and engage in any marketing activities carried out by third parties
(Sub Processors) , that it will do so under the express permission of The Company. The Company will
not withhold consent unreasonably.
2.5 Consent will be given once The Company are satisfied, the consultant and the third party (Sub
Processor) have a written contractual agreement for the protection and processing of personal data,
to ensure compliance of the obligations in GDPR1.

3) SUBPROCESSORS
4.1 The Consultant must seek The Company’s prior written approval before using any Sub-Processor to
process Personal Data in connection with the Agreement.
4.2 The Company will not withhold consent unreasonably. Consent will be granted if it can be satisfied the
consultant and the third party have a written contractual agreement (DPA) for the protection and
processing of personal data, to ensure compliance of the obligations in GDPR1,
4.3 The Data Register will specify any Sub-Processors that The Company agrees may be used by the
consultant in order to provide the Services and the location where the Sub-Processor is based.
4.4 The consultant shall immediately notify The Company within 24 hours of any investigation, litigation,
arbitrated matter or other dispute relating to its Sub-Processors’ information security or privacy
practices.
4.5 The Consultant shall take, and shall instruct any Sub-Processors to take, such steps in the processing of
Personal Data on behalf of the consultant are communicated to The Company as being reasonably
necessary for the performance of the Agreement and consistent with applicable Privacy Laws.
4.6 Instructions given by consultant to any Sub-Processor must be within the scope and in furtherance of
instructions provided by The Company
4) Transfer of personal Data
4.1 The Consultant shall not transfer any Personal Data outside of the European Economic Area unless
the prior written consent of The Company has been obtained and the following conditions are
fulfilled:
4.1.1 The Company and the consultant have provided appropriate safeguards in relation to the
transfer;
4.1.2 the data subject has enforceable rights and effective legal remedies;
4.1.3 the Consultant complies with its obligations under the Data Protection Legislation by
providing an adequate level of protection to any Personal Data that is transferred; and
4.1.4 the Consultant complies with reasonable instructions notified to it in advance by The
Company with respect to the processing of the Personal Data;

5) Liabilities
5.1 The Consultant shall indemnify The Company against all claims and proceedings and all liability, loss, costs
and expenses incurred by The Company as a result of any claim made or brought by any person in respect
of any loss, damage or distress caused to them as a result of the Consultant’s unauthorised processing,
unlawful processing, destruction of and/or damage to any Personal Data processed by the Consultant, its
employees or agents.
5.2 The Company shall indemnify the Consultant against all claims and proceedings and all liability, loss, costs
and expenses incurred by the Consultant as a result of any claim made or brought by any person in respect
of any loss, damage or distress caused to them as a result of The Company unauthorised processing,
unlawful processing, destruction of and/or damage to any Personal Data processed by The Company, their
employees or agents.

Newsletter Signup

Get the best exclusive deals, discounts, and offers from our dedicated team.
Enter your email and name below and stay tuned!