A Data Processing Agreement (DPA) is the contract required by GDPR Article 28 between a data controller and a processor, setting out the subject matter, duration, nature, and purpose of processing as well as the obligations and rights of both parties.
A Data Processing Agreement, abbreviated DPA, is a legally binding contract between a data controller and a data processor governing how personal data is handled. Under GDPR Article 28, the controller must only use processors that provide sufficient guarantees of appropriate technical and organisational measures, and the relationship must be governed by a contract or another legal act. The DPA must specify the subject matter and duration of the processing, the nature and purpose, the type of personal data, the categories of data subjects, and the controller's documented instructions. Without a valid DPA, the engagement of a processor is itself a breach of GDPR.
In hospitality, the hotel is normally the controller of guest data and signs DPAs with every processor it engages: the PMS vendor, the booking engine, the email provider, the analytics tool, the WhatsApp BSP, and any guest messaging platform. Each DPA should reflect the actual data flows between the parties, list the sub-processors, set out security measures, define breach notification timelines, and clarify how data subject rights such as access, rectification, and erasure are supported. Hotels integrating a CRM or AI assistant should request a DPA before any production data is shared.
A DPA is not a formality. It defines who is liable when something goes wrong, what the processor may and may not do with the data, and how quickly the hotel must be notified of an incident. Generic templates are a poor substitute for a DPA tailored to the actual processing, particularly where AI features generate derived data such as conversation summaries or guest insights. The DPA should also align with the hotel's own privacy notice and with applicable GDPR compliance obligations.
Viqal provides a standard DPA to every customer, available at /data-processing-agreement. The agreement formalises the controller-processor relationship, lists the sub-processors used to deliver the service, describes the technical and organisational measures in place, and sets out breach notification and data return obligations. Combined with Viqal's role-based team inbox, configurable retention, and encryption controls, the DPA gives hotels a clear contractual basis for using AI-driven guest messaging automation at scale.
GDPR Article 28 requires a DPA whenever a controller engages a processor to handle personal data on its behalf. For hotels in the EU or those processing EU residents' data, that means a DPA is required with every vendor that touches guest data, including PMS, CRM, email tools, BSPs, and messaging platforms.
Article 28(3) lists the mandatory elements: subject matter and duration, nature and purpose of processing, type of personal data and categories of data subjects, controller's instructions, confidentiality obligations, security measures, sub-processor rules, support for data subject rights, breach notification, and arrangements for return or deletion of data at the end of the contract.
No, a DPA is not the same as a privacy policy. A privacy policy is a notice from the controller to data subjects, explaining how their data is processed. A DPA is a contract between the controller and a processor governing the operational handling of that data. The two documents serve different audiences and different legal purposes.
Whoever is the controller of the personal data signs the DPA with the processor. For an independent hotel that is the property itself; for a managed or franchised hotel it depends on which entity decides the means and purposes of processing. A clear allocation of controller responsibility is the first step before negotiating the DPA.
A processor may only engage sub-processors with the controller's authorisation, either specific or general. The DPA must list current sub-processors or include a process for notifying the controller of changes, and the processor remains fully liable for the sub-processor's compliance with the same obligations.
Viqal publishes its standard DPA at viqal.com/data-processing-agreement. Hotels can review and execute it as part of onboarding, and tailored amendments are possible for enterprise customers with specific requirements.