Data Processing Agreement

Article 28 GDPR data processing terms applicable to every outsourced finance engagement with hotel and restaurant clients.

How this works: these terms are incorporated by reference into every engagement letter. A standalone, countersigned DPA is provided on request for clients whose internal compliance policy requires one.

1. Roles

The Client acts as Data Controller. HospitalityFinance Consultancy ("Consultant") acts as Data Processor and processes personal data only on documented instructions from the Client, as set out in the engagement letter and these terms.

2. Subject Matter and Duration

Processing is performed for the duration of the engagement and any agreed transition or audit-support period. Subject matter: bookkeeping, payroll support, controllership, budgeting, audit support, internal controls and related finance services.

3. Categories of Data and Data Subjects

Personal data may include: identification data, contact details, payroll and tax identifiers, bank account details, time and attendance, expense claims, and limited guest data appearing in revenue exports. Data subjects: Client employees, contractors, suppliers, and where applicable guests.

4. Nature and Purpose of Processing

Storage, organisation, structuring, consultation, retrieval, transmission to authorised recipients (e.g. tax authority, auditors), reconciliation, reporting, and erasure — all strictly to deliver the contracted finance services.

5. Sub-processors

The Client authorises the Consultant to use the sub-processors listed on the GDPR & Data Security page (cloud hosting, accounting platform, secure file storage). The Consultant will give thirty (30) days' notice of any change and remains liable for sub-processor performance.

6. Security Measures

The Consultant implements appropriate technical and organisational measures, including: encryption in transit (TLS) and at rest, role-based access, multi-factor authentication, least-privilege principle, audit logging, segregated client workspaces, and secure deletion. Detailed measures are described in the GDPR & Data Security page.

7. Confidentiality

All personnel authorised to process Client personal data are bound by written confidentiality obligations of equivalent strength to the mutual NDA.

8. Assistance to the Controller

The Consultant assists the Client, taking into account the nature of processing, with: data subject requests, data protection impact assessments, prior consultations, security obligations, and breach notifications under Articles 32–36 GDPR.

9. Personal Data Breach

The Consultant notifies the Client without undue delay and in any event within seventy-two (72) hours of becoming aware of a personal data breach, providing all information required for the Client to comply with its own notification duties.

10. International Transfers

Personal data is hosted in the European Economic Area by default. Any transfer outside the EEA is performed only under an adequacy decision or appropriate safeguards (Standard Contractual Clauses), notified in advance.

11. Audit Rights

The Client may, on reasonable notice and not more than once per year (except following a breach), audit the Consultant's compliance, either itself or through an independent auditor bound by confidentiality.

12. Return or Deletion

On termination the Consultant returns or, at the Client's choice, securely deletes all personal data within ninety (90) days, except where retention is required by law (e.g. statutory accounting retention).

13. Liability and Order of Precedence

In case of conflict between these terms and the engagement letter, these data processing terms prevail with respect to personal data processing.