Privacy Annex for Booker Subscription Services

Last Updated: February 22, 2019

This Privacy Annex (“Annex”) is an annex to the overhead agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail. To the extent that BOOKER acts as a Processor to you as a Controller, in relation to Company Data originating from the EEA, the following terms apply.

1. Compliance with your instructions

BOOKER may only process Personal Data in connection with its performance of BOOKER Services pursuant to the Agreement, or as otherwise instructed by you or required by applicable law. The subject-matter, duration, nature and purpose of the Processing, types of Personal Data and categories of individuals will be the same as for the relevant Subscription Services to which the Processing relates. BOOKER may aggregate or anonymize Company Data for the purpose of product or service improvements, data science and reporting.

2. Security

BOOKER will implement commercially reasonable technical and organizational measures for the Subscription Services that are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access. As of the Effective Date, BOOKER has implemented the measures set out in its Security Policy. BOOKER will notify you of a Personal Data Breach as required under applicable law.

3. Audits

Upon your request, up to once a year, BOOKER will provide to you a copy of a self-certification confirming that BOOKER complies with the material requirements set out in this Annex. Such self-certification will be BOOKER’s Confidential Information. The Parties acknowledge and agree that such self-certification, where applicable, will satisfy clause 5 (f) of the Controller to Processor Standard Contractual Clauses and Article 28.3(h) of the GDPR.

4. Assistance

BOOKER will provide you reasonable assistance to allow you, at your sole costs, to demonstrate your compliance with obligations pursuant to this Annex in respect of notifying Personal Data Breaches to a Supervisory Authority and individuals and conducting Data Protection Impact Assessments.

5. Individuals

BOOKER will notify you of requests received directly from individuals in relation to the Processing of their Personal Data, unless prohibited from doing so under applicable law. BOOKER may, but is not required to, acknowledge receipt of such request and ask additional questions to determine the identity and nature of the request, or may refer such request and individual to you directly, and provide you with reasonable assistance in meeting the request in a timely manner.

You are solely responsible for providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the Processing of Personal Data pursuant to the Agreement and this Annex.

6. Sub-Processors

You agree that BOOKER may use Sub-Processors to assist BOOKER in Processing Personal Data for the performance of the Subscription Services, provided that:

(a) BOOKER imposes no less stringent duties on such Sub-Processors regarding security and confidentiality of Personal Data as those set out in this Annex;

(b) BOOKER remains responsible to you for the performance of the relevant Subscription Services by the Sub-Processor; and

(c) BOOKER maintains a list of such Sub-Processors in Section 22 of its Privacy Policy. In order to receive notice of any change to this list, you must subscribe to the Sub-Processor Notification List by clicking here. You accept that your failure to join the list may result in missing the deadline to object to new Sub-Processors. You may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objective justifiable grounds related to the ability of such Sub-Processor to protect the Personal Data or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance.

7. Transfers

To the extent that the Subscription Services involve a transfer of Personal Data originating from the EEA, the Controller to Processor Standard Contractual Clauses, which are herein incorporated by reference, will apply and BOOKER will comply, as the Processor, with the obligations therein to facilitate such transfers. The Appendices of such Controller to Processor Standard Contractual Clauses (the “Appendices”) are appended to this Annex and are incorporated herein by reference. Your click-through acceptance of the Agreement constitutes your signature to and acceptance of the Controller to Processor Standard Contractual Clauses and the Appendices.

Notwithstanding the foregoing, BOOKER may exchange the Controller to Processor Standard Contractual Clauses for any other EEA-approved transfer mechanism in its sole discretion. Please consult our current Privacy Policy for information regarding our data handling practices and what transfer mechanisms are being used.

8. Return and Deletion of Personal Data

Upon termination or expiration of the Subscription Services, BOOKER will make available to you Personal Data maintained by BOOKER for a duration of three (3) months to allow you to retrieve where reasonably technically feasible your Personal Data in a commonly used format set out by BOOKER. After such period, BOOKER will destroy or otherwise render inaccessible, at our discretion, such Personal Data from the production environment of the Subscription Services, except as may be required by law. Actions set out in this section are at your sole cost.

9. Changes

We may make changes to this Annex, including the Appendices, from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our websites. If you continue using the Subscription Services after any changes, it means you have accepted them. If you do not agree to any material changes, you must stop using the Subscription Services, and you can terminate your account by emailing

10. Key definitions.

Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.

10.1 “Controller”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Process/Processing”, “Processor”, and “Supervisory Authority” have the meaning set out in the GDPR. 

10.2 “Controller to Processor Standard Contractual Clauses” means Standard Contractual Clauses adopted by the EU Commission pursuant to its decision C(2010)593 located at (as updated or replaced from time to time). 

10.3 “EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland;

10.4 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

10.5 “Parties” means you and BOOKER.

10.6 “Personal Data” means Company Data to the extent that it relates to an identified or identifiable natural person.

10.7 “Sub-Processors” means third party organizations that BOOKER engages for the Processing of the Personal Data and which do not act under BOOKER’s direct authority.

Appendix 1 to the Controller to Processor Standard Contractual Clauses (description of transfer)

This Appendix forms part of the Controller to Processor Standard Contractual Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data Exporter and Data Importer

You transfer, and BOOKER receives, Personal Data in relation to the supply of BOOKER Services as set out in the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects:

Employees, including temporary employees, existing and prospective (customers’) customers, and other categories as relevant to the BOOKER Services.

Categories of data

Data as necessary for the Services, including contact and other personal details (name, address, telephone or mobile number, fax number, email, education and background, etc.), billing and financial details, electronic data (including IP address, application, device, Internet, network and browser data), sales and marketing data (including prospects, membership and mailing list participation), advantages, benefits and rewards, demographic or geographic information, service account data and technical support data, and other data as relevant to the BOOKER Services as defined in BOOKER’s Privacy Policy located at

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Data regarding physical health or mental condition, (including allergy and medication data) and other sensitive information as relevant to the Services.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Processing operations are limited to the extent necessary to provide the BOOKER Services as specified under the Agreement.

Appendix 2 to the Controller to Processor Standard Contractual Clauses

This Appendix forms part of the Controller to Processor Standard Contractual Clauses.

1. Physical Security Controls

Processor must implement appropriate physical security controls within its premises to prevent unauthorized persons from gaining access to data and systems. For this, Processor has implemented the following measures:

 Identification card for all members of staff
 Visitor access procedure
 Locked entry gates at all external doors
 Data center access limited to authorized personnel
 Entry security systems 24x7 (e.g., smart card reader, code locks)
 Clear-Desk Policy
 Monitoring devices (e.g., camera)

2. Access Control
Processor must prevent unauthorized access to data processing systems. Processor has implemented the following measures for electronic access control:

 Access control system (User ID and Strong Password)
 Screen logs that activate after period of inactivity
 Encryption of data transmitted via unsecure networks
 URL Filtering
 Penetration testing
 Automated vulnerability scans
 Documented Security Incident Response Plan

3. Authorization Process

Processor must ensure that authorized members of staff have access only to the data which they require in the course of their work duties and to which they have a right of access and must prevent any unauthorized access outside of the granted permissions. Processor has implemented the following measures:

 Documented request process for the introduction of new hardware and software
 Documented authorization process to grant only the minimum access required for each member of staff to perform his/her work duties
 Regular controls of authorizations granted and change process to reflect termination of employment, contract, agreement, or change of roles
 Privileged access limited to essential administration personnel
 Authentication process (User ID and Strong Password)
 Audit logs for servers, applications and network devices
 Secured interfaces
 Disk management
 Encryption of data transmitted via unsecure networks

4. Transmission Control

Processor shall ensure that personal data are protected against any unauthorized reading, modification, copying, or removal during electronic transmission or transport. Measures must be in place to verify to which recipient’s transfers are envisaged. Processor has implemented the following measures during transport, transfer, and transmission or storage on data carriers:

 Encryption of data transmitted via unsecure networks
 Encryption of storage media in transport
 Personal Firewalls

5. Input Control

Processor shall ensure that it is possible to verify what personal data were entered into processing systems, modified, or removed, at what time, and by whom. Processor has implemented the following to allow for retrospective review of whether and by whom personal data are entered, modified, or removed:

 Access logs and analysis
 Authentication process (User ID and Strong Password)
 Documented Incident Response Plan

6. External Parties

Processor shall ensure that, in the case of sub-contracting personal data will be processed only in accordance with the instructions of the Controller and will maintain:

 Written contractual arrangements/instructions with all sub-contractors
 Access controls to restrict access to what is required to perform the specific services

7. Availability Control

Processor shall take measures to protect personal data against accidental loss or destruction. Processor has implemented the following measures for availability control:

 Daily automated Back-up
 Redundant power feeds
 Temperature and humidity controls and monitoring
 Encryption of data transmitted via unsecure networks

8. Data Segregation

The data of the Controller are to be separated from the data of other customers and the Processor. Personal data collected for different purposes must be processed separately. Some measures taken by Processor for separation control are:

 Customer data and systems are separated from internal systems
 Separation of production and test systems
 Defined roles and responsibilities including appropriate segregation of duties amongst member of staff 

Mindbody Logo

Booker is now part of the MINDBODY family. Learn more here.