Data Processing Addendum (DPA)

Effective Date: 17th April 2025

This Data Processing Addendum (“DPA”) forms part of the agreement between Shikisha Tours and Travel Limited (“Shikisha”, “we”, “us”, or “our”) and any customer, partner, or organisation (“Customer”, “you”, or “your”) that engages us to provide travel and related services which involve the processing of personal data.

This DPA is intended to meet the requirements of applicable data protection laws, including the General Data Protection Regulation (GDPR), POPIA, and other similar regulations where applicable.

1. Roles of the Parties

For the purposes of this DPA and applicable data protection laws:

• The Customer is the Data Controller (or equivalent term).
• Shikisha is the Data Processor (or equivalent term) when processing personal data on your behalf.

Where Shikisha determines the purposes and means of processing for its own business (for example, managing guest records, marketing, and compliance), Shikisha acts as an independent data controller, as described in our Privacy Policy.

2. Subject Matter, Nature and Purpose of Processing

Shikisha processes personal data solely for the purpose of delivering the agreed travel and tourism services, including but not limited to:

• Managing tour, safari, transport, and accommodation bookings
• Coordinating flights and ground services
• Communicating with travellers and Customer representatives
• Providing support before, during, and after travel
• Carrying out necessary administrative, accounting, and compliance tasks

3. Duration of Processing

Shikisha will process personal data:

• For the duration of the underlying service agreement and any active bookings; and
• Thereafter, only as required to comply with legal, regulatory, or contractual obligations (for example, tax and audit requirements).

4. Categories of Data Subjects

Categories of data subjects may include:

• Travellers and guests
• Employees or agents of the Customer
• Family members or group members linked to a booking
• Emergency contacts where provided

5. Types of Personal Data

Personal data processed may include, as applicable:

• Identification details (name, title, date of birth where required)
• Contact details (email address, phone number, address)
• Travel itinerary details (dates, destinations, accommodation, activities)
• Passport, visa, and travel document information where required for bookings
• Special requests (dietary requirements, mobility needs, celebration notes)
• Health-related information limited to what is strictly necessary for travel arrangements, where provided by the Customer or traveller

The Customer undertakes not to provide more personal data than is reasonably necessary for the relevant travel services.

6. Instructions from the Customer

Shikisha will process personal data only:

• On the documented instructions of the Customer, as set out in the service agreement and this DPA; or
• Where required by applicable law, in which case Shikisha will inform the Customer (unless prohibited by law).

7. Confidentiality

Shikisha will ensure that any person authorised to process personal data (including employees, agents, and contractors) is subject to a duty of confidentiality and processes such data only for the purposes set out in this DPA.

8. Security of Processing

Shikisha implements appropriate technical and organisational measures to protect personal data, including:

• Access controls and role-based permissions
• Secure storage and transmission practices
• Regular backups and monitoring
• Staff awareness and training on data protection

The Customer is responsible for implementing suitable security measures within its own systems, including the secure transfer of personal data to Shikisha.

9. Sub-Processors

Shikisha may engage third-party service providers (“Sub-Processors”) to support delivery of travel services (for example, airlines, hotels, ground operators, IT providers).

• Sub-Processors will only process personal data as necessary to provide their services.
• Shikisha will ensure Sub-Processors are bound by data protection obligations equivalent to those in this DPA.

Where required by law or contract, Shikisha will provide the Customer with information on key Sub-Processors upon request.

10. International Transfers

Due to the nature of travel services, personal data may be transferred to or accessed from countries outside the country of origin and, in some cases, outside the European Economic Area (EEA) or similar jurisdictions.

Shikisha will take appropriate steps to ensure that such transfers comply with applicable data protection laws, including (where relevant) the use of recognised data transfer mechanisms.

11. Assistance with Data Subject Rights

Taking into account the nature of the processing, Shikisha will provide reasonable assistance to the Customer, upon request, to respond to data subject requests relating to:

• Access, rectification, or erasure of personal data
• Restriction or objection to processing
• Data portability where applicable

The Customer remains responsible for identifying and authenticating data subjects and for responding to requests in accordance with applicable law.

12. Data Breach Notification

In the event of a personal data breach affecting personal data processed on behalf of the Customer, Shikisha will:

• Notify the Customer without undue delay once the breach has been identified; and
• Provide available information to help the Customer meet any legal obligations to notify authorities or affected individuals.

The Customer is responsible for any regulatory or data subject notifications, unless otherwise agreed in writing.

13. Data Protection Impact Assessments

Where the Customer is required to carry out a Data Protection Impact Assessment (DPIA) or consult with a supervisory authority, Shikisha will provide reasonable cooperation and assistance, to the extent that the processing by Shikisha is relevant to such assessment.

14. Return or Deletion of Data

Upon termination or expiry of the services, and at the Customer’s written request, Shikisha will:

• Return personal data to the Customer; or
• Delete personal data, unless retention is required by law or legitimate business necessity (e.g., tax, audit, or legal defence).

Where full deletion is not technically or legally feasible, Shikisha will ensure that any retained data remains subject to appropriate protections and is used only for limited lawful purposes.

15. Audit and Compliance

Upon reasonable prior written notice and subject to confidentiality obligations, Shikisha will:

• Provide information necessary to demonstrate compliance with this DPA; and
• Cooperate with audits or inspections initiated by the Customer or its appointed auditor, where required by law.

Audits shall be conducted during normal business hours and in a manner that avoids undue disruption to Shikisha’s operations.

16. Relationship to Main Agreement and Privacy Policy

This DPA supplements and forms part of the main agreement between Shikisha and the Customer. In case of any conflict between the main agreement and this DPA regarding data protection, this DPA shall prevail to the extent of the inconsistency.

For more information on how Shikisha processes personal data as an independent controller, please refer to our Privacy Policy.

17. Changes to this DPA

Shikisha may update this DPA from time to time to reflect legal, operational, or service-related changes. Material updates will be communicated to Customers, and continued use of our services after such updates constitutes acceptance of the revised DPA.

18. Contact

For questions about this DPA or data protection matters, please contact:

Email: privacy@shikishatoursandtravels.co.ke
General enquiries: info@shikishatoursandtravels.co.ke