Expedia Group Privacy and Data Handling Requirements

Expedia Group takes the security and privacy practices of companies it does business with extremely seriously, and we expect our vendors and other business partners to do the same. The purpose of these Expedia Group Privacy and Data Handling Requirements is to establish those minimum information security standards and data privacy requirements that must be adhered to by any Company performing services for an Expedia Group company (“Expedia”) or who otherwise has access to Expedia Information.

Part 1 – Scope and Definitions

1.1 SCOPE OF REQUIREMENTS: These Requirements are supplemental to the master services agreement, framework services agreement, SAAS agreement or any other contract (the “Agreement”) between Expedia and Company referencing or otherwise incorporating these Requirements.

Any non-Expedia Group party handling data as part of Services provided to Expedia (“Company”) must handle, treat, and otherwise protect Expedia Information in accordance with these Requirements and any contractual agreement (the “Agreement”) between such Company and Expedia. 

1.3 Requirements Table

The sections of these Requirements that apply to Company are determined in accordance with the following:

  1. If Company accesses Expedia Personal Data, Expedia Critical Information, networks, or facilities, Section 1 of Part 2 (Security Measures) and Part 3 (Business Continuity) of these Requirements apply.
  2. If Company provides code or develops systems that access, process, or store Expedia Information, Section 2 of Part 2 (Security Measures) of these Requirements applies.
  3. If Company accesses or otherwise receives Expedia employee or customer Cardholder Data, or provides Cardholder processing software to Expedia, Section 3 of Part 2 (Security Measures) of these Requirements applies.
  4. If Company is processing personal data as part of the Services in the capacity of a Processor on behalf of Expedia (as identified in the Agreement), Part 4 (Processor Data Processing Agreement) of these Requirements applies.
  5. If Company is processing personal data as part of the Services in the capacity of a Controller (as identified in the Agreement) and personal data is shared between the Parties as part of the Services, Part 5 (Controller to Controller Agreement) of these Requirements applies.
  6. If Company is processing personal data as part of the Services in the capacity of a Controller (as identified in the Agreement) but no personal data is shared between the Parties as part of the Services, Part 6 (Controller & Controller Agreement) of these Requirements applies.

All requirements in a section that applies to Company must be met.

1.4 DEFINITIONS

Terms not defined in these Requirements will have the meaning given to them in the applicable Agreement, and:

1.4.1 Privacy/ Data Protection Definitions:

“controller”, “data subject”, “personal data”, “process/processing”, “processor”, and “supervisory authority” (or reasonably equivalent terms) will have the meanings given to them in the Applicable Data Protection Law.

“Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as attached to SCCs for the purposes of UK Transfers in accordance with Part 4 or Part 5 of these Requirements.

“Annex 1” means, as the context requires, the Annex 1 that forms part of Part 4 (Processor Data Processing Agreement) or the Annex 1 that forms part of Part 5 (Controller to Controller Agreement), in each case, together with the applicable sections of the relevant Appendix of the Agreement.

“Annex 2” means (a) in relation to the Company, Part 2 (Security Measures), Part 3 (Business Continuity) and Section 8 of Part 4 (Processor Data Processing Agreement) of the Requirements; and (b) where specified as applying, the Expedia Security Measures set out in Annex II of Part 5 of these Requirements.

“Annexes” means Annex 1 and Annex 2 collectively.

“Appendix” means, as the context requires, the relevant Processor or Controller Processing Overview attached as an Appendix to the Agreement.

“Applicable Data Protection Law” means all privacy and data protection law to which a party is subject in any relevant jurisdiction or that is otherwise applicable to the Expedia Personal Data, including, where applicable and without limitation, GDPR and/or CPRA.

“Controller Personal Data” means, as applicable, Expedia Personal Data processed by the Parties in connection with the Agreement in their respective capacities as independent and autonomous controllers.

“CPRA” means the California Privacy Rights Act signed into law on November 3, 2020, as amended, supplemented or replaced from time to time.

“EU-U.S. DPF” means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated.

“European Territories” means collectively (i) the European Economic Area, namely the European Union Member States and Iceland, Liechtenstein and Norway, (ii) the United Kingdom, and (iii) Switzerland.

“Expedia Personal Data” means any personal data that:

  1. is provided to Company by Expedia (or its Affiliates or a third party on Expedia’s behalf) for processing; or
  2. Company (or any of its subcontractors) generates, collects, hosts, transmits or otherwise processes,

in each case in connection with the provision of the Services.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended, supplemented or replaced from time to time.

“Permitted Purpose” means as necessary for (i) provision of the Services; (ii) creation of aggregated and anonymized internal reports for analytic, business intelligence and business reporting; and (iii) to comply with legal obligations which do not conflict with Applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Expedia Personal Data transmitted, stored or otherwise processed, whether between or among Company’s subsidiaries and affiliates or any other person or entity acting on behalf of Company.

“Personnel” means in relation to a Party, its employees, independent contractors, consultants, agents and other representatives.

“Processor Personal Data” means Expedia Personal Data processed by Company in its capacity as a Processor on behalf of Expedia.

“Requirements” means these Expedia Group Privacy and Data Handling Requirements.

“Sensitive Data” means a sub-category of personal data that is marked as sensitive and requiring higher protections, as set out in Article 10 of the GDPR or as defined in Applicable Data Protection Law. This includes race & ethnicity; political views; religion, spiritual or philosophical beliefs; biometric data for ID purposes; health data, sex life data; sexual orientation; and genetic data; and precise location data.

“Standard Contractual Clauses/ SCCs” means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en

“Subprocessor” means any third party other than Company, including Company’s Affiliates and subcontractors, appointed by Company as a processor to process Expedia Personal Data.

“Technical and Organizational Security Measures” means appropriate technical and organizational security measures as defined in the GDPR, and shall include implementing best industry protections and include physical, electronic and procedural safeguards to protect the personal data supplied to Company against any Personal Data Breach, and any security requirements, obligations, specifications or event reporting procedures set forth in any schedule, order or statement of work or similar document attached or entered into pursuant to the applicable Agreement.

1.4.2 Additional Security Measures Definitions:

“Expedia Critical Information” means any data, plus the infrastructure containing or providing direct access to that data, which has legal, financial or compliance implications for Expedia. Examples of such data include but are not limited to personal data of Expedia customers, employees, end-users, partners and suppliers, and other individuals; privileged administrative accounts and credentials; financial data including data subject to PCI DSS; critical security vulnerability and gap reports; and material non-public legal and intellectual property documents.

“Expedia Information” is all non-public data and includes all Expedia Critical Information and Expedia Personal Data on any media format which is acquired from, owned by, stored on behalf of, or otherwise the responsibility and/or property of, Expedia.

“Highly Sensitive Information” is that subset of personal data whose unauthorized disclosure or use could reasonably entail enhanced potential risk for the data subject. Highly Sensitive Information includes, without limitation, U.S. Social Security Number (“SSN”), or credit or debit card number (“Cardholder Data”), and/or account authentication data, such as passwords or PINs.

“PA-DSS” means the Payment Application Data Security Standard, its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).

“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.

“Payment Card Brands” means American Express, Discover, Mastercard and Visa.

“PCI DSS” means the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).

“Protected Environment” means any segregated network environment, network storage device, individual servers and/or devices which are secured through logical or physical access control to industry best-practice standards.


Part 2 – Security Measures

SECTION 1: ACCESS TO EXPEDIA PERSONAL DATA, EXPEDIA CRITICAL INFORMATION, NETWORKS, OR FACILITIES

SCOPE OF SECTION 1: If Company has access to Expedia Personal Data; Expedia Critical Information; Expedia networks (including without limitation, if Expedia is providing a data feed or other information to Company via the Internet or vice-versa); or Expedia facilities (e.g., Company Personnel will be performing services at an Expedia facility), Company will, at a minimum, comply with the provisions in Section 1:

1.1 INFORMATION SECURITY PROGRAM

1.1.1 INFORMATION SECURITY RISK MANAGEMENT PROCESS

Company must have an established process that periodically assesses information security risk within the organization that has access to Expedia Information.

1.1.2 INFORMATION SECURITY POLICY

Company must have a documented information security policy, approved by appropriate management or governance committee and reviewed periodically, which defines responsibilities for protecting information assets. Policies shall be based upon industry best practices, addressing areas such as asset management, Personnel security, physical, environmental, equipment, and media security, communications and operations management, access controls, information systems development and maintenance, incident management, business continuity management, and compliance.

1.1.3 ORGANIZATION OF INFORMATION SECURITY

Company must document, adopt, and enforce compliance with Company information security requirements, policies, standards, and procedures. Company must provide Expedia a point-of-contact for escalation of all information security matters. If Company is contractually permitted to allow third-party access to Expedia Information, Company must define procedures that ensure that downstream third-party and outsourced service providers comply with this Agreement when working with Expedia Information on behalf of Company.

1.2 ASSET MANAGEMENT, CLASSIFICATION, AND HANDLING

1.2.1 ASSET MANAGEMENT AND CLASSIFICATION

Company must have a managed and up-to-date inventory of Company assets that have access to Expedia Information. Company must define and maintain an information classification process that specifies appropriate security and handling controls based upon defined classifications. Company must anonymize and/or pseudonymize Expedia Personal Data as required by applicable laws and regulations or by Expedia utilizing industry standard practices. If Company utilizes non-Expedia owned equipment to connect with Expedia networks, Expedia has the right to review and approve all such equipment in order to determine compliance with Expedia connectivity requirements. Assets that satisfy these requirements will be granted access to Expedia networks. Assets may require modifications by Company to meet Expedia’s security compliance requirements including, but not limited to, custom configurations and settings, O/S hardening, patching, security agents and mobile security code (such as anti-virus and authentication certificates).

1.2.2 HANDLING EXPEDIA INFORMATION

  1. All Expedia Information must be encrypted in transit.
  2. Expedia Highly Sensitive Information and Sensitive Data must be encrypted both in transit and at rest.
  3. All other Expedia Information must be encrypted or secured in a Protected Environment with limited access when at rest.

1.3 PERSONNEL AND HUMAN RESOURCES SECURITY

1.3.1 BACKGROUND AND SCREENING CHECK

To the extent allowed by local law and prior to employment, Company must conduct employee and contingent staff background screening commensurate with the level of access provided, including criminal, financial, and/or employment background screening. Background checks must be completed, and the results deemed satisfactory by Company, prior to the employee or contractor being assigned to perform services for Expedia where those services will involve having access to Expedia Information. Individuals whose background checks reveal convictions for violations including but not limited to computer crimes, fraud, theft, identity theft, or excessive financial defaults MUST not be permitted access to Expedia Information. Upon request and to the extent allowed by local law, Company will provide written confirmation that screening has been conducted and the results deemed satisfactory.

1.3.2 SECURITY AWARENESS AND EDUCATION

Anyone who has access to Expedia Information must complete information security awareness training annually. The training must educate employees and contingent staff on all applicable policies, procedures, and standards and the responsibility to secure confidential information such as Expedia Information. Company shall be responsible for providing and verifying successful training of all Company employees and contingent staff. Expedia’s online information security awareness training is available to anyone with an account on the Expedia corporate network; successful completion of the Expedia training is a requirement for continued access to the network, unless evidence of equivalent training is provided. Company must require employees to acknowledge, in writing or electronically, that they have completed all required training, and have read, understand, and agree to abide by all applicable security policies and procedures. Upon request, Company must provide written confirmation that training has been completed.

1.4 PHYSICAL, ENVIRONMENTAL, EQUIPMENT, AND MEDIA SECURITY

1.4.1 Company must implement controls that restrict unauthorized physical access to areas containing equipment used to access Expedia Information. Company must monitor all areas containing equipment used to access Expedia Information for attempts at unauthorized access. All secure areas must be enclosed by a perimeter that will deter unauthorized Personnel from gaining access. Personnel working in secure areas must be easily identified as authorized to work in that area. Company must implement and maintain processes to verify that only authorized Personnel with an approved business need may be permitted to work in secure areas. Company must not allow visitors access to secure areas unescorted. Company must ensure proper disposal of all Expedia Information using appropriately secured containers for shredding or other approved means.

1.4.2 Company must only store Expedia Information in locations that will be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heat or cooling, and power failures or outages. Company must implement controls to prevent or detect the removal of any equipment involved in accessing Expedia Information. For purposes of clarity, this provision relates only to permanent storage facilities. Portable media controls are listed below.

1.4.3 If Company is contractually permitted to take Expedia Information off-site in any format, soft or hard copy, Company must in all cases take steps to protect such Expedia Information from unauthorized disclosure. Expedia Information must not be transmitted to unauthorized external services/companies for transfer, storage, or backup. When not in use, Expedia Information must be secured or locked away.

1.4.4 When the use of Company-supplied removable or portable data storage media is authorized by Expedia to store or access Expedia Information, the media must be encrypted to industry-standard levels or similarly protected.

1.4.5 Company must configure a password-protected inactivity timeout of fifteen (15) minutes, maximum, on workstations or laptops used to store or access Expedia Information.

1.4.6 Company must have processes in place to return or completely destroy Expedia Information upon request, in any format in which it is stored, soft or hard copy, and must not allow Personnel to discard any media containing Expedia Information except by secure methods that completely destroy the data.

1.5 COMMUNICATIONS AND OPERATIONS MANAGEMENT

1.5.1 OPERATIONAL SYSTEM SECURITY

On all Company IT systems used to access, process, or store Expedia Information:

  1. Company must follow documented change management procedures. Company must ensure thorough testing of changes to IT systems to prevent negative security impacts.
  2. Company must establish repeatable controls to ensure secure configuration and system hardening, including changing default passwords and settings, and disabling of all unnecessary services/daemons, ports, and network traffic on all systems that connect to Expedia networks or access Expedia Information.
  3. Company must establish and maintain a patch management process for software (including open-source software and firmware) covering network devices, servers, and desktop/laptop computers, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Company must deploy patches in a period of time that is commensurate with the criticality of the patch and sensitivity of Expedia Information accessed. Critical security patches must be installed within one month of their release.

1.5.2 MALWARE PROTECTION

Company must deploy, enable, and keep up to date malware protection that detects, removes, and protects against all known types of malicious software on all IT systems that access, process, or store Expedia Information. Company must ensure malware protection technology is configured to enable upon boot-up, set both automatic updates and periodic scans, and have logging enabled. Infected systems must be removed from the network until verified as virus-free.

1.5.3 NETWORK, OPERATING SYSTEM, AND APPLICATION CONTROL

All systems or networks connecting to Expedia networks and/or accessing Expedia Information must employ safeguard controls capable of monitoring and blocking unauthorized network traffic. Company must enable logging on network activity for audit, incident response, and forensic purposes. Where such controls are not available, systems or networks used to access Expedia Information must be physically or logically separate from other Company networks.

1.5.4 LOGGING OF SYSTEM USE

  1. Company must configure all Company systems used to access, process, or store Expedia Information to enable basic forensic accountability. In the case of an information security incident involving Company-supplied laptops, desktops, or removable or portable data storage media used to access, process, or store Expedia Information, Company must conduct a forensic analysis and provide the results to Expedia or Expedia’s representatives upon request except when the incident involves the actual loss or destruction of the equipment or media.
  2. Company servers used to access, process, or store Expedia Information must maintain sufficient audit logging to enable forensic analysis, including logging of security events, connectivity to services and sessions, and modification to user and configuration settings. Audit logs must be maintained for a minimum of three months. In the case of an information security incident involving Company servers used to access, process, or store Expedia Information, Company must conduct a forensic analysis and provide the results to Expedia or Expedia’s representatives upon request.

1.6 ACCESS CONTROL

1.6.1 EXPEDIA-MANAGED ENVIRONMENTS

Access to Expedia Information must be restricted to authorized users only. When the data resides physically or logically within Expedia-managed environments, Company access will be subject to Expedia’s access management policies and procedures. Expedia must authorize all decisions for access to Expedia Information residing within Expedia-managed environments or, where applicable, its landlords’ or service providers’ managed environments. Company may not extend access to Expedia Information residing within Expedia-managed environments to third parties without prior written consent. Expedia reserves the right to monitor all systems used to access Expedia-managed environments. If Expedia provides equipment such as laptops used to access Expedia Information, the equipment will be subject to Expedia’s configuration and access management policies and procedures. Company must immediately notify Expedia in writing if a Company employee or Company subcontractor with access to Expedia-managed systems terminates, no longer requires access to the Expedia account, or requires changes to the user account. Notification must include the name and User ID of the accounts or systems the person has access to.

1.6.2 REMOTE ACCESS CONTROL

Remote network connectivity to Expedia-managed environments must always use Expedia-approved methods such as SSL VPN when connecting. Expedia’s Host Checker policy will not allow connection from equipment without the capability of meeting Expedia’s security requirements for remote management, encryption, and authentication. Host Checker will verify equipment configurations such as current system patch levels, anti-virus software signatures and scanning engines, and personal firewalls. If Company is contractually permitted to remotely access Expedia-managed environments with Company-supplied equipment, Expedia will provide Company with a list of current configuration requirements upon request. Company shall be responsible for maintaining Company-supplied equipment configurations.

1.6.3 OUTSIDE OF EXPEDIA-MANAGED ENVIRONMENTS

If Company is contractually permitted to access, process, or store Expedia Information outside of Expedia-managed environments, Company must have an access management process that includes account authorization and management, password management and authentication, and remote access controls. Company must not provide access to Expedia Information to any third party (including, without limitation, Company’s subsidiaries and affiliates, subcontractors, and any person or entity acting on behalf of Company) unless the access is necessary to carry out Company’s obligations under this Agreement; such third party is bound by the obligations that are at least of the same level as those set out in this Agreement, and, for personal data, such obligations must comply with the requirements of the applicable privacy laws including the GDPR. Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company caused such breach.

1.6.4 COMPANY USER ACCESS MANAGEMENT

Expedia authorizes access to Expedia Information on a need-to-know basis. All user accounts used to access Expedia Information must be unique and clearly associated with an individual user. Company must ensure unique assignment of user IDs, tokens, or physical access badges provided to employee or contingent staff granted access to Expedia Information outside of Expedia-managed environments. Company must ensure all user/system/service/administrator accounts and passwords are never shared. Company is responsible for reviewing authorization privileges assigned to its employees and contingent staff on a monthly basis to ensure that access is appropriate for the user’s functioning role. Access authorization should follow “principles of least privilege.” Company must provide and ensure that IT administrators use separate and unique accounts for administration and non-administration responsibilities. Company must ensure that procedures exist for prompt modification or termination of access rights in response to organizational changes.

1.6.5 PASSWORD MANAGEMENT AND AUTHENTICATION CONTROLS ON COMPANY SYSTEMS

Company must ensure that systems with access to Expedia Information require complex passwords with reasonable expiration, reuse, and lock-out controls. Company must prohibit its users from sharing passwords. Company must encrypt authentication credentials during storage and transmission. Company must change passwords immediately for accounts suspected of compromise.

1.7 UNAUTHORIZED ACCESS TO EXPEDIA INFORMATION

Company shall not attempt to access, or allow access to, any Expedia Information which they are not authorized to access under this Agreement or associated Schedules/Statements of Work. If such access is attained, Company shall immediately terminate such access, report such incident to Expedia, describe in detail the accessed Expedia Information and return or destroy any copied or removed Expedia Information upon Expedia’s instruction.

1.8 INFORMATION SECURITY INCIDENT MANAGEMENT

1.8.1 Company must establish and maintain procedures that ensure appropriate response to security incidents. Management procedures should address monitoring, investigation, response, and notification. Company must securely save evidence such as security logs for forensic analysis. Incident response plans must include methods to protect evidence of activity from modification or tampering, and allow for the establishment of a proper chain of custody for evidence.

1.8.2 Company must notify Expedia without undue delay, and in no event later than twenty-four (24) hours after becoming aware of a verified Personal Data Breach; within forty-eight (48) hours of a suspected Personal Data Breach; and within seventy-two (72) hours of any suspected compromise of information security, system abuse, and/or violation of information security policy involving Expedia Information; and must, at Company’s cost and expense, assist and cooperate with Expedia concerning any disclosures to affected parties and/or data protection authorities, and other remedial measures as requested by Expedia or required under applicable law.

1.8.3 Security notifications should be reported to Expedia Group Security via the Relationship Manager and via email to ERSSOC@expedia.com. 

1.9 COMPLIANCE

Company information security policies and practices must comply with all applicable laws and regulations and contractual obligations to Expedia. Where local laws appear to prevent compliance with Expedia Information Security requirements, Company is responsible for notifying Expedia Group Security to determine appropriate compensating controls.

1.10 RIGHT TO AUDIT

1.10.1 Expedia shall have the right to conduct, at Expedia’s cost, inspections, assessments and/or audits (e.g. questionnaires, phone interviews, and onsite reviews), upon ten (10) days advance notice to Company, at a maximum of one (1) time per year, to evaluate compliance with these Requirements. Company agrees to cooperate with Expedia or its assigned agents regarding such inspections, assessments and/or audits. Company, at its own cost, will promptly correct deficiencies in the Technical and Organizational Security Measures identified by Company or by Expedia.

1.10.2 In addition to Expedia’s annual compliance audit, in the event of a verified Personal Data Breach involving Expedia Personal Data, Company agrees, at its sole expense, to provide a mutually agreed upon independent third-party auditor, and any governmental authority acting pursuant to statutory powers, access for inspections, assessments and/or audits (e.g. via questionnaires, phone interviews, and onsite reviews), and with no less than ten (10) days advance notice to Company, including access to Company’s facilities, systems, records, procedures and business practices to the extent related to the Personal Data Breach and the contracted products and services. The third-party auditors shall execute a mutually agreed-upon nondisclosure agreement with Company prior to commencing an audit. Any such audit may take place during the term of the Agreement and for a period of two years thereafter, shall occur during normal business hours and shall not unreasonably interfere with Company’s normal business operations. Company shall cooperate with third-party auditor’s agents regarding such inspections, assessments and/or audits. Any such audit reports shall be shared with Expedia, subject to redaction of information reasonably considered highly sensitive and therefore confidential by Company.

1.11 DELETION OR RETURN

Unless Expedia requests return of Expedia Personal Data prior to termination or expiry of the Agreement (whereupon such personal data shall be promptly returned to Expedia in machine readable format), upon such expiry or termination, Company will immediately delete all copies of Expedia Personal Data, save that, in the event that Company is unable to destroy Expedia Personal Data (due to backup or legal reasons), Company shall (a) continue to extend the protections of these Requirements to such data until such time that such Expedia Personal Data can be destroyed; and (b) immediately terminate any further processing of that Expedia Personal Data without Expedia’s express prior written consent, except where and to the extent required by applicable law.


SECTION 2: CODE OR SYSTEMS DEVELOPMENT AND MAINTENANCE

SCOPE OF SECTION 2: If Company’s services to Expedia include code that Expedia consumes or hosts, or where Company is providing Expedia with development services, Company will comply with the provisions in Section 2:

1.1 APPLICATION SECURITY

Company must not allow Expedia production data in any development, test, quality assurance (“QA”), or other non-production environment. If production-quality data is required for development or testing purposes, it must first be pseudonymized and/or anonymized to ensure the removal of all personal data elements, including name, SSN or equivalent, credit card numbers, etc. Company must ensure protection of Personal Data and Expedia Critical Information that is stored in cache or cookies.

1.1.1 CRYPTOGRAPHIC CONTROLS

Where applicable, Company must use commercially available cryptographic algorithms and all deployed encryption solutions must follow best practices in key management. Encryption keys must be protected against disclosure and misuse and must be rotated on a regular basis as defined by the level of sensitivity of information. Retired keys must be destroyed.

1.1.2 SYSTEM SECURITY

Company must establish and maintain configuration standards for all network devices and hosts accessing, processing, or storing sensitive Expedia Information, addressing currently known security vulnerabilities and industry best security practices. Company must ensure that software (including open-source software and firmware) used in operational systems maintains a current level of patching support from its supplier.

1.1.3 SECURE DEVELOPMENT AND SUPPORT

All software development done on behalf of Expedia must follow a documented software development process or life cycle (SDLC) with appropriate security checkpoints. Company must validate and test firmware, software, and application source code against vulnerabilities and weaknesses before deploying code to production. If Company develops software, it may be required to demonstrate the effectiveness of security controls prior to software acceptance. All software deployed to a production status in Expedia’s environment must adhere to and utilize Expedia’s change control process.

1.2 SECURITY AWARENESS AND EDUCATION

Company shall be responsible for providing and verifying successful completion of secure development training based upon industry best-practice standards for all Company developers working with the applicable code or systems. Expedia’s online secure developer training is available to all developers with an account on the Expedia corporate network; successful completion of the Expedia training is a requirement for applicable Company developers, unless evidence of equivalent training is provided. Upon request, Company must provide evidence and reports of training completion to Expedia.

PART 2 SECTION 3

SECTION 3: CARDHOLDER AND FINANCIAL/PAYMENT ACCOUNT DATA

SCOPE OF SECTION 3: If Company has access to or otherwise receives Expedia employee or customer financial/payment account numbers, including without limitation Cardholder Data, or provides Cardholder processing software to Expedia, Company will comply with the provisions in Section 4:

1.1 Company represents that it is presently in compliance, and will remain in compliance with, the current PCI DSS. Company shall provide Expedia with a copy of its PCI DSS Attestation of Compliance annually at the time of filing, and immediately notify Expedia of any change in its PCI DSS compliance status.

1.2 Company acknowledges that Cardholder Data is owned exclusively by Expedia, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Expedia, and further acknowledges that such Cardholder Data may be used only on the instruction of Expedia and in accordance with this Agreement, applicable privacy and security laws, and the operating regulations of the Payment Card Brands.

1.3 Company agrees that, in the event of a Personal Data Breach involving Cardholder Data, Company shall afford full cooperation and access to Company’s premises, books, logs and records by a designee of the Payment Card Brands to the extent necessary to perform a thorough security review and to validate Company’s compliance with the PCI Standards.

1.4 If Company provides to Expedia software that processes any payments via a payment application, Company represents that software provided to Expedia has been assessed and complies with the PA-DSS, and agrees to provide Expedia with all documentation, including the PA-DSS Implementation Guide, necessary for Expedia to deploy the software in a manner consistent with PCI DSS. Company agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS and provide updated documentation as necessary.


PART 3 – BUSINESS CONTINUITY MANAGEMENT

Company must maintain a comprehensive and current:

  1. business continuity plan (“BCP”) that completely covers, at a minimum, the contracted services and any infrastructure required to support them, documenting and implementing processes and procedures to ensure essential business functions continue to operate during and after a disaster; and
  2. disaster recovery plan (“DRP”) that documents technical plans for specific restoration of Expedia Information, ensuring there is no reduction of security in a disaster.

Key Personnel must be knowledgeable about the BC/DR Plans referenced herein.

If Company is allowed to store or process Expedia Information within its environment, the following Business Continuity Management requirements apply:

1.1 BACKUP

At least once weekly, Company shall perform a complete backup of Expedia Information using the highest industry-standard backup procedures. This backed-up data will be maintained at a Company colocation center in the US on US-based servers (or such other location as may be approved in writing by Expedia). In addition, Company will perform incremental daily backups. On at least a monthly basis, Company will make a copy of Expedia Information and store it at an off-site or alternate processing location in the US. Expedia may request a backup of the Expedia Information at any time, and Company shall provide the backup within five (5) business days in a mutually agreed upon format. Company shall (i) implement a Disaster Recovery Plan for the recovery of the Application, (ii) deliver a documented copy of such plan to Expedia within ten (10) days of the Effective Date, (iii) periodically update and test the operability of such plan at least once during each annual period of the Term, and (iv) implement such plan upon the occurrence of a disaster. In the event of a disaster, Company shall not increase its charges under this Agreement. If a disaster causes Company to allocate limited resources between or among Company’s customers, Expedia shall receive at least the same priority as such other customers in respect of such allocation.

1.2 BUSINESS CONTINUITY PLAN

1.2.1 Institute suitable business continuity targets and solutions for prioritized business activities required to continue or re-establish delivering products and services following a disruptive incident or crisis impacting Company facilities, services or staff.

1.2.2 Minimize risks of disruptive incidents to time-critical activities required to deliver Company products and services.

1.2.3 Define roles, responsibilities, and authorities.

1.2.4 Define and implement Business Continuity and Crisis Management Plans, Procedures, Business Impact Assessments, Risk Assessments, Tests, Exercises, Monitoring, Measurement, Analysis, Evaluation, and Continuous Improvement Plans.

1.2.5 Include business continuity/disaster recovery provisions in contracts with Third Parties who impact delivery of Company products and services. The provisions must require appropriate business continuity/disaster recovery policies as well as compliance with applicable laws or regulations regarding their business continuity/disaster recovery programs or plans.

1.2.6 Define notification requirements during an event impacting Company facilities, services or staff. Specifically, if Company experiences an outage disrupting its processes and services and determines that it will not be able to rectify this within one (1) business day, in addition to any other obligations herein, Company shall notify Expedia of the relevant issue and expected rectification period. Company will update Expedia in writing at least twice daily until such issue is resolved.

1.3 DISASTER RECOVERY PLAN

1.3.1 Re-establishment of Information Technology (“IT”) environment(s) following an unplanned event impacting the data center, infrastructure, data or applications/systems.

1.3.2 Policies and procedures necessary to minimize the risk of delay in establishing alternate recovery facilities and beginning the recovery process.

1.3.3 Crisis management plan, including standardized procedures for successfully responding to unplanned service outages due to disasters.

1.3.4 Comprehensive test strategy for the Disaster Recovery Plan.

1.3.5 Notification requirements during an event impacting Company IT systems, infrastructure or applications. Specifically, if Company experiences an outage disrupting IT systems, infrastructure or applications and determines that it will not be able to rectify this within one (1) business day, in addition to any other obligations herein, Company shall notify Expedia of the relevant issue and expected rectification period. Company will update Expedia in writing at least twice daily until such issue is resolved.

1.4 POWER BACKUP

All infrastructure in Company’s service location including desktops, servers, network, switch, quality monitoring and heating/lighting/ventilation must have a backup system (UPS and stand-by generators with fuel) with the ability to provide uninterrupted power for a minimum of seventy-two (72) hours. Power back-up systems should be tested at least once each month to ensure adequate operation.

1.5 BC/DR PLAN TESTING

The BC/DR Plan and related procedures must be tested, and Business Impact Assessments and Risk Assessments performed, at least once annually, and evidence of testing maintained. The tests must demonstrate that Company’s approach is effective. A review of the BC/DR Plan will occur on at least an annual basis.


PART 4 – PROCESSOR DATA PROCESSING AGREEMENT (INCLUDING THE SCCS)

SCOPE: If and to the extent that the Company is processing personal data as part of the Services in the capacity of a Processor on behalf of Expedia, this global Expedia data processing agreement (“DPA”) is supplemental to and applies to the Agreement and any relevant processing undertaken in connection with the Agreement, and sets out additional terms, requirements and conditions on which the third-party service provider (referred to in this DPA as the “Company”) will process personal data when providing Services under the Agreement. In this DPA, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement. Where CPRA applies, Company will be deemed to be the Service Provider, as defined in CPRA.

1. DEFINITIONS AND INTERPRETATION

1.1 This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA, unless otherwise defined herein.

1.2 The Processor Processing Overview set out in the Appendix attached to the Agreement forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes that Appendix.

1.3 In the case of conflict or ambiguity between: 

  1. any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail to the extent of the subject matter of this DPA, save as expressly agreed otherwise between the Parties in the Agreement; and
  2. any of the provisions of this DPA and any executed SCC, the provisions of the executed SCCs will prevail.

2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION

2.1 Each of Expedia and the Company acknowledges that for the purpose of the Applicable Data Protection Law, Expedia is the controller and has appointed the Company as the processor to process Processor Personal Data in accordance with this DPA.

2.2 Each of Expedia and the Company will comply with the obligations that apply to it under Applicable Data Protection Law.

2.3 Expedia confirms that it has an appropriate lawful basis (to the extent required by Applicable Data Protection Law) for the transfer of Processor Personal Data to the Company (if any) and the processing activities carried out by the Company in accordance with this DPA.

2.4 Company acknowledges that where the Expedia contract party has self-certified its compliance to the EU-U.S. DPF, it has done so in respect of Expedia customer personal data only and not in respect of its own employee personal data. Company further acknowledges that to the extent EU-U.S. DPF applies to the Processor Personal Data, Expedia is required to flow down certain EU-U.S. DPF data protection requirements to Company under this Agreement.

3. INSTRUCTIONS

Company will process the Processor Personal Data as a processor only for the Permitted Purpose and strictly in accordance with Expedia’s written instructions, unless otherwise required by EU or EU Member State law or Applicable Data Protection Law, in each case, to which the Company is subject, in which case the Company shall promptly notify Expedia of that legal requirement before processing. The Company will not process the Processor Personal Data for its own purposes or those of any third party. The Company must promptly notify Expedia if, in its opinion, Expedia’s instruction infringes Applicable Data Protection Law or if the Company can no longer comply with an obligation under this DPA. The Processor Processing Overview attached as an Appendix to the Agreement describes the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types relevant to the processing to be carried out by the Company to fulfil the Permitted Purpose.

4. INTERNATIONAL TRANSFERS

4.1 The Company will not transfer Processor Personal Data (nor permit the Processor Personal Data to be transferred) outside of its country of origin other than as necessary for a Permitted Purpose and only where the Company takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.

4.2 Where the Processor Personal Data is being transferred from the European Territories to outside of the European Territories, such measures include the following:

  1. transferring the Processor Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data;
  2. the Company participates in a valid cross-border transfer mechanism under the Applicable Data Protection Laws, so that the Company (and, where appropriate, Expedia) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR. The Company must identify in the relevant Appendix of the Agreement the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Company must immediately inform Expedia of any change to that status; or
  3. the transfer otherwise complies with the Applicable Data Protection Law for the reasons set out in the relevant Appendix.

4.3 EU-U.S. DPF: Where EU-U.S. DPF is identified in the relevant Appendix as being relied upon, the Company will provide at least the same level of protection for the Processor Personal Data as is required under the EU-U.S. DPF; and Company shall promptly notify Expedia if it makes a determination that it can no longer provide this level of protection. In such event, or if Expedia otherwise reasonably believes that Company is not protecting the Processor Personal Data to the standard required under the EU-U.S. DPF, Expedia may either: (i) instruct Company to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Company will promptly cooperate with Expedia in good faith to identify, agree and implement such steps; or (ii) terminate this DPA and the Agreement without penalty by giving notice to Company.

4.4 Company acknowledges that Expedia may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

4.5 SCCs: Where the Parties have determined that any Processor Personal Data transfer between Expedia and the Company requires execution of SCCs in order to comply with Applicable Data Protection Law, the Parties hereby enter into the SCCs which are incorporated by reference into the Agreement on an unchanged basis save for the following selections:

  1. Modules 2 (Controller to Processor) and 4 (Processor to Controller) only of the SCCs apply.
  2. For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The relevant period of days for prior notification of changes in subprocessors is fourteen (14) days.
  3. For the purposes of clause 11(a) of the SCCs, the optional language is deleted. Option 2 applies.
  4. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
  5. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
  6. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
  7. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

    “Clause 19

    UK GDPR and DPA 2018

    The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”

  8. A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

    “Clause 20

    Swiss – FADP

    The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of the Federal Act on Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FDPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”

4.6 Annex 1 (SCCs Processing Overview) of this Part 4 will constitute Annex 1 of the above SCCs.

4.7 Part 2 (Security Measures) and Part 3 (Business Continuity) of the Requirements and Section 8 of this DPA will constitute Annex 2 of Module 2 for the purposes of the SCCs as they relate to the Company.

4.8 Subject to the requirements set out in Clause 7 (Subprocessors) below, Expedia authorizes the Company to enter into further SCCs as required with a proposed Subprocessor. The Company will make the executed SCCs available to Expedia on request.

5. PERSONNEL AND CONFIDENTIALITY

The Company will ensure that any Personnel or any third party (legal or natural) (each an “Authorized Person”) it authorizes to process the Processor Personal Data have committed themselves to a strict duty of confidentiality (whether contractual or statutory) and shall not permit any person to process the Processor Personal Data who is not under such a duty of confidentiality. Company shall ensure that all Authorized Persons process the Processor Personal Data only as necessary for the Permitted Purpose.

6. SECURITY MEASURES

Company must at all times implement appropriate technical and organizational measures (as defined in the GDPR) to protect Processor Personal Data, including against a Personal Data Breach. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures will include the security measures identified in Parts 2 and 3 of the Requirements.

7. SUBPROCESSORS

7.1 The Company may only authorize a third-party subcontractor (which includes the Company’s own Affiliates) to process the Processor Personal Data if:

  1. Expedia is provided with an opportunity to object to the appointment of each subcontractor within fourteen (14) days after the Company supplies Expedia with full details regarding such subcontractor (including the proposed name, address, location and processing) to the following mailbox: Subprocessorchangenotification@expediagroup.com. If Expedia objects to any proposed Subprocessor on reasonable data protection grounds, then Company will not permit that subcontractor to process Processor Personal Data;
  2. the Company enters into a written contract with the subcontractor that contains terms substantially similar to those set out in this DPA; and
  3. Company remains fully liable to Expedia for any breach of this DPA that is caused by an act, error or omission of its Subprocessor.

7.2 A list of approved existing Subprocessors as at the date of the Agreement is set out in the Processor Processing Overview attached to the Agreement, including name, location and processing activities, or alternatively a link has been provided to Expedia containing such information. Company confirms that it has satisfied the requirements set out in paragraphs (b) and (c) above in respect of each such Subprocessor. Company will maintain and provide, on request, updated copies of the Subprocessor list to Expedia.

7.3 The Parties consider the Company to be responsible for any Processor Personal Data processed by its subcontractors.

8. COOPERATION AND EXERCISE OF DATA SUBJECT RIGHTS

8.1 At no additional cost and taking into account the nature of the processing, Company must provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Expedia to enable Expedia to respond to:

  1. any request (a “Data Subject Request”) from a data subject to exercise its rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable); and
  2. any other correspondence, enquiry or complaint received from a data subject, regulator or other third party,

 insofar as such request or communication relates to Processor Personal Data.

8.2 Company will notify Expedia promptly and in any event within two (2) working days if it (or its subcontractors) receives a Data Subject Request or other communication referred to in Clause 8.1(b) above.

8.3 Company will not directly respond to a Data Subject Request or other communication referred to in Clause 8.1(b) above other than at Expedia’s request or instruction or as provided for in this DPA.

9. DATA PROTECTION IMPACT ASSESSMENT

If Company believes or becomes aware that its processing of Processor Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Expedia. Company will provide Expedia with all such reasonable and timely assistance as Expedia may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant supervisory authority.

10. PERSONAL DATA BREACH

10.1 Upon becoming aware of a Personal Data Breach, the Company will notify Expedia of such Personal Data Breach without undue delay and in any event within 72 hours of becoming so aware.

10.2 When notifying Expedia under this Clause 10, Company will, without undue delay, provide Expedia with the following information:

  1. description of the nature of the Personal Data Breach, including the categories and approximate number of both data subjects and records concerned;
  2. the likely consequences; and
  3. description of the measures taken, or proposed to be taken, to address (i) and/or (ii), including measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the above information at the same time, the Company will provide such information in phases without undue delay, and keep Expedia informed of all related developments.

10.3 Immediately following any Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Company will reasonably co-operate with Expedia in Expedia’s handling of the matter, including, as reasonably deemed appropriate by Expedia:

  1. assisting with any investigation;
  2. permitting and assisting with security audits in accordance with Clause 13 (Audits); and
  3. taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.

The Company will not inform any third party of any Personal Data Breach without first obtaining Expedia’s prior written consent, except when expressly required to do so by law.

10.4 The Company agrees that Expedia has the sole right to determine:

  1. whether to provide notice of the Personal Data Breach to any data subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Expedia’s discretion, including the contents and delivery method of the notice; and
  2. whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.

10.5 The Company will cover all of its own reasonable expenses associated with the performance of the obligations under this Clause and reimburse Expedia for actual reasonable expenses that Expedia incurs when responding to a Personal Data Breach attributable to the Processor, including all costs of notice and any remedy as set out in this Clause.

11. DELETION OR RETURN

The Company will comply with Section 1.11 of Part 2 (Deletion or Return) of the Requirements.

12. RECORDS AND EVIDENCE OF COMPLIANCE

12.1 The Company will keep detailed, accurate and up-to-date written records (Records) regarding any processing of Processor Personal Data it carries out for Expedia, including but not limited to, the access, control and security of the Processor Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of Processor Personal Data to a third country and related safeguards, and a general description of the technical and organizational security measures referred to in Clause 6. The Company will provide Expedia with copies of Records upon request.

12.2 The Company will make available to Expedia all information necessary (including but not limited to, Records) to enable Expedia to verify the Company’s compliance with its obligations under this DPA.

12.3 Company will promptly inform Expedia in writing of any material changes to its processing activities from time to time, for example, without limitation, a change to how or where Processor Personal Data is accessed, hosted or otherwise processed.

13. AUDITS

The Company will comply with paragraph 1.10 of Section 1 of Part 2 (Right to Audit) of the Requirements.

14. DATA COLLECTION AND TRANSPARENCY

Where the Company is collecting personal data directly from data subjects on behalf of Expedia, the Company will only collect Processor Personal Data for Expedia using an Expedia privacy notice or method that Expedia specifically pre-approves in writing. The Company will not modify or alter the notice in any way without Expedia’s prior written consent. Where consent is required to collect such personal data, the Company will collect such consent in accordance with Applicable Data Protection Law, including ensuring that it maintains records of the date, time and method by which such consent was collected for each data subject, and will make such records available to Expedia on request.

15. US SPECIFIC DATA PROTECTION OBLIGATIONS

15.1 For the purpose of this section, “sale/sell” and “share” will have the meaning given to them in Applicable Data Protection Law in the United States.

15.2 To the extent that Processor Personal Data processed by the Company is within the scope of data protection laws of the United States:

  1. The Company will be deemed to be a “Service Provider” as that term is defined in the CPRA and references to processor shall be construed accordingly for such purposes.
  2. The Company will not process any Processor Personal Data outside of the direct business relationship between the Parties. Additionally, the Company will not combine Processor Personal Data it receives from or on behalf of Expedia with any personal information it receives from another entity or that it collects from its own interactions with individuals, except where allowed under Applicable Data Protection Laws. Expedia may take steps as reasonable and appropriate to remediate unauthorized use of Processor Personal Data outside of its instructions.
  3. If the Company has access to de-identified Processor Personal Data, it will publicly commit to maintain and use such data only in de-identified form. The Company does not and will not allow any subprocessor to re-identify any de-identified Processor Personal Data unless so instructed in writing by Expedia.
  4. For the purposes of Applicable Data Protection Laws, the Company acknowledges and agrees that it is not permitted to sell, share or rent the Processor Personal Data. The Parties agree that the transfer of any Processor Personal Data in accordance with this Agreement does not constitute a sale or sharing.

16. TERM AND TERMINATION

16.1 This DPA will remain in full force and effect so long as:

  1. the Agreement remains in effect; or
  2. the Company retains any Processor Personal Data related to the Agreement in its possession or control (Term).

16.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Processor Personal Data will remain in full force and effect.


ANNEX 1

SCCs - Processing Overview

This is Annex 1 for the purposes of the Module 2 and 4 Standard Contractual Clauses to the extent the Parties agree that they apply to the Agreement. This Processing Overview should be read in conjunction with Processor DPA Processing Overview in the Agreement.


MODULE 2 – Controller to Processor

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Expedia Group parties

Expedia controllers acting as data exporters: Each of the Expedia entities identified as “Data Controllers for EU/EEA/UK” in the link here.

EU Representatives and UK Representatives: Each of the Expedia entities identified as such in the above link.

Addresses of all relevant parties can be found in the above link, as can details of any relevant DPOs.

Contact name, position & contact details for all Expedia Group parties

Account manager using email address notified to counterparty contact from time to time

Activities relevant to data transferred under SCCs for Controllers

Data exporter may contract services from time to time from the Data Importer(s) as set out in, and in accordance with, the contract into which this Annex is incorporated, any Statements of Works, and/or Orders entered into in connection with that agreement (Agreement)

Data importer(s): [Identity and contact details of the data importer(s) including any contact person with responsibility for data protection]

Party

The Company, as identified in the Agreement

Address

As specified in the Agreement

Role

Processor

Contact person’s name, position and contact details

Account manager using email address notified to Expedia contact from time to time

Activities relevant to the data transferred under these Clauses

Data importer may provide services from time to time to the Data Exporters as set out in, and in accordance with, the Agreement

B. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of personal data
  • Sensitive data

See Section B1 (Transfer from Controller to Processor) of DPA Processing Overview attached to the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous or ad hoc basis in accordance with the needs of Expedia’s business

Nature of the processing

All processing operations required to facilitate provision of services in accordance with the Agreement

Purpose(s) of the data transfer and further processing

See Section B1 (Transfer from Controller to Processor) of DPA Processing Overview attached to the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of the Company, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back-up or legal reasons, the Company will continue to protect such personal data in accordance with the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Company to attach a complete current list, or insert a link to such a list, in Section B1 (Transfer from Controller to Processor) of the Processing Overview attached to the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

IRISH DATA PROTECTION AUTHORITY

 

Module 4 – PROCESSOR TO CONTROLLER

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Party/ies

The data importer in Module 2 is the data exporter for the purposes of Module 4.

Contact, activities and role are as per Module 2.

Data importer(s): [Identity and contact details of the data importer(s) including any contact person with responsibility for data protection]

Parties

Expedia Group controllers acting as data exporters in Module 2 act as the data importers for the purposes of Module 4.

Contact, activities, and role are as per Module 2.

B. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of personal data
  • Sensitive data

See Section B2 (Transfer from Processor to Controller) of DPA Processing Overview attached to the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

As per Section B1.

Nature of the processing

As per Section B1.

Purpose(s) of the data transfer and further processing

See Section B2 (Transfer from Processor to Controller) of DPA Processing Overview attached to the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Expedia

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Not applicable.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs.

IRISH DATA PROTECTION AUTHORITY



International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1 Tables

Table 1: Parties

Start Date

The Date of the SCCs to which these are attached (EU SCCs).

Parties

Key Contact

Exporter: As per EU SCCs.

Importer: As per EU SCCs.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties

Annex 1B: Description of Transfer

Annex II: Technical and organisational measures

As per EU SCCs

Table 4: Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19

Neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.


PART 5 - CONTROLLER TO CONTROLLER AGREEMENT (INCLUDING THE SCCS)

SCOPE: If and to the extent that the Company (a) is processing personal data as part of the Services in the capacity of an independent and autonomous controller, and (b) there is sharing of personal data between the Company and Expedia, this global controller to controller agreement (“C2C Agreement”) is supplemental to and applies to the Agreement and any relevant processing undertaken in connection with the Agreement, and sets out additional terms, requirements and conditions on which the third-party service provider (referred to in this C2C Agreement as the “Company”) will process personal data when providing Services under the Agreement. In this C2C Agreement, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement.

1. DEFINITIONS AND INTERPRETATION

1.1 This C2C Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this C2C Agreement unless otherwise defined herein.

1.2 The C2C Processing Overview Appendix in the Agreement forms part of Annex 1 of this Part 5 and will have effect as if set out in full in the body of this C2C Agreement. Any reference to this C2C Agreement includes that Appendix.

1.3 In the case of conflict or ambiguity between: 

  1. any of the provisions of this C2C Agreement and the provisions of the Agreement, the provisions of this C2C Agreement will prevail to the extent of the subject matter of this C2C Agreement; and
  2. any of the provisions of this C2C Agreement and any executed SCC, the provisions of the executed SCCs will prevail.

2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION

2.1 Each of Expedia and the Company acknowledge that for the purpose of the Applicable Data Protection Law, each party is an autonomous and independent controller.

2.2 Company acknowledges that where the Expedia contract party has self-certified its compliance to the EU-U.S. DPF, it has done so in respect of Expedia customer personal data only and not in respect of its own employee personal data. Company further acknowledges that to the extent EU-U.S. DPF applies to the Expedia Personal Data, Expedia is required to flow down certain EU-U.S. DPF data protection requirements to Company under this C2C Agreement.

3. OBLIGATIONS

3.1 Each Party will collect and process Controller Personal Data to fulfil its respective rights and obligations under this Agreement, as well as under all applicable laws. As such, each Party will:

  1. process such Controller Personal Data as an independent and autonomous controller;
  2. comply with all Applicable Data Protection Laws applicable to controllers when processing such Controller Personal Data;
  3. ensure that it has an appropriate lawful basis under Applicable Data Protection Laws for its processing of Controller Personal Data, including for the sharing of Controller Personal Data to the other Party for use by that Party as an independent controller in accordance with this Agreement;
  4. implement and maintain all appropriate technical and organizational measures and safeguards to protect Controller Personal Data they each process from and against a Personal Data Breach, taking into account the risks represented by the processing and the nature of the Controller Personal Data;
  5. take all necessary measures to ensure that Controller Personal Data are transferred in accordance with Applicable Data Protection Laws;
  6. not share, distribute, sell or otherwise permit access to Controller Personal Data or otherwise collected for the purposes of this Agreement with any third party save for any data sharing that is necessary to fulfil the purposes of this Agreement or as otherwise agreed between the Parties in the Agreement; and
  7. release from liability the other Party for any claims or litigation arising from the processing of personal data carried out in its capacity as an independent and autonomous controller.

3.2 Company will not name any Expedia group company in any public statement, or in any disclosure to an individual, a Supervisory Authority or other legal body, relating to privacy without obtaining prior written approval from Expedia, unless Company is legally prohibited from liaising with Expedia.

3.3 Where Company has received a request from government bodies in relation to surveillance activity, it will inform Expedia of such request where legally permitted to do so. In the event that the Company receives a government demand for access to Expedia Personal Data, Company shall i) provide a copy of the demand to Expedia unless legally prohibited from doing so; ii) consult with Expedia and agree response unless legally prohibited from doing so; iii) challenge such demand to the extent, in the reasonable opinion of Company, that such demand conflicts with Company’s obligations under Applicable Data Protection Laws and iv) shall only disclose or provide access to Expedia Personal Data in response to any demands where compelled to do so.

3.4 Where the Company is processing personal data of Expedia Personnel, Company will notify Expedia without undue delay of a verified personal data breach affecting personal data of Expedia Personnel and provide Expedia with all relevant information as Expedia requires. 

3.5 All types of data shared between the Parties are to be considered Confidential Information. Therefore, those data cannot be shared without specific written authorization from the Party to which those data belong, other than in accordance with this Agreement. Both Parties agree to use those data exclusively in accordance with the Agreement and not for any further purpose without the express written consent of the Party to which those data belong. Each Party is also fully responsible for the conduct of its own employees and external contractors.

3.6 EU-U.S. DPF: Where EU-U.S. DPF is identified in the Agreement as being relied upon, the Company will provide at least the same level of protection for the Controller Personal Data as is required under the EU-U.S. DPF; and Company shall promptly notify Expedia if it makes a determination that it can no longer provide this level of protection. In such event, or if Expedia otherwise reasonably believes that Company is not protecting the Controller Personal Data to the standard required under the EU-U.S. DPF, Expedia may either: (i) instruct Company to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Company will promptly cooperate with Expedia in good faith to identify, agree and implement such steps; or (ii) terminate this C2C Agreement and the Agreement without penalty by giving notice to Company.

3.7 Company acknowledges that Expedia may disclose this C2C Agreement and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

3.8 SCCs: Where the Parties have determined that any Controller Personal Data transfer between Expedia and the Company requires execution of SCCs in order to comply with Applicable Data Protection Law, the Parties hereby enter into the SCCs which are incorporated by reference into the Agreement on an unchanged basis save for the following selections:

  1. Module 1 (Controller to Controller) of the SCCs only applies.
  2. For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. Option 2 applies.
  3. For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
  4. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
  5. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
  6. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
  7. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

    “Clause 19

    UK GDPR and DPA 2018

    The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of the UK GDPR and the Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfers, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”

  8. A new clause 20 is added to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

    “Clause 20

    Swiss – FADP

    The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of the Federal Act on Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FDPIC to comply with the FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under that law or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”


3.9 Annex 1 of this Part 5 (C2C Processing Overview) will constitute Annex 1 for the purposes of the SCCs. Part 2 (Security Measures) and Part 3 (Business Continuity) will constitute Annex 2; and where the Company is data importer, Annex 2 to this Part 5 will constitute Annex 2 for the purposes of Expedia only, in each case for the purposes of the SCCs incorporated under this Part 5.

4. TERM AND TERMINATION

4.1 This C2C Agreement will remain in full force and effect so long as the Agreement remains in effect.

4.2 Any provision of this C2C Agreement that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Controller Personal Data will remain in full force and effect.

 

ANNEX 1

SCCs - Processing Overview

This is Annex 1 for the purposes of the Module 1 Standard Contractual Clauses/SCCs to the extent the Parties agree that they apply to the Agreement. This Processing Overview should be read in conjunction with C2C Processing Overview Appendix in the Agreement.

MODULE 1 – Controller to Controller (Expedia to Company)

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Expedia Group parties

Expedia controllers acting as data exporters: Each of the Expedia entities identified as “Data Controllers for EU/EEA/UK” in the link here.

EU Representatives and UK Representatives: Each of the Expedia entities identified as such in the above link.

Addresses of all relevant parties can be found in the above link, as can details of any relevant DPOs.

Contact name, position & contact details for all Expedia Group parties

Account manager using email address notified to counterparty contact from time to time

Activities relevant to data transferred under SCCs for Controllers

Data exporter may contract services from time to time from the Data Importer(s) as set out in, and in accordance with, the contract into which this Annex is incorporated, any Statements of Works, and/or Orders entered into in connection with that agreement (Agreement)

Data importer(s): [Identity and contact details of the data importer(s) including any contact person with responsibility for data protection]

Party

The Company, as identified in the Agreement.

Address

As specified in the Agreement

Role

Controller

Contact person’s name, position and contact details

Account manager using email address notified to Expedia contact from time to time

Activities relevant to the data transferred under these Clauses

Data importer may provide services from time to time to the Data Exporters as set out in, and in accordance with, the Agreement

B. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of personal data
  • Sensitive data

See Section B1 (Transfer from Controller to Controller) of C2C Processing Overview attached to the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous or ad hoc basis in accordance with the needs of Expedia’s business

Nature of the processing

All processing operations required to facilitate provision of services in accordance with the Agreement

Purpose(s) of the data transfer and further processing

See Section B1 (Transfer from Controller to Controller) of C2C Processing Overview attached to the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of the Company, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back-up or legal reasons, the Company will continue to protect such personal data in accordance with the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Company to attach a complete current list, or insert a link to such a list, in Section B1 (Transfer from Controller to Controller) of the C2C Processing Overview attached to the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

IRISH DATA PROTECTION AUTHORITY

 

MODULE 1 – Controller to Controller (Company to Expedia)

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Party/ies

The data importer in Module 1 (Expedia to Company) above is the data exporter for the purposes of this reverse transfer (Company to Expedia).

Contact, activities and role are as per Module 1 (Expedia to Company) above.

Data importer(s): [Identity and contact details of the data importer(s) including any contact person with responsibility for data protection]

Parties

Parties 1-3 and 7 of the data exporters in Module 1 (Expedia to Company) above are the data importers for the purposes of this reverse transfer (Company to Expedia).

Contact, activities and role are as per Module 1 (Expedia to Company) above.

B. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of personal data
  • Sensitive data

See Section B2 (Transfer from Controller to Controller) of C2C Processing Overview attached to the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous or ad hoc basis in accordance with the needs of Expedia’s business.

Nature of the processing

All processing operations required to facilitate provision of services to Expedia in accordance with the Agreement

Purpose(s) of the data transfer and further processing

See Section B2 (Transfer from Controller to Controller) of C2C Processing Overview attached to the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Expedia

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Not applicable.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs.

IRISH DATA PROTECTION AUTHORITY

 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

 EXPEDIA MEASURES

Expedia Group importers will comply with the below measures for the purposes of Annex II of the SCCs.

Subject / Measures
Measures of pseudonymisation and encryption of personal data
  • Expedia Group supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard.
  • Data handling requirements are set by data category. Depending on the data being handled, different security requirements apply across Expedia Group. For example, credit card data is classified as Highly Sensitive and is required to be encrypted both in transit and at rest.
  • Personal data of the customer (and its employees) is pseudonymized (or anonymized) by Expedia Group where possible and as required by EG’s Information Classification and Handling Standard.
  • Credit card numbers are tokenized/pseudonymized to eliminate processing of cleartext credit card numbers.
  • Expedia Group utilizes encrypted connections (VPN, TLS, etc.) and multi-factor authentication mechanisms.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.
  • The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis.
  • Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion.
  • Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance. For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability.
  • Servers are patched in accordance with Expedia Group’s patching policy and protected by industry standard anti-virus/anti-malware (AV/AM) programs. Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained.
  • Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service.
  • Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing.
  • EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI.
  • EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.
Measures for user identification and authorisation
Measures for the protection of data during transmission
Measures for the protection of data during storage
  • Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls.
  • Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practices as required, such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes. 
Measures for ensuring physical security of locations at which personal data are processed
  • A Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually.
  • All systems are regularly controlled and tested by external service providers.
  • Each Expedia Group customer receives its own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Administration rights and database structures ensure that a customer can only access datasets assigned to that customer ID; physical access is governed by data center and AWS controls.
  • Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.
Measures for ensuring events logging
  • Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.

Measures for ensuring system configuration, including default configuration
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products

  • Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data.
  • Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating systems, databases, and off-the-shelf applications must: be discoverable to satisfy legal and regulatory audit requirements; support configuration management tools, or deploy configuration management that successfully enforces security controls; enable encryption for all remote administrative access to the system; and display a logon notice stating the proper use of the system, that the system is monitored to detect improper use and other illicit activity, and that there is no expectation of privacy while using the system.
  • Expedia Group takes a layered / defense-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly.
  • Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.

Measures for ensuring data minimisation
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability

  • Minimisation: Expedia Group ensures that only the minimum amount of data is collected, processed and stored, and keeps data in identifiable form only where necessary.
  • Retention: The Expedia Group data retention policy sets out different retention periods and backup handling depending on the category of data, including any legal obligation or other exemption which requires data to be retained until the relevant legal obligation, such as tax and accounting purposes, has been extinguished.
  • Quality: Expedia Group has a formalized quality management program, the Customer Experience Management (CEM) program, through which EG continually seeks to improve and streamline processes so as to deliver consistent, high-quality services and interactions with its partners, clients and travelers.
  • Accountability: Expedia Group ensures accountability and oversight, with consistent implementation of policies, industry regulations/frameworks and legal requirements, by maintaining a formalized Governance program and a Legal/Privacy function.
Measures for allowing data portability and ensuring erasure
  • Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Group responds to all subject requests, including Access, deletion and portability in accordance with applicable data protection law.
  • EG’s data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy Personal Data, Expedia Group shall continue to extend relevant protections of the Agreement between the parties governing such personal data and terminate any further processing.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
  • Expedia Group conducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures.
  • Expedia Group has formalised a detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary.
  • Additionally, Expedia Group has robust vendor processor terms that are imposed on all vendors, ensuring the flow-down of obligations to any of their sub-processors.

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Table 1: Parties

Start Date: The date of the EU SCCs to which this Addendum is attached.

Parties and Key Contact:

Exporter: As per EU SCCs.

Importer: As per EU SCCs.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs to which this Addendum is appended.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties

Annex IB: Description of Transfer

Annex II: Technical and organisational measures

As per EU SCCs

Table 4: Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19: Neither Party

Part 6 – Controller & Controller Agreement (No data sharing between Company and Expedia)

SCOPE: If and to the extent that the Company is (a) processing personal data as part of the Services in the capacity of an independent and autonomous controller, and (b) no personal data is shared between the Parties as part of the Services, this global controller & controller agreement (“C&C Agreement”) is supplemental to and applies to the Agreement and any relevant processing undertaken in connection with the Agreement, and sets out additional terms, requirements and conditions on which the third-party service provider (referred to in this C&C Agreement as the “Company”) will process personal data when providing Services under the Agreement. In this C&C Agreement, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement.

1. DEFINITIONS AND INTERPRETATION

1.2 This C&C Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this C&C Agreement.

1.3 The C&C Agreement Appendix forms part of this C&C Agreement under this Part 6 and will have effect as if set out in full in the body of this C&C Agreement. Any reference to this C&C Agreement includes that Appendix.

1.4 In the case of conflict or ambiguity between any of the provisions of this C&C Agreement and the provisions of the Agreement, the provisions of this C&C Agreement will prevail to the extent of the subject matter of this C&C Agreement.

2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION

2.1 Each of Expedia and the Company acknowledges that, for the purpose of Applicable Data Protection Law, each party is an autonomous and independent controller, and that no personal data shall be shared between the Parties in connection with the Agreement.

3. OBLIGATIONS

3.1 Each Party will collect and process Controller Personal Data to fulfil its respective rights and obligations under this Agreement, as well as under all applicable laws. As such, each Party will:

  1. process such Controller Personal Data as an independent and autonomous controller;
  2. comply with all Applicable Data Protection Laws applicable to controllers when processing such Controller Personal Data;
  3. ensure that it has an appropriate lawful basis under Applicable Data Protection Laws for its processing of Controller Personal Data;
  4. implement and maintain all appropriate technical and organizational measures and safeguards to protect Controller Personal Data they each process from and against a Personal Data Breach, taking into account the risks represented by the processing and the nature of the Controller Personal Data;
  5. take all necessary measures to ensure that Controller Personal Data are transferred in accordance with Applicable Data Protection Laws;
  6. not share, distribute, sell or otherwise permit access to Controller Personal Data, or data otherwise collected for the purposes of this Agreement, with any third party, save for any data sharing that is necessary to fulfil the purposes of this Agreement or as otherwise agreed between the Parties in the Agreement; and
  7. release from liability the other Party for any claims or litigation arising from the processing of personal data carried out in its capacity as an independent and autonomous controller.

3.2 Where the Company is processing personal data of Expedia Personnel, Company will notify Expedia without undue delay of a verified personal data breach affecting personal data of Expedia Personnel and provide Expedia with all relevant information as Expedia requires. 

4. TERM AND TERMINATION

4.1 This C&C Agreement will remain in full force and effect so long as the Agreement remains in effect.

4.2 Any provision of this C&C Agreement that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Controller Personal Data will remain in full force and effect.

Last Revised April 1, 2022