PART 1 – SCOPE AND DEFINITIONS
1.1 SCOPE OF REQUIREMENTS: These Requirements are supplemental to the master services agreement, framework services agreement, SAAS agreement or any other contract (the “Agreement”) between Expedia and Company referencing or otherwise incorporating these Requirements.
Any non-Expedia Group party handling data as part of Services provided to Expedia (“Company”) must handle, treat, and otherwise protect Expedia Information in accordance with these Requirements and any contractual agreement (the “Agreement”) between such Company and Expedia.
1.2 REQUIREMENTS TABLE
The sections of these Requirements that apply to Company are determined in accordance with the following:
- If Company accesses Expedia Personal Data, Expedia Critical Information, networks, or facilities, Section 1 of Part 2 (Security Measures) and Part 3 (Business Continuity) of these Requirements apply.
- If Company provides code or develops systems that access, process, or store Expedia Information, Section 2 of Part 2 (Security Measures) of these Requirements applies.
- If Company accesses or otherwise receives Expedia employee or customer Cardholder Data, or provides Cardholder processing software to Expedia, Section 3 of Part 2 (Security Measures) of these Requirements applies.
- If Company is processing personal data as part of the Services in the capacity of a Processor on behalf of Expedia (as identified in the Agreement), Part 4 (Processor Data Processing Agreement) of these Requirements applies.
- If Company is processing personal data as part of the Services in the capacity of a Controller (as identified in the Agreement) and personal data is shared between the Parties as part of the Services, Part 5 (Controller to Controller Agreement) of these Requirements applies.
- If Company is processing personal data as part of the Services in the capacity of a Controller (as identified in the Agreement) but no personal data is shared between the Parties as part of the Services, Part 6 (Controller & Controller Agreement) of these Requirements applies.
All requirements in a section that applies to Company must be met.
1.3 DEFINITIONS
Terms not defined in these Requirements will have the meaning given to them in the applicable Agreement, and:
1.3.1 Privacy/ Data Protection Definitions:
“controller”, “data subject”, “personal data”, “process/processing”, “processor”, and “supervisory authority” (or reasonably equivalent terms) will have the meanings given to them in the Applicable Data Protection Law.
“Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as attached to SCCs for the purposes of UK Transfers in accordance with Part 4 or Part 5 of these Requirements.
“Annex 1” means, as the context requires, the Annex 1 that forms part of Part 4 (Processor Data Processing Agreement) or the Annex 1 that forms part of Part 5 (Controller to Controller Agreement), in each case, together with the applicable sections of the relevant Appendix of the Agreement.
“Annex 2” means (a) in relation to the Company, Part 2 (Security Measures), Part 3 (Business Continuity) and Section 8 of Part 4 (Processor Data Processing Agreement) of the Requirements; and (b) where specified as applying, the Expedia Security Measures set out in Annex II of Part 5 of these Requirements.
“Annexes” means Annex 1 and Annex 2 collectively.
“Appendix” means, as the context requires, the relevant Processor or Controller Processing Overview attached as an Appendix to the Agreement.
“Applicable Data Protection Law” means all privacy and data protection law to which a party is subject in any relevant jurisdiction or that is otherwise applicable to the Expedia Personal Data, including, where applicable and without limitation, GDPR and/or CPRA.
“Controller Personal Data” means as applicable, Expedia Personal Data processed by the Parties in connection with the Agreement in their respective capacities as independent and autonomous controllers.
“CPRA” means the California Privacy Rights Act signed into law on November 3, 2020, as amended, supplemented or replaced from time to time.
“EU-U.S. DPF” means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated.
“European Territories” means collectively (i) the European Economic Area, namely the European Union Member States and Iceland, Liechtenstein and Norway, (ii) the United Kingdom, and (iii) Switzerland.
“Expedia Personal Data” means any personal data that:
- is provided to Company by Expedia (or its Affiliates or a third party on Expedia’s behalf) for processing; or
- Company (or any of its subcontractors) generates, collects, hosts, transmits or otherwise processes,
in each case in connection with the provision of the Services.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended, supplemented or replaced from time to time.
“Permitted Purpose” means as necessary for (i) provision of the Services; (ii) creation of aggregated and anonymized internal reports for analytic, business intelligence and business reporting; and (iii) to comply with legal obligations which do not conflict with Applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Expedia Personal Data transmitted, stored or otherwise processed, whether between or among Company’s subsidiaries and affiliates or any other person or entity acting on behalf of Company.
“Personnel” means in relation to a Party, its employees, independent contractors, consultants, agents and other representatives.
“Processor Personal Data” means Expedia Personal Data processed by Company in its capacity as a Processor on behalf of Expedia.
“Requirements” means these Expedia Group Privacy and Data Handling Requirements.
“Sensitive Data” means a sub-category of personal data that is marked as sensitive and requiring higher protections, as set out in Article 10 of the GDPR or as defined in Applicable Data Protection Law. This includes race and ethnicity; political views; religion, spiritual or philosophical beliefs; biometric data for ID purposes; health data; sex life data; sexual orientation; genetic data; and precise location data.
“Standard Contractual Clauses/ SCCs” means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-d…
“Subprocessor” means any third party other than Company, including Company’s Affiliates and subcontractors, appointed by Company as a processor to process Expedia Personal Data.
“Technical and Organizational Security Measures” means appropriate technical and organizational security measures as defined in the GDPR, and shall include implementing best industry protections and include physical, electronic and procedural safeguards to protect the personal data supplied to Company against any Personal Data Breach, and any security requirements, obligations, specifications or event reporting procedures set forth in any schedule, order or statement of work or similar document attached or entered into pursuant to the applicable Agreement.
1.3.2 Additional Security Measures Definitions:
“Expedia Critical Information” means any data, plus the infrastructure containing or providing direct access to that data, which has legal, financial or compliance implications for Expedia. Examples of such data include but are not limited to personal data of Expedia customers, employees, end-users, partners and suppliers, and other individuals; privileged administrative accounts and credentials; financial data including data subject to PCI DSS; critical security vulnerability and gap reports; and material non-public legal and intellectual property documents.
“Expedia Information” is all non-public data and includes all Expedia Critical Information and Expedia Personal Data on any media format which is acquired from, owned by, stored on behalf of, or otherwise the responsibility and/or property of, Expedia.
“Highly Sensitive Information” is that subset of personal data whose unauthorized disclosure or use could reasonably entail enhanced potential risk for the data subject. Highly Sensitive Information includes, without limitation, U.S. Social Security Number (“SSN”), or credit or debit card number (“Cardholder Data”), and/or account authentication data, such as passwords or PINs.
“PA-DSS” means the Payment Application Data Security Standard, its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
“Payment Card Brands” means American Express, Discover, Mastercard and Visa.
“PCI DSS” means the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Protected Environment” means any segregated network environment, network storage device, individual servers and/or devices which are secured through logical or physical access control to industry best-practice standards.