PART 4 – PROCESSOR DATA PROCESSING AGREEMENT (INCLUDING THE SCCS)

SCOPE: If and to the extent that the Company is processing personal data as part of the Services in the capacity of a Processor on behalf of Expedia, this global Expedia data processing agreement (“DPA”) is supplemental to and applies to the Agreement and any relevant processing undertaken in connection with the Agreement, and sets out additional terms, requirements and conditions on which the third-party service provider (referred to in this DPA as the “Company”) will process personal data when providing Services under the Agreement. In this DPA, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement. Where CPRA applies, Company will be deemed to be the Service Provider, as defined in CPRA.

1. DEFINITIONS AND INTERPRETATION

1.1 This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA, unless otherwise defined herein.

1.2 The Processor Processing Overview set out in the Appendix attached to the Agreement forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes that Appendix.

1.3 In the case of conflict or ambiguity between: 

  1. any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail to the extent of the subject matter of this DPA, save as expressly agreed otherwise between the Parties in the Agreement; and
  2. any of the provisions of this DPA and any executed SCC, the provisions of the executed SCCs will prevail.

2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION

2.1 Each of Expedia and the Company acknowledges that for the purpose of the Applicable Data Protection Law, Expedia is the controller and has appointed the Company as the processor to process Processor Personal Data in accordance with this DPA.

2.2 Each of Expedia and the Company will comply with the obligations that apply to it under Applicable Data Protection Law.

2.3 Expedia confirms that it has an appropriate lawful basis (to the extent required by Applicable Data Protection Law) for the transfer of Processor Personal Data to the Company (if any) and the processing activities carried out by the Company in accordance with this DPA.

2.4 Company acknowledges that where the Expedia contract party has self-certified its compliance to the EU-U.S. DPF, it has done so in respect of Expedia customer personal data only and not in respect of its own employee personal data. Company further acknowledges that to the extent EU-U.S. DPF applies to the Processor Personal Data, Expedia is required to flow down certain EU-U.S. DPF data protection requirements to Company under this Agreement.

3. INSTRUCTIONS

Company will process the Processor Personal Data as a processor only for the Permitted Purpose and strictly in accordance with Expedia’s written instructions, unless otherwise required by EU or EU Member State law or Applicable Data Protection Law, in each case, to which the Company is subject, in which case, the Company shall promptly notify Expedia of that legal requirement before processing. The Company will not process the Processor Personal Data for its own purposes or those of any third party. The Company must promptly notify Expedia if, in its opinion, Expedia’s instruction infringes Applicable Data Protection Law or if the Company can no longer comply with an obligation under this DPA. The Processor Processing Overview attached as an Appendix to the Agreement describes the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types relevant to the processing to be carried out by the Company to fulfil the Permitted Purpose.

4. INTERNATIONAL TRANSFERS

4.1 The Company will not transfer Processor Personal Data (nor permit the Processor Personal Data to be transferred) outside of its country of origin other than as necessary for a Permitted Purpose and only where the Company takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.

4.2 Where the Processor Personal Data is being transferred from the European Territories to outside of the European Territories, such measures include the following:

  1. transferring the Processor Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data;
  2. the Company participates in a valid cross-border transfer mechanism under the Applicable Data Protection Laws, so that the Company (and, where appropriate, Expedia) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR. The Company must identify in the relevant Appendix of the Agreement the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Company must immediately inform Expedia of any change to that status; or
  3. the transfer otherwise complies with the Applicable Data Protection Law for the reasons set out in the relevant Appendix.

4.3 EU-U.S. DPF: Where EU-U.S. DPF is identified in the relevant Appendix as being relied upon, the Company will provide at least the same level of protection for the Processor Personal Data as is required under the EU-U.S. DPF; and Company shall promptly notify Expedia if it makes a determination that it can no longer provide this level of protection. In such event, or if Expedia otherwise reasonably believes that Company is not protecting the Processor Personal Data to the standard required under the EU-U.S. DPF, Expedia may either: (i) instruct Company to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Company will promptly cooperate with Expedia in good faith to identify, agree and implement such steps; or (ii) terminate this DPA and the Agreement without penalty by giving notice to Company.

4.4 Company acknowledges that Expedia may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

4.5 SCCs: Where the Parties have determined that any Processor Personal Data transfer between Expedia and the Company requires execution of SCCs in order to comply with Applicable Data Protection Law, the Parties hereby enter into the SCCs which are incorporated by reference into the Agreement on an unchanged basis save for the following selections:

  1. Modules 2 (Controller to Processor) and 4 (Processor to Controller) only of the SCCs apply.
  2. For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The relevant period of days for prior notification of changes in subprocessors is fourteen (14) days.
  3. For the purposes of clause 11(a) of the SCCs, the optional language is deleted. Option 2 applies.
  4. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
  5. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
  6. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
  7. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

    “Clause 19

    UK GDPR and DPA 2018

    The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”

  8. A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

    “Clause 20

    Swiss – FADP

    The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of the Federal Act on Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FDPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”

4.6 Annex 1 (SCCs Processing Overview) of this Part 4 will constitute Annex 1 of the above SCCs.

4.7 Part 2 (Security Measures) and Part 3 (Business Continuity) of the Requirements and Section 8 of this DPA will constitute Annex 2 of Module 2 for the purposes of the SCCs as they relate to the Company.

4.8 Subject to the requirements set out in Clause 7 (Subprocessors) below, Expedia authorizes the Company to enter into further SCCs as required with a proposed Subprocessor. The Company will make the executed SCCs available to Expedia on request.

5. PERSONNEL AND CONFIDENTIALITY

The Company will ensure that any Personnel or any third party (legal or natural) (each an “Authorized Person”) it authorizes to process the Processor Personal Data have committed themselves to a strict duty of confidentiality (whether contractual or statutory) and shall not permit any person to process the Processor Personal Data who is not under such a duty of confidentiality. Company shall ensure that all Authorized Persons process the Processor Personal Data only as necessary for the Permitted Purpose.

6. SECURITY MEASURES

Company must at all times implement appropriate technical and organizational measures (as defined in the GDPR) to protect Processor Personal Data, including against a Personal Data Breach. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures will include the security measures identified in Parts 2 and 3 of the Requirements.

7. SUBPROCESSORS

7.1 The Company may only authorize a third-party subcontractor (which includes the Company’s own Affiliates) to process the Processor Personal Data if:

  (a) Expedia is provided with an opportunity to object to the appointment of each subcontractor within fourteen (14) days after the Company supplies Expedia with full details regarding such subcontractor (including the proposed name, address, location and processing) to the following mailbox: Subprocessorchangenotification@expediagroup.com. If Expedia objects to any proposed Subprocessor on reasonable data protection grounds, then Company will not permit that subcontractor to process Processor Personal Data;
  (b) the Company enters into a written contract with the subcontractor that contains terms substantially similar to those set out in this DPA; and
  (c) Company remains fully liable to Expedia for any breach of this DPA that is caused by an act, error or omission of its Subprocessor.

7.2 A list of approved existing Subprocessors as at the date of the Agreement is set out in the Processor Processing Overview attached to the Agreement, including name, location and processing activities, or alternatively a link has been provided to Expedia containing such information. Company confirms that it has satisfied the requirements set out in paragraphs (b) and (c) above in respect of each such Subprocessor. Company will maintain and provide, on request, updated copies of the Subprocessor list to Expedia.

7.3 The Parties consider the Company to be responsible for any Processor Personal Data processed by its subcontractors.

8. COOPERATION AND EXERCISE OF DATA SUBJECT RIGHTS

8.1 At no additional cost and taking into account the nature of the processing, Company must provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Expedia to enable Expedia to respond to:

  (a) any request (a “Data Subject Request”) from a data subject to exercise its rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable); and
  (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party,

 insofar as such request or communication relates to Processor Personal Data.

8.2 Company will notify Expedia promptly and in any event within two (2) working days if it (or its subcontractors) receives a Data Subject Request or other communication referred to in Clause 8.1(b) above.

8.3 Company will not directly respond to a Data Subject Request or other communication referred to in Clause 8.1(b) above other than at Expedia’s request or instruction or as provided for in this DPA.

9. DATA PROTECTION IMPACT ASSESSMENT

If Company believes or becomes aware that its processing of Processor Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Expedia. Company will provide Expedia with all such reasonable and timely assistance as Expedia may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant supervisory authority.

10. PERSONAL DATA BREACH

10.1 Upon becoming aware of a Personal Data Breach, the Company will notify Expedia of such Personal Data Breach without undue delay and in any event within 72 hours of becoming so aware.

10.2 When notifying Expedia under Clause 10.1, Company will, without undue delay, provide Expedia with the following information:

  (i) a description of the nature of the Personal Data Breach, including the categories and approximate number of both data subjects and records concerned;
  (ii) the likely consequences; and
  (iii) a description of the measures taken, or proposed to be taken, to address (i) and/or (ii), including measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the above information at the same time, the Company will provide such information in phases without undue delay, and keep Expedia informed of all related developments.

10.3 Immediately following any Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Company will reasonably co-operate with Expedia in Expedia’s handling of the matter, including, as reasonably deemed appropriate by Expedia:

  1. assisting with any investigation;
  2. permitting and assisting with security audits in accordance with Clause 13 (Audits); and
  3. taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.

The Company will not inform any third party of any Personal Data Breach without first obtaining Expedia’s prior written consent, except when expressly required to do so by law.

10.4 The Company agrees that Expedia has the sole right to determine:

  1. whether to provide notice of the Personal Data Breach to any data subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Expedia’s discretion, including the contents and delivery method of the notice; and
  2. whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.

10.5 The Company will cover all of its own reasonable expenses associated with the performance of the obligations under this Clause and reimburse Expedia for actual reasonable expenses that Expedia incurs when responding to a Personal Data Breach attributable to the Company, including all costs of notice and any remedy as set out in this Clause.

11. DELETION OR RETURN

The Company will comply with Section 1.11 of Part 2 (Deletion or Return) of the Requirements.

12. RECORDS AND EVIDENCE OF COMPLIANCE

12.1 The Company will keep detailed, accurate and up-to-date written records (Records) regarding any processing of Processor Personal Data it carries out for Expedia, including but not limited to, the access, control and security of the Processor Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of Processor Personal Data to a third country and related safeguards, and a general description of the technical and organizational security measures referred to in Clause 6. The Company will provide Expedia with copies of Records upon request.

12.2 The Company will make available to Expedia all information necessary (including but not limited to, Records) to enable Expedia to verify the Company’s compliance with its obligations under this DPA.

12.3 Company will promptly inform Expedia in writing of any material changes to its processing activities from time to time, for example, without limitation, a change to how or where Processor Personal Data is accessed, hosted or otherwise processed.

13. AUDITS

The Company will comply with paragraph 1.10 of Section 1 of Part 2 (Right to Audit) of the Requirements.

14. DATA COLLECTION AND TRANSPARENCY

Where the Company is collecting personal data directly from data subjects on behalf of Expedia, the Company will only collect Processor Personal Data for Expedia using an Expedia privacy notice or method that Expedia specifically pre-approves in writing. The Company will not modify or alter the notice in any way without Expedia’s prior written consent. Where consent is required to collect such personal data, the Company will collect such consent in accordance with Applicable Data Protection Law, including ensuring that it maintains records of the date, time and method by which such consent was collected for each data subject, and will make such records available to Expedia on request.

15. US SPECIFIC DATA PROTECTION OBLIGATIONS

15.1 For the purpose of this section, “sale/sell” and “share” will have the meaning given to them in Applicable Data Protection Law in the United States.

15.2 To the extent that Processor Personal Data processed by the Company is within the scope of data protection laws of the United States:

  1. The Company will be deemed to be a “Service Provider” as that term is defined in the CPRA and references to processor shall be construed accordingly for such purposes.
  2. The Company will not process any Processor Personal Data outside of the direct business relationship between the Parties. Additionally, the Company will not combine Processor Personal Data it receives from or on behalf of Expedia with any personal information it receives from another entity or that it collects from its own interactions with individuals, except where allowed under Applicable Data Protection Laws. Expedia may take steps as reasonable and appropriate to remediate unauthorized use of Processor Personal Data outside of its instructions.
  3. If the Company has access to de-identified Processor Personal Data, it will publicly commit to maintain and use such data only in de-identified form. The Company does not and will not allow any subprocessor to re-identify any de-identified Processor Personal Data unless so instructed in writing by Expedia.
  4. For the purposes of Applicable Data Protection Laws, the Company acknowledges and agrees that it is not permitted to sell, share or rent the Processor Personal Data. The Parties agree that the transfer of any Processor Personal Data in accordance with this Agreement does not constitute a sale or sharing.

16. TERM AND TERMINATION

16.1 This DPA will remain in full force and effect so long as:

  1. the Agreement remains in effect; or
  2. the Company retains any Processor Personal Data related to the Agreement in its possession or control (Term).

16.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Processor Personal Data will remain in full force and effect.

 

ANNEX 1

SCCs - Processing Overview

This is Annex 1 for the purposes of the Module 2 and Module 4 Standard Contractual Clauses to the extent the Parties agree that they apply to the Agreement. This Processing Overview should be read in conjunction with the Processor DPA Processing Overview in the Agreement.

 

MODULE 2 – Controller to Processor

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Expedia Group parties

Expedia controllers acting as data exporters: Each of the Expedia entities identified as “Data Controllers for EU/EEA/UK” in the link here.

EU Representatives and UK Representatives: Each of the Expedia entities identified as such in the above link.

Addresses of all relevant parties can be found in the above link, as can details of any relevant DPOs.

Contact name, position & contact details for all Expedia Group parties

Account manager using email address notified to counterparty contact from time to time

Activities relevant to data transferred under SCCs for Controllers

Data exporter may contract services from time to time from the Data Importer(s) as set out in, and in accordance with, the contract into which this Annex is incorporated, any Statements of Works, and/or Orders entered into in connection with that agreement (Agreement)

Data importer(s): [Identity and contact details of the data importer(s) including any contact person with responsibility for data protection]

Party

The Company, as identified in the Agreement

Address

As specified in the Agreement

Role

Processor

Contact person’s name, position and contact details

Account manager using email address notified to Expedia contact from time to time

Activities relevant to the data transferred under these Clauses

Data importer may provide services from time to time to the Data Exporters as set out in, and in accordance with, the Agreement

B. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of personal data
  • Sensitive data

See Section B1 (Transfer from Controller to Processor) of the DPA Processing Overview attached to the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous or ad hoc basis in accordance with the needs of Expedia’s business

Nature of the processing

All processing operations required to facilitate provision of services in accordance with the Agreement

Purpose(s) of the data transfer and further processing

See Section B1 (Transfer from Controller to Processor) of the DPA Processing Overview attached to the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of the Company, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back-up or legal reasons, the Company will continue to protect such personal data in accordance with the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Company to attach a complete current list, or insert a link to such list, in Section B1 (Transfer from Controller to Processor) of the Processing Overview attached to the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

IRISH DATA PROTECTION AUTHORITY

 

Module 4 – PROCESSOR TO CONTROLLER

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Party/ies

The data importer in Module 2 is the data exporter for the purposes of Module 4.

Contact, activities and role are as per Module 2.

Data importer(s): [Identity and contact details of the data importer(s) including any contact person with responsibility for data protection]

Parties

Expedia group controllers acting as data exporters in Module 2 act as the data importers for the purposes of Module 4.

Contact, activities, and role are as per Module 2.

B. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of personal data
  • Sensitive data

See Section B2 (Transfer from Processor to Controller) of the DPA Processing Overview attached to the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

As per Section B1.

Nature of the processing

As per Section B1.

Purpose(s) of the data transfer and further processing

See Section B2 (Transfer from Processor to Controller) of the DPA Processing Overview attached to the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Expedia

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Not applicable.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs. 

IRISH DATA PROTECTION AUTHORITY



 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1 Tables

Table 1: Parties

Start Date: The date of the SCCs to which these are attached (EU SCCs).

Parties and Key Contacts:

Exporter: As per EU SCCs.

Importer: As per EU SCCs.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs to which this Addendum is appended.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties

Annex IB: Description of Transfer

Annex II: Technical and organisational measures

In each case: As per EU SCCs

Table 4: Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19: Neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.