Fraud Prevention Service

Merchant Shield - Controller to Controller Agreement (including the SCCs) -

SCOPE: If and to the extent that Expedia (a) is processing personal data as part of providing services to a Company (as defined under the relevant agreement, “the Services”), and (b) there is sharing of personal data between the Company and Expedia as part of the Services, then this global controller to controller agreement (“C2C Agreement”) is supplemental to and applies to the agreement entered into between the parties in connection with the Services (the “Agreement”), and sets out additional terms, requirements and conditions on which Expedia will process personal data when providing Services under the Agreement. In this C2C Agreement, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement. “Company” refers to any third-party entity that contracts with Expedia for Services.

1.1 This C2C Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this C2C Agreement unless otherwise defined herein; and:

  1. controller”, “personal data”, “processed”, “personal data breach” and “supervisory authority” or their equivalent terms each have the meaning given to them in Applicable Data Protection Law(s).
  2. Applicable Data Protection Law(s)” means all protection and privacy laws that apply to personal data processed under the Agreement (including, where applicable, EU Data Protection Laws).
  3. EEA” means the European Economic Area.
  4. EEA Data” means any personal data processed by or on behalf of Expedia under the Agreement that relates to individuals who are located in the EEA.
  5. End Customer” means any individual whose personal data is processed as part of the provision of the Services;
  6. EU-U.S DPF” means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated.
  7. EU Data Protection Laws” means data protection laws in the European Union that apply to the End Customer Data processed under this Agreement (including, without limitation, EU Directive 2002/58/EC (as updated by Directive 2009/136/EC) (“PECR”) and EU Regulation 2016/679 (the “GDPR”) (each as amended, replaced or superseded)) and any applicable national legislation made under or in connection with the foregoing, including, upon exit of United Kingdom from the European Union, United Kingdom’s Data Protection Act 2018.
  8. Permitted Purpose” means the purpose (i) provision of the Services; (ii) improving the Services, including the underlying technology; (iv) creating internal reports for analytics, business intelligence and business reporting; (iii) responding to law enforcement requests; (vii) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and (viii) otherwise complying with our obligations under the Agreement, Expedia’s privacy policy and applicable laws.
  9. Relevant Personal Data” means personal data collected or otherwise processed by us or you in connection with facilitating the provision of the Services.

1.2 In the case of conflict or ambiguity between:

  1. any of the provisions of this C2C Agreement and the provisions of the Agreement, the provisions of this C2C Agreement will prevail to the extent of the subject matter of this C2C Agreement; and
  2. any of the provisions of this C2C Agreement and any executed SCC, the provisions of the executed SCCs will prevail.

2.1 Each of Expedia and the Company acknowledge that for the purpose of the Applicable Data Protection Law, each party is an autonomous and independent controller.

2.2 Company acknowledges that where the Expedia contract party has self-certified its compliance to the EU-U.S. DPF, it has done so in respect of End Customer personal data only and not in respect of its own employee personal data. Company further acknowledges that to the extent PEU-U.S. DPF applies to the Relevant Personal Data, Expedia is required to flow down certain EU-U.S. DPF data protection requirements to Company under this C2C Agreement.

3.1 Each Party will collect and process Relevant Personal Data to fulfil its respective rights and obligations under this Agreement, as well as under all applicable laws. As such, each Party will:

  1. process such Relevant Personal Data as an independent and autonomous controller;
  2. comply with all Applicable Data Protection Laws applicable to controllers when processing such Relevant Personal Data;
  3. ensure that it has an appropriate lawful basis under Applicable Data Protection Laws for its processing of Relevant Personal Data, including for the sharing of Relevant Personal Data to the other Party for use by that Party as an independent controller in accordance with this Agreement;
  4. implement and maintain all appropriate technical and organizational measures and safeguards to protect Relevant Personal Data they each process from and against a Personal Data Breach, taking into account the risks represented by the processing and the nature of the Relevant Personal Data;
  5. take all necessary measures to ensure that Relevant Personal Data are transferred in accordance with Applicable Data Protection Laws; and
  6. not share, distribute, sell or otherwise permit access to Relevant Personal Data or otherwise collected for the purposes of this Agreement with any third party save for any data sharing that is necessary to fulfil the purposes of this Agreement or as otherwise agreed between the Parties in the Agreement.

3.2 Company will (a) ensure that all End Customers are made aware, via its privacy policy and by any other appropriate means, that their personal data will be shared with Expedia for the Permitted Purposes; and (b) direct End Customers to Expedia’s privacy policy for more information about Expedia’s handling of their personal data.

3.3 Neither Party will name the other in any public statement or disclosure to an individual or to a Supervisory Authority or other legal body relating to privacy without obtaining prior written approval from the other, unless legally prohibited from liaising with the other party.

3.4 Where Expedia has received a request from government bodies in relation to surveillance activity, it will inform Company of such request where legally permitted to do so. In the event thatExpedia receives a government demand for access to Relevant Personal Data, Expedia shall i) provide a copy of the demand to Company unless legally prohibited from doing so; ii) consult with Company and agree response unless legally prohibited from doing so; iii) challenge such demand to the extent, in the reasonable opinion of Expedia, that such demand conflicts with Expedia’s obligations under Applicable Data Protection Laws and iv) shall only disclose or provide access to Relevant Personal Data in response to any demands where compelled to do so.

3.5 In the event of a confirmed personal data breach affecting Relevant Personal Data which is reportable to a supervisory authority, Expedia will promptly notify Company, providing full details of the same. In such event, both parties shall cooperate reasonably and in good faith to remedy or mitigate the effects of such personal data breach, and the reasonable costs of such cooperation shall be borne by the party that suffered the personal data breach.

3.6 All types of data shared between Parties are to be considered Confidential Information. Therefore, those data can’t be shared without specific written authorization from the Party to which those data belong other than in accordance with this Agreement. Both Parties agree to use those data exclusively in accordance with the Agreement and not for any further purpose without express written consent of the Company. Parties are also held fully responsible for the conduct of their own employee/external contractors.

3.6 EU-U.S. DPF: Where and to the extent that EU-U.S. DPF is a valid and recognized basis for cross-border transfers of personal data, Expedia will rely on such EU-U.S. DPF for such transfers and provide at least the same level of protection for the Relevant Personal Data as is required under the EU-U.S. DPF; and Expedia shall promptly notify the Company if it makes a determination that it can no longer provide this level of protection. In such event, or if the Company otherwise reasonably believes that Company is not protecting the Relevant Personal Data to the standard required under the EU-U.S. DPF, Expedia may either: (i) instruct Company to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Company will promptly cooperate with Expedia in good faith to identify, agree and implement such steps; or (ii) terminate this C2C Agreement and the Agreement without penalty by giving notice to Company. If the Company indicates in the Agreement that it also elects to rely on EU-U.S. DPF in the Agreement, then the above provisions and those of Clause 3.7 below shall be deemed to be apply as if the obligations are two-way.

3.7 Company acknowledges that Expedia may disclose this C2C Agreement and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

3.8 SCCs: Where the Parties have determined that any Relevant Personal Data transfer between Expedia and the Company requires execution of SCCs in order to comply with Applicable Data Protection Law, the Parties hereby enter into the SCCs which are incorporated by reference into the Agreement on an unchanged basis save for the following selections:

  1. Module 1 (Controller to Controller) only of the SCCs apply.
  2. For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. Option 2 applies.
  3. For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
  4. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
  5. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
  6. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
  7. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

Clause 19

UK GDPR and DPA 2018

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (aUK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.

 

  1. A new clause 20 is added to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

“Clause 20

Swiss – FADP

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of Federal Act of Data Protection (FADP) (referred to in this Clause as aSwiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FCPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”

3.9 The relevant Annex 1 of this Part 2 for the purposes of the SCCs will be that identified in the Agreement. Annex 2 of this Part 2 will apply to both Parties for the purposes of the SCCs incorporated under this Part 2. The Addendum attached to this Part 2 constitutes the Addendum for the purposes of the SCCs.

4.1 This C2C Agreement will remain in full force and effect so long as the Agreement remains in effect.

4.1 Any provision of this C2C Agreement that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Relevant Personal Data will remain in full force and effect.

 

Merchant Shield - ANNEX I – SCCs PROCESSING OVERVIEW

MODULE ONE: Part 1: Controller to Controller (Company to Expedia)

 

Data exporter(s):

Party

The party/ies identified as the company, partner or similar in the Agreement “Company”) in the Agreement

Address

As specified in the Agreement

Contact name, position & contact details for all Expedia Group parties

Account manager using email address notified to Expedia contact from time to time

Activities relevant to data transferred under SCCs

Merchant Shield (“Merchant Shield”), Expedia’s fraud prevention services provided to Company under and in accordance with the Agreement

Role

Controller

 

Data importer(s):

Party

The non-EU parties identified as Expedia (“Expedia”) (as defined in the Agreement)

Address

As specified in the Agreement

Contact person’s name, position and contact details

Account manager using email address notified to Company contact from time to time

Activities relevant to the data transferred under these Clauses

Merchant Shield services provided to Company under and in accordance with the Agreement.

Role

Controller

B. DESCRIPTION OF TRANSFER 

Categories of data subject

Customers of Company

Categories of Personal Data

Customer Name

Customer Contact: Address (including Lat, Long), Email, Phone Number

Customer DOB or Age

Customer Financial Information: eg Bank Account/ Credit Card information

Customer Purchase or Travel History

Loyalty Program Numbers

User Site Interaction Data

IP Address

Routing Number

Screenshots of purchase confirmation pages

Sensitive Data

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous or ad hoc basis in accordance with the needs of Company's business

Nature of the processing

All processing operations required to facilitate purposes set out below

Purpose(s) of the data transfer and further processing

Permitted Purposes, as defined in the Requirements

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Expedia Group, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back up or legal reasons, the Data Company will continue to protect such personal data in accordance with the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

N/A

COMPETENT SUPERVISORY AUTHORITY 

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

IRISH DATA PROTECTION AUTHORITY

 

MODULE ONE: Part 2: Controller to Controller (Expedia to Company)

Data exporter(s):

The Party/ies identified as Data Importers in Module 1 above. See Module 1 for further details.

 

Data importer(s):

The Party/ies identified as Data Exporter(s) in Module 1 above. See Module 1 for further details.

C. DESCRIPTION OF TRANSFER

  • Categories of data subject
  • Categories of Personal Data
  • Sensitive Data

As per Module 1

  • Frequency of transfer
  • Nature of processing
  • Purposes

As per Module 1

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Company

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Not applicable

 

D. COMPETENT SUPERVISORY AUTHORITY 

As per Module 1.

 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES

The technical and organisational measures that apply to Expedia for the purposes of Module 2 are set out below. Company, as data importer, will be deemed to comply with the minimum standards set out below in its receipt of personal data from Expedia under these SCCs.

SubjectMeasure
Measures of pseudonymisation and encryption of personal data
  • Expedia Group supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard.
  • Data handling requirements are based on a categorical basis. Depending on the data being handled, different security requirements are in place across Expedia Group. For example, credit card data is consideredHighly Sensitiveand required to be encrypted both in transit and at rest.
  • Personal data of the customer (and its employees) is pseudonymized (and anonymized) by Expedia Groupwhen possibleand as required according to EG’s Information, Classification and Handling Standards.
  • Credit card numbers are tokenized/pseudonymized to eliminate processing of cleartext credit card numbers.
  • Expedia Group utilizes encrypted connections through VPN, SSL, etc. and utilizes multi-factor authentication mechanisms.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.
  • The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis.
  • Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion.
  • Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance. For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability.
  • Servers are patched against Expedia Group’s robust patching policy and protected by industry standard AV/AM programs. Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained.
  • Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service.
  • Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing.
  • EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI.
  • EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.
Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage
  • Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls.
  • Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practicesas required,such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes.
Measures for ensuring physical security of locations at which personal data are processed
  • A Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually.
  • All systems are regularly controlled and tested by external service providers.
  • Each Expedia Group customer receives their own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Due to administration rights and database structures, the customer can only access datasets which are assigned to that user ID and data centers/AWS controls.
  • Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.
Measures for ensuring events logging

Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.

Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products
  • Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data.
  • Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating Systems, databases, and off-the-shelf applications must be discoverable to satisfy legal and regulatory audit requirements, supports configuration management tools, or deploys configuration management that successfully enforces security controls, must enable encryption for all remote administrative access to a system, display proper use of the system, the system is being monitored to detect improper use and other illicit activity there is no expectation of privacy while using the system.
  • Expedia Group takes a layered / defense-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly.
  • Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.
Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability
  • Minimisation: Expedia Groupensures only minimum amount of data is collected, processed and stored.  We only use identifiable format wherenecessary.
  • Retention: TheExpedia Groupdata retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. 
  • Quality: Expedia Group has a formalized, quality management program, the Customer Experience Management (CEM) program. We are always striving for improvement within EG’s environment and seeking to streamline processes for higher efficiencies resulting in consistent, high-quality services and interactions with our partners, clients and travelers.
  • Accountability: Expedia Group ensure accountability oversight with consistent implementation of policies, industry regulations/frameworks and legal requirements by maintaining a formalized Governance program, and Legal/Privacy body.
Measures for allowing data portability and ensuring erasure
  • Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Groupresponds to all subject requests, including Access, deletion and portabilityin accordance with applicable data protection law. 
  • EG’s data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy Personal Data, Expedia Group shall continue to extend relevant protections of the Agreement between the parties governing such personal data and terminate any further processing.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able toprovide assistance tothe controller and, for transfers from a processor to a sub-processor, to the data exporter
  • Expedia groupconducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures. 
  • Expedia Grouphasformaliseda detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary. 
  • Additionally,Expedia Groupalso has robust vendor processor terms that areimposed onall vendors, ensuring the flow downof obligationsto any oftheir sub-processors.

 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses 
(Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1 Tables

Table 1: Parties

Start Date

The Date of the SCCs to which these are attached (EU SCCs).

Parties

Key Contact

Exporter: As per EU SCCs.

Importer: As per EU SCCs.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to.

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties

Annex 1B Description of Transfer

Annex II: Technical and organisational measures

As per EU SCCs

Table 4: Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19

Neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.