Affiliate – Controller to Controller Agreement (including the SCCs)
SCOPE: Where Expedia and/or the Company is processing personal data directly or indirectly as part of an agreement (which may be in the form of online clickwrap terms) entered into with the other party (where the relevant activities or services that are the subject of such agreement are referred to herein as the “Relevant Activities”), then this global controller to controller agreement (“C2C Agreement”) is supplemental to and applies to the agreement entered into between the parties in connection with the Relevant Activities (the “Agreement”), and sets out additional terms, requirements and conditions on which Expedia and Company will each process personal data as part of Relevant Activities under the Agreement. In this C2C Agreement, “Expedia” refers to Expedia, Inc. and/or any other Expedia Group company/ies party to the Agreement. “Company” refers to one or more third-party entities that contract with Expedia for Relevant Activities (and all references to either Expedia or Company will be construed as plural terms to the extent required by the Agreement).
1. DEFINITIONS AND INTERPRETATION
1.1 This C2C Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this C2C Agreement unless otherwise defined herein; and:
- controller, personal data, processed, personal data breach and supervisory authority or their equivalent terms each have the meaning given to them in Applicable Data Protection Law(s).
- Annex 1 means the relevant Annex 1 to this Part 3 which is indicated as applying to the Company in the Agreement.
- Applicable Data Protection Law(s) means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Relevant Personal Data.
- EEA means the European Economic Area.
- EEA Data means any personal data processed by or on behalf of Expedia under the Agreement that relates to individuals who are located in the EEA, Switzerland or UK.
- End Customer means any individual whose personal data is processed as part of the provision of the Relevant Activities.
- EU-U.S DPF means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated (and in each case, includes the UK Extension to the EU-U.S. Data Privacy Framework and any other country extension to such framework that operates to extend the application of the EU-U.S. Data Privacy Framework to that country).
- Permitted Purpose means for the purpose of (i) facilitating the Relevant Activities; (ii) improving the provision of the Relevant Activities, including the underlying technology; (iii) creating internal reports for analytics, business intelligence and business reporting; (iv) responding to law enforcement requests; (v) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and (vi) otherwise complying with our respective obligations under the Agreement and applicable laws.
- Relevant Personal Data means personal data collected or otherwise processed by us or you in connection with facilitating the provision of the Relevant Activities.
- 1.2 In the case of conflict or ambiguity between:
- any of the provisions of this C2C Agreement and the provisions of the Agreement, the provisions of this C2C Agreement will prevail to the extent of the subject matter of this C2C Agreement; and
- any of the provisions of this C2C Agreement and the SCCs incorporated by reference into them, the provisions of the executed SCCs will prevail.
2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION
2.1 Each of Expedia and the Company acknowledge that for the purpose of Applicable Data Protection Law, each party is an autonomous and independent controller.
GENERAL MUTUAL OBLIGATIONS
3.1 Each Party will ]:
- process such Relevant Personal Data as an independent and autonomous controller;
- comply with all Applicable Data Protection Laws applicable to controllers when processing such Relevant Personal Data;
- ensure that it has an appropriate lawful basis under Applicable Data Protection Laws for its processing of Relevant Personal Data, including for the sharing of Relevant Personal Data to the other Party for use by that Party as an independent controller in accordance with this Agreement;
- implement and maintain all appropriate technical and organizational measures and safeguards to protect Relevant Personal Data they each process from and against a personal data breach, taking into account the risks represented by the processing and the nature of the Relevant Personal Data;
- take all necessary measures to ensure that Relevant Personal Data are transferred in accordance with Applicable Data Protection Laws; and
- not share, distribute, sell or otherwise permit access to Relevant Personal Data or otherwise collected for the purposes of this Agreement with any third party save for any data sharing that is necessary to fulfil the purposes of this Agreement or as otherwise agreed between the Parties in the Agreement.
3.2 Transparency and disclosures. Each party will ensure that all End Customers are made aware in a timely manner, via its privacy policy and/or by any other appropriate means, that their personal data will be shared with the other party for the Permitted Purposes; and direct End Customers to the other party’s privacy policy (specifically or generally) for more information about their handling of their personal data.
3.3 Naming the other Party. Neither Party will name the other in any public statement or disclosure to an individual or to a supervisory authority or other legal body relating to privacy without obtaining prior written approval from the other, unless legally prohibited from liaising with the other party.
3.4 Where either Party (the Receiving Party) has received a request from government bodies in relation to surveillance activity, it will inform the other Party of such request where legally permitted to do so. In the event that a Party receives a government demand for access to Relevant Personal Data, that Party will (i) provide a copy of the demand to the other Party unless legally prohibited from doing so; (ii) consult with the other Party and agree on a response unless legally prohibited from doing so; (iii) challenge such demand to the extent, in the reasonable opinion of the Receiving Party, that such demand conflicts with that Party’s obligations under Applicable Data Protection Laws and (iv) shall only disclose or provide access to Relevant Personal Data in response to any demands where compelled to do so.
3.5 All types of data shared between Parties are to be considered Confidential Information. Therefore, those data can’t be shared without specific written authorization from the Party to which those data belong other than in accordance with this Agreement. Both Parties agree to use those data exclusively in accordance with the Agreement and not for any further purpose without express written consent of the other Party. Parties are also held fully responsible for the conduct of their own Staff.
3.6 Cross-border data transfers.
The Parties agree and acknowledge that in this clause 3.6, wherever the word ‘transfer’ is used, it includes access being provided by one controller/processor to another controller/processor and:
- General: neither Party will (and shall not permit any other party to) transfer Relevant Personal Data outside the territory of origination unless that Party takes any required compliance measures to enable such transfer legally in accordance with Applicable Data Protection Law.
- Asia-Pacific Region and CBPR:
The Parties agree and acknowledge that:
- a CBPR Party is bound by a legally enforceable set of obligations to provide comparable protection to Applicable Data Protections Laws; and
- Expedia is a CBPR Party.
Where Company is also a CBPR Party, the provisions of this paragraph (b) will be construed to apply two-way.
Subject to paragraph (iii) below, the Parties agree that where:
- Relevant Personal Data is being transferred from one CBPR Country to another CBPR Country; and
- the data importer is a CBPR Party,
then, to the extent that and for so long as the CBPR System is a recognized method of transfer by a relevant supervisory authority, the CBPR System shall be the agreed mechanism for cross-border transfers of Relevant Personal Data to such CBPR Party.
- The CBPR System will only apply for transfers that involve at least one of the Parties being located in an Asia-Pacific Region country that is also a CBPR Country.
- Expedia confirms that it will provide at least the same level of protection for the Relevant Personal Data as is required under the CBPR System; and it will promptly notify the other Party if it makes a determination that it can no longer provide this level of protection. In such event, or if the other Party otherwise reasonably believes that Expedia is not protecting the Relevant Personal Data to the standard required under the CBPR System, the other Party may either:
- instruct Expedia to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event the Parties will promptly cooperate in good faith to identify, agree and implement such steps;
- agree on an alternate safeguard that may apply to the processing under Applicable Data Protection Law; or
- if (A) and (B) fail to resolve the issue, terminate this C2C Agreement and the Agreement (or, at the other Party’s election, any affected portion thereof) without penalty by giving notice to Expedia.
DPF: The Parties agree that in respect of transfers of Restricted Transfer Data between the Parties to the United States or to a country which has not been deemed "adequate" under the Applicable Data Protection Laws of the originating Restricted Transfer Country:
- to the extent that and for so long as the DPF is a recognized method of transfer by a relevant authority, the DPF shall be the agreed mechanism for cross-border transfers of data originating from a Restricted Transfer Country to Expedia in the United States; and
- to the extent that and for so long as the DPF is not a valid method of transfer (including for transfers of Restricted Transfer Data to a country which has not been deemed "adequate" under the Applicable Data Protection Law of the originating Restricted Transfer Country),
the SCCs shall apply to such transfers and we will enter into them on the basis set out in paragraph (h) below. Where Company also holds a current DPF certification, transfers of Restricted Transfer Data to Company can similarly be made under the DPF with SCCs as a fallback mechanism as set out above.
- With regards to the DPF, Expedia agrees that it will provide the same level of protection as required by the DPF. If Company reasonably believes we are not protecting the Restricted Transfer Data to the standard required by the DPF, Expedia may either:
- rely on the SCCs as set out in paragraph (h) below;
- if SCCs are not a viable or appropriate solution, propose to Company reasonable and appropriate steps to stop and remediate any unauthorized processing, which we will in good faith implement using commercially reasonable efforts; or
- if the fallbacks in paragraphs (i) or (ii) above are not viable, terminate this C2C Agreement and the Agreement without penalty.
- If Company is certified under the DPF, Company will comply with the Notice and Choice Principles of the DPF (as defined in the EU-U.S. DPF). For the avoidance of doubt, if Company is not DPF-certified or accessing or receiving the Restricted Transfer Data in a country deemed ‘adequate’ by the European Commission, then the SCCs will be relied on for transfers of Restricted Transfer Data from Expedia to Company.
- The Parties agree that they may each disclose this C2C Agreement and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.
- Extension of SCCs to Non-Restricted Transfer Countries: In relation to transfers of Relevant Personal Data between the Parties originating from a country that is not a Restricted Transfer Country but is otherwise subject to safeguards that, according to Applicable Data Protection Law, must be applied before a transfer can be made of that Relevant Personal Data outside of the country of origin (each a Non-Restricted Transfer Country), then the Parties agree that:
- the SCCs set out in paragraph (h) below shall be deemed to extend to such additional transfers to the extent that such deemed extension would satisfy the safeguards of that particular country; and/or
- where the measures set out in paragraph (h) below are insufficient or require supplementary measures, the parties agree to take such further measures, including, for example, execution of relevant documents, collection of consent, making of required filings, as may be required from to time in order to satisfy Applicable Data Protection Law.
3.7 SCCs: Subject to the paragraphs of clause 3.6 above, =, the Parties hereby agree to enter into the SCCs which are incorporated by reference into the Agreement on an unchanged basis save for the following selections:
- Where Company is located inside the European Economic Area or otherwise in a country deemed “adequate” in accordance with Article 45 of the GDPR, (Adequate Country) Module one (1) of the SCCs will apply one-way only in respect of transfers from Company to Expedia. Otherwise, Module one (1) applies two-way to cover transfers from both Company to Expedia and Expedia to Company.
- For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
- For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
- For the purposes of clause 17 of the SCCs, the governing law is Ireland.
- For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:
“Clause 19
UK GDPR and DPA 2018
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”
A new clause 20 is added to cover transfers of personal data from Switzerland to outside of Switzerland as follows:
“Clause 20
Swiss – FADP
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of Federal Act of Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FCPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”
A new clause 21 is added to the SCCs to cover transfers of personal data from Brazil to outside of Brazil as follows:
“Clause 21
Brazil – LGPD
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the Brazilian General Data Protection Law No. 13,709/18 (Lei Geral de Proteção de Dados) (LGPD) (referred to in this Clause as a Brazilian transfer). For the purposes of such Brazilian transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and Brazil’s National Data Protection Authority (ANPD) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Brazilian transfer as are deemed necessary by the ANPD to comply with the LGPD, and the Clauses shall be interpreted in accordance with the requirements for Brazilian transfers arising under those laws or as otherwise set out in guidance issued by the ANPD or other relevant Brazilian authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Brazilian transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the LGPD when engaging in Brazilian transfers.”
A new clause 22 is added to the SCCs to cover transfers of personal data from any other country not hitherto specified where the SCCs may be extended to ensure appropriate safeguards for transfers of personal data originating from that country to a party located outside of that country as follows:
“Clause 22
Other third country transfers
The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the any other applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data (Applicable Data Protection Laws) requiring terms and protections broadly equivalent to these Clauses in order to transfer personal data from that country to another (referred to in this Clause as a Third Country transfer). For the purposes of such Third Country transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the data protection authority or regulatory body of that country shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Third Country transfer as are deemed necessary by such supervisory authority to comply with the Applicable Data Protection Law of that country, and the Clauses shall be interpreted in accordance with the requirements for Third Country transfers arising under those laws or as otherwise set out in guidance issued by the relevant supervisory authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Third Country transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the Applicable Data Protection Law(s) when engaging in Third Country transfers.”
- 3.8 Annex 1 (SCCs Processing Overview) to this C2C Agreement constitutes Annex 1 of the SCCs. Annex 2 (Technical and Organizational Measures) to this C2C Agreement constitutes Annex 2 of the SCCs and applies only to Expedia where (a) only one-way SCCs apply for transfers of Restricted Transfer Data from Company to Expedia; or (b) Company has provided, and Expedia has accepted, adequate technical and organizational measures to satisfy Company’s Annex 2 requirements of the SCCs. Where the aforementioned conditions are not met, Annex 2 will be construed to apply to both parties and all references to Expedia and Expedia Group will be construed to reference either party accordingly. The Addendum to this C2C Agreement constitutes the UK Addendum for the purposes of the SCCs.
3. PCI Data
Each Party agrees that it will process, store, transmit and access any Relevant Personal Data that comprises payment information (including, without limitation, credit card, debit card, or financial account information) in compliance with the current Payment Card Information Data Security Standard (PCI DSS). In addition, where Company is the merchant of record and where Expedia possesses, stores, processes, or transmits Traveler’s cardholder data on Company’s behalf, or to the extent that Expedia could impact the security of Company’s cardholder data environment, Expedia acknowledges that Expedia is responsible for the security of cardholder data that Expedia possesses, stores, processes or transmits and will comply with the PCI DSS as issued by the PCI Security Standard Council, as updated from time to time.
5. TERM AND TERMINATION
5.1 This C2C Agreement will remain in full force and effect so long as the Agreement remains in effect.
5.2 Any provision of this C2C Agreement that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Relevant Personal Data will remain in full force and effect.
5.3 Any notices under this DPA will be deemed effective if delivered by email to the contact(s) provided by either Party to the other for these purposes in accordance with the notice provisions in the Agreement. In the case of Expedia, this will require an email being sent to the account/relationship manager from time to time and copied to the Expedia privacy mailbox provided from time to time.
AFFILIATES - ANNEX I – SCCs PROCESSING OVERVIEW
MODULE ONE: Part 1: Controller to Controller (Company to Expedia)
A. LIST OF PARTIES
Data exporter(s):
Party | The party/ies identified as the company, partner or similar in the Agreement (“Company”) in the Agreement |
Address | As specified in the Agreement |
Contact name, position & contact details for all Expedia Group parties | To account or relationship manager using email address provided to Company from time to time |
Activities relevant to data transferred under SCCs | Relevant Activities, being all processing activities required in connection with the Relevant Activities, and any other activities set out in the Agreement between the Parties |
Role | Controller |
Data importer(s):
Party | The non-EU parties identified as Expedia (“Expedia”) (as defined in the Agreement) |
Address | As specified in the Agreement |
Contact person’s name, position and contact details | Account manager using email address notified to Company contact from time to time |
Activities relevant to the data transferred under these Clauses | Relevant Activities as set out above. |
Role | Controller |
B. DESCRIPTION OF TRANSFER
Categories of data subject | End Customers, being individuals whose personal data is collected in connection with a Relevant Activity |
Categories of Personal Data |
|
Sensitive Data | None. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Continuous or ad hoc basis in accordance with the needs of each Party’s business |
Nature of the processing | All processing operations required to facilitate purposes set out below |
Purpose(s) of the data transfer and further processing | Permitted Purposes, as defined in the Requirements |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the retention policy of Expedia Group, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back up or legal reasons, the Data Company will continue to protect such personal data in accordance with the Agreement |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs
IRISH DATA PROTECTION AUTHORITY
MODULE ONE: Part 2: Controller to Controller (Expedia to Company)
D. LIST OF PARTIES
Data exporter(s):
The Parties identified as Data Importers in Module 1, Part 1 above. See Module 1, Part 1 for further details.
Data importer(s):
The Party/ies identified as Data Exporter(s) in Module 1, Part 1 above. See Module 1, Part 1 for further details.
E. DESCRIPTION OF TRANSFER
| As per Module 1, Part 1 |
| As per Module 1, Part 1 |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the retention policy of Company |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Not applicable |
F. COMPETENT SUPERVISORY AUTHORITY
As per Module 1, Part 1
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES
The technical and organisational measures that apply to us/Expedia and you for the purposes of Module 1 are set out below.
SUBJECT | MEASURE |
---|---|
Measures of pseudonymisation and encryption of personal data |
|
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services |
|
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident |
|
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing |
|
Measures for user identification and authorisation; Measures for the protection of data during transmission; Measures for the protection of data during storage |
|
Measures for ensuring physical security of locations at which personal data are processed |
|
Measures for ensuring events logging | Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event. |
Measures for ensuring system configuration, including default configuration; Measures for internal IT and IT security governance and management; Measures for certification/assurance of processes and products |
|
Measures for ensuring data minimisation; Measures for ensuring data quality; Measures for ensuring limited data retention; Measures for ensuring accountability |
|
Measures for allowing data portability and ensuring erasure |
|
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter |
|
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1 Tables
Table 1: Parties | ||
Start Date | The Date of the SCCs to which these are attached (EU SCCs). | |
Parties Key Contact | Exporter: As per EU SCCs. | Importer: As per EU SCCs. |
Table 2: Selected SCCs, Modules and Selected Clauses | ||
Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to. | |
Table 3: Appendix Information | ||
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: | ||
Annex IA: List of Parties Annex 1B Description of Transfer Annex II: Technical and organisational measures | As per EU SCCs | |
Table 4: Ending this Addendum when the Approved Addendum changes | ||
Which Parties may end this Addendum as set out in Section 19 | Neither Party |
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.