Meso – C2C Agreement

Definitions and Interpretation
Relationship of the Parties
General mutual obligations
Transparency and disclosures
Naming the other Party
Cross-border data transfers
PCI Data
Term, termination and notices
Annex I SCCs Processing Overview
Annex II Technical and Organizational Measures
UK Addendum

Last updated: 0 March 2025

Scope: Where Expedia and/or the Advertiser is processing personal data directly or indirectly as part of an io (which may be in the form of online clickwrap terms) entered into with the other party (where the relevant activities or services that are the subject of such io are referred to herein as the “Relevant Activities”), then this global controller to controller io (“C2C Agreement”) is supplemental to and applies to the io entered into between the parties in connection with the Relevant Activities (the “IO”), and sets out additional terms, requirements and conditions on which Expedia and Advertiser will each process personal data as part of Relevant Activities under the IO. In this C2C Agreement, “Expedia” refers to Expedia Group Media Solutions as defined in the IO. “Advertiser” refers to one or more third-party entities that contract with Expedia for Relevant Activities (and all references to either Expedia or Advertiser will be construed as plural terms to the extent required by the IO).  

1. DEFINITIONS AND INTERPRETATION 

1.1 This C2C Agreement is subject to the terms of, and incorporated into, the IO by reference. Interpretations and defined terms set out in the IO apply to the interpretation of this C2C Agreement unless otherwise defined herein; and:  

  1. appropriate technical and organizational measures, controller, personal data, process, processor, personal data breach and supervisory authority or their equivalent terms each have the meaning given to them in Applicable Data Protection Law(s).
  2. Applicable Data Protection Law(s) means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Relevant Personal Data.
  3. CBPR Country means a country that is a full or associate member of the CBPR System.
  4. CBPR Party means an organization that holds a current certification under the CBPR System.
  5. CBPR System means the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System.
  6. DPF means the EU-U.S. Data Privacy Framework and/or Swiss-U.S Data Privacy Framework or any successor self-certification program operated by the U.S Department of Commerce and approved by the European Commission from time to time and which has not been invalidated (and in each case, includes the UK Extension to the EU-U.S. Data Privacy Framework and any other country extension to such framework that operates to extend the application of the EU-U.S. Data Privacy Framework to that country).
  7. DPF Country means a country in the EEA, United Kingdom, Switzerland and any other countries or regions whose relevant authorities have agreed to extend the operation of the DPF to that country/region.
  8. EEA means European Economic Area.
  9. Permitted Purpose means for the purpose of (i) measuring the conversion of advertising displayed on Expedia websites pursuant to the IO; (ii) generating reports for the other Party and any further processing required for reconciliation, complaints handling and similar activities connected with servicing the IO; (iii) creating reports for analytics, business intelligence and business reporting; (iv) fraud prevention; (v) responding to law enforcement requests and tax authority audit requests; (vi) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and, (vii)otherwise complying with a Party’s obligations under the IO and applicable laws.
  10. Relevant Personal Data means personal data collected or otherwise processed by us or you in connection with facilitating the provision of the Relevant Activities.
  11. Restricted Transfer Country means any country in the European Economic Area, Switzerland, the United Kingdom, Brazil, Thailand and Saudi Arabia.
  12. Restricted Transfer Data means any Relevant Personal Data relating to a booking made via a point of sale intended by a Party to be accessed by Guests in a Restricted Transfer Country.
  13. SCCs means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, and as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found at  https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

2. In the case of conflict or ambiguity between: 

  1. any of the provisions of this C2C Agreement and the provisions of the IO, the provisions of this C2C Agreement will prevail to the extent of the subject matter of this C2C Agreement; and
  2. any of the provisions of this C2C Agreement and the SCCs incorporated by reference into them, the provisions of the executed SCCs will prevail.

2. RELATIONSHIP OF THE PARTIES 

2.1 Each of Expedia and Advertiser acknowledge that for the purpose of Applicable Data Protection Law, each party is an autonomous and independent controller

3. GENERAL MUTUAL OBLIGATIONS 

3.1 Each Party will: 

  1. process such Relevant Personal Data as an independent and autonomous controller.  

  2. comply with all Applicable Data Protection Law applicable to controllers when processing Relevant Personal Data;   

  3. ensure that it has an appropriate lawful basis under Applicable Data Protection Law for its processing of Relevant Personal Data, including for the sharing of Relevant Personal Data with the other Party use by that Party as an independent and autonomous controller for a Permitted Purpose in accordance with the IO; and   

  4. implement and maintain all appropriate technical and organizational measures and safeguards to protect Relevant Personal Data they each process from and against a personal data breach, taking into account the risks represented by the processing and the nature of the Relevant Personal Data.   

  5. not share, distribute, sell or otherwise permit access to Relevant Personal Data with any third party save for any data sharing that is necessary to fulfil a Permitted Purpose or as otherwise agreed between the Parties in the IO.   

3.2 Transparency and disclosures: Each party will ensure that all End Customers are made aware in a timely manner, via its privacy policy and/or by any other appropriate means, that their personal data will be shared with the other party for the Permitted Purposes (or such category of parties in general terms, if permitted under Applicable Data Protection Law); and will direct End Customers to the other party’s privacy policy (specifically or generally) for more information about their handling of their personal data.  

3.3 Naming the other Party:  Neither Party will name the other in any public statement or disclosure to an individual or to a Supervisory Authority or other legal body relating to privacy without obtaining prior written approval from the other, unless legally prohibited from liaising with the other party.  

3.5 Cross-border data transfers 

The Parties agree and acknowledge that in this clause 3.5, wherever the word ‘transfer’ is used, it includes access being provided by one controller/processor to another controller/processor and:  

  1. General: neither Party will (and shall not permit any other party to) transfer Relevant Personal Data outside the territory of origination unless that Party takes any required compliance measures to enable such transfer legally in accordance with Applicable Data Protection Law.
  2. Asia-Pacific Region and CBPR: 

    1. The Parties agree and acknowledge that:

      1. a CBPR Party is bound by a legally enforceable set of obligations to provide comparable protection to Applicable Data Protections Laws; and
      2. Expedia is a CBPR Party.

      Where the Advertiser is also a CBPR Party, the provisions of this paragraph (b) will be construed to apply two-way.

    2. Subject to paragraph (iii) below, the Parties agree that where:

      1. Relevant Personal Data is being transferred from one CBPR Country to another CBPR Country; and
      2. the data importer is a CBPR Party,

      then, to the extent that and for so long as the CBPR System is a recognized method of transfer by a relevant supervisory authority, the CBPR System shall be the agreed mechanism for cross-border transfers of Relevant Personal Data to such CBPR Party.

    3. The CBPR System will only apply for transfers that involve at least one of the Parties being located in an Asia-Pacific Region country that is also a CBPR Country.

    4. Expedia confirms that it will provide at least the same level of protection for the Relevant Personal Data as is required under the CBPR System; and it will promptly notify the other Party if it makes a determination that it can no longer provide this level of protection. In such event, or if the other Party otherwise reasonably believes that Expedia is not protecting the Relevant Personal Data to the standard required under the CBPR System, the other Party may either:

      1. instruct Expedia to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event the Parties will promptly cooperate in good faith to identify, agree and implement such steps;
      2. agree an alternate safeguard that may apply to the processing under Applicable Data Protection Law; or
      3. if (A) and (B) fail to resolve the issue, terminate this C2C Agreement and the IO (or, at the other Party’s election, any affected portion thereof) without penalty by giving notice to Expedia.

      If the other Party also holds a current CBPR System certification, then the above provisions will be deemed to apply as if the obligations are two-way.

  3. DPF: The Parties agree that in respect of transfers of Restricted Transfer Data between the Parties originating from a DPF Country to the United States or to a country which has not been deemed "adequate" under the Applicable Data Protection Laws of the originating Restricted Transfer Country:
    1. to the extent that and for so long as the DPF is a recognized method of transfer under Applicable Data Protection Law, the DPF shall be the agreed mechanism for cross-border transfers of data originating from a DPF Country to Expedia in the United States; and

    2. to the extent that and for so long as the DPF is not a valid method of transfer (including for transfers of Restricted Transfer Data to a country which has not been deemed "adequate" under the Applicable Data Protection Law of the originating Restricted Transfer Country),  

      the SCCs shall apply to such transfers and the Parties enter into them on the basis set out in paragraph (h) below. Where Advertiser also holds a current DPF certification, transfers of Restricted Transfer Data to Advertiser can similarly be made under the DPF with SCCs as a fallback mechanism as set out in this paragraph and all relevant paragraphs on the DPF will be construed to apply two-way. 

  4. With regards to the DPF, Expedia agrees that it will provide the same level of protection as required by the DPF. If Advertiser reasonably believe we are not protecting the Restricted Transfer Data to the standard required by the DPF, Expedia may either: 
    1. rely on the SCCs as set out in paragraph (h) below;
    2. if SCCs are not a viable or appropriate solution, propose to Advertiser reasonable and appropriate steps to stop and remediate any unauthorized processing, which we will in good faith implement using commercially reasonable efforts; or
    3. if the fallbacks in paragraphs (i) or (ii) above are not viable, terminate this C2C Agreement and the IO without penalty. 
  5. If Advertiser is certified under the DPF, Advertiser will comply with the Notice and Choice Principles of the DPF (as defined in the EU-U.S. DPF). For the avoidance of doubt, if Advertiser is not DPF-certified or accessing or receiving the Restricted Transfer Data in a country deemed ‘adequate’ by the European Commission, then the SCCs will be relied on for transfers of Restricted Transfer Data from Expedia to Advertiser. 
  6. The Parties agree that they may each disclose this C2C Agreement and any relevant privacy provisions in the IO to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality. 
  7. Extension of SCCs to Non-Restricted Transfer Countries: In relation to transfers of Relevant Personal Data between the Parties originating from a country that is not a Restricted Transfer Country but is otherwise subject to safeguards that, according to Applicable Data Protection Law, must be applied before a transfer can be made of that Relevant Personal Data outside of the country of origin (each a Non-Restricted Transfer Country), then the Parties agree that:
    1. the SCCs set out in paragraph (h) below shall be deemed to extend to such additional transfers to the extent that such deemed extension would satisfy the safeguards of that particular country; and/or
    2. where the measures set out in paragraph (h) below are insufficient or require supplementary measures, the parties agree to take such further measures, including, for example, execution of relevant documents, collection of consent, making of required filings, as may be required from to time in order to satisfy Applicable Data Protection Law.
  8. SCCs. Subject to the preceding paragraphs of clause 3.5, the Parties hereby agree to enter into the SCCs which are incorporated by reference on an unchanged basis save for the following selections:
    1. Where Advertiser is located inside the European Economic Area or otherwise in a country deemed “adequate” in accordance with Article 45 of the GDPR, (Adequate Country) Module one (1) of the SCCs will apply one-way only in respect of transfers from Advertiser to Expedia. Otherwise, Module one (1) applies two-way to cover transfers from both Advertiser to Expedia and Expedia to Advertiser.
    2. For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
    3. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
    4. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
    5. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.

    6. Restricted Transfer Data: A new clause 19 is added to the SCCs to cover transfers of personal data originating from the United Kingdom, Switzerland, Brazil, Saudi Arabia or Thailand to a country that is neither deemed adequate under the Applicable Data Protection Law of the originating country nor is otherwise exempt from requiring entry into standard contractual clauses as follows:

      “Clause 19 

      UK, Swiss, Brazilian, Saudi and Thai Transfers  

      The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of the Reference Privacy Law (referred to in this Clause as a Reference transfer). For the purposes of such Reference transfers, the governing law shall be deemed to be the relevant Reference Governing Law, the choice of forum shall be the Reference Country, and the Reference Supervisory Authority shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Reference transfer as are deemed necessary by the Reference Supervisory Authority to comply with the Reference Privacy Laws, and the Clauses shall be interpreted in accordance with the requirements for Reference transfers arising under those laws or as otherwise set out in guidance issued by the Reference Supervisory Authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Reference transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the Reference Privacy Laws when engaging in Reference transfers.   

      Country 

      Reference Privacy Law 

      Reference Transfer 

      Reference Governing Law 

      Reference Country 

      Reference Supervisory Authority 

      United Kingdom 

      UK GDPR Data Protection Act 2018 

      UK Transfer 

      United Kingdom 

      United Kingdom 

      Information Commissioner’s Office (ICO) 

      Switzerland 

      Federal Act of Data Protection (FAPD) 

      Swiss Transfer 

      Switzerland 

      Switzerland 

      Federal Data Protection and Information Commissioner (FDPIC) 

      Brazil 

      Brazilian General Data Protection Law No. 13,709/18 (Lei Geral de Proteção de Dados) 

      Brazilian Transfer 

      Brazil 

      Brazil 

      Brazil’s National Data Protection Authority (ANPD) 

      Saudi Arabia 

      Personal Data Protection Law (PDPL) 

      Saudi Transfer 

      Saudi Arabia 

      Saudi Arabia 

      Saudi Authority for Data and Artificial Intelligence (SDAIA) 

      Thailand 

      Personal Data Protection Act B.E. 2562 (2019) (PDPA) 

      Thai Transfer 

      Thailand 

      Thailand 

      Personal Data Protection Committee (PDPC) 

       

      and: 

      1. all references to Reference Privacy Law means the reference laws as amended, supplemented or replaced from time to time.
      2. all references to a Reference Supervisory Authority means the referenced authority or any successor body to it.
      3. in relation to the United Kingdom, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”
    7. Third country transfers: A new clause 20 is added to cover transfers of personal data from any other country not hitherto specified where the SCCs may be extended to ensure appropriate safeguards for transfers of personal data originating from that country to a party located outside of that country in accordance with paragraph (b) above as follows:      

“Clause 20 

Other third country transfers 

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of any other applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data (Applicable Data Protection Laws) requiring terms and protections broadly equivalent to these Clauses in order to transfer personal data from that country (referred to in this clause as the Third Country) to another (referred to in this Clause as a Third Country transfer). For the purposes of such Third Country transfers, the governing law shall be deemed to be the law of the Third Country, the choice of forum shall be the Third Country and the data protection authority or other relevant regulatory body of that country shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Third Country transfer as are deemed necessary by such supervisory authority to comply with the Applicable Data Protection Law of that Third Country, and the Clauses shall be interpreted in accordance with the requirements for Third Country transfers arising under those laws or as otherwise set out in guidance issued by the relevant supervisory authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Third Country transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the Applicable Data Protection Law(s) when engaging in Third Country transfers.”  

3.6 In respect of the above SCCs, they will apply to the processing as follows:   

  1. each Party acting as data exporter or data importer under the SCCs will be deemed to have entered into the SCCs in its own name and on its own behalf.
  2. Annex 1 (SCCs Processing Overview) to this C2C Agreement constitutes Annex 1 of the SCCs.
  3. Annex 2 (Technical and Organizational Measures) to this C2C Agreement constitutes Annex 2 of the SCCs and applies only to Expedia where (a) only one-way SCCs apply for transfers of Restricted Transfer Data from Advertiser to Expedia; or (b) Advertiser has provided, and Expedia has accepted, adequate technical and organizational measures to satisfy Advertiser’s Annex 2 requirements of the SCCs. Where the aforementioned conditions are not met, Annex 2 will be construed to apply to both parties and all references to Expedia and Expedia Group will be construed to reference either party accordingly.
  4. the Addendum to this C2C Agreement constitutes the UK Addendum for the purposes of the SCCs.
  5. if there is any conflict between any clause of this IO and the SCCS, the SCCs will prevail.

5. TERM, TERMINATION AND NOTICES 

5.1 This C2C Agreement will remain in full force and effect so long as the IO remains in effect.  

5.2 Any provision of this C2C Agreement that expressly or by implication should come into or continue in force on or after termination of the IO in order to protect Relevant Personal Data will remain in full force and effect.               

5.3 Any notices under this C2C Agreement will be deemed effective if delivered by email to the contact(s) provided by either Party to the other for these purposes in accordance with the notice provisions in the IO. In the case of Expedia, this will require an email being sent to the account/relationship manager from time to time and copied to the Expedia privacy mailbox provided from time to time.                         
 

ANNEX I – SCCs PROCESSING OVERVIEW  

MODULE ONE (1), Part One (1): Controller to Controller (Advertiser to Expedia) 

A. LIST OF PARTIES

Data exporter(s):

Party

The party/ies identified as the Advertiser, partner or similar in the IO

Address

 

As specified in the IO

Contact name, position & contact details

Effective notice is deemed made when an email is sent to account/relationship manager email address provided to Expedia from time to time

Activities relevant to data transferred under SCCs

 

Relevant Activities, being all processing activities required in connection with the Relevant Activities, and any other activities set out in the IO between the Parties.

Role

Controller

 

 

Data importer(s):

Party

The parties identified as Expedia in the IO (unless based in a country deemed adequate or otherwise exempt under applicable data protection laws)

Address

As specified in the IO

Contact person’s name, position and contact details

Effective notice is deemed made when an email is sent to both (1) account/relationship manager; and (2) the Expedia privacy mailbox, in each case using email address(es) provided to Advertiser from time to time

Activities relevant to the data transferred under these Clauses

Relevant Activities as set out above.

Role

Controller

 

A. DESCRIPTION OF TRANSFER 

 

Categories of data subject

  • End Customers, being individuals, whose personal data is collected in connection with a Relevant Activity

Categories of personal data

Guests:

  • IP Address
  • Identification data, pseudonymised identifiers like click ID’s, device-related information, including but not limited to the device identifier, device type, and browser type.
  • Traveler booking data, including Traveler's history and preferences, including accessibility requirements; traveler group, pricing information, travel data, accommodation details and booking reference numbers.

Sensitive Data

  • None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous or ad hoc basis in accordance with the needs of each Party’s business.

Nature of the processing

All processing operations required to facilitate purposes set out below

Purpose(s) of the data transfer and further processing

Permitted Purposes, as defined in the C2C Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Expedia Group, provided that to the extent that any personal data is retained beyond the termination of the IO for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the IO

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Google Floodlight

 

B. COMPETENT SUPERVISORY AUTHORITY. 

IRISH DATA PROTECTION AUTHORITY 

 

MODULE ONE (1): Part Two (2): Controller to Controller (Expedia to Advertiser) 

A. LIST OF PARTIES

Data exporter(s):

The Parties identified as Data Importers in Module one (1), Part one (1) above. See Module one (1), Part one (1) for further details.

 

Data importer(s):

The Party/ies identified as Data Exporter(s) in Module one (1), Part one (1) above. See Module one (1), Part one (1) for further details.

B. DESCRIPTION OF TRANSFER 

  • Categories of data subject
  • Categories of Personal Data
  • Sensitive Data

As per Module one (1), Part one (1)

  • Frequency of transfer
  • Nature of processing
  • Purposes

As per Module one (1), Part one (1)

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of Advertiser

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

To be provided upon request in the event that SCCs apply

 

C. COMPETENT SUPERVISORY AUTHORITY 

As per Module one (1), Part one (1)

 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES   

The technical and organizational measures that apply to us/Expedia for the purposes of Annex one (1), Part one (1) are set out below.

SUBJECT

MEASURE

Measures of pseudonymisation and encryption of personal data 

  • Expedia Group (“EG”) supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard.
  • Data handling requirements are based on a categorical basis. Depending on the data being handled, different security requirements are in place across Expedia Group. For example, credit card data is considered Highly Sensitive and required to be encrypted both in transit and at rest.
  • Personal data of the customer (and its employees) is pseudonymized (and anonymized) by Expedia Group when possible and as required according to EG’s Information, Classification and Handling Standards.
  • Credit card numbers are tokenized/pseudonymized to eliminate processing of clear text credit card numbers.
  • Expedia Group utilizes encrypted connections through VPN, SSL, etc. and utilizes multi-factor authentication mechanisms.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services 

  • Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.
  • The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis.
  • Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion.
  • Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident 

  • Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance.  For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability.
  • Servers are patched against Expedia Group’s robust patching policy and protected by industry standard AV/AM programs.  Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained.
  • Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service.
  • Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing 

  • Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing.
  • EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI.
  • EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.

Measures for user identification and authorisation

Measures for the protection of data during transmission

Measures for the protection of data during storage

  • Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls.
  • Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practices as required, such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes.

Measures for ensuring physical security of locations at which personal data are processed 

  • A Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually.
  • All systems are regularly controlled and tested by external service providers.
  • Each Expedia Group customer receives their own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Due to administration rights and database structures, the customer can only access datasets which are assigned to that user ID and data centers/AWS controls.
  • Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.

Measures for ensuring events logging

  • Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products 

  • Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data.
  • Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating Systems, databases, and off-the-shelf applications must be discoverable to satisfy legal and regulatory audit requirements, supports configuration management tools, or deploys configuration management that successfully enforces security controls, must enable encryption for all remote administrative access to a system, display proper use of the system, the system is being monitored to detect improper use and other illicit activity there is no expectation of privacy while using the system.
  • Expedia Group takes a layered / defense-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly.
  • Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

  • Minimisation: Expedia Group ensures only minimum amount of data is collected, processed and stored.   We only use identifiable format where necessary.
  • Retention: The Expedia Group data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished.
  • Quality: Expedia Group has a formalized, quality management program, the Customer Experience Management (CEM) program. We are always striving for improvement within EG’s environment and seeking to streamline processes for higher efficiencies resulting in consistent, high-quality services and interactions with our partners, clients and Guests. Travelers.
  • Accountability:  Expedia Group ensure accountability oversight with consistent implementation of policies, industry regulations/frameworks and legal requirements by maintaining a formalized Governance program, and Legal/Privacy body.

Measures for allowing data portability and ensuring erasure 

  • Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Group responds to all subject requests, including access, deletion and portability in accordance with applicable data protection law.
  • EG’s data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy personal data, Expedia Group shall continue to extend relevant protections of the IO between the parties governing such personal data and terminate any further processing.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter 

  • Expedia Group conducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures.
  • Expedia Group has formalised a detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary.
  • Additionally, Expedia Group also has robust vendor processor terms that are imposed on all vendors, ensuring the flow down of obligations to any of their sub-processors.

 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)   

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1 Tables

Table 1: Parties

Start Date

The Date of the Agreement incorporating the SCCs to which these are attached (Approved EU SCCs)

Parties

Key Contact

Exporter: As per Approved EU SCCs

 

Importer: As per Approved EU SCCs

 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties

Annex 1B Description of Transfer

Annex II: Technical and organizational measures

As per Approved EU SCCs

Table 4: Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19

Neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.