TAAP Privacy Terms – Controller to Controller Agreement (Including the SCCs)

The original English version of this C2C Agreement may have been translated into other languages. In the event of an inconsistency or discrepancy between the English version and any other language version of this Agreement, the English language version shall prevail.

SCOPE: Where each of Expedia and you are processing personal data as part of an agreement (which may be in the form of online clickwrap terms) entered into with the other party (pursuant to which you have been appointed as a marketing partner under TAAP, and all relevant activities connected to such activity referred to herein as the “Relevant Activities”), then this global controller to controller agreement (“C2C Agreement”) is supplemental to and applies to such agreement entered into between the parties in connection with the Relevant Activities (the “Agreement”), and sets out additional terms, requirements and conditions on which Expedia and you will each process personal data in connection with the Agreement. In this C2C Agreement, “Expedia”, “we” and “us” refers to Expedia, Inc. and/or any other Expedia Group company/ies party to the Agreement. “You” refers to the named entity stated on the Application as described in the Agreement (and all references to either Expedia or you will be construed as plural terms to the extent required by the Agreement).

1. DEFINITIONS AND INTERPRETATION

1.1 This C2C Agreement is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set out in the Agreement apply to the interpretation of this C2C Agreement unless otherwise defined in this C2C Agreement; and:

  1. a. each of appropriate technical and organizational measures, controller, personal data, personal data breach, process/processing, and supervisory authority (or reasonably equivalent terms) shall have the meaning given to them in Applicable Data Protection Law;
  2. b. Applicable Data Protection Law(s) means any applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data;
  3. c. Permitted Purpose means the purpose of (i) fulfilling Bookings; (ii) providing support for Bookings; (iii) TAAP registration and account administration; (iv) payment of Commission and other amounts pursuant to the Agreement; (v) generating reports for you and any further processing required for reconciliation, complaints handling and similar activities connected with servicing the Agreement (vi) TAAP Account support; (vii) communications to TAAP Members and Sub-Users; (viii) improving our services, including optimizing the booking experience; (ix) creating reports for analytics, business intelligence and business reporting; (x) fraud prevention; (xi) responding to law enforcement requests and tax authority audit requests; (xii) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and (xiii) otherwise complying with our obligations under the Agreement, Expedia’s privacy policy and applicable laws and (xiv) for the determination, calculation, reporting of Travel Taxes and other applicable taxation purposes as may be required from time to time;
  4. d. DPF means an EU-US Data Privacy Framework certification with the US Department of Commerce or any replacement or supplementary certification mechanism approved by the European Commission (or other relevant national authority) from time to time; and includes any supplementary adequacy decisions issued by any other country that permit the extension of the DPF between the US and that third country (for example, without limitation, the United Kingdom and Switzerland);
  5. e. Restricted Transfer Country means any country in the European Economic Area, Switzerland, the United Kingdom and Brazil;
  6. f. Restricted Transfer Data means Customer Data relating to a Booking made via a point of sale intended by us to be accessed by Customers in a Restricted Transfer Country;
  7. g. Standard Contractual Clauses/ SCCs means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found following this link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en ; and
  8. h. TAAP Personal Data means personal data provided to us by you via the TAAP Website or otherwise processed in connection with TAAP itself or facilitating Bookings made using the TAAP Website.
Relationship of the parties
  1. 1.2 You and we shall each collect and process personal data to fulfil our respective rights and obligations under the Agreement, as well as your and our respective responsibilities under applicable laws. As such, each of the parties shall: (i) process personal data as independent and autonomous controllers; (ii) comply with Applicable Data Protection Law; and (iii) be responsible for any of its acts or omissions in breach of Applicable Data Protection Law.

1.3 You must:

Your responsibilities
  1. a. satisfy a legal basis in order to make available any TAAP Personal Data to us to process for the Permitted Purposes;
  2. b. ensure that Customers are made aware, via your privacy policy and by any other appropriate means, that their personal data will be shared with us for the Permitted Purposes;
  3. c. direct Customers to our privacy policy for more information about our handling of their personal data; and
  4. d. cooperate with and provide reasonable assistance to us to assist us with our compliance with Applicable Data Protection laws in the course of our processing of TAAP Personal Data in connection with the Agreement.
Our responsibilities

1.4 We (and our Group Members, where applicable) shall:

  1. a. process TAAP Personal Data in connection only with a Permitted Purpose;
  2. b. not divulge the whole or any part of the TAAP Personal Data to any person, except in connection with a Permitted Purpose;
  3. c. cooperate with and provide reasonable assistance to you to assist you with your compliance with Applicable Data Protection Laws in the course of your Processing of TAAP Personal Data in connection with the Agreement; and
  4. d. display and comply with our lawful and up-to-date cookie notice (if required) and our privacy policy on the TAAP Website.
Customers and Third Parties

1.5 You acknowledge that we:

  1. a. may send emails to Customers relating to Bookings;
  2. b. may transfer TAAP Personal Data (including banking data) to our third-party service providers for the purposes of:
    1. i. administering, managing and supporting you and your Representatives and Sub-Users’ TAAP Accounts;
    2. ii. providing support for Bookings; and
    3. iii. paying Commission and other amounts pursuant to the Agreement.
Data security

1.6 Both parties, in their capacity as controllers, shall:

  1. a. maintain appropriate technical and organizational measures to protect the personal data they each process against a personal data breach; and
  2. b. in the event of a confirmed personal data breach within systems under that party’s possession or control, promptly notify the other party if the personal data breach both (i) affects TAAP Personal Data that is also processed by the other party under the Agreement; and (ii) is reportable to a supervisory authority, providing full details of the same. In such event, both parties shall cooperate reasonably and in good faith to remedy or mitigate the effects of the personal data breach, and the reasonable costs of such cooperation shall be borne by the party that suffered the personal data breach.
Cross-border transfers

1.7 Data Privacy Framework (DPF): You and we agree that in respect of transfers of Restricted Transfer Data between you and us to the United States or to a country which has not been deemed "adequate" under the Applicable Data Protection Laws of the originating Restricted Transfer Country (a) to the extent that and for so long as DPF is a recognized method of transfer by a relevant authority, DPF shall be the agreed mechanism for cross-border transfers of data originating from a Restricted Transfer Country to us in the United States, and (b) to the extent that and for so long as DPF is not a valid method of transfer (including for transfers of Restricted Transfer Data to a country which has not been deemed "adequate" under the Applicable Data Protection Laws of the originating Restricted Transfer Country), the SCCs shall apply to such transfers and we will enter into them on the basis set out in Clause 1.11 below. Where you also hold a current DPF certification, transfers of Restricted Transfer Data to you can similarly be made under the DPF with SCCs as a fallback mechanism as set out above.

1.8 DPF Flow-down Obligations: You agree that you will provide at least the same level of protection for the Restricted Transfer Data as is required under the DPF; and you shall promptly notify us if you make a determination that you can no longer provide this level of protection. In such event, or if we otherwise reasonably believes that you are not protecting the Restricted Transfer Data to the standard required under DPF, we may either: (a) instruct you to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event you will promptly cooperate with us in good faith to identify, agree and implement such steps; (b) agree an alternate safeguard that may apply to the processing under Applicable Data Protection Law; or (c) terminate this C2C Agreement and the Agreement (or, at our election, any affected portion thereof) without penalty by giving notice to you. If you also hold a current DPF certification, then the above provisions and those of Clause 1.9 below shall be deemed to be apply as if the obligations are two-way.

1.9 DPF Disclosure Obligations: You acknowledge that we may disclose this C2C Agreement and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

1.10 Extension of SCCs to Non-Restricted Transfer Countries: In relation to transfers of TAAP Personal Data between you and us originating from a country that is not a Restricted Transfer Country but is otherwise subject to safeguards that, according to Applicable Data Protection Law, must be applied before a transfer can be made of that TAAP Personal Data outside of the country of origin (each a Non-Restricted Transfer Country), then you and we agree that (a) the SCCs set out in Clause 1.11 below shall be deemed to extend to such additional transfers to the extent that such deemed extension would satisfy the safeguards of that particular country; and/or (b) where the measures set out in Clause 1.11 are insufficient or require supplementary measures, the parties agree to take such further measures, including, for example, execution of relevant documents, collection of consent, making of required filings, as may be required from to time in order to satisfy Applicable Data Protection Law.

1.11 Subject to Clause 1.7 above, you and we hereby agree to enter into the SCCs on an unchanged basis save for the following selections::

  1. a. where you are located in a Restricted Transfer Country or otherwise in a country deemed “adequate” in accordance with Article 45 of the GDPR, Module one (1) only of the SCCs will apply one-way in respect of transfers from you to Expedia. Otherwise, Module One SCCs apply two-way to cover both transfers from us to you, and from you to us.
  2. b. For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
  3. c. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.”
  4. d. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
  5. e. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
  6. f. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

“Clause 19

UK GDPR and DPA 2018

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the Standard Contractual Clauses Version B1.0 (as amended, replaced, supplemented, or superseded from time to time) shall apply as set out in the form attached as the Addendum.”

  1. h. A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

“Clause 20

Swiss – FADP

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of Federal Act of Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FCPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”

  1. i. A new clause 21 is added to the SCCs to cover transfers of personal data from Brazil to outside of Brazil as follows:

“Clause 21

Brazil – LGPD

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the Brazilian General Data Protection Law No. 13,709/18 (Lei Geral de Proteção de Dados) (LGPD) (referred to in this Clause as a Brazilian transfer). For the purposes of such Brazilian transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and Brazil’s National Data Protection Authority (ANPD) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Brazilian transfer as are deemed necessary by the ANPD to comply with the LGPD, and the Clauses shall be interpreted in accordance with the requirements for Brazilian transfers arising under those laws or as otherwise set out in guidance issued by the ANPD or other relevant Brazilian authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Brazilian transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the LGPD when engaging in Brazilian transfers.”

  1. j. A new clause 22 is added to the SCCs to cover transfers of personal data from any other country not hitherto specified where the SCCs may be extended to ensure appropriate safeguards for transfers of personal data originating from that country to a party located outside of that country as follows:

“Clause 22

Other third country transfers

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the any other applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data (Applicable Data Protection Laws) requiring terms and protections broadly equivalent to these Clauses in order to transfer personal data from that country to another (referred to in this Clause as a Third Country transfer). For the purposes of such Third Country transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the data protection authority or regulatory body of that country shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Third Country transfer as are deemed necessary by such supervisory authority to comply with the Applicable Data Protection Law of that country, and the Clauses shall be interpreted in accordance with the requirements for Third Country transfers arising under those laws or as otherwise set out in guidance issued by the relevant supervisory authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Third Country transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the Applicable Data Protection Law(s) when engaging in Third Country transfers.”

1.12 Annex 1 (SCCs Processing Overview) to this C2C Agreement constitutes Annex 1 of the SCCs. Annex 2 (Technical and Organizational Measures) to this C2C Agreement constitutes Annex 2 of the SCCs and applies only to Expedia where you have provided, and we have accepted, adequate technical and organizational measures to satisfy your Annex 2 requirements of the SCCs or, where this is not the case, Annex 2 will be construed to apply to both parties and all references to Expedia and Expedia Group will be construed to reference either party accordingly. The Addendum to this C2C Agreement constitutes the UK Addendum for the purposes of the SCCs.

ANNEX I – SCCs PROCESSING OVERVIEW
MODULE ONE: Controller to Controller (you to us)
A. LIST OF PARTIES

Data exporter(s):

Party

The party/ies identified as “you”, TAAP Member or equivalent term

Address

As specified in the Agreement

Contact name, position & contact details for all Expedia Group parties

Account manager using email address notified to Expedia contact from time to time

Activities relevant to data transferred under SCCs

 

Bookings made via the TAAP Website made available by us to you in accordance with the Agreement

Role

Controller

Data importer(s):

Party

The non-EU parties identified as “us” or “Expedia” in the Agreement

Address

As specified in the Agreement

Contact person’s name, position and contact details

Account manager using email address notified to TAAP Member contact from time to time

Activities relevant to the data transferred under these Clauses

Bookings made via the TAAP Website made available by us to you in accordance with the Agreement

Role

Controller

 

B. DESCRIPTION OF TRANSFER

 

Categories of data subject

Customers and TAAP Members and their Sub-Users

Categories of Personal Data

Identification data:

  1. first and last names (both agent and traveler)
  2. date of birth
  3. gender
  4. login details (agent)

Contact details:

  1. postal address
  2. email address
  3. fax number
  4. other contact information
  5. date of birth (for flights)
  6. gender (for flights)
  7. nationality (from passport)
  8. TSA details

Financial details:

  1. bank account number
  2. bank details
  3. payment card details
  4. login details (agent)

Travel information: booking history and travel preferences

In the case of Tax Agents, only:

  1. Tax ID

Other information as requested by, and agreed with, the TAAP Member, including without limitation personal data required in connection with:

  1. Reporting, monitoring and analytics
  2. Single sign on, loyalty schemes

Sensitive Data

None, unless it is voluntarily provided by an individual to meet their accessibility needs for travel.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous or ad hoc basis in accordance with the needs of TAAP Member’s business

Nature of the processing

All processing operations required to facilitate purposes set out below

Purpose(s) of the data transfer and further processing

Permitted Purposes, as defined in the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of the Expedia Group, provided that to the extent that any TAAP Personal Data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

as updated from time to time

 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

Irish Data Protection Authority

 

MODULE ONE: Controller to Controller (us to you)

A. LIST OF PARTIES

Data exporter(s):

The Party/ies identified as Data Importers in Module one (1) (you to us) above. See above for further details.

 

Data importer(s):

The Party/ies identified as Data Exporter(s) in Module one (1) (you to us) above. See above for further details.

B. DESCRIPTION OF TRANSFER

· Categories of data subject

· Categories of Personal Data

· Sensitive Data

As per Module (1)

· Frequency of transfer

· Nature of processing

· Purposes

As per Module (1)

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with the retention policy of TAAP Member

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Not applicable

 

C. COMPETENT SUPERVISORY AUTHORITY

As per Module one (1)

 

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES

The technical and organizational measures that apply for the purposes of Module one (1) are set out below.

SUBJECT

MEASURE

Measures of pseudonymisation and encryption of personal data  

· Expedia Group supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard. 

· Data handling requirements are based on a categorical basis. Depending on the data being handled, different security requirements are in place across Expedia Group. For example, credit card data is considered Highly Sensitive and required to be encrypted both in transit and at rest.  

· Personal data of the customer (and its employees) is pseudonymized (and anonymized) by Expedia Group when possible and as required according to EG’s Information, Classification and Handling Standards.

· Credit card numbers are tokenized/pseudonymized to eliminate processing of cleartext credit card numbers. 

· Expedia Group utilizes encrypted connections through VPN, SSL, etc. and utilizes multi-factor authentication mechanisms. 

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services 

· Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.  

· The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis.  

· Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion.

· Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking. 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

· Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance. For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability.

· Servers are patched against Expedia Group’s robust patching policy and protected by industry standard AV/AM programs. Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained.

· Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service.

· Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

· Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing.

· EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI.

· EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.

Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage

· Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls.

· Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practices as required, such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes.

Measures for ensuring physical security of locations at which personal data are processed

· A Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually.

· All systems are regularly controlled and tested by external service providers.

· Each Expedia Group customer receives their own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Due to administration rights and database structures, the customer can only access datasets which are assigned to that user ID and data centers/AWS controls.

· Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.

Measures for ensuring events logging

Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.

Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products

· Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data.

· Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating Systems, databases, and off-the-shelf applications must be discoverable to satisfy legal and regulatory audit requirements, supports configuration management tools, or deploys configuration management that successfully enforces security controls, must enable encryption for all remote administrative access to a system, display proper use of the system, the system is being monitored to detect improper use and other illicit activity there is no expectation of privacy while using the system.

· Expedia Group takes a layered / defence-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly.

· Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.

Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability

· Minimisation: Expedia Group ensures only minimum amount of data is collected, processed and stored.   We only use identifiable format where necessary.

· Retention: The Expedia Group data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished.

· Quality: Expedia Group has a formalized, quality management program, the Customer Experience Management (CEM) program. We are always striving for improvement within EG’s environment and seeking to streamline processes for higher efficiencies resulting in consistent, high-quality services and interactions with our partners, clients and travelers.

· Accountability: Expedia Group ensure accountability oversight with consistent implementation of policies, industry regulations/frameworks and legal requirements by maintaining a formalized Governance program, and Legal/Privacy body.

Measures for allowing data portability and ensuring erasure

· Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Group responds to all subject requests, including Access, deletion and portability in accordance with applicable data protection law.

· EG’s data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy Personal Data, Expedia Group shall continue to extend relevant protections of the Agreement between the parties governing such personal data and terminate any further processing.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter 

· Expedia group conducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures.

· Expedia Group has formalised a detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary.

· Additionally, Expedia Group also has robust vendor processor terms that are imposed on all vendors, ensuring the flow down of obligations to any of their sub-processors.

 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1    Tables

Table 1: Parties

Start Date

The Date of the SCCs to which these are attached (EU SCCs).

Parties

Key Contact

Exporter: As per EU SCCs.

 

Importer: As per EU SCCs.

 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to.

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties

Annex 1B Description of Transfer

Annex II: Technical and organisational measures

As per EU SCCs

Table 4: Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19

Neither Party

Part 3: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.