Email Marketing Services Processor Terms
SCOPE: Where (a) Partner has instructed Expedia to undertake email marketing activities; and (b) Expedia is processing personal data in connection with providing those services described under the relevant agreement entered into between the parties (the “Agreement”), herein collectively referred to as “Relevant Activities”), these security measures and global processor to controller agreement (“P2C Agreement”) is supplemental to and applies to such Agreement, and sets out additional terms, requirements and conditions on which Expedia will process personal data in connection with the Agreement. In this P2C Agreement, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement. “Partner” refers to one or more third-party airline that contracts with Expedia for Relevant Activities (and all references to either Expedia or Partner will be construed as plural terms to the extent required by the Agreement).
1. Definitions and Interpretation
For the purposes of this P2C Agreement, appropriate technical and organizational measures, controller, personal data, personal data breach, process/processing/processed, processor and supervisory authority (or reasonably equivalent terms) shall each have the meaning given to them in the Applicable Data Protection Law, and:
- (a) Partner Customer Data means Customer Data submitted by you that is processed by us;
- (b) Applicable Data Protection Law(s) means all data protection and privacy laws that apply to personal data processed under this Agreement;
- (c) Current Audit Report means a current version of the PCI DSS attestation of compliance and the SSAE 16 Audit Report, or its industry standard successor, for our data center providers;
- (d) Customer Data means personal data of a Customer processed pursuant to this Agreement;
- (e) Permitted Purpose means the purposes of (i) sending merchandising emails on behalf of Partner; (ii) sending event triggered emails on behalf of Partner; (iii) collecting consent for (i); (iv) processing Partner consent signals for (i) and (ii); (v) processing Customer unsubscribe requests (vi) creating aggregated and anonymized reports for analytics, business intelligence and business reporting; (vii) fraud prevention; (viii) responding to law enforcement requests; (ix) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and, (x) otherwise complying with our obligations under this Agreement and applicable laws;
- (f) EU-U.S. DPF means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated;
- (g) Restricted Transfer Area means the European Economic Area, Switzerland or the United Kingdom;
- (h) Restricted Transfer Data means Customer Data relating to the Email Marketing Strategy Schedule gathered in a Restricted Transfer Area; and
- (i) Standard Contractual Clauses/ SCCs means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found following this link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
2. Relationship of the parties
You and we acknowledge that for the purpose of Applicable Data Protection Law we shall be processor and you shall be the controller. Appendix A and B of this P2C Agreement sets out the scope, nature and purpose, of processing by us as processor, the duration of the processing and types of personal data and categories of data subject depending on the services selected by Partner; and
2.1 Your responsibilities
You must in particular:
- (a) satisfy a legal basis in order to make available PartnerCustomer Data provided by you to us to process for the Permitted Purposes;
- (b) satisfy a legal basis to send any marketing communications to End Customers;
- (c) cooperate with and provide reasonable assistance to us to assist us with our compliance with Applicable Data Protection Law in the course of our processing of Customer Data in connection with this P2C Agreement; and
- (d) display and comply with your lawful and up-to-date cookie notice (if required) and your privacy policy that discloses your data processing relationship with us on each Partner Website. We give no warranties or representations with regards to the adequacy, effectiveness or compliance with applicable laws of your cookies and/or privacy policy. You shall be solely responsible for ensuring that your cookies and/or privacy policy at all times complies with applicable law.
2.2 Our responsibilities
In our capacity as a processor under this P2C Agreement we (and our Group Members, where applicable) shall:
- (a) process Customer Data only on your written instructions and you hereby confirm that your documented instructions are for us to process Customer Data as required in connection with the Permitted Purposes and otherwise in accordance with an executed Email Marketing Strategy Schedule. We shall inform you if, in our opinion, an instruction infringes Applicable Data Protection Laws;
- (b) unless otherwise requested in writing by you, within 30 days of termination or expiry of the Email Marketing Strategy Schedule or, where applicable, this P2C Agreement, delete such Customer Data save that, in the event that we are unable to destroy the Customer Data (due to backup or legal reasons), we shall continue to extend indefinitely the protections of these requirements and immediately terminate any further Processing of the Customer Data without your express prior written consent, except where and to the extent required by applicable law. Our obligations under these requirements to protect the security of Customer Data shall survive termination of the Email Marketing Strategy Schedule or, where applicable, this P2C Agreement. If you require return of the Partner Customer Data, you shall submit a request in writing and such partner Customer Data shall be returned to you in an agreed format;
- (c) ensure appropriate technical and organizational measures are in place to safeguard Customer Data against a personal data breach;
- (d) notify you without undue delay if we become aware of any personal data breach affecting Customer Data and shall provide you with reasonable information and cooperation so you can fulfil any data breach reporting obligations you may have under (and in accordance with the timescales required by) Applicable Data Protection Law;
- (e) establish policies and procedures to provide all reasonable and prompt assistance to you in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any Customer Data processed by us;
- (f) ensure that any person (including our staff, agents and sub-contractors) who is authorized to process Customer Data is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and shall not permit any person to process Customer Data who is not under such a duty of confidentiality;
- (g) upon written request, provide you with a Current Audit Report. In addition, upon written request and no more than once a year (or exceptionally upon the occurrence of a personal data breach affecting Customer Data), we shall complete a questionnaire of reasonable length and in accordance with regulatory requirements, provided by you or a third party on your behalf regarding our compliance with this paragraph, provided that we shall not be required to disclose information that is reasonably considered confidential to our business;
- (h) maintain a record of processing activities carried out on your behalf as required by Applicable Data Protection Law; and
- (i) assist you at your cost to conduct data protection impact assessments to the extent such assessments are required by the Applicable Data Protection Law, and if necessary, consult with relevant supervisory authorities or equivalent under Applicable Data Protection Law.
If we consider any request by you for support or assistance under this Section 1.4 to be excessive or unduly onerous, then we reserve the right to charge you for such support to a reasonable level.
2.3 Sub-processors
- (a) A list of sub-contractors who Process Customer Data is listed at our sub-processor website ( https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time) and you hereby confirm your approval of our existing sub-processors. This sub-processor list shall contain a mechanism for you to subscribe to notifications of any new sub-processors or changes to the sub-processor list. To receive updates or changes to this list, you shall subscribe using the mechanism provided. You agree that we may appoint third party vendors or service providers as sub-processors of Customer Data where we:
- conclude written contracts with such sub-processors which provide for data protection terms that are no less protective than the terms set out in this P2C Agreement; and
- remain fully liable to you for any breaches of this P2C Agreement that are caused by the acts, errors and omissions of our sub-processors.
- Where you have reasonable data protection grounds to believe that a sub-processor appointed by us shall render us unable to fulfil our data protection obligations under this [SECTION REFERENCE] you may, within seven (7) days of receipt of notice of their appointment, object to our appointment of such sub-processor, in which case we shall not allow that sub-processor to access the Customer Data until you have agreed to the appointment or replacement of the sub-contractor or until you withdraw your objection.
- (j) Where you have reasonable data protection grounds to believe that a sub-processor appointed by us shall render us unable to fulfil our data protection obligations under this [SECTION REFERENCE] you may, within seven (7) days of receipt of notice of their appointment, object to our appointment of such sub-processor, in which case we shall not allow that sub-processor to access the Customer Data until you have agreed to the appointment or replacement of the sub-contractor or until you withdraw your objection.
- (a) A list of sub-contractors who Process Customer Data is listed at our sub-processor website ( https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time) and you hereby confirm your approval of our existing sub-processors. This sub-processor list shall contain a mechanism for you to subscribe to notifications of any new sub-processors or changes to the sub-processor list. To receive updates or changes to this list, you shall subscribe using the mechanism provided. You agree that we may appoint third party vendors or service providers as sub-processors of Customer Data where we:
3. Cross-border data transfers
- transfer Customer Data outside the territory of origination unless we take any required compliance measures to enable such transfer legally in accordance with Applicable Data Protection Law; and
- you and we agree that in respect of transfers of Customer Data between you and us (a) to the extent that and for so long as EU-U.S. DPF is a recognized method of transfer by a relevant authority, EU-U.S. DPF shall be the agreed mechanism for cross-border transfers of data originating from a Restricted Transfer Area to us in the United States, and (b) to the extent and for so long as EU-U.S. DPF is not a valid method of transfer in relation to any Restricted Transfer Data, the SCCs shall apply to such transfers.
- We have self certified under the EU-U.S. DPF and our certification can be found here - https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2z3d0000001OeAAAU&status=Active. We agree to provide the level of privacy protection as required by the Principles and notify you if we can no longer meet this obligation. We further agree to provide you with a summary of the privacy provisions of agreements with sub-processors as required by the Accountability for Onward Transfer Priniciple.
- If SCCs are used for such transfers, you and we hereby agree to enter into the SCCs on an unchanged basis save for the following selections:
- Where Partner is located inside the Restricted Transfer Area or otherwise in a country deemed “adequate” in accordance with Article 45 of the GDPR, (“Adequate Country”) Module 2 only of the SCCs will apply. Where Partner is located outside of an Adequate Country, Modules two (2) (controller to processor) and four (4) (processor to controller) only of the SCCs apply.
- For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The period of relevant period of days for prior notification of changes in sub-processors is seven (7) days.
- For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
- For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
- For the purposes of clause 17 of the SCCs, the governing law is Ireland.
- For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
- A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:
- A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:
4. Additional Obligations
- For the purpose of this section: “sale/sell” and “share” will have the meaning given to it in Applicable Data Protection Law in the United States.
- To the extent that Customer Data processed by us is within the scope of Applicable Data Protection Law of the United States, we will be deemed to be a “Service Provider” and references to processor in this P2C Agreeent shall be construed accordingly for such purposes.
- We will not process any Customer Data outside of the direct business relationship between the Parties as outlined in this Agreement. Additionally, we will not combine Customer Data we receive from or on behalf of you with any personal information we receive from another entity or that we collect from our own interactions with individuals, except where allowed under Applicable Data Protection Laws.
- If we have access to de-identified Customer Data, we will publicly commit to maintain and only use such de-identified data in such form. We will not, and will allow any sub-processor to, re-identify any de-identified Customer Data unless so instructed in writing by you.
- For the purposes of Applicable Data Protection Law, we acknowledge and agree that we are not permitted to sell, share or rent the Customer Data. You and we agree that the transfer of any Customer Data in accordance with this P2C Agreement does not constitute a sale or sharing.
MERCHANDISING EMAIL ANNEX I – Merchandising Email Processing Overview
MODULE TWO: Controller to Processor (you to us)
A. List of Parties
Data Exporter:
Party | The party/ies identified as “you”, or Partner |
Address | As specified in the Agreement |
Contact name, position & contact details for all Expedia Group parties | Account manager using email address notified to Expedia contact from time to time |
Activities relevant to data transferred under SCCs | Merchandising emails sent to customers who have booked through the White Label Template site |
Role | Controller |
Role | Controller |
B. Description of Transfer
Categories of data subject | Customers who visit the white label template site |
Categories of Personal Data | Customer Data including email address, consent choice, consent time stamp |
Sensitive Data | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Based on selection made in the Email Marketing Strategy Schedule |
Nature of the processing | All processing operations required to facilitate purposes set out below |
Purpose(s) of the data transfer and further processing | Permitted Purposes, as defined in this P2C Agreement |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the retention policy of the Expedia group, provided that to the extent that any Customer Data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the P2C Agreement |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time |
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs
Irish Data Proteciton Authority
EVENT TRIGGERED EMAIL ANNEX I – Event Triggered Email Processing Overview
MODULE TWO: Controller to Processor (you to us)
D. List of Parties
Data Exporter:
Party | The party/ies identified as “you”, or Partner |
Address | As specified in the Agreement |
Contact name, position & contact details for all Expedia Group parties | Account manager using email address notified to Expedia contact from time to time |
Activities relevant to data transferred under SCCs | Event triggered emails sent to customers who have subscribed to marketing emails through Partner’s website |
Role | Controller |
Data Importer:
Party | The non-EU parties identified as “us” or “Expedia” and being relevant to the White Label Template site that we publish. |
Address | As specified in the Agreement |
Contact name, position & contact details for all Expedia Group parties | Account manager using email address notified to Expedia contact from time to time |
Activities relevant to data transferred under SCCs | Event triggered emails sent to customers who have subscribed to marketing emails through Partner’s website |
Role | Controller |
E. Description of Transfer
Categories of data subject | Customers who visit the white label template site |
Categories of Personal Data | Customer Data including email address, consent choice, consent time stamp |
Sensitive Data | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Based on selection made in the Email Marketing Strategy Schedule |
Nature of the processing | All processing operations required to facilitate purposes set out below |
Purpose(s) of the data transfer and further processing | Permitted Purposes, as defined in this P2C Agreement |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the retention policy of the Expedia group, provided that to the extent that any Customer Data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the P2C Agreement |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time |
F. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs
Irish Data Proteciton Authority
Annex II – Technical and Organizational Measures
The technical and organizational measures that apply to us/Expedia for the purposes of Module 2 are set out below.
Subject | Measure |
Measures of pseudonymisation and encryption of personal data |
|
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services |
|
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident |
|
Nature of the processing | All processing operations required to facilitate purposes set out below |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing |
|
Measures for user identification and authorization. Measures for the protection of data during transmission. Measures for the protection of data during storage |
|
Measures for ensuring physical security of locations at which personal data are processed |
|
Measures for ensuring events logging |
|
Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products |
|
Measures for ensuring data minimization. Measures for ensuring data quality. Measures for ensuring limited data retention. Measures for ensuring accountability. |
|
Measures for allowing data portability and ensuring erasure |
|
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter |
|
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1 – Tables
Table 1 – Parties | |
Start Date | The date of the SCCs to which these are attached (EU SCCs) |
Parties | Exporter: As per EU SCCs Exporter: As per EU SCCs |
Table 2 – Selected SCCs, Modules, Selected Clauses | |
Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is attached to. |
Table 3 – Appendix Information “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in: | |
Annex IA: List of Parties Annex 1B Description of Transfer Annex II: Technical and organisational measures | As per EU SCCs |
Table 4 – Ending this Addendum when the Approved Addendum changes | |
Which Parties may end this Addendum as set out in Section 19 | Neither Party |
Part 2 – Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.