Email Marketing Services Processor Terms

SCOPE: Where (a) Partner has instructed Expedia to undertake email marketing activities; and (b) Expedia is processing personal data in connection with providing those services described under the relevant agreement entered into between the parties (the “Agreement”), herein collectively referred to as “Relevant Activities”), these security measures and global processor to controller agreement (“P2C Agreement”) is supplemental to and applies to such Agreement, and sets out additional terms, requirements and conditions on which Expedia will process personal data in connection with the Agreement. In this P2C Agreement, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement. “Partner” refers to one or more third-party airline that contracts with Expedia for Relevant Activities (and all references to either Expedia or Partner will be construed as plural terms to the extent required by the Agreement).

1. Definitions and Interpretation

For the purposes of this P2C Agreement, appropriate technical and organizational measures, controller, personal data, personal data breach, process/processing/processed, processor and supervisory authority (or reasonably equivalent terms) shall each have the meaning given to them in the Applicable Data Protection Law, and:

  • (a) Partner Customer Data means Customer Data submitted by you that is processed by us;
  • (b) Applicable Data Protection Law(s) means all data protection and privacy laws that apply to personal data processed under this Agreement;
  • (c) Current Audit Report means a current version of the PCI DSS attestation of compliance and the SSAE 16 Audit Report, or its industry standard successor, for our data center providers;
  • (d) Customer Data means personal data of a Customer processed pursuant to this Agreement;
  • (e) Permitted Purpose means the purposes of (i) sending merchandising emails on behalf of Partner; (ii) sending event triggered emails on behalf of Partner; (iii) collecting consent for (i); (iv) processing Partner consent signals for (i) and (ii); (v) processing Customer unsubscribe requests (vi) creating aggregated and anonymized reports for analytics, business intelligence and business reporting; (vii) fraud prevention; (viii) responding to law enforcement requests; (ix) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and, (x) otherwise complying with our obligations under this Agreement and applicable laws;
  • (f) EU-U.S. DPF means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated;
  • (g) Restricted Transfer Area means the European Economic Area, Switzerland or the United Kingdom;
  • (h) Restricted Transfer Data means Customer Data relating to the Email Marketing Strategy Schedule gathered in a Restricted Transfer Area; and
  • (i) Standard Contractual Clauses/ SCCs means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found following this link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

2. Relationship of the parties

You and we acknowledge that for the purpose of Applicable Data Protection Law we shall be processor and you shall be the controller. Appendix A and B of this P2C Agreement sets out the scope, nature and purpose, of processing by us as processor, the duration of the processing and types of personal data and categories of data subject depending on the services selected by Partner; and

  • 2.1 Your responsibilities 

    You must in particular:

    • (a) satisfy a legal basis in order to make available PartnerCustomer Data provided by you to us to process for the Permitted Purposes;
    • (b) satisfy a legal basis to send any marketing communications to End Customers;
    • (c) cooperate with and provide reasonable assistance to us to assist us with our compliance with Applicable Data Protection Law in the course of our processing of Customer Data in connection with this P2C Agreement; and
    • (d) display and comply with your lawful and up-to-date cookie notice (if required) and your privacy policy that discloses your data processing relationship with us on each Partner Website. We give no warranties or representations with regards to the adequacy, effectiveness or compliance with applicable laws of your cookies and/or privacy policy. You shall be solely responsible for ensuring that your cookies and/or privacy policy at all times complies with applicable law.
  •  
  • 2.2 Our responsibilities 

    In our capacity as a processor under this P2C Agreement we (and our Group Members, where applicable) shall:

    • (a) process Customer Data only on your written instructions and you hereby confirm that your documented instructions are for us to process Customer Data as required in connection with the Permitted Purposes and otherwise in accordance with an executed Email Marketing Strategy Schedule. We shall inform you if, in our opinion, an instruction infringes Applicable Data Protection Laws;
    • (b) unless otherwise requested in writing by you, within 30 days of termination or expiry of the Email Marketing Strategy Schedule or, where applicable, this P2C Agreement, delete such Customer Data save that, in the event that we are unable to destroy the Customer Data (due to backup or legal reasons), we shall continue to extend indefinitely the protections of these requirements and immediately terminate any further Processing of the Customer Data without your express prior written consent, except where and to the extent required by applicable law. Our obligations under these requirements to protect the security of Customer Data shall survive termination of the Email Marketing Strategy Schedule or, where applicable, this P2C Agreement. If you require return of the Partner Customer Data, you shall submit a request in writing and such partner Customer Data shall be returned to you in an agreed format;
    • (c) ensure appropriate technical and organizational measures are in place to safeguard Customer Data against a personal data breach;
    • (d) notify you without undue delay if we become aware of any personal data breach affecting Customer Data and shall provide you with reasonable information and cooperation so you can fulfil any data breach reporting obligations you may have under (and in accordance with the timescales required by) Applicable Data Protection Law;
    • (e) establish policies and procedures to provide all reasonable and prompt assistance to you in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any Customer Data processed by us;
    • (f) ensure that any person (including our staff, agents and sub-contractors) who is authorized to process Customer Data is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and shall not permit any person to process Customer Data who is not under such a duty of confidentiality;
    • (g) upon written request, provide you with a Current Audit Report. In addition, upon written request and no more than once a year (or exceptionally upon the occurrence of a personal data breach affecting Customer Data), we shall complete a questionnaire of reasonable length and in accordance with regulatory requirements, provided by you or a third party on your behalf regarding our compliance with this paragraph, provided that we shall not be required to disclose information that is reasonably considered confidential to our business;
    • (h) maintain a record of processing activities carried out on your behalf as required by Applicable Data Protection Law; and
    • (i) assist you at your cost to conduct data protection impact assessments to the extent such assessments are required by the Applicable Data Protection Law, and if necessary, consult with relevant supervisory authorities or equivalent under Applicable Data Protection Law.

    If we consider any request by you for support or assistance under this Section 1.4 to be excessive or unduly onerous, then we reserve the right to charge you for such support to a reasonable level.

  • 2.3 Sub-processors

    • (a) A list of sub-contractors who Process Customer Data is listed at our sub-processor website ( https://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time) and you hereby confirm your approval of our existing sub-processors. This sub-processor list shall contain a mechanism for you to subscribe to notifications of any new sub-processors or changes to the sub-processor list. To receive updates or changes to this list, you shall subscribe using the mechanism provided. You agree that we may appoint third party vendors or service providers as sub-processors of Customer Data where we:
      1. conclude written contracts with such sub-processors which provide for data protection terms that are no less protective than the terms set out in this P2C Agreement; and
      2. remain fully liable to you for any breaches of this P2C Agreement that are caused by the acts, errors and omissions of our sub-processors.
      3. Where you have reasonable data protection grounds to believe that a sub-processor appointed by us shall render us unable to fulfil our data protection obligations under this [SECTION REFERENCE] you may, within seven (7) days of receipt of notice of their appointment, object to our appointment of such sub-processor, in which case we shall not allow that sub-processor to access the Customer Data until you have agreed to the appointment or replacement of the sub-contractor or until you withdraw your objection.
    • (j) Where you have reasonable data protection grounds to believe that a sub-processor appointed by us shall render us unable to fulfil our data protection obligations under this [SECTION REFERENCE] you may, within seven (7) days of receipt of notice of their appointment, object to our appointment of such sub-processor, in which case we shall not allow that sub-processor to access the Customer Data until you have agreed to the appointment or replacement of the sub-contractor or until you withdraw your objection.

3. Cross-border data transfers

  1. transfer Customer Data outside the territory of origination unless we take any required compliance measures to enable such transfer legally in accordance with Applicable Data Protection Law; and
  2. you and we agree that in respect of transfers of Customer Data between you and us (a) to the extent that and for so long as EU-U.S. DPF is a recognized method of transfer by a relevant authority, EU-U.S. DPF shall be the agreed mechanism for cross-border transfers of data originating from a Restricted Transfer Area to us in the United States, and (b) to the extent and for so long as EU-U.S. DPF is not a valid method of transfer in relation to any Restricted Transfer Data, the SCCs shall apply to such transfers.
    1. We have self certified under the EU-U.S. DPF and our certification can be found here - https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2z3d0000001OeAAAU&status=Active. We agree to provide the level of privacy protection as required by the Principles and notify you if we can no longer meet this obligation. We further agree to provide you with a summary of the privacy provisions of agreements with sub-processors as required by the Accountability for Onward Transfer Priniciple.
  3. If SCCs are used for such transfers, you and we hereby agree to enter into the SCCs on an unchanged basis save for the following selections:
    1. Where Partner is located inside the Restricted Transfer Area or otherwise in a country deemed “adequate” in accordance with Article 45 of the GDPR, (“Adequate Country”) Module 2 only of the SCCs will apply. Where Partner is located outside of an Adequate Country, Modules two (2) (controller to processor) and four (4) (processor to controller) only of the SCCs apply.
    2. For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The period of relevant period of days for prior notification of changes in sub-processors is seven (7) days.
    3. For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
    4. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
    5. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
    6. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
    7. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:
  4. A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

4. Additional Obligations 

  1. For the purpose of this section: “sale/sell” and “share” will have the meaning given to it in Applicable Data Protection Law in the United States.
  2. To the extent that Customer Data processed by us is within the scope of Applicable Data Protection Law of the United States, we will be deemed to be a “Service Provider” and references to processor in this P2C Agreeent shall be construed accordingly for such purposes.
  3. We will not process any Customer Data outside of the direct business relationship between the Parties as outlined in this Agreement. Additionally, we will not combine Customer Data we receive from or on behalf of you with any personal information we receive from another entity or that we collect from our own interactions with individuals, except where allowed under Applicable Data Protection Laws.
  4. If we have access to de-identified Customer Data, we will publicly commit to maintain and only use such de-identified data in such form. We will not, and will allow any sub-processor to, re-identify any de-identified Customer Data unless so instructed in writing by you.
  5. For the purposes of Applicable Data Protection Law, we acknowledge and agree that we are not permitted to sell, share or rent the Customer Data. You and we agree that the transfer of any Customer Data in accordance with this P2C Agreement does not constitute a sale or sharing.

 


 

MERCHANDISING EMAIL ANNEX I – Merchandising Email Processing Overview

MODULE TWO: Controller to Processor (you to us)

A. List of Parties

Data Exporter:

PartyThe party/ies identified as “you”, or Partner
AddressAs specified in the Agreement
Contact name, position & contact details for all Expedia Group partiesAccount manager using email address notified to Expedia contact from time to time
Activities relevant to data transferred under SCCsMerchandising emails sent to customers who have booked through the White Label Template site
RoleController
RoleController


 

B. Description of Transfer

Categories of data subjectCustomers who visit the white label template site
Categories of Personal DataCustomer Data including email address, consent choice, consent time stamp
Sensitive DataNone
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).Based on selection made in the Email Marketing Strategy Schedule
Nature of the processingAll processing operations required to facilitate purposes set out below
Purpose(s) of the data transfer and further processingPermitted Purposes, as defined in this P2C Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodIn accordance with the retention policy of the Expedia group, provided that to the extent that any Customer Data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the P2C Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processinghttps://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time


 

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

Irish Data Proteciton Authority


 

EVENT TRIGGERED EMAIL ANNEX I – Event Triggered Email Processing Overview

MODULE TWO: Controller to Processor (you to us)

D. List of Parties

Data Exporter:

PartyThe party/ies identified as “you”, or Partner
AddressAs specified in the Agreement
Contact name, position & contact details for all Expedia Group partiesAccount manager using email address notified to Expedia contact from time to time
Activities relevant to data transferred under SCCsEvent triggered emails sent to customers who have subscribed to marketing emails through Partner’s website
RoleController


 

Data Importer:

PartyThe non-EU parties identified as “us” or “Expedia” and being relevant to the White Label Template site that we publish.
AddressAs specified in the Agreement
Contact name, position & contact details for all Expedia Group partiesAccount manager using email address notified to Expedia contact from time to time
Activities relevant to data transferred under SCCsEvent triggered emails sent to customers who have subscribed to marketing emails through Partner’s website
RoleController


 

E. Description of Transfer

Categories of data subjectCustomers who visit the white label template site
Categories of Personal DataCustomer Data including email address, consent choice, consent time stamp
Sensitive DataNone
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).Based on selection made in the Email Marketing Strategy Schedule
Nature of the processingAll processing operations required to facilitate purposes set out below
Purpose(s) of the data transfer and further processingPermitted Purposes, as defined in this P2C Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodIn accordance with the retention policy of the Expedia group, provided that to the extent that any Customer Data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the P2C Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processinghttps://support.ean.com/hc/en-us/articles/360000986389-EAN-Data-Services-Vendor-List, as updated from time to time


 

F. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

Irish Data Proteciton Authority

Annex II – Technical and Organizational Measures

The technical and organizational measures that apply to us/Expedia for the purposes of Module 2 are set out below.

SubjectMeasure
Measures of pseudonymisation and encryption of personal data
  • Expedia Group supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard.
  • Data handling requirements are based on a categorical basis. Depending on the data being handled, different security requirements are in place across Expedia Group. For example, credit card data is considered Highly Sensitive and required to be encrypted both in transit and at rest.
  • Personal data of the customer (and its employees) is pseudonymized (and anonymized) by Expedia Group when possible and as required according to EG’s Information, Classification and Handling Standards.
  • Credit card numbers are tokenized/pseudonymized to eliminate processing of cleartext credit card numbers.
  • Expedia Group utilizes encrypted connections through VPN, SSL, etc. and utilizes multi-factor authentication mechanisms.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.
  • The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis.
  • Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion.
  • Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance. For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability.
  • Servers are patched against Expedia Group’s robust patching policy and protected by industry standard AV/AM programs. Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained.
  • Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service.
  • Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.
Nature of the processingAll processing operations required to facilitate purposes set out below
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing.
  • EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI.
  • EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.
Measures for user identification and authorization. Measures for the protection of data during transmission. Measures for the protection of data during storage
  • Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls.
  • Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practices as required, such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes.
Measures for ensuring physical security of locations at which personal data are processed
  • Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually.
  • All systems are regularly controlled and tested by external service providers.
  • Each Expedia Group customer receives their own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Due to administration rights and database structures, the customer can only access datasets which are assigned to that user ID and data centers/AWS controls.
  • Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.
Measures for ensuring events logging
  • Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.
Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products
  • Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data.
  • Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating Systems, databases, and off-the-shelf applications must be discoverable to satisfy legal and regulatory audit requirements, supports configuration management tools, or deploys configuration management that successfully enforces security controls, must enable encryption for all remote administrative access to a system, display proper use of the system, the system is being monitored to detect improper use and other illicit activity there is no expectation of privacy while using the system.
  • Expedia Group takes a layered / defence-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly.
  • Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.
Measures for ensuring data minimization. Measures for ensuring data quality. Measures for ensuring limited data retention. Measures for ensuring accountability.
  • Minimisation: Expedia Group ensures only minimum amount of data is collected, processed and stored. We only use identifiable format where necessary.
  • Retention: The Expedia Group data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. 
  • Expedia Group takes a layered / defence-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly.
  • Quality: Expedia Group has a formalized, quality management program, the Customer Experience Management (CEM) program. We are always striving for improvement within EG’s environment and seeking to streamline processes for higher efficiencies resulting in consistent, high-quality services and interactions with our partners, clients and travelers.
  • Accountability: Expedia Group ensure accountability oversight with consistent implementation of policies, industry regulations/frameworks and legal requirements by maintaining a formalized Governance program, and Legal/Privacy body.
Measures for allowing data portability and ensuring erasure
  • Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Group responds to all subject requests, including Access, deletion and portability in accordance with applicable data protection law. 
  • Expedia Group’s data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy Personal Data, Expedia Group shall continue to extend relevant protections of the Agreement between the parties governing such personal data and terminate any further processing.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
  • Expedia group conducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures.
  • Expedia Group has formalised a detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary. 
  • Additionally, Expedia Group also has robust vendor processor terms that are imposed on all vendors, ensuring the flow down of obligations to any of their sub-processors


 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1 – Tables

Table 1 – Parties
Start DateThe date of the SCCs to which these are attached (EU SCCs)
Parties

Exporter: As per EU SCCs

Exporter: As per EU SCCs

Table 2 – Selected SCCs, Modules, Selected Clauses
Addendum EU SCCsThe version of the Approved EU SCCs which this Addendum is attached to.

Table 3 – Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties

Annex 1B Description of Transfer

Annex II: Technical and organisational measures

As per EU SCCs
Table 4 – Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19Neither Party


 

Part 2 – Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.