Virtual Agent

OPENWORLD – VIRTUAL ASSISTANT – DATA PROCESSING AGREEMENT (INCLUDING THE SCCS)

SCOPE: If and to the extent that Expedia (a) is processing personal data as part of providing virtual assistant capabilities to a Company (as defined under the relevant agreement, “the Services”) as a processor on behalf of the Company then this data processing agreement (“DPA”) is supplemental to and applies to the agreement entered into between the parties in connection with the Services (the “Agreement”), and sets out additional terms, requirements and conditions on which Expedia will process personal data when providing Services under the Agreement. In this DPA, “Expedia” refers to Expedia, Inc. and/or any other Expedia group company/ies party to the Agreement. “Company”refers to any third-party entity that contracts with Expedia for Services.

Definitions

1.1 For the purposes of these Requirements, “us” means Expedia and “you” means the Company and:

appropriate technical and organizational measures, controller, personal data, personal data breach, process/processing/processed, processor and supervisory authority (or reasonably equivalent terms) shall have the meanings given to them in Applicable Data Protection Law;
Applicable Data Protection Law(s) means all data protection and privacy laws that apply to Virtual Assistant Data processed under the Agreement;
“CPRA” means the California Privacy Rights Act signed into law on November 3, 2020, as amended, supplemented or replaced from time to time;
Current Audit Report means a current version of the PCI DSS attestation of compliance and the SSAE 16 Audit Report, or its industry standard successor, for our data center providers;
“EU-U.S DPF” means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended, supplemented or replaced from time to time;
“Requirements” means the data processing requirements set out in this DPA;
Restricted Transfer Data means any Virtual Assistant Data Processed by or on behalf of us under the Agreement that relates to Virtual Assistant Customers who are located in the European Economic Area, Switzerland or United Kingdom;
Permitted Purpose means in relation to the Virtual Assistant Data, as necessary for the purpose of (i) providing the Services; (ii) (iii) improving our conversations platform offering, including optimizing the Service for Virtual Assistant Customers; (iv) creating internal, aggregated and anonymized reports for analytics, business intelligence and business reporting; (v) fraud prevention; (vi) responding to law enforcement requests; (vii) facilitating business asset transactions (which may extend to any mergers, acquisitions or asset sales); and (viii) otherwise complying with our obligations under this DPA and the Agreement and applicable laws.
“SCCs” means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, and as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
“Third Party Recipient” means a third-party recipient of the personal data to whom Expedia passes Virtual Assistant Data on behalf of the Company in order to facilitate the Services and who is either (a) an autonomous controller; or (b) a processor acting on behalf of the Company or another third party;
“Virtual Assistant” means our chatbot as configured by us you for your specified requirements;
“Virtual Assistant Customers” means users of our Virtual Assistant as part of the services offered by you to them; and
Virtual Assistant Data means personal data processed by us or on our behalf in connection and in accordance with the Agreement.

Relationship of the parties

You and we acknowledge that for the purpose of Applicable Data Protection Laws, in respect of Virtual Assistant Data, we shall be processor and you shall be the controller. Annex 1 of this Exhibit 1 (Processing Overview) sets out the scope, nature and purpose, of processing by us, the duration of the processing and types of personal data and categories of data subject.

Your responsibilities

You must in particular:

(a) satisfy a legal basis in order to make available the Virtual Assistant Data provided by you to us to process for the Permitted Purposes;

(b) satisfy a legal basis to send any marketing communications to Virtual Assistant Customers;

(d) cooperate with and provide reasonable assistance to us to assist us with our compliance with Applicable Data Protection laws in the course of our processing of Virtual Assistant Data in connection with this DPA and the Agreement; and

(e) display and comply with your lawful and up-to-date cookie notice (if required) and your privacy policy that discloses your data processing relationship with us on the relevant interface on which our Virtual Assistant is deployed. We give no warranties or representations with regards to the adequacy, effectiveness or compliance with applicable laws of your cookies and/or privacy policy. You shall be solely responsible for ensuring that your cookies and/or privacy policy at all times complies with applicable law.

Our responsibilities

In our capacity as a processor under the Agreement for Virtual Assistant Data, we (and our Group Members, where applicable) shall:
- process Virtual Assistant Data only on your written instructions and you hereby confirm that your documented instructions are for us to process Virtual Assistant Data as required in connection with the Permitted Purposes and otherwise in accordance with this DPA and the Agreement. We shall inform you if, in our opinion, an instruction infringes Applicable Data Protection Laws. We confirm that any machine-learning element of Virtual Assistant is trained on de-identified data only;
- unless otherwise requested in writing by you, within 30 days of termination or expiry of the Agreement, delete such Virtual Assistant Data save that, in the event that we are unable to destroy the Virtual Assistant Data (due to backup or legal reasons), we shall continue to extend indefinitely the protections of these requirements and immediately terminate any further Processing of the Virtual Assistant Data without your express prior written consent, except where and to the extent required by applicable law. Our obligations under these requirements to protect the security of Virtual Assistant Data shall survive termination of this DPA and the Agreement. If you require return of the Virtual Assistant Data, you shall submit a request in writing and such Virtual Assistant Data shall be returned to you in an agreed format;
- ensure appropriate technical and organizational measures are in place to safeguard the Virtual Assistant Data against a personal data breach;
- notify you without undue delay if we become aware of any personal data breach affecting Virtual Assistant and shall provide you with reasonable information and cooperation so you can fulfil any data breach reporting obligations you may have under (and in accordance with the timescales required by) Applicable Data Protection Laws;
- establish policies and procedures to provide all reasonable and prompt assistance to you in (responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any Virtual Assistant Data processed by us;
- ensure that any person (including our staff, agents and sub-contractors) who is authorized to Process the Virtual Assistant Data is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and shall not permit any person to process the Virtual Assistant Data who is not under such a duty of confidentiality;
- upon written request, provide you with a Current Audit Report. In addition, upon written request and no more than once a year (or exceptionally upon the occurrence of a personal data breach affecting Virtual Assistant Data), we shall complete a questionnaire of reasonable length and in accordance with regulatory requirements, provided by you or a third party on your behalf regarding our compliance with this paragraph, provided that we shall not be required to disclose information that is reasonably considered confidential to our business;
- with regard to Restricted Transfer Data, maintain a record of processing activities carried out on your behalf in accordance with Article 30 of the GDPR; and
- with regard to Restricted Transfer Data, assist you at your cost to conduct data protection impact assessments to the extent such assessments are required by the GDPR, and if necessary, consult with relevant supervisory authorities pursuant to Articles 35-36 of the GDPR.
If we consider any request by you for support or assistance under paragraph 1.4 above to be excessive or unduly onerous, then we reserve the right to charge you for such support to a reasonable level.

Sub-processors

The list of sub-contractors as at the date of the Agreement who process Virtual Assistant Data is affiliates of Expedia as required for a Permitted Purpose and as follows:

**	Location / storage of data	Description of services	Data elements they’ll process
AWS	Oregon, N. Virginia	Compute, storage, specialized services	All Conversation and VA related data
Azure	Washington	Intelligence services	Utterance-based Messages
Ably (AWS)	California, N. Virginia, Ireland, Frankfurt, Singapore, Sydney	Enables 2-way connectivity between user (VAC) and EG’s Conversation services	All VAC-based events (Messages, Typing Indicator, Conversation State, Participant State, etc.)
Confluent (AWS)	Oregon, N. Virginia	Event bus for CP	All kafka-based CP events
Looker	N. Virginia	Data visualization	Messages, VA Performance Metrics, Conversation Metrics

and you hereby confirm your approval of our existing sub-processors. We will notify you of any new sub-processors that we appoint to process the Virtual Assistant Data from time to time; and you agree that we may appoint third party vendors or service providers as sub-processors of the Virtual Assistant Data where we:

(a) conclude written contracts with such sub-processors which provide for data protection terms that are no less protective than the terms set out in these Requirements; and

(b) remain fully liable to you for any breaches of these Requirements that are caused by the acts, errors and omissions of our sub-processors.

Where you have reasonable data protection grounds to believe that a sub-processor appointed by us shall render us unable to fulfil our data protection obligations under these Requirements you may, within seven (7) days of receipt of notice of their appointment, object to our appointment of such sub-processor, in which case we shall not allow that sub-processor to access the Virtual Assistant Data until you have agreed to the appointment or replacement of the sub-contractor or until you withdraw your objection.
Third Party Recipient: the parties agree that to the extent that we are transferring personal data to a third party recipient in order to facilitate the provision of the Services, you and we agree that we do so as your processor and on your instruction only and not as the processor of that Third Party Recipient; and consequently any transfer of personal data from us to that third party is not subject to the requirement 1.6 and 1.7. above.

Cross-border data transfers

We shall not (and shall not permit any sub-processor to):
- transfer Virtual Assistant Data outside the territory of origination unless we take any required compliance measures to enable such transfer legally; and
- with regard to EEA Data, transfer such EEA Data to any territory outside of the European Economic Area (EEA) unless we take such measures to ensure that such transfer of EEA Data is consistent with the requirements of Chapter V of the GDPR. For the avoidance of doubt, such measures may include us (or sub-processor, as applicable):
  - ensuring that we Process the EEA Data in a country that has been deemed adequate by the European Commission pursuant to Article 45 of the GDPR;
  - processing the EEA Data pursuant to Standard Contractual Clauses (or “model clauses”) approved by a decision of the European Commission;
  - processing the EEA Data in compliance with Binding Corporate Rules that have been duly authorized by EEA data protection authorities that are competent for the EEA Data; and
  - with respect to transferring the EEA data to the United States, processing such data pursuant to such frameworks as applicable, including the EU-U.S. DPF, to the extent approved as an acceptable safeguard from time to time.
- You and we hereby agree that:
  - For so long as and to the extent that EU-U.S. DPF is a valid and recognised basis for transfers to the US, EU-U.S. DPF shall apply for transfers to us. In such event, the provisions of paragraph (b) below only apply only if and to the extent that our EU-U.S. DPF certification lapses or otherwise ceases to apply.
  - For so long as and to the extent that EU-U.S. DPF is not a valid and recognised basis for transfers from the EU to the US, you and we hereby agree to enter into the SCCs on an unchanged basis save for the following selections:
    - Modules two (2) (controller to processor) and four (4) (processor to controller) only of the SCCs apply.
    - For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The period of relevant period of days for prior notification of changes in subprocessors is seven (7) days.
    - For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
    - For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
    - For the purposes of clause 17 of the SCCs, the governing law is Ireland.
    - For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
    - A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

“Clause 19

UK GDPR and DPA 2018

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a UK transfer). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”

A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

“Clause 20

Swiss – FADP

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of Federal Act of Data Protection (FADP) (referred to in this Clause as a Swiss transfer). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FCPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”

Annex 1 (Processing Overview) to this Exhibit constitutes Annex 1 for for the purposes of the SCCs.
Annex 2 (Technical Organizational Measures) to this Exhibit constitutes Annex 2 for the purposes of the SCCs with respect to us.
Annex 3 (UK Addendum) to this Exhibit constitutes the UK Addendum for the purposes of the SCCs.

US Specific Privacy/ Data Protection Requirements

For the purpose of this section, “sale/sell” and “share” will have the meaning given to in Applicable Data Protection Law in the United States.
To the extent that Virtual Assistant Data is within the scope of data protection laws of the United States:
- We will be deemed to be a “Service Provider” as that term is defined in the CPRA and references to processor shall be construed accordingly for such purposes.
- We will not process any Virtual Assistant Data outside of the direct business relationship between the Parties. Additionally, we will not combine Virtual Assistant Data we receive from or on behalf of you with any personal information we receives from another entity or that we collects from our own interactions with individuals, except where allowed under Applicable Data Protection Laws. You may take steps as reasonable and appropriate to remediate unauthorized use of Virtual Assistant Data outside of your instructions.
- If we have access to de-identified Virtual Assistant Data, we will publicly commit to maintain and use such de-identified data. We do not and will not allow any subprocessor to re-identify any de-identified Virtual Assistant Data unless so instructed in writing by you.
- For the purposes of Applicable Data Protection Law, we acknowledge and agree that we are not permitted to sell, share or rent the Virtual Assistant Data. The Parties agree that the transfer of any Virtual Assistant Data in accordance with this DPA and the Agreement does not constitute a sale or sharing.

ANNEX I – PROCESSING OVERVIEW

MODULE TWO: Controller to Processor (you to us)

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Party	The party identified as “you” (“Company”) in the contract to which this Annex is attached (the Agreement)
Address	As specified in the Agreement
Contact name, position & contact details for all Expedia Group parties	Account/ relationship manager using email address notified to Expedia contact from time to time
Activities relevant to data transferred under SCCs	Services provided by us to you under and in accordance with the Agreement.
Role	Controller

Data importer(s):

Party	The non-EU parties identified as “us” (“Expedia”) and being relevant to the Services provided in the contract to which this Annex is attached (the Agreement)
Address	As specified in the Agreement
Contact person’s name, position and contact details	Account/relationship manager using email address notified to Partner contact from time to time
Activities relevant to the data transferred under these Clauses	Services provided by us to you under and in accordance with the Agreement.
Role	Processor

B.DESCRIPTION OF TRANSFER

Categories of data subject	Customers of the Company
Categories of Personal Data	· Contact information – name, address, room number, phone number, email and other relevant contact information as required. · Transaction Data – as required to facilitate a request by Virtual Assistant, including reservation number, dates, time (as entered into a query by a customer) · Age/gender – by exception if necessary for an activity and such other personal data (including queries and responses) as corresponds with the functionality/capabilities of CPAAS tool selected by the Company from time to time.
Sensitive Data	None, save as necessary and voluntarily submitted to Virtual Assistant by a Virtual Assistant Customer in order to facilitate a request of a Virtual Assistant Customer corresponding with the functionality/capabilities of Virtual Assistant selected by the Company from time to time.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).	Continuous or ad hoc basis in accordance with the needs of Company’s business
Nature of the processing	All processing operations required to facilitate purposes set out below.
Purpose(s) of the data transfer and further processing	Permitted Purposes, as defined in the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	In accordance with the retention policy of Expedia Group, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back up or legal reasons, Expedia will continue to protect such personal data in accordance with the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	The list of sub-contractors as at the date of the Agreement who process Virtual Assistant Data is affiliates of Expedia as required for a Permitted Purpose and as follows:
	Location / storage of data	Description of services	Data elements they’ll process
AWS	Oregon, N. Virginia	Compute, storage, specialized services	All Conversation and VA related data
Azure	Washington	Intelligence services	Utterance-based Messages
Ably (AWS)	California, N. Virginia, Ireland, Frankfurt, Singapore, Sydney	Enables 2-way connectivity between user (VAC) and EG’s Conversation services	All VAC-based events (Messages, Typing Indicator, Conversation State, Participant State, etc.)
Confluent (AWS)	Oregon, N. Virginia	Event bus for CP	All kafka-based CP events
Looker	N. Virginia	Data visualization	Messages, VA Performance Metrics, Conversation Metrics

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

IRISH DATA PROTECTION AUTHORITY

MODULE FOUR: Processor to Controller (us to you)

A. LIST OF PARTIES

Data exporter(s):

The Party/ies identified as Data Importers in Module 2 above. See Module 2 for further details.

Data importer(s):

The Party/ies identified as Data Exporter in Module 2 above. See Module 2 for further details.

B. DESCRIPTION OF TRANSFER

· Categories of data subject · Categories of Personal Data · Sensitive Data	As per Module 2
· Frequency of transfer · Nature of processing · Purposes	As per Module 2
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	In accordance with the retention policy of Company
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Not applicable

C.COMPETENT SUPERVISORY AUTHORITY

As per Module 2.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES

SUBJECT	MEASURE
Measures of pseudonymisation and encryption of personal data	· Expedia Group supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard. · Data handling requirements are based on a categorical basis. Depending on the data being handled, different security requirements are in place across Expedia Group. For example, credit card data is consideredHighly Sensitiveand required to be encrypted both in transit and at rest. · Personal data of the customer (and its employees) is pseudonymized (and anonymized) by Expedia Groupwhen possibleand as required according to EG’s Information, Classification and Handling Standards. · Credit card numbers are tokenized/pseudonymized to eliminate processing of cleartext credit card numbers. · Expedia Group utilizes encrypted connections through VPN, SSL, etc. and utilizes multi-factor authentication mechanisms.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	· Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data. · The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis. · Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion. · Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	· Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance. For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability. · Servers are patched against Expedia Group’s robust patching policy and protected by industry standard AV/AM programs. Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained. · Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service. · Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing	· Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing. · EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI. · EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.
Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage	· Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls. · Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practicesas required,such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes.
Measures for ensuring physical security of locations at which personal data are processed	· A Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually. · All systems are regularly controlled and tested by external service providers. · Each Expedia Group customer receives their own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Due to administration rights and database structures, the customer can only access datasets which are assigned to that user ID and data centers/AWS controls. · Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.
Measures for ensuring events logging	Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.
Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products	· Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data. · Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating Systems, databases, and off-the-shelf applications must be discoverable to satisfy legal and regulatory audit requirements, supports configuration management tools, or deploys configuration management that successfully enforces security controls, must enable encryption for all remote administrative access to a system, display proper use of the system, the system is being monitored to detect improper use and other illicit activity there is no expectation of privacy while using the system. · Expedia Group takes a layered / defense-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly. · Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.
Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability	· Minimisation: Expedia Groupensures only minimum amount of data is collected, processed and stored.  We only use identifiable format wherenecessary. · Retention: TheExpedia Groupdata retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished.  · Quality: Expedia Group has a formalized, quality management program, the Customer Experience Management (CEM) program. We are always striving for improvement within EG’s environment and seeking to streamline processes for higher efficiencies resulting in consistent, high-quality services and interactions with our partners, clients and travelers. · Accountability:Expedia Group ensure accountability oversight with consistent implementation of policies, industry regulations/frameworks and legal requirements by maintaining a formalized Governance program, and Legal/Privacy body.
Measures for allowing data portability and ensuring erasure	· Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Groupresponds to all subject requests, including Access, deletion and portabilityin accordance with applicable data protection law.  · EG’s data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy Personal Data, Expedia Group shall continue to extend relevant protections of the Agreement between the parties governing such personal data and terminate any further processing.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able toprovide assistance tothe controller and, for transfers from a processor to a sub-processor, to the data exporter	· Expedia groupconducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures.  · Expedia Grouphasformaliseda detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary.  · Additionally,Expedia Groupalso has robust vendor processor terms that areimposed onall vendors, ensuring the flow downof obligationsto any oftheir sub-processors.

ANNEX II – UK ADDENDUM

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract

Part 1 Tables

Table 1: Parties
Start Date	The Date of the SCCs to which these are attached (EU SCCs).
Parties Key Contact	Exporter: As per EU SCCs.	Importer: As per EU SCCs.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs	The version of the Approved EU SCCs which this Addendum is appended to.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex IA: List of Parties Annex 1B Description of Transfer Annex II: Technical and organisational measures	As per EU SCCs
Table 4: Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19	Neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.