Last updated: 19 November 2024 

SCOPE: If and to the extent that the Company is (a) processing personal data as part of the Services in the capacity of an independent and autonomous controller, and (b) no personal data is shared between the Parties as part of the Services, this global controller & controller agreement (“C&C Agreement”) is supplemental to and applies to the Agreement and any relevant processing undertaken in connection with the Agreement, and sets out additional terms, requirements and conditions on which the third-party service provider (referred to in this C&C Agreement as the “Company”) will process personal data when providing Services under the Agreement. 

1. DEFINITIONS AND INTERPRETATION

1.2 This C&C Agreement is subject to the terms of the Agreement and is incorporated by reference into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this C&C Agreement.

1.3 If the Agreement contains a C&C Agreement Appendix which sets out the processing overview for processing of personal data by Company under this Part 6, then that Appendix forms part of this C&C Annex to this Part 6 and will have effect as if set out in full in the body of this C&C Agreement. Any reference to this C&C Agreement includes that Appendix.

1.4 In the case of conflict or ambiguity between any of the provisions of this C&C Agreement and the provisions of the Agreement, the provisions of this C&C Agreement will prevail to the extent of the subject matter of this C&C Agreement.

2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION

2.1 Each of Expedia and the Company acknowledge that for the purpose of Applicable Data Protection Law, each party is an autonomous and independent controller; and that no personal data shall be shared between the Parties in connection with the Agreement.

3. OBLIGATIONS

3.1 Each Party will collect and process Controller Personal Data to fulfil its respective rights and the obligations under this Agreement, as well as under all applicable laws. As such, each Party will:

1. process such Controller Personal Data as an independent and autonomous controller;
2. comply with all Applicable Data Protection Laws applicable to controllers when processing such Controller Personal Data;
3. ensure that it has an appropriate lawful basis under Applicable Data Protection Laws for its processing of Controller Personal Data;
4. implement and maintain all appropriate technical and organizational measures and safeguards to protect Controller Personal Data they each process from and against a personal data breach, taking into account the risks represented by the processing and the nature of the Controller Personal Data;
5. take all necessary measures to ensure that Controller Personal Data are transferred in accordance with Applicable Data Protection Laws; and 
6. not share, distribute, sell or otherwise permit access to Controller Personal Data or otherwise collected for the purposes of this Agreement with any third party save for any data sharing that is necessary to fulfil the purposes of this Agreement or as otherwise agreed between the Parties in the Agreement.

3.2 Where the Company is processing personal data of any Personnel of Expedia, Company will notify Expedia without undue delay of a verified personal data breach affecting such personal data and provide Expedia with all relevant information as Expedia requires. 

4. TERM AND TERMINATION

4.1 This C&C Agreement will remain in full force and effect so long as the Agreement remains in effect.

4.2 Any provision of this C&C Agreement that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Controller Personal Data will remain in full force and effect.