Processor DPA | Expedia

PART 4 – PROCESSOR Data Processing Agreement

Last Updated: 19 November 2024

SCOPE: If and to the extent that the Company is processing personal data as part of the Services in the capacity of a processor on behalf of Expedia, this global Expedia data processing agreement (“DPA”) is supplemental to and applies to the Agreement and any relevant processing undertaken in connection with the Agreement, and sets out additional terms, requirements and conditions on which the third-party service provider (referred to in this DPA as the “Company”) will process personal data when providing Services under the Agreement. Where CCPA applies, Company will be deemed to be the Service Provider, as defined in CCPA.

1. DEFINITIONS AND INTERPRETATION

1.1 This DPA is subject to the terms of the Agreement and is incorporated by reference into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA, unless otherwise defined herein.

1.2 The Processor Processing Overview set out in the Appendix attached to the Agreement forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes that Appendix.

1.3 In the case of conflict or ambiguity between:

any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail to the extent of the subject matter of this DPA, save as expressly agreed otherwise between the Parties in the Agreement; and
any of the provisions of this DPA and the SCCs incorporated by reference herein, the provisions of the SCCs will prevail.

2. RELATIONSHIP OF THE PARTIES AND DATA PROTECTION

2.1 Each of Expedia and the Company acknowledge that for the purpose of Applicable Data Protection Law, Expedia is the controller and has appointed the Company as its processor to process Processor Personal Data in accordance with this DPA.

2.2 Each of Expedia and the Company will comply with the obligations that apply to it under Applicable Data Protection Law.

2.3 Expedia confirms that it has an appropriate lawful basis (to the extent required by Applicable Data Protection Law) for the transfer of Processor Personal Data to the Company (if any) and the processing activities carried out by the Company under Expedia's instruction in accordance with this DPA.

3. INSTRUCTIONS

Company will process the Processor Personal Data as a processor only for a Permitted Purpose and strictly in accordance with Expedia’s written instructions, unless otherwise required by Applicable Data Protection Law to which the Company is subject, in which case, the Company shall promptly notify Expedia of that legal requirement before processing. The Company will not process the Processor Personal Data for its own purposes or those of any third party. The Company must promptly notify Expedia if, in its opinion, Expedia’s instruction infringes Applicable Data Protection Law or if the Company can no longer comply with an obligation under this DPA. The Processor Processing Overview attached as an Appendix to the Agreement describes the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types relevant to the processing to be carried out by the Company to fulfil the Permitted Purposes.

4. INTERNATIONAL TRANSFERS

4.1 The Parties agree and acknowledge that in this clause 4.1, wherever the word ‘transfer’ is used, it includes access being provided by one controller/processor to another controller/processor and:

the Company will not transfer (nor permit any other party to transfer) the Processor Personal Data outside of its territory of origination other than as necessary for a Permitted Purpose and only where the Company takes any required compliance measures to enable such transfer is legally in accordance with Applicable Data Protection Law.
Asia-Pacific Region and CBPR System/ PRP System:
1. The Parties agree and acknowledge that:
  1. a CBPR Party or PRP Party is bound by a legally enforceable set of obligations to provide comparable protection to Applicable Data Protections Laws; and
  2. Expedia is a CBPR Party.
    Where the Company is a PRP Party, the provisions of this paragraph (b) will be construed to apply two-way.
2. Subject to paragraph (iii) below, the Parties agree that where:
  1. Processor Personal Data is being transferred from one CBPR/PRP Country to another CBPR/PRP Country; and
  2. the data importer is a CBPR Party or PRP Party (as applicable),
    then, to the extent that and for so long as the CBPR System or PRP System (as applicable) is a recognized method of transfer by a relevant supervisory authority, the CBPR System or PRP System (as applicable) shall be the agreed mechanism for cross-border transfers of Processor Personal Data to such CBPR Party or PRP Party.
3. The CBPR System or PRP System (as applicable) will only apply for transfers that involve at least one of the Parties being located in an Asia-Pacific Region country that is also a CBPR/PRP Country.
4. Expedia confirms that it will provide at least the same level of protection for the Processor Personal Data as is required under the CBPR System; and it will promptly notify the other Party if it makes a determination that it can no longer provide this level of protection. In such event, or if the other Party otherwise reasonably believes that Expedia is not protecting the Processor Personal Data to the standard required under the CBPR System, the other Party may either:
  1. instruct Expedia to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event the Parties will promptly cooperate in good faith to identify, agree and implement such steps;
  2. agree an alternate safeguard that may apply to the processing under Applicable Data Protection Law; or
  3. if (A) and (B) fail to resolve the issue, terminate any affected portion of this DPA and the Agreement without penalty by giving notice to Expedia.
    If the Company holds a current PRP System certification, then the above provisions will be deemed to apply as if the obligations are two-way and as if references to the CBPR System were references to the PRP System in relation to the Company.
DPF: The Parties agree that in respect of transfers of Restricted Transfer Data between the Parties to the United States or to a country which has not been deemed "adequate" (“Adequate Country”) under the Applicable Data Protection Laws of the originating Restricted Transfer Country:
1. to the extent that and for so long as (A) the DPF is a recognized and valid method of transfer by a relevant authority; and (B) Expedia continues to hold a current DPF certification, the DPF shall be the agreed mechanism for cross-border transfers of data originating from a Restricted Transfer Country from the Company to Expedia in the United States; and
2. to the extent that and for so long as: (A) the DPF is not a valid method of transfer and (B) Expedia does not hold a then current DPF certification, the SCCs shall apply to such transfers and Expedia will enter into them on the basis set out in paragraph (h) below. Where Company also holds a current DPF certification, relevant transfers of Restricted Transfer Data to Company can similarly be made under the DPF with SCCs as a fallback mechanism as set out above and where this is the case, the provisions of paragraphs (d) and (e) below shall be construed as applying two-way.
With regards to the DPF, Expedia agrees that it will provide the same level of protection as required by the DPF. If Company reasonably believes we are not protecting the Restricted Transfer Data to the standard required by the DPF, Expedia may either:
1. rely on the SCCs as set out in paragraph (h) below;
2. if SCCs are not a viable or appropriate solution, propose to Company reasonable and appropriate steps to stop and remediate any unauthorized processing, which Expedia will in good faith implement using commercially reasonable efforts; or
3. if the fallbacks in paragraphs (i) or (ii) above are not viable, terminate any affected portion of this DPA and the Agreement without penalty by giving notice in accordance with the Agreement.
If Company is certified under the DPF, Company will comply with the Notice and Choice Principles of the DPF (as defined in the EU-U.S. DPF). For the avoidance of doubt, if Company is not DPF certified or accessing or receiving the Restricted Transfer Data in a country deemed ‘adequate’ by the European Commission, then the SCCs will be relied on for transfers of Restricted Transfer Data from Expedia to Company.
The Parties agree that they may each disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.
Extension of SCCs to Non-Restricted Transfer Countries: In relation to transfers of Processor Personal Data between the Parties originating from a country that is not a Restricted Transfer Country but is otherwise subject to safeguards that, according to Applicable Data Protection Law, must be applied before a transfer can be made of that Processor Personal Data outside of the country of origin (each a “Non-Restricted Transfer Country”), then the Parties agree that:
1. the SCCs set out in paragraph (h) below shall be deemed to extend to such additional transfers to the extent that such deemed extension would satisfy the safeguards of that particular country; and/or
2. where the measures set out in paragraph (h) below are insufficient or require supplementary measures, the parties agree to take such further measures, including, for example, execution of relevant documents, collection of consent, making of required filings, as may be required from to time in order to satisfy Applicable Data Protection Law.
SCCs: Subject to the foregoing paragraphs of clause 4.1 above, where the Parties have determined that any transfer of Processor Personal Data between Expedia and the Company requires execution of SCCs in order to comply with Applicable Data Protection Law, the Parties hereby agree to enter into the SCCs which are incorporated by reference into this DPA on an unchanged basis save for the following selections:
1. Where Company is located inside the European Economic Area or an Adequate Country, only Module four (4) (Processor to Controller) of the SCCs applies. Otherwise, Modules two (2) (Controller to Processor) and four (4) of the of the SSCs apply.
2. For the purposes of clause 9(a) of the SCCs, option 1 (“Specific Prior Authorization”) is deleted. The relevant period of days for prior notification of changes in subprocessors is fourteen (14) days.
3. For the purposes of clause 11(a) of the SCCs, the optional language is deleted.
4. For the purposes of clause 13 of the SCCs, the relevant paragraph is “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority”.
5. For the purposes of clause 17 of the SCCs, the governing law is Ireland.
6. For the purposes of clause 18(b) of the SCCs, the selection is Ireland.
7. A new clause 19 is added to the SCCs to cover transfers of personal data from the United Kingdom to outside of the United Kingdom as follows:

“Clause 19

UK GDPR and DPA 2018

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of UK GDPR and Data Protection Act 2018 (a “UK transfer”). For the purposes of such UK transfer, the provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall apply as set out in the form attached as the Addendum.”

h. A new clause 20 is added to the SCCs to cover transfers of personal data from Switzerland to outside of Switzerland as follows:

“Clause 20

Swiss – FADP

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover extra-territorial transfers that fall under the scope of Federal Act of Data Protection (“FADP”) (referred to in this Clause as a “Swiss transfer”). For the purposes of such Swiss transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the Federal Data Protection and Information Commissioner (“FDPIC”) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Swiss transfer as are deemed necessary by the FCPIC to comply with the UK GDPR and FADP, and the Clauses shall be interpreted in accordance with the requirements for Swiss transfers arising under those laws or as otherwise set out in guidance issued by the FDPIC, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Swiss transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the FADP when engaging in Swiss transfers.”

i. A new clause 21 is added to the SCCs to cover transfers of personal data from Brazil to outside of Brazil as follows:

“Clause 21

Brazil – LGPD

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the Brazilian General Data Protection Law No. 13,709/18 (Lei Geral de Proteção de Dados) (“LGPD”) (referred to in this Clause as a Brazilian transfer). For the purposes of such Brazilian transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and Brazil’s National Data Protection Authority (“ANPD”) shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Brazilian transfer as are deemed necessary by the ANPD to comply with the LGPD, and the Clauses shall be interpreted in accordance with the requirements for Brazilian transfers arising under those laws or as otherwise set out in guidance issued by the ANPD or other relevant Brazilian authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Brazilian transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the LGPD when engaging in Brazilian transfers.”

j. A new clause 22 is added to the SCCs to cover transfers of personal data from any other country not hitherto specified where the SCCs may be extended to ensure appropriate safeguards for transfers of personal data originating from that country to a party located outside of that country as follows:

“Clause 22

Other third country transfers

The Parties agree that these Clauses will extend and apply, to the extent relevant to the transfer in question, to cover cross-border transfers that fall under the scope of the any other applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data (“Applicable Data Protection Laws”) requiring terms and protections broadly equivalent to these Clauses in order to transfer personal data from that country to another (referred to in this Clause as a “Third Country transfer”). For the purposes of such Third Country transfers, the governing law shall be deemed to be the selected Member State, the choice of forum shall be the selected Member State and the data protection authority or regulatory body of that country shall be the competent supervisory authority. The Parties further agree that such further changes shall be construed to be made to the Clauses in respect of a Third Country transfer as are deemed necessary by such supervisory authority to comply with the Applicable Data Protection Law of that country, and the Clauses shall be interpreted in accordance with the requirements for Third Country transfers arising under those laws or as otherwise set out in guidance issued by the relevant supervisory authority, without the Parties having to enter into separate standard contractual clauses prepared specifically for their Third Country transfers. The Parties shall further do all such acts and things as may be necessary to ensure compliance with the Applicable Data Protection Law(s) when engaging in Third Country transfers.”

4.2 For the purposes of the SCCs:

Annex one (1) (SCCs Processing Overview) of this Part four (4) will constitute Annex one (1) of the SCCs.
Where the Company is the data importer under the SCCs, Part two (2) (Security Measures) and Part three (3) (Business Continuity) of the Requirements will constitute Annex two (2) of Module two (2) for the purposes of the SCCs.
Where Expedia is the data importer under the SCCS, Annex two (2) (Technical and Organisational Measures) to this DPA constitutes Annex two (2) of Module four (4) for the purposes of the SCCS with respect to Expedia.

4.3 Subject to the requirements set out in Clause 7 (Subprocessors) below, Expedia authorizes the Company to enter into further SCCs as required with a proposed Subprocessor. The Company will make the executed SCCs available to Expedia on request.

5.PERSONNEL AND CONFIDENTIALITY

The Company will ensure that any Personnel or any third party (legal or natural) (each an “Authorized Person”) it authorizes to process the Processor Personal Data have committed themselves to a strict duty of confidentiality (whether contractual or statutory) and shall not permit any person to process the Processor Personal Data who is not under such a duty of confidentiality. Company shall ensure that all Authorized Persons process the Processor Personal Data only as necessary for the Permitted Purpose.

6. SECURITY MEASURES

Company must at all times implement appropriate technical and organizational measures (as defined in the "GDPR") to protect Processor Personal Data, including against a personal data breach. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures will include the security measures identified in Parts two (2) and three (3) of the Requirements.

7. SUB-PROCESSORS

7.1 The Company may only authorize a Sub-processor to process the Processor Personal Data if:

Expedia is provided with an opportunity to object to the appointment of each Sub-processor within fourteen (14) days after the Company supplies Expedia with full details regarding such subcontractor (including the proposed name, address, location and processing activities) to the following mailbox: Subprocessorchangenotification@expediagroup.com. Similarly, any change to any of the material details of processing carried out by any existing Sub-processor must be notified to Expedia using the same mailbox. If Expedia objects to any proposed Sub-processor or change to processing carried out by an existing Sub-processor, in each case, on reasonable data protection grounds, then Company will not permit that Sub-processor to process Processor Personal Data;
the Company enters into a written contract with the Sub-processor that contains terms substantially similar to those set out in this DPA; and
Company remains fully liable to Expedia for any breach of this DPA that is caused by an act, error or omission of its Sub-processsor.

7.2 A list of approved existing Sub-processors as at the date of the Agreement are set out in the Processor Processing Overview attached to the Agreement, including name, location and processing activities or alternatively a link has been provided to Expedia containing such information. Company confirms that it has satisfied the requirements set out in paragraph (b) and (c) of Clause 7.1 above in respect of each such Sub-processor. Company will maintain and provide, on request, updated copies of the Sub-processor list to Expedia.

7.3 The Parties consider the Company to be responsible for any Processor Personal Data processed by its Sub-processors.

8. COOPERATION AND EXERCISE OF DATA SUBJECT RIGHTS

8.1 At no additional cost and taking into account the nature of the processing, Company must provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Expedia to enable Expedia to respond to:

any request (a “Data Subject Request”) from a data subject to exercise its rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable); and
any other correspondence, enquiry or complaint received from a data subject, regulator or other third party,

insofar as such request or communication relates to Processor Personal Data.

8.2 Company will notify Expedia promptly and in any event within two (2) working days if it (or its Sub-processors) receives a Data Subject Request or other communication referred to in Clause 8.1(b) above.

8.3 Company will not directly respond to a Data Subject Request or other communication referred to in Clause 8.1(b) above other than at Expedia’s request or instruction or as provided for in this DPA.

9. DATA PROTECTION IMPACT ASSESSMENT

If Company believes or becomes aware that its processing of Processor Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Expedia. Company will provide Expedia with all such reasonable and timely assistance as Expedia may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant supervisory authority.

10. PERSONAL DATA BREACH

10.1 Upon becoming aware of a personal data breach, the Company will notify Expedia of such personal data breach without undue delay and in any event, within seventy-two (72) hours of becoming so aware.

10.2 When notifying Company under Clause 10, Company will, without undue delay, provide Expedia with the following information:

description of the nature of the personal data breach, including the categories and approximate number of both data subjects and records concerned;
the likely consequences; and
description of the measures taken, or proposed to be taken, to address (a) and/or (b), including measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the above information at the same time, the Company will provide such information in phases without undue delay, and keep Expedia informed of all related developments.

10.3 Immediately following any personal data breach, the parties will co-ordinate with each other to investigate the matter. The Company will reasonably co-operate with Expedia in Expedia’s handling of the matter, including, as reasonably deemed appropriate by Expedia:

assisting with any investigation;
permitting and assisting with security audits in accordance with Clause 13 (Audits);
taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach; and
The Company will not inform any third party of any personal data breach without first obtaining Expedia’s prior written consent, except when expressly required to do so by law.

10.4 The Company agrees that Expedia has the sole right to determine:

whether to provide notice of the personal data breach to any data subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Expedia’s discretion, including the contents and delivery method of the notice; and
whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.

10.5 The Company will cover all of its own reasonable expenses associated with the performance of the obligations under this Clause and reimburse Expedia for actual reasonable expenses that Expedia incurs when responding to a personal data breach attributable to the processor, including all costs of notice and any remedy as set out in this Clause.

11. DELETION OR RETURN

The Company will comply with Section 1.11 of Section 1 of Part 2 (Deletion or Return) of the Requirements.

12. RECORDS AND EVIDENCE OF COMPLIANCE

12.1 The Company will keep detailed, accurate and up-to-date written records ("Records") regarding any processing of Processor Personal Data it carries out for Expedia, including but not limited to, the access, control and security of the Processor Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of Processor Personal Data to a third country and related safeguards, and a general description of the technical and organizational security measures referred to in Clause 6. The Company will provide Expedia with copies of Records upon request.

12.2 The Company will make available to Expedia all information necessary (including but not limited to, Records) to enable Expedia to verify the Company’s compliance with its obligations under this DPA.

12.3 Company will promptly inform Expedia in writing of any material changes to its processing activities from time to time, for example, without limitation, a change to how or where Processor Personal Data is accessed, hosted or which otherwise processed.

13. AUDITS

The Company will comply with paragraph 1.10 of Section 1 of Part 2 (Right to Audit) of the Requirements.

14. DATA COLLECTION AND TRANSPARENCY

Where the Company is collecting personal data directly from data subjects on behalf of Expedia, the Company will only collect Processor Personal Data for Expedia using an Expedia privacy notice or method that Expedia specifically pre-approves in writing. The Company will not modify or alter the notice in any way without Expedia’s prior written consent. Where consent is required to collect such personal data, the Company will collect such consent in accordance with Applicable Data Protection Law, including ensuring that it maintained records of the date, time and method by which such consent was collected for each data subject and make such records available to Expedia on request.

15. ADDITIONAL OBLIGATIONS

15.1 For the purpose of this section, “sale/sell” and “share” will have the meaning given to them in Applicable Data Protection Law in the United States.

15.2 To the extent that Processor Personal Data processed by the Company is within the scope of Applicable Data Protection Laws of the United States, the Company will be deemed to be a "Service Provider" as that term is defined in the CCPA and references to processor in this DPA shall be construed accordingly for such purposes.

The Company will not process any Processor Personal Data outside of the direct business relationship between the Parties as outlined in the Agreement and this dpa. Additionally, the Company will not combine Processor Personal Data it receives from or on behalf of Expedia with any personal information it receives from another entity or that it collects from its own interactions with individuals, except where allowed under Applicable Data Protection Laws and explicitly permitted by Expedia. Expedia may take steps as reasonable and appropriate to remediate unauthorized use of Processor Personal Data outside of its instructions.
If the Company has access to de-identified Processor Personal Data, it will publicly commit to maintain and only use such de-identified data in such form. The Company will not allow any Sub-processor to re-identify any de-identified Processor Personal Data unless so instructed in writing by Expedia.
For the purposes of Applicable Data Protection Laws, the Company acknowledges and agrees that it is not permitted to sell, share or rent the Processor Personal Data. The Parties agree that the transfer of any Processor Personal Data in accordance with this Agreement and this DPA does not constitute a sale or sharing.

16. TERM AND TERMINATION

16.1 This DPA will remain in full force and effect so long as:

the Agreement remains in effect; or
the Company retains any Processor Personal Data related to the Agreement in its possession or control.

16.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Processor Personal Data will remain in full force and effect.

ANNEX 1

SCCs - Processor Overview

This is Annex one (1) for the purposes of the Module two (2) and four (4) Standard Contractual Clauses to the extent the Parties agree that they apply to the Agreement. This Processing Overview should be read in conjunction with Processor Processing Overview attached to the Agreement.

MODULE TWO (2) – Controller to Processor

A. LIST OF PARTIES

Data exporter(s):

Expedia Group parties	Expedia controllers acting as data exporters: Each of the Expedia entities identified as “Data Controllers for Europe” in the link here. EU Representatives and UK Representatives: Each of the Expedia entities identified as such in the above link. Addresses of all relevant parties can be found in the above link, as can details of any relevant DPOs.
Address	As specified in the Agreement
Role	Controller
Contact name, position & contact details for all Expedia Group parties	Account or relationship manager using email address notified to counterparty contact from time to time and copied to Expedia's privacy or security inbox indicated in the notice provisions of the Agreement or otherwise provided from time to time.
Activities relevant to personal data transferred under SCCs for Controllers	Data exporter may contract services from time to time from the Data Importer(s) as set out in, and in accordance with, the contract into which the DPA to which this Annex is appended is incorporated, any Statements of Works, and/or Orders or similar ancillary agreements entered into in connection with that contract ("Agreement")

Data importer(s):

Company	The party/ies providing a service or product to the Expedia Group party/ies as identified identified in the Agreement
Address	As specified in the Agreement
Role	Processor
Contact name, position and contact details for all Company parties	Account or relationship manager using email address notified to Expedia from time to time
Activities relevant to the personal data transferred under SCCs	Data importer may provide services from time to time to the Data Exporters as set out in, and in accordance with, the Agreement

B. DESCRIPTION OF TRANSFER

Categories of data subject Categories of personal data Sensitive data	See Section B1 (Transfer from Controller to Processor) of Processor Processing Overview attached to the Agreement
Frequency of the transfer	Continuous or ad hoc basis in accordance with the needs of Expedia’s business
Nature of the processing	All processing operations required to facilitate provision of services in accordance with the Agreement
Purpose(s) of the data transfer and further processing	See Section B1 (Transfer from Controller to Processor) of the Processor Processing Overview attached to the Agreement
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	In accordance with the retention policy of the Company, provided that to the extent that any personal data is retained beyond the termination of the Agreement for back up or legal reasons, Company will continue to protect such personal data in accordance with the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Company to attach complete current list or insert link to such link in Section B1 (Transfer from Controller to Processor) of Processor Processing Overview attached to the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

Irish Data Protection Authority

MODULE FOUR (4) – PROCESSOR TO CONTROLLER

A. LIST OF PARTIES

Data exporter(s):

Party/ies

The data importer for Module two (2) above is the data exporter for the purposes of Module four (4).

Contact, activities and role are as per Module two (2).

Data importer(s):

Parties

Expedia Group controllers acting as data exporters in Module two (2) act as the data importers for the purposes of Module four (4).

Contact, activities, and role are as per Module two (2).

B. DESCRIPTION OF TRANSFER

Categories of data subject Categories of personal data Sensitive data	See Section B2 (Transfer from Processor to Controller) of Processor Processing Overview attached to the Agreement
Frequency of the transfer	As per Section B1.
Nature of the processing	As per Section B1.
Purpose(s) of the data transfer and further processing	See Section B2 (Transfer from Processor to Controller) of Processor Processing Overview attached to the Agreement
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	In accordance with the retention policy of Expedia
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Available on request in the event that SCCs apply on account of invalidation of the DPF

C. COMPETENT SUPERVISORY AUTHORITY

Irish Data Protection Authority

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPEDIA MEASURES

Expedia Group parties acting as data importers will comply with the below measures for the purposes of Annex II of the SCCs.

Subject	Measure
Measures of pseudonymisation and encryption of personal data	Expedia Group supports industry standard encryption protocols for data transmission based on Expedia Group’s Information Classification and Handling Standard. Data handling requirements are based on a categorical basis. Depending on the data being handled, different security requirements are in place across Expedia Group. For example, credit card data is considered Highly Sensitive and required to be encrypted both in transit and at rest. Personal data of the customer (and its employees) is pseudonymized (and anonymized) by Expedia Group when possible and as required according to EG’s Information, Classification and Handling Standards. Credit card numbers are tokenized/pseudonymized to eliminate processing of cleartext credit card numbers. Expedia Group utilizes encrypted connections through VPN, SSL, etc. and utilizes multi-factor authentication mechanisms.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	Expedia Group maintains responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data. The monitoring of key processing facilities is in place, with a robust SOX program where controls over data processing and integrity are tested and attested to on an ongoing basis. Industry standard logging and monitoring is in place on EG’s systems to ensure and protect against unauthorized access, modification and/or deletion. Expedia Group maintains service resilience through redundant architecture, data replication, and integrity checking.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Expedia Group’s systems are specifically designed to impede or prevent common attacks and ensure availability for operation, monitoring and maintenance. For this purpose, Expedia Group regularly carries out simulated tests and audits to confirm that its systems maintain availability. Servers are patched against Expedia Group’s robust patching policy and protected by industry standard AV/AM programs. Additionally, vulnerability assessments, thorough testing, and network reviews are conducted to ensure EG’s systems are maintained. Availability and reliability monitoring is in place to ensure Expedia sites remain online, with minimal interruptions of service. Expedia Group maintains a Disaster Recovery Plan that accounts for emergencies and contingency plans to ensure that customer services are uninterrupted according to severity and are tested regularly to ensure viability.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing	Expedia Group’s technical and organizational measures are audited annually by external assessors as well as through robust internal testing. EG conducts annual PCI assessments utilizing a third-party assessor and ensures ongoing compliance with PCI. EG’s comprehensive internal testing function is comprised of quarterly vulnerability testing, internal and external penetration testing, network, system and firewall scanning and reviews. Additionally, an internal audit department conducts annual risk assessments to prioritize operational audits.
Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage	Expedia Group systems are aligned with industry best practices and have in place communication practices such as time-out sessions, lock-out protocols, and robust password and authentication controls. Expedia Group maintains requirements for account provisioning and oversight to prevent unauthorized access or misuse of Expedia Group information and uses industry best practices as required, such as the Least Privilege Access principle, unique ID’s and multi factor authentication for strong authentication purposes.
Measures for ensuring physical security of locations at which personal data are processed	A Security Operations Center provides 24x7 coverage, with a formal incident response plan reviewed and tested at least annually. All systems are regularly controlled and tested by external service providers. Each Expedia Group customer receives their own customer ID. All datasets of the respective customer are stored under this ID and all customer data is logically segregated. Due to administration rights and database structures, the customer can only access datasets which are assigned to that user ID and data centers/AWS controls. Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system.
Measures for ensuring events logging	Expedia Group maintains robust logging and monitoring requirements to account for the who, what, where, when, target, source, and success/failure of the logged event.
Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products	Only persons who are expressly authorized by Expedia and have a ‘need to know’ have access to personal data. Controls and monitoring are in place to ensure least privileged access and unauthorized access attempts to the system. Expedia Group’s (EG) Information Security program is aligned with industry frameworks and standards, working through its risk management program to ensure a robust and comprehensive security posture. Expedia Group maintains secure operational processes to support the security, availability, integrity and confidentiality of the environment and customers’ data. Expedia Group’s build standards only enable system components, services, and protocols that serve a business requirement. Operating Systems, databases, and off-the-shelf applications must be discoverable to satisfy legal and regulatory audit requirements, supports configuration management tools, or deploys configuration management that successfully enforces security controls, must enable encryption for all remote administrative access to a system, display proper use of the system, the system is being monitored to detect improper use and other illicit activity there is no expectation of privacy while using the system. Expedia Group takes a layered / defense-in-depth strategy to security. Critical capabilities and controls are in place across the enterprise (e.g.: anti-malware, WAF, network segmentation, DLP, etc.), utilizing a suite of policies, operations and technologies to ensure the environment is monitored through a central security organization and alerts responded to accordingly. Expedia's systems are hosted on Amazon Web Services (AWS) and in Data Centers that provide Expedia Group with annual SOC 2 reports to ensure compliance.
Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability	Minimisation: Expedia Group ensures only minimum amount of data is collected, processed and stored.   We only use identifiable format where necessary. Retention: The Expedia Group data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. Quality: Expedia Group has a formalized, quality management program, the Customer Experience Management (CEM) program. We are always striving for improvement within EG’s environment and seeking to streamline processes for higher efficiencies resulting in consistent, high-quality services and interactions with our partners, clients and travelers. Accountability: Expedia Group ensure accountability oversight with consistent implementation of policies, industry regulations/frameworks and legal requirements by maintaining a formalized Governance program, and Legal/Privacy body.
Measures for allowing data portability and ensuring erasure	Expedia Group is directly responsible for ensuring compliance with data protection laws (including in relation to requests from data subjects). Expedia Group responds to all subject requests, including access, deletion and portability in accordance with applicable data protection law. Expedia Group's data retention policy sets out different retention periods and backups depending on the category of data, including any legal obligation or other exemption which requires such data to be retained until certain legal obligations, such as tax and accounting purposes, have been extinguished. In the event that Expedia Group is unable to destroy Personal Data, Expedia Group shall continue to extend relevant protections of the Agreement between the parties governing such personal data and terminate any further processing.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter	Expedia Group conducts due diligence into the information security practices of its vendors and requires vendors to meet comprehensive security requirements, including obligations requiring vendors to have in place and maintain appropriate technical and organisational measures. Expedia Group has formalised a detailed Security Impact Assessment (“SIA”) process. All new vendors accessing data are screened prior to engagement and during the term where necessary. Additionally, Expedia Group also has robust vendor processor terms that are imposed on all vendors, ensuring the flow down of obligations to any of their sub-processors.

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Addendum)

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1 Tables

Table 1: Parties
Start Date	The date of the SCCs to which these are attached (Approved EU SCCs).
Parties Key Contact	Exporter: As per EU SCCs.	Importer: As per EU SCCs.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs	The version of the Approved EU SCCs which this Addendum is appended to.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex IA: List of Parties Annex 1B Description of Transfer Annex II: Technical and organisational measures	As per EU SCCs
Table 4: Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19	Neither Party

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

	Scope
	Definitions and Interpretation
	Relationship of the Parties
	Instructions
	International Transfers
	Personnel and Confidentiality
	Security Measures
	Sub-processors
	Cooperation &Exercise of Rights
	DPIA
	Personal Data Breach
	Deletion or return
	Records & Evidence of Compliance
	Audits
	Data Collection and Transparency
	Additional Obligations
	Term & Termination
	Annex I
	Annex II
	Addendum