PART I – SCOPE AND DEFINITIONS

Last Updated: 19 November 2024 

1.1 SCOPE: These Requirements are supplemental to the framework services agreement, SAAS agreement, creative services agreement, master services agreement or any other contract (the “Agreement”) between Expedia, Inc. or any of its group members which is a contract party (“Expedia”) and the third-party vendor or service provider or any of its group members which is a contract party (“Company”) referencing or otherwise incorporating these Requirements.

Any Company handling data as part of Services provided to Expedia must handle, treat, and otherwise protect Expedia Information in accordance with these Requirements and any contractual agreement between such Company and Expedia. 


1.2 REQUIREMENTS

The sections of these Requirements that apply to Company are determined in accordance with the following:

  1. If Company accesses Expedia Personal Data, Expedia Information, networks, or facilities, Section 1 of Part 2 (Security Measures) and Part 3 (Business Continuity) of these Requirements apply.
  2. If Company provides any software (whether or not developed by Company or by another third-party) or develops customized code for Expedia, Section 2 of Part 2 (Security Measures) of these Requirements applies.
  3. If Company accesses or otherwise receives Expedia employee or customer Cardholder Data, or provides Cardholder processing software to Expedia, Section 3 of Part 2 (Security Measures) of these Requirements applies.
  4. If Company is processing personal data as part of the Services in the capacity of a Processor on behalf of Expedia (as identified in the Agreement), Part 4 (Processor Data Processing Agreement) of these Requirements applies.
  5. If Company is processing personal data as part of the Services in the capacity of a Controller (as identified in the Agreement) and personal data is shared between the Parties as part of the Services, Part 5 (Controller to Controller Agreement) of these Requirements applies.
  6. If Company is processing personal data as part of the Services in the capacity of a Controller (as identified in the Agreement) but no personal data is shared between the Parties as part of the Services, Part 6 (Controller & Controller Agreement) of these Requirements applies.

All requirements in a section that applies to Company must be met.


1.3 PRIVACY DEFINITIONS

Terms not defined in these Requirements will have the meaning given to them in the applicable Agreement, and:

1.3.1 Privacy/Data Protection Definitions:

  1. “controller”, “data subject”, “personal data”, “personal data breach”, “process/processing”, “processor”, and “supervisory authority” (or reasonably equivalent terms) will have the meanings given to them in the Applicable Data Protection Law.

  2. “Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as attached to SCCs for the purposes of UK Transfers in accordance with Part 4 and/or Part 5 of these Requirements (as applicable).

  3. “Annex 1” means, as the context requires, the Annex 1 that forms part of Part 4 (Processor DPA) or the Annex 1 that forms part of Part 5 (Controller to Controller Agreement), in each case, together with the applicable sections of the relevant Appendix of the Agreement.

  4. “Annex 2” means (a) in relation to the Company, Part 2 (Security Measures), Part 3 (Business Continuity) and Section 8 of Part 4 (Processor Data Processing Agreement) of the Requirements; and (b) where specified as applying, the Expedia Security Measures set out in Annex II of Parts 4 and 5 of these Requirements.

  5. “Annexes” means Annex 1 and Annex 2 collectively.

  6. “Appendix” means, as the context requires, the relevant Processor or Controller Processing Overview attached as an Appendix to the Agreement.

  7. “Applicable Data Protection Law” means any applicable laws and regulations in any relevant jurisdiction, relating to the use or processing of personal data.

  8. “CBPR/PRP Country” means a country that is a full or associate member of the CBPR System and the PRP System.

  9. “CBPR Party” means an organization that holds a current certification under the CBPR System.

  10. “CBPR System” means the Global Cross Border Privacy Rules System.

  11. “Controller Personal Data” means, if applicable, Expedia Personal Data processed by the Parties in connection with the Agreement in their respective capacities as independent and autonomous controllers.

  12. “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations signed into law on June 28, 2018, as amended, supplemented or replaced from time to time.

  13. “DPF” means an EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or Swiss-U.S. Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time and which has not been invalidated.

  14. “Expedia Personal Data” means any personal data that:

    1. is provided to Company by Expedia (or its Affiliates or a third party on Expedia’s behalf) for processing; or

    2. Company (or any of its subcontractors) generates, collects, hosts, transmits or otherwise processes, in each case in connection with the provision of the Services.

  15. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended, supplemented or replaced from time to time.

  16. “Permitted Purpose” means as necessary for (i) provision of the Services; (ii) creation of aggregated and irretrievably anonymized internal reports for analytic, business intelligence and business reporting; and (iii) compliance with legal obligations which do not conflict with Applicable Data Protection Laws. Permitted Purpose expressly excludes using personal data, or any data derived from personal data (including inputs or outputs), for the training of AI models of the Company or any other third party or system which is not for the sole benefit of Expedia unless explicitly agreed between the Parties in the Agreement.

  17. “Personnel” means in relation to a Party, its employees, independent contractors, consultants, agents and other representatives.

  18. “Processor Personal Data” means, if applicable, Expedia Personal Data processed by Company in its capacity as a Processor on behalf of Expedia.

  19. “PRP Party” means an organization that holds a current certification under the PRP System.

  20. “PRP System” means the Privacy Recognition for Processors System.

  21. “Requirements” means these Expedia Group Privacy and Data Handling Requirements.

  22. “Restricted Transfer Country” means any country in the European Economic Area, Switzerland, the United Kingdom, and Brazil.

  23. “Restricted Transfer Data” means Expedia Personal Data in a Restricted Transfer Country.

  24. “Standard Contractual Clauses/SCCs” means the approved European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to third countries, as issued on 4 June 2021, as amended, replaced, supplemented, or superseded from time to time, and the full current version of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en

  25. “Sub-processor” means any third party other than Company, including Company’s Affiliates and subcontractors, appointed by Company as a processor to process Expedia Personal Data.

  26. “Technical and Organizational Measures” means appropriate technical and organizational security measures as defined in the GDPR, and shall include implementing reasonable industry protections having regard to physical, electronic and procedural safeguards to protect the personal data supplied to Company against any personal data breach, and any security requirements, obligations, specifications or event reporting procedures set forth in any schedule, order or statement of work or similar document attached or entered into pursuant to the applicable Agreement.

1.3.2 Additional Security Definitions:

  1. “Expedia Information” is all non-public data and includes all Confidential Information and Expedia Personal Data on any media format which is acquired from, owned by, stored or processed on behalf of, or otherwise the responsibility and/or property of, Expedia and includes Expedia Data (as defined in the Agreement).

  2. “Highly Sensitive Information” is that subset of Expedia Information whose unauthorized disclosure or use could reasonably entail enhanced potential risk for Expedia, its employees or customers and includes, without limitation:

    1. government-issued identifiers, such as passport numbers or U.S. Social Security Number (“SSN”), financial and/or payment account numbers, data subject to PCI DSS requirements such as credit or debit card numbers, and/or authentication data, such as passwords or PINs;

    2. Expedia corporate information such as banking and treasury data, privileged administrative accounts and credentials, penetration test reports, and vulnerability scan reports; and

    3. personal data marked as sensitive, special category or reasonably equivalent and requiring higher protections in Applicable Data Protection Law, including race and ethnicity, political views, religion, spiritual or philosophical beliefs, biometric data for ID purposes, health data, sex life data, sexual orientation, genetic data, and precise location data.

  3. “PA-DSS” means the Payment Application Data Security Standard, its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).

  4. “Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.

  5. “Payment Card Brands” means American Express, Discover, Mastercard, Visa, and JCB International.

  6. “PCI DSS” means the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).

  7. “Protected Environment” means any segregated network environment, network storage device, individual servers and/or devices which are secured through logical or physical access control to industry best-practice standards.