Expedia Group Privacy and Data Handling Requirements
Expedia Group takes the security and privacy practices of companies it does business with extremely seriously, and we expect our vendors and other business partners to do the same.? The purpose of these Requirements is to establish those minimum information security standards and data privacy requirements that must be adhered to by any Company performing services for an Expedia Group company (“Expedia”) or who otherwise has access to Expedia Information.?
SCOPE OF REQUIREMENTS: Company must handle, treat, and otherwise protect Expedia Information in accordance with these Requirements and any contractual agreement between such Company and Expedia.? If there is a direct conflict between any term of these Requirements and the terms of a written contract between Company and Expedia, the terms of the written contract will prevail to the extent of the conflict.
Sections 1 through 4 apply as follows. Requirements in all sections that apply must be met:
|1.||If Company accesses Expedia Personal Data, Expedia Critical Information, networks, or facilities|
|2.||If Company provides code or develops systems that access, process, or store Expedia Information|
|3.||If Company accesses or otherwise receives Expedia employee or customer Personal Data|
|4.||If Company accesses or otherwise receives Expedia employee or customer Cardholder Data, or provides Cardholder processing software to Expedia|
For purposes of these Requirements, the following definitions shall apply:
“Data Security Breach” means: (A) the loss or misuse (by any means) of Personal Data, including, without limitation any unauthorized access or disclosure to unauthorized individuals; (B) the inadvertent, unauthorized and/or unlawful Processing, corruption, modification, transfer, sale or rental of Personal Data; or (C) any other act or omission that compromises the security, confidentiality, or integrity of Personal Data.? Data Security Breach includes, without limitation, a breach resulting from or arising out of Company’s internal use, Processing or other transmission of Personal Data, whether between or among Company’s subsidiaries and affiliates or any other person or entity acting on behalf of Company.
“EEA Data” means any Personal Data Processed by or on behalf of Company under this Agreement that relates to employees, customers or other individuals who are located in the EEA.
“Expedia Critical Information” means any data, plus the infrastructure containing or providing direct access to that data, which has legal, financial or compliance implications for Expedia.? Examples of such data include Personal Data of Expedia customers, employees, end-users, partners and suppliers, and other individuals; privileged administrative accounts and credentials; financial data including data subject to PCI DSS; critical security vulnerability and gap reports; and material non-public legal and intellectual property documents.
“Expedia Information” is all non-public data and includes all Expedia Critical Information and Expedia Personal Data on any media format which is acquired from, owned by, stored on behalf of, or otherwise the responsibility and/or property of, Expedia.
“GDPR” shall mean European Union Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (as amended, replaced or superseded).
“Highly Sensitive Information” is that subset of Personal Data whose unauthorized disclosure or use could reasonably entail enhanced potential risk for the data subject.? Highly Sensitive Information includes, without limitation, U.S.? Social Security Number (“SSN”), or credit or debit card number (“Cardholder Data”), and/or account authentication data, such as passwords or PINs.
“PA-DSS” means Payment Application Data Security Standard 3.0, its supporting documentation and any subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
“Payment Card Brands” means American Express, Discover, MasterCard and Visa.
“PCI DSS” means the Payment Card Industry (PCI) Data Security Standard (DSS) version 2.0, its supporting documentation and any applicable subsequent version(s) of said standard?published by the PCI Security Standards Council or its successor(s).
“Personal Data” means any information that relates to an individual, including an employee, customer, end-user or any other individual, including, without limitation: (A) first and last name; (B) home or other physical address; (C) telephone number; (D) email address; (E) identification number, location data or online identifier associated with an individual; (F) “Sensitive Information” (as defined below); (G) “Highly Sensitive Information” (as defined above); (H) employment, financial or health information; or (I) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing.
“Processing” or “Process” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, restriction, blocking, deletion, erasure, or destruction.
“Protected Environment” means any segregated network environment, network storage device, individual servers and/or devices which are secured through logical or physical access control to industry best-practice standards.
“Sensitive Information” is a subset of Personal Data and has the meaning assigned under Article 9 of the GDPR and includes medical information, criminal history, race, ethnicity, national origin, information about sexual orientation or activity, political opinions and religious beliefs.
“Technical and Organizational Security Measures” means security measures, consistent with the type of Personal Data being Processed and the services being provided by Company, to protect Personal Data, which measures shall implement best industry protections and include physical, electronic and procedural safeguards to protect the Personal Data supplied to Company against any Data Security Breach, and any security requirements, obligations, specifications or event reporting procedures set forth in any Schedule/Statement of Work to this Agreement.
SECTION 1: ACCESS TO PERSONAL DATA, EXPEDIA CRITICAL INFORMATION, NETWORKS, OR FACILITIES
SCOPE OF SECTION 1: If Company has access to Expedia Personal Data; Expedia Critical information; Expedia networks (including without limitation, if Expedia is providing a data feed or other information to Company via the Internet or vice-versa); or Expedia facilities (e.g., Company personnel will be performing services at an Expedia facility), Company will, at a minimum, comply with the provisions in Section 1:
1.1 INFORMATION SECURITY PROGRAM
1.1.1 INFORMATION SECURITY RISK MANAGEMENT PROCESS
Company must have an established process that periodically assesses information security risk within the organization that has access to Expedia Information.
1.1.2 INFORMATION SECURITY POLICY
Company must have a documented information security policy, approved by appropriate management or governance committee and reviewed periodically, which defines responsibilities for protecting information assets.? Policies shall be based upon industry best practices, addressing areas such as asset management, personnel security, physical, environmental, equipment, and media security, communications and operations management, access controls, information systems development and maintenance, incident management, business continuity management, and compliance.
1.1.3 ORGANIZATION OF INFORMATION SECURITY
Company must document, adopt, and enforce compliance with Company information security requirements, policies, standards, and procedures.? Company must provide Expedia a point-of-contact for escalation of all information security matters.? If Company is contractually permitted to allow third-party access to Expedia Information, Company must define procedures that ensure that downstream third-party and outsourced service providers comply with this Agreement when working with Expedia Information on behalf of Company.
1.2 ASSET MANAGEMENT, CLASSIFICATION, AND HANDLING
Company must have a managed and up-to-date inventory of Company assets that have access to Expedia Information.? Company must define and maintain an information classification process that specifies appropriate security and handling controls based upon defined classifications.? Expedia has the right to review and approve all non-Expedia owned equipment connecting with Expedia networks.? Assets that connect to Expedia networks may be subject to modifications including, but not limited to, custom configurations and settings, O/S hardening, patching, security agents and mobile security code (such as anti-virus and authentication certificates).
1.2.1 HANDLING EXPEDIA INFORMATION
- All Expedia Information must be encrypted in transit.
- Expedia Highly Sensitive Information must be encrypted both in transit and at rest.
- All other Expedia Information must be encrypted or secured in a Protected Environment with limited access when at rest.
1.3 PERSONNEL AND HUMAN RESOURCES SECURITY
1.3.1 BACKGROUND AND SCREENING CHECKS
To the extent allowed by local law and prior to employment, Company must conduct employee and contingent staff background screening commensurate with the level of access provided, including criminal, financial, and/or employment background screening.? Background checks must be completed and the results deemed satisfactory by Company prior to the employee or contractor being assigned to perform services for Expedia where those services will involve having access to Expedia Information.? Individuals whose background checks reveal convictions for violations including but not limited to computer crimes, fraud, theft, identity theft, or excessive financial defaults MUST not be permitted access to Expedia Information.? Upon request and to the extent allowed by local law, Company will provide necessary evidence to Expedia of the screening and results.
1.3.2 SECURITY AWARENESS AND EDUCATION
- Anyone who has access to Expedia Information must complete information security awareness training, annually.? The training must educate employees and contingent staff on all applicable policies, procedures, and standards and the responsibility to secure confidential information such as Expedia Information.? Company shall be responsible for providing and verifying successful training of all Company employees and contingent staff.? Expedia’s online information security awareness training is available to anyone with an account on the Expedia corporate network; successful completion of the Expedia training is a requirement for continued access to the network, unless evidence of equivalent training is provided.Company must require employees to acknowledge, in writing or electronically, that they have completed all required training, and have read, understand, and agree to abide by all applicable security policies and procedures.? Upon request, Company must provide evidence and reports of training completion to Expedia.
1.4 PHYSICAL, ENVIRONMENTAL, EQUIPMENT, AND MEDIA SECURITY
- Company must implement controls that restrict unauthorized physical access to areas containing equipment used to access Expedia Information.? Company must monitor all areas containing equipment used to access Expedia Information for attempts at unauthorized access.? All secure areas must be enclosed by a perimeter that will deter unauthorized personnel from gaining access.? Personnel working in secure areas must be easily identified as authorized to work in that area.? Company must implement and maintain processes to verify that only authorized personnel with an approved business need may be permitted to work in secure areas.? Company must not allow visitors access to secure areas unescorted.? Company must ensure proper disposal of all Expedia Information using appropriately secured containers for shredding or other approved means.
- Company must only store Expedia Information in locations that will be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heat or cooling, and power failures or outages.? Company must implement controls to prevent or detect the removal of any equipment involved in accessing Expedia Information.? For purposes of clarity, this provision relates only to permanent storage facilities.? Portable media controls are listed below.
- If Company is contractually permitted to take Expedia Information off-site in any format, soft or hard copy, Company must in all cases take steps to protect such Expedia Information from unauthorized disclosure.? Expedia Information must not be transmitted to unauthorized external services/companies for transfer, storage, or backup.? When not in use, Expedia Information must be secured or locked away.
- When the use of Company-supplied removable or portable data storage media is authorized by Expedia to store or access Expedia Information, the media must be encrypted to industry-standard levels or similarly protected.
- Company must configure a password-protected inactivity timeout of fifteen (15) minutes, maximum, on workstations or laptops used to store or access Expedia Information.
- Company must have processes in place to return or completely destroy Expedia Information upon request, in any format in which it is stored, soft or hard copy, and must not allow personnel to discard any media containing Expedia Information except by secure methods that completely destroy the data.
1.5 COMMUNICATIONS AND OPERATIONS MANAGEMENT
1.5.1 OPERATIONAL SYSTEM SECURITY
On all Company IT systems used to access, process, or store Expedia Information:
- Company must follow documented change management procedures.? Company must ensure thorough testing of changes to IT systems to prevent negative security impacts.
- Company must establish repeatable controls to ensure secure configuration and system hardening, including changing default passwords and settings, and disabling of all unnecessary services/daemons, ports, and network traffic on all systems that connect to Expedia networks or access Expedia Information.
- Company must establish and maintain a patch management process for software (including open source software and firmware) covering network devices, servers, and desktop/laptop computers, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.? Company must deploy patches in a period of time that is commensurate with the criticality of the patch and sensitivity of Expedia Information accessed.? Critical security patches must be installed within one month of their release.
1.5.2 MALWARE PROTECTION
Company must deploy, enable, and keep up to date malware protection that detects, removes, and protects against all known types of malicious software on all IT systems that access, process, or store Expedia Information.? Company must ensure malware protection technology is configured to enable upon boot-up, set both automatic updates and periodic scans, and have logging enabled.? Infected systems must be removed from the network until verified as virus-free.
1.5.3 NETWORK, OPERATING SYSTEM, AND APPLICATION CONTROL
All systems or networks connecting to Expedia networks and/or accessing Expedia Information must employ safeguard controls capable of monitoring and blocking unauthorized network traffic.? Company must enable logging on network activity for audit, incident response, and forensic purposes.? Where such controls are not available, systems or networks used to access Expedia Information must be physically or logically separate from other Company networks.
1.5.4 LOGGING OF SYSTEM USE
Company must configure all Company systems used to access, process, or store Expedia Information to enable basic forensic accountability.? In the case of an information security incident involving Company-supplied laptops, desktops, or removable or portable data storage media used to access, process, or store Expedia Information, Company must provide access to the equipment or media to Expedia or Expedia’s representatives upon request, along with all relevant encryption/decryption keys necessary to enable forensic analysis, except when the incident involves the actual loss or destruction of the equipment or media.
Company servers used to access, process, or store Expedia Information must maintain sufficient audit logging to enable forensic analysis, including logging of security events, connectivity to services and sessions, and modification to user and configuration settings.? Audit logs must be maintained for a minimum of three months.? In the case of an information security incident involving Company servers used to access, process, or store Expedia Information, Company must provide access to the relevant audit logs to Expedia or Expedia’s representatives upon request to enable forensic analysis.
1.6 ACCESS CONTROL
1.6.1 EXPEDIA-MANAGED ENVIRONMENTS
Access to Expedia Information must be restricted to authorized users, only.? When the data resides physically or logically within Expedia-managed environments, Company access will be subject to Expedia’s access management policies and procedures.? Expedia must authorize all decisions for access to Expedia Information residing within Expedia-managed environments.? Company may not extend access to Expedia Information residing within Expedia-managed environments to third parties without prior written consent.? Expedia reserves the right to monitor all systems used to access Expedia-managed environments.? If Expedia provides equipment such as laptops used to access Expedia Information, the equipment will be subject to Expedia’s configuration and access management policies and procedures.? Company must immediately notify Expedia in writing if a Company employee or Company subcontractor with access to Expedia-managed systems terminates, no longer requires access to the Expedia account, or requires changes to the user account.? Notification must include name and User ID of the accounts or systems the person has access to.
220.127.116.11 REMOTE ACCESS CONTROL
Remote network connectivity to Expedia-managed environments must always use Expedia-approved methods such as SSL VPN when connecting.? Expedia’s Host Checker policy will not allow connection from equipment without the capability of meeting Expedia’s security requirements for remote management, encryption, and authentication.? Host Checker will verify equipment configurations such as current system patch levels, anti-virus software signatures and scanning engines, and personal firewalls.? If Company is contractually permitted to remotely access Expedia-managed environments with Company-supplied equipment, Expedia will provide Company with a list of current configuration requirements upon request.? Company shall be responsible for maintaining Company-supplied equipment configurations.
1.6.2 OUTSIDE OF EXPEDIA-MANAGED ENVIRONMENTS
If Company is contractually permitted to access, process, or store Expedia Information outside of Expedia-managed environments, Company must have an access management process that includes account authorization and management, password management and authentication, and remote access controls.? Company must not provide access to Expedia Information to any third party (including, without limitation, Company’s subsidiaries and affiliates, subcontractors, and any person or entity acting on behalf of Company) unless the access is necessary to carry out Company’s obligations under this Agreement; such third party is bound by the obligations that are at least of the same level as those set out in this Agreement, and, for Personal Data, such obligations must comply with the requirements of the applicable privacy laws including the GDPR.? Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company caused such breach.
18.104.22.168 COMPANY USER ACCESS MANAGEMENT
Expedia authorizes access to Expedia Information on a need-to-know basis.? All user accounts used to access Expedia Information must be unique and clearly associated with an individual user.? Company must ensure unique assignment of user IDs, tokens, or physical access badges provided to employee or contingent staff granted access to Expedia Information outside of Expedia-managed environments.? Company must ensure all user/system/service/administrator accounts and passwords are never shared.? Company is responsible for reviewing authorization privileges assigned to its employees and contingent staff on a monthly basis to ensure that access is appropriate for the user’s functioning role.? Access authorization should follow “principles of least privilege.”? Company must provide and ensure that IT administrators use separate and unique accounts for administration and non-administration responsibilities.? Company must ensure that procedures exist for prompt modification or termination of access rights in response to organizational changes.
22.214.171.124 PASSWORD MANAGEMENT AND AUTHENTICATION CONTROLS ON COMPANY SYSTEMS
Company must ensure that systems with access to Expedia Information require complex passwords with reasonable expiration, reuse, and lock-out controls.? Company must prohibit its users from sharing passwords.? Company must encrypt authentication credentials during storage and transmission.? Company must change passwords immediately for accounts suspected of compromise.
1.7 UNAUTHORIZED ACCESS TO EXPEDIA INFORMATION
Company shall not attempt to access, or allow access to, any Expedia Information which they are not authorized to access under this Agreement or associated Schedules/Statements of Work.? If such access is attained, Company shall immediately terminate such access, report such incident to Expedia, describe in detail the accessed Expedia Information and return or destroy any copied or removed Expedia Information upon Expedia’s instruction.
1.8 INFORMATION SECURITY INCIDENT MANAGEMENT
Company must establish and maintain procedures that ensure appropriate response to security incidents.? Management procedures should address monitoring, investigation, response, and notification.? Company must securely save evidence such as security logs for forensic analysis.? Incident response plans must include methods to protect evidence of activity from modification or tampering, and allow for the establishment of a proper chain of custody for evidence.
Company must notify Expedia without undue delay, and in no event later than twenty-four (24) hours after becoming aware of a verified Data Security Breach; within forty-eight (48) hours of a suspected Data Security Breach involving Personal Data; and within seventy-two (72) hours of any suspected compromise of information security, system abuse, and/or violation of information security policy involving Expedia Information; and must, at Company’s cost and expense, assist and cooperate with Expedia concerning any disclosures to affected parties and/or data protection authorities, and other remedial measures as requested by Expedia or required under applicable law.
Security notifications should be reported to Expedia Enterprise Information Security via the Relationship Manager.? If after hours, report notifications via the Expedia Global Service Desk by email at EXPHD@expedia.com or by phone at (866) 679-7227 or 00 800 80007227 (Europe).
1.9 BUSINESS CONTINUITY MANAGEMENT
Company must maintain a comprehensive and current: business continuity plan (“BCP”) that documents and implements processes and procedures to ensure essential business functions continue to operate during and after a disaster; and disaster recovery plan (“DRP”) that documents technical plans for specific restoration of Expedia Information, ensuring there is no reduction of security in a disaster.? If Company is allowed to store or process Expedia Information within its environment, it must ensure the availability of data through backups.? All such backups must employ encryption and be stored in a secure off-site location.
Company information security policies and practices must comply with all applicable laws and regulations and contractual obligations to Expedia.? Where local laws appear to prevent compliance with Expedia Information Security requirements, Company is responsible for notifying Expedia Enterprise Information Security to determine appropriate compensating controls.
1.11 RIGHT TO AUDIT
Expedia shall have the right to conduct, at Expedia’s cost, inspections, assessments and/or audits (e.g.? questionnaires, phone interviews, and onsite reviews), upon ten (10) days advance notice to Company, at a maximum of one (1) time per year, to evaluate compliance with these Requirements.? Company agrees to cooperate with Expedia or its assigned agents regarding such inspections, assessments and/or audits.? Company, at its own cost, will promptly correct deficiencies in the Technical and Organizational Security Measures identified by Company or by Expedia.
In addition to Expedia’s annual compliance audit, in the event of a verified Data Security Breach involving Expedia Personal Data, Company agrees, at its sole expense, to provide a mutually agreed upon third-party auditor, and any governmental authority acting pursuant to statutory powers, access for inspections, assessments and/or audits (e.g.? via questionnaires, phone interviews, and onsite reviews), and with no less than ten (10) days advance notice to Company, including access to Company’s facilities, systems, records, procedures and business practices to the extent related to the Data Security Breach and the contracted products and services.? The third-party auditors shall execute a mutually agreed-upon nondisclosure agreement with Company prior to commencing an audit.? Any such audit may take place during the term of the Agreement and for a period of two years thereafter, shall occur during normal business hours and shall not unreasonably interfere with Company’s normal business operations.? Company shall cooperate with third-party auditor’s agents regarding such inspections, assessments and/or audits.? Any such audit reports shall be shared with Expedia, subject to redaction of information reasonably considered highly sensitive and therefore confidential by Company.
SECTION 2: CODE OR SYSTEMS DEVELOPMENT AND MAINTENANCE
SCOPE OF SECTION 2: If Company’s services to Expedia include code that Expedia consumes or hosts, or where Company has in-house developers for systems that will access, process, or store Expedia Information, Company will comply with the provisions in Section 2:
2.1 APPLICATION SECURITY
Company must not allow Expedia production data in any development, test, quality assurance (“QA”), or other non-production environment.? If production-quality data is required for development or testing purposes, it must first be “sanitized” by manipulation of data that removes all personal data elements, including name, SSN or equivalent, credit card numbers, etc.? Company must ensure protection of Personal Data and Expedia Critical information that is stored in cache or cookies.
2.1.1 CRYPTOGRAPHIC CONTROLS
Where applicable, Company must use commercially available cryptographic algorithms and all deployed encryption solutions must follow best practices in key management.? Encryption keys must be protected against disclosure and misuse and must be rotated on a regular basis as defined by the level of sensitivity of information.? Retired keys must be destroyed.
2.1.2 SYSTEM SECURITY
Company must establish and maintain configuration standards for all network devices and hosts accessing, processing, or storing sensitive Expedia Information, addressing currently known security vulnerabilities and industry best security practices.? Company must ensure that software (including open source software and firmware) used in operational systems maintain current level of patching support by its supplier.
2.1.3 SECURE DEVELOPMENT AND SUPPORT
All software development done on behalf of Expedia must follow a documented software development process or life cycle (SDLC) with appropriate security checkpoints.? Company must validate and test firmware, software, and application source code against vulnerabilities and weaknesses before deploying code to production.? If Company develops software, it may be required to demonstrate the effectiveness of security controls prior to software acceptance.? All software deployed to a production status in Expedia’s environment must adhere to and utilize Expedia’s change control process.
2.2 SECURITY AWARENESS AND EDUCATION
Company shall be responsible for providing and verifying successful completion of secure development training based upon industry best-practice standards for all Company developers working with the applicable code or systems.? Expedia’s online secure developer training is available to all developers with an account on the Expedia corporate network; successful completion of the Expedia training is a requirement for applicable Company developers, unless evidence of equivalent training is provided.? Upon request, Company must provide evidence and reports of training completion to Expedia.
SECTION 3: ACCESS TO EMPLOYEE OR CUSTOMER PERSONAL DATA
SCOPE OF SECTION 3: If Company has access to or otherwise receives Personal Data (including, without limitation, of potential, current or former Expedia employees, customers, end-users or other individuals) in the course of providing services, Company will comply with the provisions in Section 3:
- Personal Data shall at all times remain the sole property of Expedia, and nothing in this Agreement will be interpreted or construed as granting Company any license or other right under any patent, copyright, trademark, trade secret, or other proprietary right to Personal Data.
- Company shall Process Personal Data only on the written instruction of Expedia and in accordance with this Agreement and applicable data privacy and security laws.? Expedia hereby instructs Company, and Company hereby agrees, to Process Personal Data as necessary to perform Company’s obligations under this Agreement and strictly for no other purpose.? Further details of the nature and purposes of the processing are set out at the applicable SOW governed by this Agreement.
- Company shall not create or maintain data which are derivative of Personal Data except for the purpose of performing its obligations under this Agreement and as authorized by Expedia.
- Company shall return, delete, or destroy (at Expedia’s request) all Personal Data relating to this Agreement, in any medium, including any copies and materials derived from or incorporating such Personal Data, upon the expiration or termination of this Agreement, or when there is no longer any legitimate business need (as determined by Expedia) to retain such Personal Data, or otherwise on the instruction of Expedia, but in no event later than ten (10) days from the date of such expiration, termination, or instruction.? If applicable law prevents or precludes the return or destruction of any Personal Data, Company shall notify Expedia and shall protect the Personal Data from any further Processing except Company’s obligations under this Agreement to protect the security of Personal Data shall survive termination of this Agreement.
- At any and all times during which Company is Processing Expedia Personal Data, Company shall:
- Comply with all applicable privacy and security laws to which it is subject, and not, by act or omission, place Expedia in violation of any applicable privacy or security law.
- Have in place appropriate Technical and Organizational Security Measures to protect the security of Personal Data and prevent a Data Security Breach, including, without limitation, a breach resulting from or arising out of Company’s internal use, Processing or other transmission of Personal Data, whether with Expedia, between or among Company’s subsidiaries and affiliates, or any other person or entity acting on behalf of Company.? Upon Expedia’s request, Company shall provide evidence that it has established and maintains Technical and Organizational Security Measures governing the Processing of Personal Data.
- Not disclose Personal Data nor permit any third party to access or Process Personal Data (including, without limitation, Company’s subsidiaries, affiliates, subcontractors or any person or entity acting on behalf of Company) unless with respect to such disclosure, accessing or Processing: (A)?the disclosure, accessing or Processing is necessary in order to carry out Company’s obligations under this Agreement; (B)?such third party is bound by provisions and obligations substantively equivalent to those set forth in this Agreement; (C)?Company has received Expedia’s prior written consent; and (D)?Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company caused such breach.
- Establish policies and procedures to provide all reasonable and prompt assistance to Expedia in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any Personal Data Processed by Company.
- Cross-border data transfers.
- Company shall not Process (and shall not permit any third party to Process) Personal Data outside the territory of origination unless it takes any required compliance measures to enable such transfer legally.
- With regard to EEA Data (defined below), Company shall not Process (and shall not permit any third party to Process) such data in any territory outside of the European Economic Area (“EEA”) unless it first informs Expedia and takes such measures as Expedia considers necessary to provide adequate protection for the EEA Data consistent with the requirements of Chapter V of the GDPR.? For the avoidance of doubt, such measures may include Company (or third party, as applicable):
- ensuring that it processes the EEA data in a country that has been deemed adequate by the European Commission pursuant to Article 45 of the GDPR;
- processing the EEA Data pursuant to Standard Contractual Clauses (or “model clauses”) approved by a decision of the European Commission;
- processing the EEA Data in compliance with Binding Corporate Rules that have been duly authorized by EEA data protection authorities that are competent for the EEA Data.
- with respect to transferring the EEA data to the United States, Processing such data pursuant to the EU-U.S. and/or Swiss-U.S. Privacy Shield Frameworks, as applicable.
- Ensure that any person (including Company’s staff, agents and Subcontractors) who is authorized to Process the Personal Data is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality.
- With regard to EEA Data, assist Expedia to conduct data protection impact assessments to the extent such assessments are required by the GDPR, and if necessary, consult with relevant supervisory authorities pursuant to Articles 35-36 of the GDPR.
SECTION 4: COMPANY REPRESENTATIONS, ACKNOWLEDGEMENTS, AND AGREEMENTS RELATED TO CARDHOLDER AND FINANCIAL/PAYMENT ACCOUNT DATA
SCOPE OF SECTION 4: If Company has access to or otherwise receives Expedia employee or customer financial/payment account numbers, including without limitation Cardholder Data, or provides Cardholder processing software to Expedia, Company will comply with the provisions in Section 4:
- Company represents that it is presently in compliance, and will remain in compliance with the current PCI DSS.? Company shall provide Expedia with a copy of its PCI DSS Attestation of Compliance annually at the time of filing, and immediately notify Expedia of any change in its PCI DSS compliance status.
- Company acknowledges that Cardholder Data is owned exclusively by Expedia, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Expedia, and further acknowledges that such Cardholder Data may be used only on the instruction of Expedia and in accordance with this Agreement, applicable privacy and security laws, and the operating regulations of the Payment Card Brands.
- Company agrees that, in the event of a Data Security Breach involving Cardholder Data, Company shall afford full cooperation and access to Company’s premises, books, logs and records by a designee of the Payment Card Brands to the extent necessary to perform a thorough security review and to validate Company’s compliance with the PCI Standards.
- If Company provides to Expedia software that processes any payments via a payment application, Company represents that software provided to Expedia has been assessed and complies with the PA-DSS, and agrees to provide Expedia with all documentation, including the PA-DSS Implementation Guide, necessary for Expedia to deploy the software in a manner consistent with PCI DSS.? Company agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS and provide updated documentation as necessary.
Last Revised January 31, 2018