Last Modified: October 11, 2023
This Data Privacy Addendum, including its Annexes (“DPA”) forms part of the Business Travel Agreement or other written or electronic agreement (e.g., “Letter of Agreement” or “Purchase Order Form”), referred to in this DPA as the “Agreement”, between Atlas Travel & Technology Group, Inc., including its brands, related corporate businesses, or affiliates (hereinafter referred to as “ATTG”) and Client in connection with the Services as defined in the Agreement.
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
The term of this DPA will follow the term of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Annex 1 – Details of Processing
Annex 2 – Technical and Organizational Security Measures
The defined terms used in this Data Privacy Addendum shall be read as having the meanings set forth in the Agreement. If a term is defined both in this Data Privacy Addendum and elsewhere in the Agreement then, for purposes of this Data Privacy Addendum, the definition in this Data Privacy Addendum shall prevail.
In this Data Privacy Addendum, references to any Applicable Privacy Laws and terms defined therein shall be replaced with or incorporate (as the case may be) references to any Applicable Privacy Laws replacing, amending, extending, re-enacting, or consolidating such Applicable Privacy Laws and the equivalent terms defined in such Applicable Privacy Laws once in force and applicable.
The parties acknowledge that, in order to provide the Services, ATTG must necessarily process Client Personal Data as a Controller. Each party shall act as a separate and independent Controller (and not as a joint Controller) in relation to all Client Personal Data it Processes under and/or in connection with this Agreement and the Services. Each party shall comply with all Applicable Privacy Laws in respect of its Processing of Client Personal Data and shall ensure that it has a lawful basis for all such Processing, where applicable. Where an affiliate of a party is a Controller or Processor of Client Personal Data under this Agreement, such party shall ensure that its affiliate complies with its obligations under the Applicable Privacy Laws and this Data Privacy Addendum as applicable.
Without limiting the foregoing, each party shall refrain from “selling” (as defined by the CCPA at Cal. Civ. Code § 1798.140(t), as it may be amended) or transferring Client Personal Data other than in compliance with the Applicable Privacy Laws.
Prior to sharing any Client Personal Data with ATTG, Client shall provide all notifications required by Applicable Privacy Laws to the relevant Data Subject in each case with respect to the sharing of Client Personal Data with ATTG. Where ATTG collects Client Personal Data directly from Data Subjects, ATTG shall be responsible for ensuring that it provides clear and transparent information to Data Subjects, as required under Applicable Privacy Laws, in relation to the relevant Processing.
Each party shall provide the other party with such reasonable cooperation, assistance and information as is needed to assist that other party with its compliance with Applicable Privacy Laws.
Each party shall promptly notify the other (to the extent permitted by law) in writing providing reasonable detail of any third-party complaint, audit, investigation or enquiry (whether by a Supervisory Authority, Data Subject or otherwise) establishing, alleging or enquiring as to possible noncompliance with any Applicable Privacy Laws in connection with Client Personal Data maintained by or for such party, and the parties will cooperate reasonably with each other in respect thereof.
The parties are aware that Applicable Privacy Laws may impose a duty on a party to inform a Supervisory Authority and the Data Subject in the event of Personal Data Breach affecting Client Personal Data. In addition to complying with its notification requirements under Applicable Privacy Laws, ATTG shall promptly notify the Client of any technical, organizational or other incidents (including incidents at Processors) which have resulted in a Personal Data Breach affecting Client Personal Data. ATTG’s notification of a Personal Data Breach to the Client must be comprehensive and include any information required by Applicable Privacy Laws, as and to the extent such information is available. In the event of a Personal Data Breach, ATTG shall promptly take any measures required and appropriate under Applicable Privacy Laws and technical standards to restore the confidentiality, integrity and availability of Client Personal Data and the resilience of ATTG’s processing systems and services and to mitigate the risk of harm and/or any detrimental consequences for the Data Subjects affected or potentially affected by the Personal Data Breach.
Each party will provide the other party with reasonable assistance in complying with any Data Subject Request.
In accordance with Good Industry Practice and Applicable Privacy Laws, each party shall implement appropriate technical and organizational security measures (including maintaining any security controls) to ensure a level of security for Personal Data in such party’s possession or control that is appropriate to the risk presented by the Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data transmitted, stored or otherwise Processed.
Without prejudice to the generality of the foregoing, the minimum technical and organizational security measures that ATTG shall implement and maintain are set out in Annex 2 to this Data Privacy Addendum. ATTG may, from time to time, implement adequate alternative technical and organizational security measures provided, however, that such measures shall not materially fall short of the level of security set out herein.
ATTG shall ensure that all personnel involved in the Processing of Client Personal Data are properly qualified and trained and have committed themselves to keep Client Personal Data confidential or are under an appropriate statutory obligation of confidentiality in accordance with Applicable Privacy Laws.
Where required, each party will appoint authorized data privacy and security contact personnel.
If ATTG engages a third-party Processor to process Client Personal Data for the purpose of providing the Services, ATTG shall agree to written terms with the Processor that: (i) require the Processor only to process the Client Personal Data for the purpose of delivering the Services; (ii) require the Processor to implement appropriate technical and organizational security measures, with at least the same level of protection or higher as those in this Data Privacy Addendum, to protect the Client Personal Data against a Personal Data Breach; and (iii) otherwise comply with the requirements of Applicable Privacy Laws. ATTG shall remain responsible to the Client for any breach of this Data Privacy Addendum that is caused by an act, error or omission of the Processor.
Notwithstanding the above, Client acknowledges that the Suppliers to whom ATTG discloses Client Personal Data in order to provide the Services are independent Controllers under Applicable Privacy Laws, and not Processors. As such, the requirements concerning Processors described in the preceding paragraph do not apply to ATTG’s disclosure of Client Personal Data to Suppliers.
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by ATTG in the United States. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Applicable Privacy Laws.
(A) In order to enable the efficient and effective delivery of its Services, ATTG may from time to time transfer and Process Client Personal Data from Europe to other jurisdictions. This shall be permitted only where: (i) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the traveler (for example, to book travel or accommodation through a Supplier in a non-European country) or where the transfer is required by applicable law; and (ii) ATTG has done all such acts and things as are necessary to ensure that any Client Personal Data transferred outside of Europe (whether to an ATTG affiliate, a Processor, or otherwise) will remain adequately protected in accordance with the requirements of Applicable Privacy Laws.
(B) Client acknowledges that in connection with the performance of the Services, ATTG may ensure such adequate protection by executing Standard Contractual Clauses. Subject to sub-section (C), the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the DPA as follows:
(a) EEA Transfers. In relation to European Data that is subject to the GDPR, where Client is the “data exporter” and ATTG is the “data importer”;
(i) Module One will apply;
(ii) in Clause 7, the optional docking clause will not apply;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply and the governing law will be the Republic of Ireland;
(v) in Clause 18(b), disputes will be resolved before the courts of Ireland;
(vi) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and
(vii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
(b) UK Transfers. In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(c) Swiss Transfers. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications:
(i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;
(ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Switzerland and Swiss law; and
(iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
(C) Although ATTG does not currently rely on the EU-US Privacy Shield as a legal basis for transfers of European Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as ATTG is self-certified to the Privacy Shield ATTG will process European Data in compliance with the Privacy Shield Principles and let you know if it is unable to comply with this requirement. In the event that ATTG adopts an alternative transfer mechanism (including any new or successor version of the EU-US Privacy Shield) for transfers of European Data to ATTG, such alternative transfer mechanism will apply automatically instead of the Standard Contractual Clauses described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
The Client may in its absolute discretion by written notice require ATTG to return a complete copy of all Client Personal Data to the Client (or its nominee) by secure file transfer in such format as is reasonably notified by the Client. The Client shall be responsible for providing Data Subjects with any notice required under Applicable Privacy Laws in relation to such request.
ATTG acknowledges that, as a general rule, Personal Data may not be kept indefinitely or longer than necessary for the intended Processing. Client Personal Data may only be retained for so long as is necessary to satisfy all applicable lawful bases for Processing, where applicable, and otherwise for such period as required by Applicable Privacy Laws, and always provided that ATTG shall ensure that such retained Personal Data is (i) kept confidential and protected against unauthorized access, disclosure or use and (ii) only Processed as necessary for the purpose specified in the Applicable Privacy Laws permitting its storage and other Processing and for no other purpose.
ATTG shall keep or cause to be kept such information as is reasonably necessary to demonstrate compliance with its obligations under this Data Privacy Addendum and shall, upon reasonable notice during the term of the Agreement, make available to the Client information necessary to demonstrate compliance with its obligations under this Data Privacy Addendum where such information is not subject to confidentiality restrictions owed to third parties. Without limiting the foregoing, ATTG shall make available to the Client, on request: (i) a list of all Processors appointed by ATTG to Process Client Personal Data; and (ii) a copy of its most recent PCI DSS Attestation of Compliance, to the extent the Client Personal Data includes any payment cardholder data. Any non-public documentation and information disclosed to the Client in accordance with this paragraph shall be deemed proprietary and confidential information of ATTG. The Client shall not disclose such documentation or information to any third party or use it for any purpose other than evaluating ATTG’s compliance with this Data Privacy Addendum.
The undertakings in this Data Privacy Addendum shall remain in force even after termination or expiration of the Agreement.
Data exporter(s):
Name: The Client, as defined in the Agreement
Address: The Client’s address, as set out in the Agreement
Contact person’s name, position and contact details: The Client’s contact details, as set out in the Agreement.
Activities relevant to the data transferred under these Clauses: Travel management services
Role (controller/processor): Controller
Data importer(s):
Name: Atlas Travel & Technology Group, Inc.
Address: 200 Donald Lynch Boulevard, Marlborough, MA 01752
Contact person’s name, position and contact details: Lea Cahill, President
Activities relevant to the data transferred under these Clauses: Travel management services
Role (controller/processor): Controller
Categories of data subjects whose personal data is transferred: Client travelers
Categories of personal data transferred: Personal data including, but not limited to, name, address, phone number(s), email address(es), passport or other government issued identification numbers, credit card details, travel preferences and loyalty membership identification, gender, birthdate, and meal preferences.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis for the purposes of fulfilling the travel management services.
Nature of the processing:
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
Purpose(s) of the data transfer and further processing:
The provision of the Services pursuant to the Agreement, including travel booking and related travel management services.
Period for which the personal data will be retained:
Subject to the “Return of Data” and the “Data Retention” sections of this DPA, Personal Data will be Processed for the duration of the Term of the Agreement, unless otherwise agreed in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Personal Data may be collected and shared with or disclosed to third party service providers for the provision of the Services pursuant to the Agreement including travel booking and related travel management services.
For the purposes of the Standard Contractual Clauses, the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.
In addition to the terms set forth in this Data Privacy Addendum, ATTG commits to implement and maintain technical and organizational security measures at least as stringent as those included below (details may change over time but the overall level of security will not decrease):
1. DATA SECURITY GOVERNANCE
ATTG maintains internal organizational and governance policy and procedures to appropriately manage information throughout its lifecycle. ATTG regularly tests, assesses and evaluates the effectiveness of its technical and organizational security measures.
ATTG will adhere to the applicable requirements of the Payment Card Industry Data Security Standard (PCI DSS) when Processing payment card data.
2. PHYSICAL ACCESS CONTROL
ATTG uses a variety of measures appropriate to the function of the location to prevent unauthorized access to the physical premises where Personal Data are Processed. Those measures include:
3. SYSTEM ACCESS CONTROL
ATTG implements appropriate measures to prevent its systems from being used by unauthorized persons. Those measures include:
4. DATA ACCESS CONTROL
Individuals that are granted use of ATTG systems are only able to access the data that are required to be accessed by them within the scope of their responsibilities and to the extent covered by their respective access permission (authorization) and such data cannot be read, copied, modified or removed without specific authorization. Those measures include:
5. DISCLOSURE CONTROL
ATTG implements appropriate measures to prevent data from being read, copied, altered or deleted by unauthorized persons during electronic transmission and during the transport of data storage media. ATTG also implements appropriate measures to verify to which entities’ data are transferred. Those measures include:
6. DATA ENTRY CONTROL
ATTG implements appropriate measures to monitor whether data have been entered, changed or removed (deleted), and by whom. Those measures include:
7. INSTRUCTIONAL CONTROL
ATTG implements appropriate measures to ensure that data may only be Processed in accordance with relevant instructions. Those measures include:
8. AVAILABILITY CONTROL
ATTG maintains appropriate levels of redundancy and fault tolerance for accidental destruction or loss of data, including:
9. SEPARATION CONTROL
ATTG implements appropriate measures to ensure that data that are intended for different purposes are Processed separately. This is accomplished by: