ATTG Controller to Controller Data Privacy Addendum

Last Modified: October 6, 2025

This Data Privacy Addendum, including its Annexes (“DPA”) forms part of the Business Travel Services Agreement or other written or electronic agreement (e.g., “Letter of Agreement” or “Purchase Order Form”), referred to in this DPA as the “Agreement”, between Atlas Travel & Technology Group, Inc., including its brands, related corporate businesses, or affiliates (hereinafter referred to as “ATTG”) and Client in connection with the Services as defined in the Agreement.

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. 

The term of this DPA will follow the term of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

  1. Definitions
  2. Enforceability
  3. Parties as Controllers and compliance with Data Protection Laws
  4. Information Provided to Data Subjects
  5. Cooperation and Assistance
  6. Notifications
  7. Personal Data Breaches
  8. Data Subject Requests
  9. Data Transfers
  10. Data Retention
  11. Client’s Right to Audit
  12. Security
  13. Survival

Annex 1 – Details of Processing

Annex 2 – CCPA Data Protection and Security

1. Definitions 

The defined terms used in this DPA shall be read as having the meanings set forth in the Agreement. If a term is defined both in this DPA and elsewhere in the Agreement then, for purposes of this DPA, the definition in this DPA shall prevail. 

In this DPA, references to any Data Protection Laws and terms defined therein shall be replaced with or incorporate (as the case may be) references to any Data Protection Laws replacing, amending, extending, re-enacting, or consolidating such Data Protection Laws and the equivalent terms defined in such Data Protection Laws once in force and applicable.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection; privacy and/or electronic communications; interception and monitoring of communications; restrictions on or requirements relating to the processing of Personal Data of any kind, including laws addressing identity theft, security breaches, or Artificial Intelligence which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws. Any references to “Controller,” “Data Subject(s),” “Personal Data,” “Processor,” “Sale,” “Share,” “Special Category Data,” “Sensitive Data,” have meanings set out in and will be interpreted in accordance with such applicable laws (and “process,” “processed,” and “processing” will be construed accordingly).

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

“Client Personal Data” means Personal Data provided to ATTG by Client, its affiliates, employees, officers, contractors, representatives, agency workers, or end users to ATTG pursuant to the provision of the Services or otherwise in connection with the Agreement.

“Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data defined herein by reference within Data Protection Laws.

“Controller Purposes” means the purposes and methods for which the Controller Personal Data may be processed by a Controller, as detailed in Annex 1, Details of Processing.

“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.

“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded or replaced.

“Data Subject” means any natural person about whom Personal Data relates.

“Data Subject Request” means any request by a Data Subject in respect of Personal Data Processed by a Controller pursuant to the provision of the Services or otherwise in connection with the Agreement.

“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.

“Good Industry Practice” means the exercise of that degree of skill, diligence, prudence, and foresight which would reasonably and ordinarily be expected from a skilled and experienced operator engaged in the same type of undertaking under the same or similar circumstances.

“Personal Data” means any information relating to an identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person), or as that term (or similar variants, such as “personal information”) may otherwise be defined in Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data in ATTG’s possession or control. Personal Data Breaches include, but are not limited to: (i) unauthorized access, disclosure, loss, download, theft, blocking, encryption or deletion by malware or other unauthorized action in relation to Client Personal Data by unauthorized third parties; (ii) operational incidents which have an impact on the Processing of Client Personal Data; or (iii) any breach of this DPA or Data Protection Laws by ATTG, its employees or agents, to the extent that such breach affects the integrity and security of Client Personal Data or materially adversely impacts ATTG’s obligations under this DPA.

“Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, acquisition, transfer, hosting (via server, web, cloud, or otherwise), disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Any activity defined as processing by or otherwise subject to the requirements of Data Protection Laws shall fall within this definition. “Processed”, “Process” and any other variations of “Processing” shall also be defined as set out above.

“Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Relevant Controller” means any ATTG affiliate that is a Controller of any relevant in scope Personal Data. 

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as may be amended, superseded or replaced. 

“Supervisory Authority” means any data protection authority or other governmental, regulatory, administrative, judicial, or other agency or similar body that has authority to implement, enforce, and/or oversee compliance with Data Protection Laws.

“Supplier” means the transport, accommodation and other wholesale service providers such as airlines, coach, rail and car rental operators who ATTG engages on the Client’s behalf to deliver travel related products and services to the Client.

“Switzerland Addendum” means the Swiss Addendum to the EU Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2. Enforceability 

Each Relevant Controller will be entitled to enforce the obligations of this Data Privacy Addendum and any Attachments referred to herein against the Client, in respect of the Controller Personal Data for which it is a Controller. 

3. Parties as Controllers and compliance with Data Protection Laws

The parties acknowledge that, in order to provide the Services, ATTG must necessarily process Client Personal Data as a Controller. Each party shall act as a separate and independent Controller (and not as a joint Controller or Processor) in relation to all Client Personal Data it Processes under and/or in connection with this Agreement and the Services. Each party shall comply with all Data Protection Laws in respect of its Processing of Client Personal Data and shall ensure that it has a lawful basis for all such Processing, where applicable. Where an affiliate of a party is a Controller or Processor of Client Personal Data under this Agreement, such party shall ensure that its affiliate complies with its obligations under the Data Protection Laws and this DPA as applicable. 

To the extent that the CCPA applies to the processing of Client Personal Data, Annex 2, CCPA Data Protection and Security, shall apply. Without limiting the foregoing, each party shall refrain from “selling” (as defined by the CCPA at Cal. Civ. Code § 1798.140(t), as it may be amended) or transferring Client Personal Data other than in compliance with the Data Protection Laws or as defined in this agreement.

4. Information Provided to Data Subjects

The Client represents and warrants that prior to sharing any Client Personal Data with ATTG, Client shall provide all notifications (including privacy notices) to the Data Subjects that are clear and intelligible as well as easily accessible, and which includes details of the sharing with ATTG and its future processing for the Controller Purposes and as contemplated under the DPA as required by Data Protection Laws to the relevant Data Subject in each case with respect to the sharing of Client Personal Data with ATTG. (Client shall provide ATTG with a copy of such privacy notice upon request). Where ATTG collects Client Personal Data directly from Data Subjects, ATTG shall be responsible for ensuring that it provides clear and transparent information to Data Subjects, as required under Data Protection Laws, in relation to the relevant Processing.

5. Cooperation and Assistance

Each party shall provide the other party with such reasonable cooperation, assistance and information as will assist that other party with its compliance with Data Protection Laws, including but not limited to in relation to the response to Personal Data Breaches and the implementation of measures to mitigate their possible adverse effects and protect the interest and rights of relevant Data Subjects.

For avoidance of doubt, the obligation of mutual cooperation shall not imply authorization to represent the other Party in contact with Data Subjects or Data Protection Authorities and Regulators. 

6. Notifications

Each party shall promptly notify the other (to the extent permitted by law) in writing providing reasonable detail of: 

6.1 Any Client Personal Data that should not have been shared or in respect of which a Data Subject has withdrawn consent, requested deletion, or objected to/opted out of certain processing or third-party complaint, audit, investigation or enquiry (whether by a Supervisory Authority, Data Subject or otherwise) establishing, alleging or enquiring as to possible noncompliance with any Data Protection Laws in connection with Client Personal Data maintained by or for such party, and the parties will cooperate reasonably with each other in respect thereof.

7. Personal Data Breaches

The parties are aware that Data Protection Laws may impose a duty on a party to inform a Supervisory Authority and the Data Subject in the event of Personal Data Breach affecting Client Personal Data. In addition to complying with notification requirements under Data Protection Laws, ATTG shall promptly notify the Client of any technical, organizational or other incidents (including incidents at Processors) which have resulted in a Personal Data Breach affecting Client Personal Data. ATTG’s notification of a Personal Data Breach to the Client must be comprehensive and include any information required by Data Protection Laws, as and to the extent such information is available. To the extent the Client suffers a Personal Data Breach that has an impact on the Services provided under this agreement or the Client Personal Data, Client shall notify the ATTG Security Operations Center at SOC@atlastravel.com of such Personal Data Breach as soon as reasonably practicable and before it is made public or notified to a Data Protection Supervisory Authority, Regulator, or Data Subject. 

In the event of a Personal Data Breach, ATTG shall promptly take any measures required and appropriate under Data Protection Laws and technical standards to restore the confidentiality, integrity and availability of Client Personal Data and the resilience of ATTG’s processing systems and services and to mitigate the risk of harm and/or any detrimental consequences for the Data Subjects affected or potentially affected by the Personal Data Breach.

8. Data Subject Requests

Each party will provide the other party with reasonable assistance in complying with any Data Subject Request.

9. Data Transfers

Parties acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by ATTG in the United States and to other jurisdictions where ATTG affiliates and Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

10. Transfer Mechanisms for Data Transfers

Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

In order to enable the efficient and effective delivery of its Services, ATTG may from time to time transfer and Process Client Personal Data from Europe to other jurisdictions. This shall be permitted only where: (i) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the traveler (for example, to book travel or accommodation through a Supplier in a non-European country) or where the transfer is required by applicable law; and (ii) ATTG has done all such acts and things as are necessary to ensure that any Client Personal Data transferred outside of Europe (whether to an ATTG affiliate, a Processor, or otherwise) will remain adequately protected in accordance with the requirements of Data Protection Laws. 

(A) ATTG will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

(B) Client acknowledges that in connection with the performance of the Services, ATTG is a recipient of European Data in the United States. To the extent that ATTG receives European Data in the United States, ATTG will comply with the following:

    1. Data Privacy Framework. ATTG will use the Data Privacy Framework to lawfully receive European Data in the United States and ensure that it provides at least the same level of protection to such European Data as is required by the Data Privacy Framework Principles and will let you know if it is unable to comply with this requirement.
    2. Standard Contractual Clauses. If European Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer to ATTG and/or the Data Privacy Framework is invalidated), the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:

(a) In relation to European Data that is subject to the GDPR

(i) Client is the “data exporter” and ATTG is the “data importer”;

(ii) the Module One terms apply;

(iii) in Clause 7, the optional docking clause will not apply;

(iv) in Clause 11, the optional language is deleted; 

(v) in Clause 17, Option 1 will apply and the governing law will be the Republic of Ireland;

(vi) in Clause 18(b), disputes will be resolved before the courts of Ireland;

(vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; 

(viii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and

(ix) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.

(b) In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

(c) In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.

(C) Alternative Transfer Mechanism. In the event that ATTG is required to adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described in sub-section (B) above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.

11. Data Retention

ATTG acknowledges that, as a general rule, Personal Data may not be kept indefinitely or longer than necessary for the intended Processing. Client Personal Data may only be retained for so long as is necessary to satisfy all applicable lawful bases for Processing, where applicable, and otherwise for such period as required by Data Protection Laws, and always provided that ATTG shall ensure that such retained Personal Data is (i) kept confidential and protected against unauthorized access, disclosure or use and (ii) only Processed as necessary for the purpose specified in the Data Protection Laws permitting its storage and other Processing and for no other purpose.

12. Client’s Right to Audit

ATTG shall keep or cause to be kept such information as is reasonably necessary to demonstrate compliance with its obligations under this DPA and shall, upon reasonable notice during the term of the Agreement, make available to the Client information necessary to demonstrate compliance with its obligations under this DPA where such information is not subject to confidentiality restrictions owed to third parties. Without limiting the foregoing, ATTG shall make available to the Client, upon written request: (i) a list of all Processors appointed by ATTG to Process Client Personal Data; and (ii) a copy of its most recent PCI DSS Attestation of Compliance, to the extent the Client Personal Data includes any payment cardholder data. Any non-public documentation and information disclosed to the Client in accordance with this paragraph shall be deemed proprietary and confidential information of ATTG. The Client shall not disclose such documentation or information to any third party or use it for any purpose other than evaluating ATTG’s compliance with this DPA.

13. Security

In accordance with Good Industry Practice and Data Protection Laws, each party shall implement appropriate technical and organizational security measures (including maintaining any security controls) to ensure a level of security for Personal Data in such party’s possession or control that is appropriate to the risk presented by the Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data transmitted, stored or otherwise Processed. 

Without prejudice to the generality of the foregoing, the minimum technical and organizational security measures that ATTG shall implement and maintain are made available at https://atlastravelandtechnology.com/attg-technical-and-organizational-measures/ which are incorporated by reference into this DPA. ATTG may, from time to time, implement adequate alternative technical and organizational security measures provided, however, that such measures shall not materially fall short of the level of security set out herein. 

14. Survival

The undertakings in this DPA shall remain in force even after termination or expiration of the Agreement.

Annex 1 – Details of Processing

A. LIST OF PARTIES 

Data exporter(s): 

Name: The Client, as defined in the Agreement

Address: The Client’s address, as set out in the Agreement

Contact person’s name, position and contact details: The Client’s contact details, as set out in the Agreement. 

Activities relevant to the data transferred under these Clauses: Travel management services

Role (controller/processor): Controller

Data importer(s): 

Name: Atlas Travel & Technology Group, Inc.

Address: 200 Donald Lynch Boulevard, Marlborough, MA 01752

Contact person’s name, position and contact details: Lea Cahill, President

Activities relevant to the data transferred under these Clauses: Travel management services

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER 

Categories of data subjects whose personal data is transferred: Client travelers 

Categories of personal data transferred: 

The types of personal data include:

Identification Data: Name, title, date of birth, nationality, gender, passport details, visa information, national ID information (if required for specific destinations/services).

Contact Data: Email address, phone number, address, optional alternate contacts, or optional travel companions 

Travel-Related Data: Frequent flyer numbers, loyalty program memberships, travel preferences (e.g., seat preferences, meal preferences, disability assistance requirements), known traveler numbers (e.g. TSA PreCheck, Global Entry), travel history, travel itinerary details, booking locators (booking ID, passenger name record (PNR), airline locator).

Financial Data: Credit or debit card details (card number, expiry date, cardholder name), bank account data, invoice details.

Sensitive data transferred (if applicable) and applied restrictions or safeguards: 

In some circumstances, we may collect personal data from you which may be regarded as sensitive information under your local data protection laws. Sensitive information may include (without limitation) your racial or ethnic origin, philosophical or religious beliefs or affiliations, sexual orientation, membership of political, professional or trade associations (for use in booking special rates), biometric and genetic information, and financial information and health-related information (e.g. to provide appropriate travel accommodation and accessibility or facility requirements or dietary restrictions for health reasons).

The Technical and Organizational Measures are made available at https://atlastravelandtechnology.com/attg-technical-and-organizational-measures/ which are incorporated by reference into this DPA.

Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): 

Continuous basis for the purposes of fulfilling the travel management services. 

Nature of the processing:

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities: 

  1. Storage and other Processing necessary to provide, maintain and improve the travel management services provided to you; and/or
  2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws. 

Purpose(s) of the data transfer and further processing:

The primary purpose of the Processing is for the provision of the Services pursuant to the Agreement. This includes:

  • Booking, modifying, and canceling travel arrangements (flights, hotels, car rentals, rail).
  • Processing payments for travel services and managing billing.
  • Providing travel itineraries, confirmations, and updates.
  • Facilitating visa and immigration applications and related documentation.
  • Assisting with corporate expense management integration (if applicable).
  • Managing traveler profiles, preferences, and loyalty program memberships.
  • Providing reporting and analytics to the Client on travel spend, compliance, and traveler activity.
  • Supporting duty of care obligations (e.g., traveler tracking, emergency assistance, risk management).
  • Communicating with travelers regarding their bookings, travel disruptions, and other relevant travel information.
  • Issuing virtual and physical payment cards.
  • Opening and operating financial accounts to pay for travel and expense.
  • Facilitating group travel, meetings, and events (where applicable).
  • Providing customer support and issue resolution related to travel services.

Period for which the personal data will be retained

Subject to the “Data Retention” section of this DPA, Personal Data will be Processed for the duration of the Term of the Agreement, unless otherwise agreed in writing.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: 

Personal Data may be collected and shared with or disclosed to third party service providers for the provision of the Services pursuant to the Agreement including travel booking and related travel management services.

C. COMPETENT SUPERVISORY AUTHORITY 

The competent supervisory authority shall be the competent authority of the country in which the data exporter is established.

Annex 2 – CCPA Data Protection and Security
  1. Capitalized terms used and not defined herein have the meaning(s) given to them in the Agreement. In the event of any conflict between this CCPA Annex and the Agreement, the terms of this CCPA Addendum prevail.  
  2. The terms “Business Purpose”, “Personal Information”, “Sensitive Personal Information”, “Sale”, “Share”, and “Service Provider” have the meanings ascribed to them in the CCPA. In this CCPA Addendum the term Personal Information includes Sensitive Personal Information. 
  3. Parties will not: 
    a. Sell or Share any Personal Information; 
    b. Retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any commercial purpose, or (ii) outside of the direct business relationship between the parties; or 
    c. Combine Personal Information received from or on behalf of ATTG with Personal Information received from or on behalf of any third party, or collected from parties’ own interaction with individuals or data subjects, except to perform a Business Purpose that is permitted by the CCPA and the Agreement.
  4. Parties shall not disclose or transfer Personal Data to any third party unless permitted by this agreement or as compelled by applicable law;
  5. Parties shall implement appropriate technical and organizational measures reflective of current best industry practice and technological development to protect Personal Data against accidental or unlawful destruction or accidental loss;
  6. Parties shall notify each other within 24 hours of becoming aware of any Personal Data Breach and implement at their own expense all corrective measures necessary to remedy the causes of the Personal Data Breach. 
  7. Indemnification and liability: In addition to other indemnification obligations set forth in the agreement, Third Party shall be liable for and shall indemnify, defend, and hold harmless ATTG, its affiliates, officers, employees, and agents from and against any and all costs, liabilities, and claims of whatsoever nature incurred by ATTG arising out of or in connection with any Breach, negligent act, error or omission by Third Party, their staff or subcontractors arising out of or in connection with the Data Protection and Security Requirements under this agreement.
    a. The parties acknowledge that the Personal Information disclosed is provided only for the limited and specified purposes set forth in the Agreement. The Supplier shall provide the same level of protection to Personal Information as required by the CCPA and as more fully set out in the Agreement.
    b. Parties may take such reasonable steps as may be necessary (a) to remediate the unauthorized use of Personal Information, and (b) to ensure that Personal Information is used in accordance with the terms of this CCPA Annex and the Agreement.
    c. Parties shall immediately notify the other party if it is not able to meet the requirements under this CCPA Annex.
    d. This CCPA Annex shall not change any of the other rights, obligations, and terms under the Agreement. Subject to the modifications herein, the Agreement shall remain in full force and effect.