Data Processing Agreement

This Data Processing Addendum (“DPA”) supplements the Travel Curious Supplier Contract, or other agreement in place (the “Services Agreement”) between Supplier and Travel Curious Ltd. (the “Customer”).

The Customer and Supplier may share Personal Information with the other Party in connection with the Services in respect of which both the Customer and the Supplier are a controller (“Shared Personal Data”). The Parties intend that the processing activities carried out by either Party shall comply with the provisions of this DPA and the Services Agreement.

1. DATA PROCESSING AND PROTECTION.

1.1. Each Party shall be responsible for its compliance with all applicable obligations imposed by Privacy Laws in relation to the Shared Personal Data.

1.2. To the fullest extent permitted by Privacy Laws, Customer and Supplier shall each be independent controllers and not joint controllers of the Shared Personal Data and as such independently determine the purposes and the means of the processing of that Shared Personal Data. In particular, each Party shall be individually responsible for ensuring that its processing of the Shared Personal Data is lawful, fair and transparent in accordance with Privacy Laws on the basis that the Individual has unambiguously given his or her consent, or on the basis of some other valid ground provided for in Privacy Laws.

1.3. In the event that either Party receives in respect of the Shared Personal Data: (i) any request from an Individual to exercise any of his or her rights under Privacy Laws (including the rights of access, rectification, objection, erasure, restriction or data portability, as applicable), or (ii) any other correspondence, enquiry or complaint from an Individual, supervisory authority or other third party in connection with the processing of the Shared Personal Data (collectively, “Correspondence”), then where such Correspondence relates to processing conducted by the other Party, the receiving Party shall promptly inform the other Party and the Parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Privacy Laws.

1.4. Each Party shall implement and maintain appropriate technical and organizational measures to protect any Shared Personal Data in its possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

1.5. Each Party warrants and represents that it shall give appropriate notices to Individuals as may be required in accordance with Privacy Laws.

1.6. Neither Party shall make any statement (or provide any documents) about matters concerning the processing of Shared Personal Data provided by the other Party without the prior written approval of that other Party, except where a Party is legally required to make a statement (or provide any documents) without such approval, in which case that Party shall promptly provide to the other Party a copy of any such statements or documents unless prohibited by applicable law.

1.7. For purposes of this DPA, “Cardholder Information” means any Shared Personal Data that includes: (a) with respect to a payment card, the account holder’s name, account number, service code, card validation code/value, PIN or PIN block, valid to and from dates and magnetic stripe data; and (b) information relating to a payment card transaction that is identifiable with a specific account. If a Party has access to Cardholder Information, such Party must at all times comply with the security standards for the protection of Cardholder Information with which payment card companies require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standard (PCI DSS) currently in effect and as may be updated from time to time (“PCI Standards”).

2. DATA TRANSFERS.

2.1. Restricted Transfers of Personal Information Subject to GDPR or Adopting Countries. Except as otherwise set forth in this paragraph, the SCCs will apply to (i) any Transfer of Personal Information that is subject to the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”), or the laws of a country outside the European Economic Area (“EEA”) in which the competent authority has approved the use of the SCCs (each, an “Adopting Country”) or otherwise requires a legal basis for the Transfer of Personal Information; and (ii) any onward Transfer of such Personal Information to Supplier located outside of the EEA or the United Kingdom (or if such Supplier will access EU data from outside of the EEA or the United Kingdom).

2.1.1. Where the Transfer relates to Personal Information of an Adopting Country, the Parties agree that:

(i) all references in the SCCs to “EU,” “Union” or “Member State” will be interpreted as references to the Adopting Country;

(ii) all references to EU law will be interpreted as references to the relevant provisions of the Adopting Country’s data protection law;

(iii) for the purpose of Clause 17 of the SCCs, the SCCs will be governed by the law of the Adopting Country for the transfer of Personal Information subject to the data protection laws of the Adopting Country;

(iv) for the purpose of Clause 18 of the SCCs, any dispute arising from the SCCs will be resolved by the courts of the Adopting Country; and

(v) for the purpose of Annex I.C of the SCCs, the competent data protection authority is the data protection authority of the Adopting Country.

2.2. The SCCs are incorporated into and form part of this DPA.

2.3. Restricted transfers from the United Kingdom under the SCCs: In case of any transfers of Personal Information from the United Kingdom subject to the data protection laws of the United Kingdom, the UK Addendum to the SCCs attached as Annex III to the SCCs shall apply.

2.4. For avoidance of doubt, either Party must continue to comply with its general obligations under Section 1 of this DPA, in addition to Section 2, where applicable.

3. THIRD-PARTY BENEFICIARIES.

The Parties agree that Customer’s affiliates are intended third-party beneficiaries of this DPA and that this DPA is intended to inure to the benefit of such affiliates. Without limiting the foregoing, Customer affiliates will be entitled to enforce the terms of this DPA as if each was a signatory to this DPA. Customer also may enforce the privacy and data security provisions on behalf of Customer affiliates (instead of Customer affiliate(s) separately bringing a cause of action against Supplier). Supplier will be entitled to rely solely on Customer’s instructions relating to Customer Information.

4. MISCELLANEOUS.

4.1. Upon termination of the Services Agreement, a Party’s relevant obligations under this DPA shall survive to the extent that such Party continues to process Shared Personal Data. Notwithstanding the foregoing, Customer is not permitted to process Supplier’s Personal Data after the Testing Period, as defined in the Amendment 1 to Order Form #1798.

4.2. If there are any conflicts or inconsistencies between this DPA and the Services Agreement, the provisions in this DPA shall prevail (but only to the extent there is such a conflict or inconsistency). To the extent there is any conflict between this DPA and the terms of any applicable SCCs, the terms of the SCCs will prevail. Nothing within this DPA shall relieve either Party of its own direct obligations and liabilities under Privacy Laws.

4.3. The Parties agree that this DPA may be amended only by written agreement between the Parties.

4.4. This DPA may be executed in several counterparts (including delivery via facsimile or electronic mail), each of which will be deemed to be an original but all of which together will constitute one and the same instrument.

5. CONTRACT OF ADHERENCE

5.1. The Parties agree that subject to the prior agreement of Customer, a new Party may be added to this DPA, provided that it is a Customer affiliate, with effect on and from when it executes and enters into a Contract of Adherence so as to be bound by this DPA as a Party.

5.2. The Parties hereby authorize Customer to execute for and on their behalf a Contract of Adherence with any such new Party.

6. GOVERNING LAW

6.1 The Parties acknowledge and agree that, in any action between or among them related to the enforcement of this DPA, this DPA shall be governed by, and construed in accordance with, the laws of England and Wales. The Parties to this DPA irrevocably agree that the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

7. DEFINITIONS.

Capitalized terms used but not defined in this DPA will have the meanings set forth in the applicable Services Agreement.

7.1. “Approved Purpose” means the purpose for the transfer of the Shared Personal Data, as set out in Schedule A.

7.2. “SCCs” means the attached 2021 EU Standard Contractual Clauses (Module 1 Controller to Controller) ((EU) 2021/914), together with the attached Annexes I, II, and III (where applicable).

7.3. “Contract of Adherence” means contract of adherence with Customer (on behalf of itself and the other Parties) which evidences the signatories’ intention to be bound by this DPA from the date on which they execute such contract.

7.4. “Individual” means any individual about whom Personal Information may be Processed under this DPA.

7.5. “Personal Information” or “Personal Data” means any Customer or Supplier Information received under this DPA that identifies, directly or indirectly, an Individual or relates to an identifiable Individual.

7.6. “Privacy Laws” means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality, security or Processing of Personal Information including, without limitation, the General Data Protection Regulation (2016/679), the European Union Directives governing electronic commerce (Directive 2002/58/EC) and data retention (Directive 2006/24/EC); the UK General Data Protection Regulation; the Privacy Act 1988 (Cth); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); Canada’s anti-spam legislation (“CASL”); the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); information security breach notification laws (such as Cal. Civ. Code §§ 1798.29, 1798.82 - 1798.84); laws imposing minimum information security requirements (such as Cal. Civ. Code § 1798.81.5 and 201 Mass. Code Reg. 17.00); laws requiring the secure disposal of records containing certain Personal Information (such as N.Y. Gen. Bus. Law § 399-H); and all similar international, federal, provincial, state and local requirements.

7.7. “Process” or “Processing” means any operation or set of operations performed upon any information or data, whether by automated means or otherwise, including the collection, recording, organization, structuring, alteration, access, disclosure, copying, transfer, storage, deletion, retention, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, sale, sharing, augmentation or other use of Personal Information.

7.8. “Special Categories of Data” or “Sensitive Data” means any of the following types of Personal Information: (i) Social Security or identity card number, taxpayer identification number, passport number, driver’s license number or other government-issued identification number; (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account including Cardholder Information or credit history; (iii) username and password; or (iv) information on race, religion, ethnicity, sex life or practices or sexual orientation, medical information, health information, genetic or biometric information, biometric templates, political, religious or philosophical beliefs, political party or trade union membership, background check information or judicial data such as criminal records (including alleged commission of an offense) or information on other judicial or administrative proceedings. If Customer, or any relevant Customer affiliate, is located in Australia, it also means an individual’s membership in a professional or trade association.

7.9. “Transfer” means the access by, transfer or delivery to or disclosure of Personal Information to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated.

Schedule A

Details of the Processing Activities

Data subjects

The personal data transferred concern the following categories of data subjects:

Categories of data

The personal data transferred is:

Special categories of data

The personal data transferred may concern the following special categories of data:

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Nature of the processing/Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Purpose(s) of the data transfer and further processing

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to processors, also specify subject matter, nature and duration of the processing

Schedule B

Technical and Organisational Security Measures

In accordance with Clause 1.4 of the DPA, the Supplier will adopt and maintain appropriate (including organisational and technical) security measures in dealing with the Personal Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

In determining the technical and organizational security measures required by Clause 1.4 of the DPA, the Supplier will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Supplier will implement the following specific security measures, as applicable: Supplier maintains and enforces various policies, standards and processes designed to secure Personal Data and other data to which Supplier Personnel are provided access and to protect Personal Data and other data from accidental loss or destruction. This Schedule represents the minimum security measures that will be taken by Supplier. If any commercial agreement with Supplier requires a higher level or more extensive security measures, Supplier will abide by those terms.

1. Information Security Policies and Standards.

Supplier will implement security requirements for staff and all subcontractors, suppliers, or agents who have access to Personal Data that are designed to ensure a level of security appropriate to the risk and address the requirements detailed in these Security Standards. Supplier will conduct periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in Supplier’s business practices that may reasonably affect the security, confidentiality or integrity of Personal Data, provided that Supplier will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Personal Data. Supplier shall keep written records of such assessments and reviews.

2. Physical Security.

Supplier will maintain commercially reasonable security systems at all Supplier sites at which an information system that uses or houses Personal Data is located. Supplier will restrict access to such Personal Data appropriately and will have in place practices to prevent unauthorized individuals from gaining access to Personal Data.

3. Organizational Security.

  • When media are to be disposed of or reused, Supplier will implement procedures to prevent any subsequent retrieval of any Personal Data stored on the media before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures will be implemented to prevent undue retrieval of Personal Data stored on them.

  • Supplier will implement security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.

  • All Personal Data security incidents are managed in accordance with appropriate incident response procedures.

  • Supplier will encrypt, using industry-standard encryption tools, all Personal Data that Supplier: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; and (iii) stores on portable devices, in each case, where technically feasible. Supplier will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Data.

  • Supplier will ensure (i) that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage and (ii) that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified.

  • Supplier will ensure that Personal Data collected for different purposes can be processed separately. Supplier will keep databases containing Personal Data obtained from Customer logically separate from information obtained from any other third party.

4. Network Security.

Supplier maintains network security using commercially available equipment and industry-standard techniques, including firewalls, intrusion detection and prevention systems, access control lists and routing protocols.

5. Access Control.

  • Supplier will maintain appropriate access controls, including, but not limited to, restricting access to Personal Data to the minimum number of Supplier Personnel who require such access. Supplier will maintain a list of the persons who have accessed Personal Data and a list of those who are permitted to access the Personal Data.

  • Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data. Supplier will maintain an audit trail to document whether and by whom Personal Data have been accessed, entered into, modified, transferred or removed from Personal Data Processing, which must be presented to Customer upon Customer’s request. Supplier will log atypical events (e.g., a computerized removal of a significant volume of Personal Data).

  • User administration procedures define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.

  • All employees of Supplier are assigned unique User IDs.

  • Access rights are implemented adhering to the “principle of least privilege.”

  • Supplier will implement commercially reasonable physical and electronic security to create and protect passwords.

  • Supplier will establish security procedures to prevent Personal Data Processing systems from being used without authorization, such as through logical access controls.

6. Virus and Malware Controls.

Supplier will install and maintain the latest anti-virus and malware protection software on the system and has in place scheduled malware monitoring and system scanning to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use of Personal Data.

7. Personnel.

  • Prior to providing access to Personal Data to Supplier Personnel, Supplier will require Supplier Personnel to comply with its Information Security Program.

  • Supplier will implement a security awareness program to train personnel about their security obligations. This program will include training about data classification obligations; physical security controls; security practices; and security incident reporting.

  • If Supplier is provided with access to Cardholder Information, Supplier Personnel will receive training at least once each year to prevent the loss, theft, leakage, falsification or damage of Personal Data.

  • Supplier will clearly define roles and responsibilities for Supplier Personnel. Screening will be implemented before employment with terms and conditions of employment applied appropriately.

  • Supplier employees will strictly follow established security policies and procedures. A disciplinary process will be utilized if employees commit a security breach.

8. Business Continuity.

Supplier will implement appropriate back-up and disaster recovery and business resumption plans. These plans will include processes to ensure recovery of Personal Data that was modified or destroyed due to unauthorized access. Supplier will review its business continuity plan and risk assessment regularly. Business continuity plans will be tested and updated regularly to ensure that they are up to date and effective.

9. Primary Security Manager.

Supplier will notify Customer of its designated primary security manager. The security manager will be responsible for managing and coordinating the performance of Supplier’s obligations set forth in its Information Security Program and in this DPA.