Swiss Safe Harbor Privacy Policy

World Travel, Inc. Safe Harbor Policies
Introduction
In addition to its own confidential and proprietary information, and trade secrets, World Travel,
Inc.’s clients, travelers, business partners, and other parties with whom it conducts business entrust it with
important information relating to their businesses. It is World Travel, Inc.’s general policy that no Team
Member shall breach such confidences. Additionally, the policies set forth herein detail World Travel,
Inc.’s commitment to data security including but not limited to its adherence the core principals of the
U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.
This policy supplements, but does not replace, all other polices, practices, and procedures
including any applicable confidentiality or non-disclosure agreement.
European Union and Swiss Safe Harbor Policies
As a global travel management company, World Travel, Inc. collects, compiles, and analyzes
global data on behalf of its clients. World Travel, Inc. may therefore receive data that originates from the
European Union, European Economic Area, or Switzerland. In turn, it delivers such data to its clients and
other third parties (as appropriate) by: (i) publishing client-specific data in its web-based reporting
platform, WorldReports™, and/or (ii) sending files of such data (e.g., a file transfer) to authorized
recipients, pursuant to a client’s request.1
Because World Travel, Inc. is a ticketing agent that falls within the jurisdiction of the U.S.
Department of Transportation, it is eligible for participation in the U.S.-EU Safe Harbor Framework and
the U.S.-Swiss Safe Harbor Framework. World Travel, Inc. self-certifies its adherence to the U.S.-EU
Safe Harbor and U.S.-Swiss Safe Harbor frameworks. World Travel, Inc. will only display its Safe
Harbor certification marks when it is in complete compliance with each framework.
The paragraphs below set forth World Travel, Inc.’s commitment to the U.S.-EU Safe Harbor
Framework and U.S.-Swiss Safe Harbor Framework.
This policy is also available at
http://corporate.worldtravelinc.com/About/Privacy-Statement/EUSafeHarbor.aspx
and
http://corporate.worldtravelinc.com/About/Privacy-Statement/SwissSafeHarbor.aspx.
All of World
1
WorldReports™ is only available to authorized client representatives, such as a client’s travel manager. In
addition, all access to WorldReports is controlled by confidential user names and passwords that are managed by
World Travel, Inc. in accordance with its Information Security Policy.
1|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015
Travel, Inc.’s privacy policies can be found at http://corporate.worldtravelinc.com/About/PrivacyStatement.aspx
Definitions
“Data Controller” means the legal person that determines the purposes and means of processing
personal data. A Data Controller is sometimes also referred to as a “Data Exporter.” For example,
World Travel, Inc.’s clients are Data Controllers. Additionally, World Travel, Inc.’s clients, and in some
instances a client’s other travel management provider, are Data Exporters.
“Data Processor” means the legal person who processes data on behalf of the Data Controller. A
Data Processor is sometimes referred to as a “Data Importer.”
World Travel, Inc. is a Data
Processor/Data Importer.
“Data protection” or “data privacy” means the management of personal data.
“EU Directive” refers to the Council Directive 95/46/EC on the Protection of Individuals with
regard to the Processing of Personal Data and on the Free Movement of such Data, 1995 O.J. L 281/31.
Broadly speaking, the EU Directive prohibits the transfer of personal data and personal information
outside of the EU; unless, however, the Data Processor has appropriately certified its U.S.-EU Safe
Harbor status.
“European Union” or “EU” refers to the group of European countries that participate in the world
economy as one economic unit and operate under one official currency, the Euro. As of March 17, 2015,
the twenty-eight EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the
United Kingdom. “Member State” refers to a country that is a full member of the EU. World Travel,
Inc.’s Safe Harbor Policy also applies to the transfer of data from the European Economic Area (the
“EEA”). The EEA unites the EU Member States and three EEA European Free Trade Association
(“EFTA”) countries: Iceland, Lichtenstein, and Norway.
World Travel, Inc. currently collects data from the following EU Member States: Austria,
Belgium, Croatia, Czech Republic, Denmark, France, Germany, Hungary, Ireland, Italy, Latvia,
Lithuania, Netherlands, Poland, Portugal, Romania, Spain, Sweden, and the United Kingdom. World
Travel, Inc. does not collect any data from Iceland, Lichtenstein, or Norway. World Travel, Inc. does
2|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015
collect data from the Ukraine, which is not either an EU Member or a member of the EEA. Nonetheless,
World Travel, Inc. will handle data imported from the Ukraine in the same fashion as data imported from
an EU Member State.
“Opt-in” means a traveler’s expression of affirmative consent.
“Opt-out” means a traveler’s exercise of choice through an affirmative request that a particular
use or disclosure of data not occur.
“Personal Data” shall mean any information relating to an identified or identifiable natural
person (a “Data Subject”); one who can be identified, directly or indirectly, in particular by reference to
an identification number or to one or more factors specific to physical, physiological, mental, economic,
cultural or social identity; or by variables or other identifiers that can be used to identify the individual,
such as name, postal address, e-mail address, telephone number, Social Security number, or other unique
identifier. Personal data can be recorded in any format. This definition is purposefully broad.
For clarity, the term Personal Data excludes Sensitive Data.
“Sensitive Data” means data
pertaining to racial or ethnic origins, political or religious beliefs, or health information.
On rare
occasions, World Travel, Inc. may collect Sensitive Data from an individual for purposes of fulfilling its
obligations with respect to making a valid reservation with a supplier of travel and/or travel related
services, e.g., meal preferences for frequent flyer programs.
World Travel, Inc. collects, compiles, and analyzes (processes) the following primary data types:
first name, last name, employee identification number, e-mail address(es) (professional and sometimes
personal), mailing address, travel/flight information, frequent flyer information/supplier preferences, and
form of payment information (all credit card numbers are masked). Individuals may request a list of the
data types collected by World Travel, Inc. at their employer’s request by sending such request to
SafeHarbor@worldtravelinc.com.
“Processing of personal data” means any operation or set of operations performed upon Personal
Data and/or personal information, whether or not by automatic means, such as collection, recording,
organization, storage, disclosure by transmission, or otherwise making available.
The “Swiss Federal Act on Data Protection” or the “Swiss FADP” refers to Switzerland’s law
which, like the EU Directive, prohibits the transfer of personal data and personal information outside of
Switzerland; unless, however, the Data Processor has certified its U.S.-Swiss Safe Harbor status.
3|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015
Safe Harbor Principles
A key component of an adequate Safe Harbor Privacy Policy is adherence to the seven core
principles of the Safe Harbor frameworks. The seven principles are: (1) notice, (2) choice, (3) onward
transfer, (4) security, (5) data integrity, (6) access, and (7) enforcement. World Travel, Inc. is committed
to the principles, as set forth in detail below.
Notice. World Travel, Inc. collects Personal Data and personal information so that it can
fulfill its contractual agreements with its clients. World Travel, Inc. will cause its clients to notify their
personnel (i.e., data subjects) about the purposes for which it collects and uses Personal Data or personal
information. In addition, each World Travel, Inc.’s clients must provide it with evidence that it has (i)
provided adequate notice to and (ii) obtained consent from its personnel, such that it has met its
obligations under (x) the Directive and/or (y) the Swiss FADP, as may be applicable. World Travel, Inc.
will not import any data on behalf of, or for the benefit of, any client that cannot provide such evidence.
Choice. World Travel, Inc. will only use Personal Data and/or personal information for
the purposes of providing corporate travel management services to its clients. Out of an abundance of
caution, World Travel, Inc. will work with its clients to ensure that individuals have the opportunity to
opt-out and exclude their Personal Data or personal information from the collection, compilation, or
analysis of client’s travel-related data; to the extent such exclusion is not overly burdensome for World
Travel, Inc. Determining whether to allow an individual to opt-out will be performed on a request-byrequest basis. World Travel, Inc. will consult with its client(s) to ensure compliance with this principle
and the individual’s request. Individuals who wish to opt out may make a request by submitting such
written request to SafeHarbor@worldtravelinc.com.
Onward Transfer. In the event World Travel, Inc. is asked to forward Personal Data or
personal information to a third party (i.e., not a client), it will only do so upon assurances that such third
party subscribes to the EU and Swiss Safe Harbor privacy principles. In the alternative, World Travel,
Inc. may elect to enter into a written agreement with such third party requiring that the third party provide
at least the same level of privacy protection as is required by the relevant principles.
Access. Individuals may have access to their Personal Data or personal information for
the purpose of correcting, amending, or deleting information that is inaccurate; unless, however,
providing such access is overly burdensome to World Travel, Inc. Determining whether to allow an
individual access will be performed on a request-by-request basis. World Travel, Inc. will consult with its
4|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015
client to ensure compliance with this principle and the individual’s request. Individuals who wish to
have access to their information may make a request for access by submitting such written request to
SafeHarbor@worldtravelinc.com.
Security. World Travel, Inc. shall take commercially reasonable precautions to protect
Personal Data and personal information from loss, misuse, and unauthorized access, disclosure, alteration
and destruction. World Travel, Inc. has the following minimum requirements for data that is transferred
to it from the EU, EEA, or Switzerland:
(1)
File Transmission and Encryption. Each party (a “Sender”) will deliver, or make
arrangement for delivery of one or more source files containing data, including
Personal Data (each a “Source File”) to World Travel, Inc. by one of the
following methods: SFTP (recommend PGP), API/web services via SSL/https or
certificated authentication. World Travel, Inc.’s clients and/or their authorized
third parties (e.g., a credit card provider) who do not comply with this method of
data transfer have until June 1, 2015 to do so. Upon receipt, World Travel, Inc.
will store any Source File on a secure server located behind its firewall (i.e., not
in a DMZ (demilitarized zone/perimeter network)) for more than ten (10)
calendar days. World Travel, Inc. maintains documentation on each file that it
sent to it by a Sender.
(2)
Access. Only authorized World Travel, Inc. personnel shall have access to such
data.
World Travel, Inc. grants such access using the concept of “least
privilege.” This means that access to data is proportionate to the task the Team
Member must execute and not, for example, their job title. For example, if a
Team Member is responsible for importing data from an SFTP site into a
database, the Team Member will only have the permissions necessary to
complete this task.
The Team Member would not necessarily also have
permission to query the database.
(3)
Logging. World Travel, Inc. will keep current, accurate logs to track data import
and export, including server and database access.
(4)
Storage. World Travel, Inc. will store data that originated within the EU, EEA,
or Switzerland in its data warehouse using commercially reasonable data security
5|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015
methods. At a minimum, any database that stores data that originated from the
EU, EEA, or Switzerland will reside on an internal World Travel, Inc. corporate
network, segregated from the DMZ and any untrusted network. All databases
that store imported data are encrypted at rest.
Data Integrity. World Travel, Inc. shall only collect Personal Data, personal information,
or Sensitive Data for the purpose of meeting its contractual obligations to its clients for the provision of
corporate travel reservation and management services.
Moreover, World Travel, Inc. will take
commercially reasonable steps to ensure that the data it collects is reliable for its intended use, accurate,
complete, and current.
Enforcement. In order to ensure its compliance with the Safe Harbor Principles, World
Travel, Inc. will provide clients and their travelers with a readily available and affordable mechanism to
resolve individual complaints or other disputes that arise from or relate to World Travel, Inc.’s Safe
Harbor practices. World Travel, Inc. is registered with JAMS and has designated JAMS as its Alternative
Dispute Resolution (ADR) Provider for disputes under the U.S.-EU Safe Harbor Framework and U.S.Swiss Safe Harbor Framework. (See also attached certification from JAMS.) In accordance with this
designation, the entity against whom a claim is brought is responsible for all (100%) of the ADR
expenses associated with settling the claim. This is an entity-pays-all policy. Questions regarding JAMS
ADR should be directed to: JAMS Practice Development Manager (Global) at SafeHarbor@jamsadr.com
or by calling 212-607-2771.
Amendments
As with all of World Travel, Inc.’s workplace and business policies, World Travel, Inc. may
amend any of its policies at any time, in its sole discretion. World Travel, Inc. will ensure that the most
up to date copy of this policy is posted at the URLs provided herein.
Contact Us
Any questions about this Safe Harbor Policy may be directed to SafeHarbor@worldtravelinc.com
or to World Travel, Inc.’s Executive Vice President & Corporate Counsel, Maribeth L. Minella, by e-mail
(mminella@worldtravelinc.com) or by telephone (484-348-6665).
In addition, all opt-out requests,
access requests, complaints, or any other issues arising from or that relate to World Travel, Inc.’s Safe
Harbor practices should also be directed to SafeHarbor@worldtravelinc.com.
6|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015
7|Page
CONFIDENTIAL
Effective Date: 25-March-2015
Next Review Date: January 2015