World Travel, Inc. Safe Harbor Policies Introduction In addition to its own confidential and proprietary information, and trade secrets, World Travel, Inc.’s clients, travelers, business partners, and other parties with whom it conducts business entrust it with important information relating to their businesses. It is World Travel, Inc.’s general policy that no Team Member shall breach such confidences. Additionally, the policies set forth herein detail World Travel, Inc.’s commitment to data security including but not limited to its adherence the core principals of the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework. This policy supplements, but does not replace, all other polices, practices, and procedures including any applicable confidentiality or non-disclosure agreement. European Union and Swiss Safe Harbor Policies As a global travel management company, World Travel, Inc. collects, compiles, and analyzes global data on behalf of its clients. World Travel, Inc. may therefore receive data that originates from the European Union, European Economic Area, or Switzerland. In turn, it delivers such data to its clients and other third parties (as appropriate) by: (i) publishing client-specific data in its web-based reporting platform, WorldReports™, and/or (ii) sending files of such data (e.g., a file transfer) to authorized recipients, pursuant to a client’s request.1 Because World Travel, Inc. is a ticketing agent that falls within the jurisdiction of the U.S. Department of Transportation, it is eligible for participation in the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework. World Travel, Inc. self-certifies its adherence to the U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks. World Travel, Inc. will only display its Safe Harbor certification marks when it is in complete compliance with each framework. The paragraphs below set forth World Travel, Inc.’s commitment to the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework. This policy is also available at http://corporate.worldtravelinc.com/About/Privacy-Statement/EUSafeHarbor.aspx and http://corporate.worldtravelinc.com/About/Privacy-Statement/SwissSafeHarbor.aspx. All of World 1 WorldReports™ is only available to authorized client representatives, such as a client’s travel manager. In addition, all access to WorldReports is controlled by confidential user names and passwords that are managed by World Travel, Inc. in accordance with its Information Security Policy. 1|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015 Travel, Inc.’s privacy policies can be found at http://corporate.worldtravelinc.com/About/PrivacyStatement.aspx Definitions “Data Controller” means the legal person that determines the purposes and means of processing personal data. A Data Controller is sometimes also referred to as a “Data Exporter.” For example, World Travel, Inc.’s clients are Data Controllers. Additionally, World Travel, Inc.’s clients, and in some instances a client’s other travel management provider, are Data Exporters. “Data Processor” means the legal person who processes data on behalf of the Data Controller. A Data Processor is sometimes referred to as a “Data Importer.” World Travel, Inc. is a Data Processor/Data Importer. “Data protection” or “data privacy” means the management of personal data. “EU Directive” refers to the Council Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data, 1995 O.J. L 281/31. Broadly speaking, the EU Directive prohibits the transfer of personal data and personal information outside of the EU; unless, however, the Data Processor has appropriately certified its U.S.-EU Safe Harbor status. “European Union” or “EU” refers to the group of European countries that participate in the world economy as one economic unit and operate under one official currency, the Euro. As of March 17, 2015, the twenty-eight EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. “Member State” refers to a country that is a full member of the EU. World Travel, Inc.’s Safe Harbor Policy also applies to the transfer of data from the European Economic Area (the “EEA”). The EEA unites the EU Member States and three EEA European Free Trade Association (“EFTA”) countries: Iceland, Lichtenstein, and Norway. World Travel, Inc. currently collects data from the following EU Member States: Austria, Belgium, Croatia, Czech Republic, Denmark, France, Germany, Hungary, Ireland, Italy, Latvia, Lithuania, Netherlands, Poland, Portugal, Romania, Spain, Sweden, and the United Kingdom. World Travel, Inc. does not collect any data from Iceland, Lichtenstein, or Norway. World Travel, Inc. does 2|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015 collect data from the Ukraine, which is not either an EU Member or a member of the EEA. Nonetheless, World Travel, Inc. will handle data imported from the Ukraine in the same fashion as data imported from an EU Member State. “Opt-in” means a traveler’s expression of affirmative consent. “Opt-out” means a traveler’s exercise of choice through an affirmative request that a particular use or disclosure of data not occur. “Personal Data” shall mean any information relating to an identified or identifiable natural person (a “Data Subject”); one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to physical, physiological, mental, economic, cultural or social identity; or by variables or other identifiers that can be used to identify the individual, such as name, postal address, e-mail address, telephone number, Social Security number, or other unique identifier. Personal data can be recorded in any format. This definition is purposefully broad. For clarity, the term Personal Data excludes Sensitive Data. “Sensitive Data” means data pertaining to racial or ethnic origins, political or religious beliefs, or health information. On rare occasions, World Travel, Inc. may collect Sensitive Data from an individual for purposes of fulfilling its obligations with respect to making a valid reservation with a supplier of travel and/or travel related services, e.g., meal preferences for frequent flyer programs. World Travel, Inc. collects, compiles, and analyzes (processes) the following primary data types: first name, last name, employee identification number, e-mail address(es) (professional and sometimes personal), mailing address, travel/flight information, frequent flyer information/supplier preferences, and form of payment information (all credit card numbers are masked). Individuals may request a list of the data types collected by World Travel, Inc. at their employer’s request by sending such request to SafeHarbor@worldtravelinc.com. “Processing of personal data” means any operation or set of operations performed upon Personal Data and/or personal information, whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, or otherwise making available. The “Swiss Federal Act on Data Protection” or the “Swiss FADP” refers to Switzerland’s law which, like the EU Directive, prohibits the transfer of personal data and personal information outside of Switzerland; unless, however, the Data Processor has certified its U.S.-Swiss Safe Harbor status. 3|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015 Safe Harbor Principles A key component of an adequate Safe Harbor Privacy Policy is adherence to the seven core principles of the Safe Harbor frameworks. The seven principles are: (1) notice, (2) choice, (3) onward transfer, (4) security, (5) data integrity, (6) access, and (7) enforcement. World Travel, Inc. is committed to the principles, as set forth in detail below. Notice. World Travel, Inc. collects Personal Data and personal information so that it can fulfill its contractual agreements with its clients. World Travel, Inc. will cause its clients to notify their personnel (i.e., data subjects) about the purposes for which it collects and uses Personal Data or personal information. In addition, each World Travel, Inc.’s clients must provide it with evidence that it has (i) provided adequate notice to and (ii) obtained consent from its personnel, such that it has met its obligations under (x) the Directive and/or (y) the Swiss FADP, as may be applicable. World Travel, Inc. will not import any data on behalf of, or for the benefit of, any client that cannot provide such evidence. Choice. World Travel, Inc. will only use Personal Data and/or personal information for the purposes of providing corporate travel management services to its clients. Out of an abundance of caution, World Travel, Inc. will work with its clients to ensure that individuals have the opportunity to opt-out and exclude their Personal Data or personal information from the collection, compilation, or analysis of client’s travel-related data; to the extent such exclusion is not overly burdensome for World Travel, Inc. Determining whether to allow an individual to opt-out will be performed on a request-byrequest basis. World Travel, Inc. will consult with its client(s) to ensure compliance with this principle and the individual’s request. Individuals who wish to opt out may make a request by submitting such written request to SafeHarbor@worldtravelinc.com. Onward Transfer. In the event World Travel, Inc. is asked to forward Personal Data or personal information to a third party (i.e., not a client), it will only do so upon assurances that such third party subscribes to the EU and Swiss Safe Harbor privacy principles. In the alternative, World Travel, Inc. may elect to enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles. Access. Individuals may have access to their Personal Data or personal information for the purpose of correcting, amending, or deleting information that is inaccurate; unless, however, providing such access is overly burdensome to World Travel, Inc. Determining whether to allow an individual access will be performed on a request-by-request basis. World Travel, Inc. will consult with its 4|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015 client to ensure compliance with this principle and the individual’s request. Individuals who wish to have access to their information may make a request for access by submitting such written request to SafeHarbor@worldtravelinc.com. Security. World Travel, Inc. shall take commercially reasonable precautions to protect Personal Data and personal information from loss, misuse, and unauthorized access, disclosure, alteration and destruction. World Travel, Inc. has the following minimum requirements for data that is transferred to it from the EU, EEA, or Switzerland: (1) File Transmission and Encryption. Each party (a “Sender”) will deliver, or make arrangement for delivery of one or more source files containing data, including Personal Data (each a “Source File”) to World Travel, Inc. by one of the following methods: SFTP (recommend PGP), API/web services via SSL/https or certificated authentication. World Travel, Inc.’s clients and/or their authorized third parties (e.g., a credit card provider) who do not comply with this method of data transfer have until June 1, 2015 to do so. Upon receipt, World Travel, Inc. will store any Source File on a secure server located behind its firewall (i.e., not in a DMZ (demilitarized zone/perimeter network)) for more than ten (10) calendar days. World Travel, Inc. maintains documentation on each file that it sent to it by a Sender. (2) Access. Only authorized World Travel, Inc. personnel shall have access to such data. World Travel, Inc. grants such access using the concept of “least privilege.” This means that access to data is proportionate to the task the Team Member must execute and not, for example, their job title. For example, if a Team Member is responsible for importing data from an SFTP site into a database, the Team Member will only have the permissions necessary to complete this task. The Team Member would not necessarily also have permission to query the database. (3) Logging. World Travel, Inc. will keep current, accurate logs to track data import and export, including server and database access. (4) Storage. World Travel, Inc. will store data that originated within the EU, EEA, or Switzerland in its data warehouse using commercially reasonable data security 5|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015 methods. At a minimum, any database that stores data that originated from the EU, EEA, or Switzerland will reside on an internal World Travel, Inc. corporate network, segregated from the DMZ and any untrusted network. All databases that store imported data are encrypted at rest. Data Integrity. World Travel, Inc. shall only collect Personal Data, personal information, or Sensitive Data for the purpose of meeting its contractual obligations to its clients for the provision of corporate travel reservation and management services. Moreover, World Travel, Inc. will take commercially reasonable steps to ensure that the data it collects is reliable for its intended use, accurate, complete, and current. Enforcement. In order to ensure its compliance with the Safe Harbor Principles, World Travel, Inc. will provide clients and their travelers with a readily available and affordable mechanism to resolve individual complaints or other disputes that arise from or relate to World Travel, Inc.’s Safe Harbor practices. World Travel, Inc. is registered with JAMS and has designated JAMS as its Alternative Dispute Resolution (ADR) Provider for disputes under the U.S.-EU Safe Harbor Framework and U.S.Swiss Safe Harbor Framework. (See also attached certification from JAMS.) In accordance with this designation, the entity against whom a claim is brought is responsible for all (100%) of the ADR expenses associated with settling the claim. This is an entity-pays-all policy. Questions regarding JAMS ADR should be directed to: JAMS Practice Development Manager (Global) at SafeHarbor@jamsadr.com or by calling 212-607-2771. Amendments As with all of World Travel, Inc.’s workplace and business policies, World Travel, Inc. may amend any of its policies at any time, in its sole discretion. World Travel, Inc. will ensure that the most up to date copy of this policy is posted at the URLs provided herein. Contact Us Any questions about this Safe Harbor Policy may be directed to SafeHarbor@worldtravelinc.com or to World Travel, Inc.’s Executive Vice President & Corporate Counsel, Maribeth L. Minella, by e-mail (mminella@worldtravelinc.com) or by telephone (484-348-6665). In addition, all opt-out requests, access requests, complaints, or any other issues arising from or that relate to World Travel, Inc.’s Safe Harbor practices should also be directed to SafeHarbor@worldtravelinc.com. 6|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015 7|Page CONFIDENTIAL Effective Date: 25-March-2015 Next Review Date: January 2015
© Copyright 2024