Data Privacy Addendum for all customers other than Amadeus Hospitality Shanghai Customers

DATA PROCESSING AGREEMENT   
Last updated: December 2023

This Data Processing Agreement (“DPA”) describes the Processing of Personal Data by the Amadeus contracting entity as indicated in the Agreement (“Amadeus”), in respect to the provision of Services to the Customer.

This DPA forms an integral part of the Agreement between Amadeus and its Customer(s), which shall be applicable where the Services entail the Processing of Personal Data by Amadeus on behalf of the Customer. For the provision of these Services, the Customer will be acting as the Data Controller and Amadeus will be acting as a Data Processor.

Amadeus reserves the right to perform updates and non-material changes to this DPA from time to time, without prior notification to its Customers. The most updated version is available on (LINK) and any previous versions are available on (LINK).  The DPA version that will apply to the Agreement shall be the DPA version in force at the time of the Effective Date, which should continue to apply throughout the duration of such Agreement.

This DPA does not apply to Agreements where Amadeus acts as a Data Controller, which is governed by separate terms. Notwithstanding the foregoing, Amadeus shall be the Data Controller in respect of activities relating to the administration of the commercial relationship between it and the Customer (e.g., invoicing Customer).

  1.  DEFINITIONS 
    “Controller”   means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    “Data Protection Laws”  means all laws and regulations relating to the Processing of Personal Data and privacy, including the EU General Data Protection Regulation (2016/679/EC, hereinafter “GDPR”), as well as all laws and regulations implementing or made under them and any amendment or re-enactment of them, as applicable to each party.
    “Subprocessor”  means any third-party appointed or engaged by Amadeus to Process Personal Data on behalf of the Controller.
    “Data Subject”  means an identified or identifiable natural person connected to the Customer, for which Customer instructs Amadeus to Process their Personal Data for the performance of the Services.
    “Personal Data”  means any information relating to Data Subject
    “Personal Data Breach”   means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed as a result of the Services provided under this Agreement.
    “Processing” “Process”  means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    “Cross Border Transfer”  means the Processing performed by a Party and/or Subprocessor in one jurisdiction where the Personal Data is transferred, accessed, disclosed to another Party and/or Subprocessor located in another jurisdiction that is different from where the Personal Data was originally Processed.
  2. PROCESSING OF PERSONAL DATA 

2.1 The purpose for Amadeus Processing the Personal Data is Amadeus’s provision of the Services to the Customer. Amadeus shall only Process the Personal Data in accordance with the Customer’s documented instructions. These instructions will be as set out in the Agreement and this DPA, which will include any actions necessary to perform its obligations or to provide the Services licensed pursuant to the Agreement, and any other documented instruction provided by the Customer, except to the extent that any legal requirement prevents Amadeus from complying with such instructions or requires the Processing of Personal Data other than as instructed by the Customer. Amadeus will inform Customer if, in its opinion, an instruction infringes any Data Protection Laws, and as permitted by applicable Data Protection Laws. Customer acknowledges that in the provision of the Services under the Agreement Amadeus may transfer Personal Data in accordance with applicable Data Protection Laws. 

2.2 Processing includes such activities as specified in the Service Order(s) or as otherwise necessary to perform the obligations and Services set forth therein and which shall in determine the duration and the subject-matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects to which the Personal Data relates, as further detailed in Annex 1. 

3. SUBPROCESSORS 

3.1 The Customer agrees that Amadeus may engage Subprocessors for the provision of the Services, provided that Amadeus complies with the provisions of this clause. The Customer authorizes the Subprocessors subcontracted by Amadeus for the Processing of Personal Data at the Effective Date, to be made available to the Customer upon request and as applicable to the Agreement. 

3.2 Customer hereby grants Amadeus with a general authorization to engage Subprocessors in accordance with the provisions set forth in this Section 3. Where Amadeus were to engage or replace a Subprocessor after the Effective Date of this DPA, Amadeus shall inform Customer of any changes to the Subprocessors used in Processing of Personal Data made after the Effective Date of this DPA by notifying Customer, providing the Customer with the opportunity to object as described further on this Section 3. 

3.3 If Customer, acting reasonably, objects to the use of a Subprocessor, on the grounds that such use would present a significant risk to the Data Subjects’ rights and freedoms’, Customer may notify Amadeus promptly in writing within fourteen (14) calendar days after receipt of Amadeus notice in accordance with the paragraph above by providing details and evidence of such grounds. Amadeus shall use reasonable endeavours to resolve the reasons for Customer’s objections or to procure use of a different Subprocessor 

3.4 If Customer does not present objections in writing within fourteen (14) calendar days after receipt of notice of an appointment of a Subprocessor, Customer shall be deemed to authorize such Subprocessor

3.5 Where the Customer has objected to the appointment of a Subprocessor in accordance to Section 3.2 and Amadeus is unable to or fails to resolve the reasons for Customer’s objections or to procure use of a different Subprocessor within a reasonable period of time, Customer may terminate the Services which cannot be provided by Amadeus without the use of the Subprocessor to which Customer objects by providing written notice to Amadeus, provided Customer will not be entitled to claim damages in respect such termination. 

3.6 Amadeus remains responsible for its Subprocessors’ compliance with the obligations of this Data Processing Addendum and the Agreement as applicable. Any Subprocessor to whom Amadeus transfers Personal Data will have entered into written agreements with Amadeus requiring that the Subprocessor abide by terms in substance that provide for the same data protection obligations as this DPA, as applicable. 

4. SECURITY 

4.1 Amadeus shall Process Personal Data subject to appropriate technical and organizational measures against unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with Data Protection Laws. The security measures are further described in this document in Annex 2. 

4.2 Amadeus shall use personnel authorized by Amadeus to access the Personal Data who are subject to a duty of confidentiality in respect of the Personal Data. 

5. DELETION OR RETURN OF PERSONAL DATA 

5.1 Amadeus shall, at the choice of the Customer, delete or return all Personal Data to the Customer after the end of the Processing of Personal Data under the Agreement and in accordance with the terms of the Agreement, unless Amadeus is required to retain the Personal Data by applicable law. 

6. COOPERATION AND ASSISTANCE 

6.1 Amadeus will, in a manner consistent with the functionality of the Services and to the extent required under Data Protection Laws, provide reasonable support to Customer that may be required to respond to regulatory authority, law enforcement authority and/or a request of Data Subject to exercise rights as defined under Data Protection Laws (‘’Data Subject Requests’’). For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. If Amadeus receives a Data Subject Request addressed to the Customer, Amadeus will inform the Data Subject to contact the Controller directly (i.e., Customer) and redirect such request to Customer. 

6.2 Amadeus shall, to the extent required by Data Protection Laws, provide reasonable assistance to Customer to enable its compliance with its obligations under Data Protection Laws (including Articles 32 to 36 of the GDPR or other corresponding provisions under Data Protection Laws) taking into account the nature of processing and the information available to Amadeus. 

6.3 Amadeus reserves the right to charge fees (based on the costs incurred by Amadeus) for the performance of the obligations under this Section 6. 

7. INCIDENT MANAGEMENT 

7.1 Amadeus shall notify Customer without undue delay on becoming aware of any Personal Data Breach in connection with the Agreement and this Data Processing Addendum, whereby such notification shall be made upon having effective confirmation that such Personal Data Breach involves Personal Data Processed by Amadeus in connection with the Agreement and this DPA. The referred notification shall include, to the extent reasonably available, information to assist Customer to comply with its obligations in accordance with applicable Data Protection Laws. 

7.2 Upon request and direction of the Controller, Amadeus shall cooperate with Customer and undertake such reasonable actions to assist in the investigation, mitigation and remediation of the Personal Data Breach, in order to meet any specific requirements and/or comply with obligations as defined by applicable Data Protection Laws. 

8. DATA PROTECTION AUDIT

8.1 Upon reasonable request and at the Customer’s expense, Amadeus shall make available to Customer information reasonably necessary to demonstrate compliance with Amadeus’s Personal Data Processing obligations under the Agreement and this DPA. If Customer, acting reasonably, considers that Amadeus has not provided sufficient evidence of its compliance, Customer must notify Amadeus in writing providing evidence of such concerns, and Amadeus shall use reasonable endeavors to resolve Customer’s concerns. If Amadeus is unable to resolve Customer’s concerns, Customer may, as required under Data Protection Laws, audit Amadeus’s control environment and security practices relevant to the Personal Data Processed under the Agreement and this Data Processing Addendum for Customer. Any audits conducted by Customer or a mutually agreed upon third party auditor pursuant to this provision shall be subject to: the execution of an appropriate confidentiality agreement with Amadeus, compliance with Amadeus’s on-site or other applicable security policies and the following conditions: unless required or otherwise requested by a regulator: (i) audits shall be limited to once annually; (ii) audits will be carried out during normal working hours, without disturbing business operations; (iii) Customer will provide at least thirty (30) days prior written notice; and (iv) a Customer will provide Amadeus with a copy of the audit report.  

 9. CROSS BORDER TRANSFERS 

9.1 Customer acknowledges that in the provision of the Services, Amadeus may perform Cross Border Transfers of Personal Data, which shall be made in accordance with applicable Data Protection Laws and as further described under this Section. 

9.1.1 Amadeus Affiliates in or from the EEA/UK/Switzerland: Amadeus may transfer Personal Data to one or more of its Affiliates i) within the EEA, UK and/or Switzerland pursuant to Data Protection Laws and/or ii) to one or more of its Affiliates located in a jurisdiction outside the EEA/UK/Switzerland (“Third Countries”) provided that such transfer is made on the basis of i) an adequacy decision (ex Article 45 GDPR or other corresponding provisions under Data Protection Laws) or ii) a valid transfer mechanism insofar permitted by Data Protection Laws. 

9.1.2 Subprocessors in or from the EEA/UK/Switzerland: Subject to Customer authorization on Section 4, Amadeus may transfer Personal Data to a Subprocessor located i) within the EEA/UK/Switzerland pursuant to Data Protection Laws and/or ii) outside the EEA/UK/Switzerland (“Third Countries”), provided that such transfer is made on the basis of i) an adequacy decision (ex Article 45 GDPR or other corresponding provisions under applicable Data Protection Laws) or ii) a valid transfer mechanism insofar permitted by Data Protection Laws. 

9.1.3 Other Cross Border Transfers:  For any other Cross Border Transfer not contemplated under this Section 9 and where such Cross Border Transfer is necessary for the provision of the Services, Amadeus and Customer shall liaise in good faith with one another and shall undertake to complete the relevant schedules, appendices, and any other required documentation as applicable and required to be signed as between Amadeus and Customer. 

10. GENERAL TERMS 

10.1   The provisions of this Data Processing Addendum are supplemental to the relevant AgreementIn the event of inconsistencies between the provisions of this Data Processing Addendum and the provisions of the relevant Agreement the provisions of this Data Processing Addendum shall prevail. 

10.2  Each Party to this Data Processing Addendum shall comply with Data Protection Laws as applicable to such Party.

 

ANNEX 1 | Details of the processing of personal data

 

Categories of data subjects whose personal data is transferred Customer’s hotel guests. 
Categories of personal data processed.  Guest information: First and last name; email address; position salutation, last name, first mail, title, email, company, address 1, address2, city, state, postal code, country, phone, frequent guest id, initial_, phoneday, phoneevening, rawstreetaddr, lastupdate, users, unsubscribe, gsource, groupconame, birthdate, corpid, frequent_guestid, lastccno, contacttitle, contactfirstname, contactlastname, contactemail, airtravelerid, cartravelerid, guest profile, IP, tracking technology and IDs (e.g. cookies, pixels, hashed identifiers, universal identifiers, etc.) – as applicable. Payment information (if applicable): credit card type, credit card number, expiration date, name on card, billing address 1, billing address 2, billing city, billing country, billing state, billing postal code, billing code. 
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.  The personal data transferred does not concern nor require to provide the services no special categories of data  
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).  Continuous basis 
Nature of the processing  Processing of the Customer data for the provision of the services described in the service agreement between the processor and the controller 
Purpose(s) of the data transfer and further processing  Provision of the services described in the service agreement between the processor and the controller 
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period  Service provision Term (or as long as required under applicable laws). 

 

ANNEX 2 | Security Measures 

  1. GENERAL 
    1. 1 Amadeus has implemented and will maintain the following measures for Customer Personal Data that is in the possession, control, or otherwise processed by and under the control and responsibility of Amadeus in accordance with the following security measures.    
    1. 2 The Amadeus Technical and Organizational Security Measures are based on ISO 27001 controls and require Amadeus to implement and maintain physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability and security of the products and services and security of Customer Personal Data processed in the provision of the services. Details of additional security measures and relevant exceptions that apply to a specific Service Module are available upon request.  
  1. SECURITY REQUIREMENTS

2.1 Information Security Policies  

Amadeus shall maintain documented information security policies, processes, organization and controls (the ‘Processes’’), that are appropriate, taking into account the information security risks and where applicable, recognized industry standards. The Processes will be reviewed and, if required, updated by Amadeus at least on an annual basis, taking into account good industry practices.  

2.2 Organization of Information Security 

Security Ownership – Amadeus has a designated security official responsible for information security and control and implementation of the Processes. 

Security Roles and Responsibilities – Amadeus personnel are subject to confidentiality obligations; Individuals for whom Amadeus is responsible will have documented security roles and responsibilities where relevant. 

Risk Management Program – Amadeus will have in place a risk management process to perform risk assessments before and while providing the products and services. 

2.3 Human Resources Security  

Amadeus will screen Amadeus personnel as part of the hiring process in accordance with its policies and subject to limitations of applicable law. 

During employment – Amadeus will make personnel aware of security rules and procedures through a documented security awareness and training program including informing personnel of consequences of breaching security rules and procedures. 

Termination of employment – Amadeus will maintain the relevant processes, including the removal of system accesses after termination or change of employment. 

2.4 Asset Management  

Asset InventoryAmadeus will maintain an inventory of where Customer Personal Data is stored.  

Classification and labelling of Customer Personal Data Amadeus will maintain access to Customer Personal Data that is appropriately restricted, according to the classification. 

Acceptable use policyAmadeus will have in place an acceptable use policy that applies to information and assets that contain Customer Personal Data. 

Handling of assets and disposal of assets Amadeus will have in place procedures for handling, management and secure disposal of information and assets.  

2.5 Access Controls 

Access Policy – Amadeus will maintain a record of access and security privileges of individuals having access to Customer Personal Data. 

Access Authorization – Amadeus shall maintain a record of personnel’s accounts authorized to access information systems that contain Customer Personal Data, and individual personnel shall have separate identifiers or log ins. 

Least Privilege – access to Customer Personal Data is restricted to those individuals who are required to access the Customer Personal  Data to perform their job function on a need-to-know basis. 

Application Security – Amadeus shall implement system and application access controls. 

Authentication – Amadeus shall use industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication measures are based on passwords, the passwords shall be renewed regularly and meet industry standard password protection practices. 

Network Design – Amadeus shall logically have controls in place to avoid access to Customer Personal Data by individuals where they may not be authorized to access. 

2.6 Physical and Environmental Security 

Physical Access to facilities – Amadeus shall limit access to facilities where Customer Personal Data is located or accessed from to identified authorized individuals. 

Physical Access to components – Amadeus shall maintain records of the incoming and outgoing media containing Customer Personal Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of such data they contain. 

Protection from disruption – Amadeus shall use industry standard systems to protect against loss of Customer Personal Data due to power supply failure or other disruptions. 

Data deletion – Amadeus shall use industry standard practices to securely delete Customer Personal Data in accordance with the Agreement and applicable law. 

2.7 Communications and Operations Management  

Operational – Amadeus shall maintain documentation describing security measures, the relevant procedures and responsibilities of its personnel who have access to Customer Personal Data. 

Environment Separation – Amadeus shall maintain separation of development, testing and production environments. 

Data Recovery procedures – Amadeus shall have in place data recovery procedures so that Customer Data can be recovered, including written business continuity and disaster recovery plans.  

Malicious software – Amadeus shall maintain reasonable and up-to-date anti-malware, anti-spam, and similar controls on networks, systems and devices.  

Encryption and Other Security Measures 

Strong cryptography and security protocols are deployed for or made available to protect Customer Personal Data while in transit and at rest.  

Monitoring and Logging – Amadeus shall log access to information systems containing Customer  Personal Data.  

Technical Vulnerability Management – Amadeus will maintain a vulnerability management program addressing vulnerabilities in a timely manner based on risk assessments.  

2.8 Third Party Suppliers  

Amadeus shall only use third party suppliers who contractually agree to implement appropriate technical and organizational measures that are substantially similar to the Amadeus Technical and Organizational Security Measures.   

Amadeus shall have contractual safeguards in place with its third-party suppliers and will carry out reasonable due diligence and monitoring of such third-party suppliers in connection with the provision of the services.   

2.9 Information Security Incident Management  

Incident Response Process – Amadeus has a written security incident response plan that includes procedures to be followed to identify, address and report any Security Incident. The plan is regularly tested and has procedures to notify impacted stakeholders.   

Investigation and Cooperation in event of Security Incident – In the event of a Security Incident, Amadeus shall promptly take reasonable steps to contain, investigate and mitigate any Security Incident.   

2.10 Business Continuity Management   

Business Continuity – Amadeus has processes, procedures and controls for business continuity that applies to the people, processes and facilities in which Amadeus processes Customer Personal Data.  Amadeus shall review the processes, procedures and controls at regular intervals.