Travel Audience GmbH Data Processing Agreement

 

This Travel Audience Data Processing Agreement (“DPA”) describes the Processing of Personal Data by the Amadeus contracting entity as indicated in the Agreement (“Travel Audience”), in respect to the provision of Services to the Customer as indicated in the Agreement.

This DPA forms an integral part of and is subject to the Travel Audience Landing Page Terms and Conditions between Travel Audience and its Customer (“Agreement”), which is applicable where the Services entail the Processing of Personal Data by Travel Audience or its Affiliates or Subprocessor(s) on behalf of the Customer. For the provision of these Services, the Customer will be acting as a Controller and Travel Audience will be acting as a Processor.

This DPA does not apply to Agreements where Travel Audience acts as a Controller, which is governed by separate terms. Moreover, Travel Audience shall be a Controller in respect of Processing of Personal Data relating to the administration of the commercial relationship between it and the Customer (e.g., invoicing Customer).

Capitalized terms used in this DPA but not defined herein shall have the meanings assigned to them in the Agreement, unless otherwise specifically and expressly stipulated in Section 1 [Definitions] of this DPA.

 

1. DEFINITIONS

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Cross Border Transfer” means the Processing performed by a Controller, Processor and/or Subprocessor in one jurisdiction where the Personal Data is transferred, accessed, disclosed to another Controller, Processor and/or Subprocessor located in another jurisdiction that is different from where the Personal Data was originally Processed.
“Data Protection Laws” means all laws and regulations relating to the Processing of Personal Data and privacy, including the EU General Data Protection Regulation (2016/679/EC, hereinafter “GDPR”), as well as all laws and regulations implementing or made under them and any amendment or re-enactment of them, as applicable to each party.
“Data Subject” and/or “Website Visitor” means an identified or identifiable natural person connected to the Customer, for which Customer instructs Travel Audience to Process their Personal Data for the performance of the Services.
“Personal Data” means any information relating to Data Subject.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed as a result of the Services provided under this Agreement.
“Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Subprocessor” means any third party appointed or engaged by Travel Audience to Process Personal Data on behalf of the Controller.

 

2. PROCESSING OF PERSONAL DATA

2.1       The purpose for Travel Audience Processing the Personal Data is Travel Audience’s provision of the Services to the Customer pursuant to the Agreement and as further specified under Annex I. Travel Audience shall only Process the Personal Data in accordance with the Customer’s documented instructions as set out in the Agreement and this DPA, which will include any actions necessary to perform its obligations or to provide the Services pursuant to the Agreement, and any other documented instruction provided by the Customer, except to the extent that any legal requirement prevents Travel Audience from complying with such instructions or requires the Processing of Personal Data other than as instructed by the Customer.

2.2      Travel Audience will inform Customer if, in its opinion, an instruction infringes any Data Protection Laws, and as permitted by applicable Data Protection Laws. Customer acknowledges that in the provision of the Services under the Agreement Travel Audience may transfer Personal Data to third parties in accordance with applicable Data Protection Laws and as set forth in this DPA.

2.3      Processing includes such activities as specified in the Agreement or as otherwise necessary to perform the obligations and Services set forth therein and which shall determine the duration and the subject-matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects to which the Personal Data relates, as further detailed in Annex 1.

 

3. SUBPROCESSORS

3.1       The Customer agrees that Travel Audience may engage Subprocessors for the provision of the Services, provided that Travel Audience complies with the provisions of this section. The Customer authorizes the Subprocessors subcontracted by Travel Audience for the Processing of Personal Data as of the Effective Date, the list of which will be made available to the Customer upon request and as applicable to the Agreement.

3.2      Customer hereby grants Travel Audience a general written authorization to engage Subprocessors in accordance with the provisions set forth in this Section 3. Where Travel Audience engages a new Subprocessor or replaces a Subprocessor after the Effective Date of this DPA, Travel Audience shall inform Customer prior to any changes to the Subprocessors used in Processing of Personal Data made after the Effective Date of this DPA by notifying Customer, providing the Customer with the opportunity to object as described further in this Section 3.

3.3      If Customer, acting reasonably, objects to the use of a Subprocessor, on reasonable grounds relating to the protection of Personal Data, Customer may notify Travel Audience promptly in writing within fourteen (14) calendar days after receipt of Travel Audience’s notice in accordance with the paragraph above by providing details and evidence of such grounds. Travel Audience shall use reasonable endeavors to resolve the reasons for Customer’s objections or to procure use of a different Subprocessor.

3.4      If Customer does not present objections in writing within fourteen (14) calendar days after receipt of notice of an appointment of a Subprocessor, Customer shall be deemed to authorize such Subprocessor.

3.5      Where the Customer has objected to the appointment of a Subprocessor in accordance with Section 3.2 and Travel Audience is unable to or fails to resolve the reasons for Customer’s objections or to procure use of a different Subprocessor within a reasonable period of time, Customer may terminate the Services which cannot be provided by Travel Audience without the use of the Subprocessor to which Customer objects by providing written notice to Travel Audience, provided Customer will not be entitled to claim damages in respect of such termination or a refund of paid fees.

3.6      Travel Audience remains responsible for its Subprocessors’ compliance with the obligations of this Data Processing Addendum and the Agreement as applicable. Any Subprocessor to whom Travel Audience transfers Personal Data will have entered into written agreements with Travel Audience requiring that the Subprocessor abide by terms in substance that provide for no less equivalent data protection obligations as this DPA, as applicable.

 

4. SECURITY; DUTY OF CONFIDENTIALITY

4.1       Travel Audience shall Process Personal Data subject to appropriate technical and organizational measures against unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with Data Protection Laws. The security measures are further described in this document in Annex 2. Such security measures can be updated by Travel Audience as to maintain an appropriate level of security of Personal Data and such updates shall apply to the Services. Any update of the security measures by Travel Audience will be no less stringent than the previous version and can be provided to the Customer upon request.

4.2      Travel Audience shall use personnel authorized by Travel Audience to access the Personal Data who are subject to a duty of confidentiality in respect of the Personal Data and have a business need to access the Personal Data in connection with the performance of Travel Audience’s obligations under this DPA and the Agreement.

 

5. DELETION OR RETURN OF PERSONAL DATA

5.1       Travel Audience shall, at the choice of the Customer, delete or return all Personal Data to the Customer after the end of the Processing of Personal Data under the Agreement and in accordance with the terms of the Agreement, unless Travel Audience is required to retain the Personal Data by applicable law. Travel Audience will continue to apply the protections in this DPA to any retained Personal Data.

5.2      Notwithstanding Section 5.1, Travel Audience will, upon termination of the Agreement, disconnect the Landing Page from the internet but maintain the Landing Page for a period of time mutually agreed by the Parties, after which the Landing Page will be removed from the host server. All tracking technologies will similarly be deactivated at this time. Customer may request to reactivate the Landing Page after it is disconnected from the internet and before it is removed from the host server.

 

6. COOPERATION AND ASSISTANCE

6.1       Travel Audience will, in a manner consistent with the functionality of the Services and to the extent required under Data Protection Laws, provide reasonable support to Customer that may be required to respond to regulatory authority, law enforcement authority and/or a request of Data Subject to exercise rights as defined under Data Protection Laws (“Data Subject Requests”). For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. If Travel Audience receives a Data Subject Request addressed to the Customer, Travel Audience will inform the Data Subject to contact the Customer directly and redirect such request to Customer to respond.

6.2      Travel Audience shall, to the extent required by Data Protection Laws, provide reasonable assistance to Customer to enable Customer’s compliance with its obligations under Data Protection Laws (including Articles 32 to 36 of the GDPR or other corresponding provisions under Data Protection Laws) taking into account the nature of processing and the information then available to Travel Audience.

6.3      Travel Audience reserves the right to charge reasonable fees (based on the costs incurred by Travel Audience) for the performance of its obligations under this Section 6.

 

7. PERSONAL DATA BREACH

7.1       Travel Audience shall notify Customer without undue delay on becoming aware of any Personal Data Breach in connection with the Agreement and this Data Processing Addendum, whereby such notification shall be made upon having effective confirmation that such Personal Data Breach involves Personal Data Processed by Travel Audience in connection with the Agreement and this DPA. The referred notification shall include, to the extent reasonably available, information to assist Customer to comply with its obligations in accordance with applicable Data Protection Laws. For avoidance of doubt, Travel Audience’s notice does not constitute an admission of fault by Travel Audience or its Sub-processor(s) for the Personal Data Breach.

7.2       Upon request and direction of the Customer, Travel Audience shall cooperate with Customer and undertake such reasonable actions to assist in the investigation, mitigation and remediation of the Personal Data Breach, in order to meet any specific requirements and/or comply with obligations as defined by applicable Data Protection Laws.

 

8. DATA PROTECTION AUDIT

8.1       Upon reasonable request and at the Customer’s expense, Travel Audience shall make available to Customer information reasonably necessary to demonstrate compliance with Travel Audience’s Personal Data Processing obligations under the Agreement and this DPA. If Customer, acting reasonably, considers that Travel Audience has not provided sufficient evidence of its compliance, Customer must notify Travel Audience in writing providing evidence of such concerns, and Travel Audience shall use reasonable endeavors to resolve Customer’s concerns. If Travel Audience is unable to resolve Customer’s concerns, Customer may, as required under Data Protection Laws, audit Travel Audience’s control environment and security practices relevant to the Personal Data Processed under the Agreement and this Data Processing Addendum for Customer.

8.2      Any audits conducted by Customer or a mutually agreed upon independent third party auditor pursuant to this provision shall be at Customer’s expense and subject to the execution of an appropriate confidentiality agreement with Travel Audience and the following conditions, unless otherwise required or requested by a regulator or other competent governmental or legal authority: (i) audits shall be limited to once in any rolling 12-month period; (ii) audits will be carried out during normal working hours, without disturbing business operations, and in compliance with Travel Audience’s on-site or other applicable security policies; (iii) Customer will provide at least thirty (30) days prior written notice; and (iv) Customer will provide Travel Audience with a copy of the audit report (subject to appropriate redactions for confidentiality).

8.3      Any audit report is Travel Audience’s confidential and proprietary information.

 

9. CROSS BORDER TRANSFERS

9.1       Customer acknowledges that in the provision of the Services, Travel Audience may perform Cross Border Transfers of Personal Data, which shall be made in accordance with applicable Data Protection Laws and as further described under this Section.

9.1.1     Travel Audience Affiliates in or from the EEA/UK/Switzerland: Travel Audience may transfer Personal Data to one or more of its Affiliates (i) within the EEA, UK and/or Switzerland pursuant to Data Protection Laws and/or (ii) to one or more of its Affiliates located in a jurisdiction outside the EEA/UK/Switzerland (“Third Countries”) provided that such transfer is made on the basis of (i) an adequacy decision (for example as provided in Article 45 GDPR or other corresponding provisions under Data Protection Laws) or (ii) a valid transfer mechanism insofar permitted by Data Protection Laws.

9.1.2    Subprocessors in or from the EEA/UK/Switzerland: Subject to Customer authorization pursuant to Section 3, above, Travel Audience may transfer Personal Data to a Subprocessor located (i) within the EEA/UK/Switzerland pursuant to Data Protection Laws and/or (ii) to Third Countries outside the EEA/UK/Switzerland, provided that such transfer is made on the basis of (i) an adequacy decision (for example as provided in  Article 45 GDPR or other corresponding provisions under applicable Data Protection Laws) or (ii) a valid transfer mechanism insofar permitted by Data Protection Laws.

9.1.3    Other Cross Border Transfers: For any other Cross Border Transfer not contemplated under this Section 9 and where such Cross Border Transfer is necessary for the provision of the Services, Travel Audience and Customer shall liaise in good faith with one another and shall undertake to complete the relevant schedules, appendices, and any other required documentation or agreements as applicable and required to be implemented as between Travel Audience and Customer.

 

10. NOTICE AND CONSENT

10.1     The Customer warrants and is responsible for the lawful Processing of Personal Data on behalf of Customer by Travel Audience as its Processor and will adhere to all applicable laws and regulations, including but not limited to Data Protection Laws. Where legally required, Customer shall (i) ensure Data Subjects are adequately informed about the Processing of their Personal Data and (ii) obtain and manage any required Data Subject consents in accordance with applicable law.

10.2.    Subject to the Agreement and to the extent required under Section 10.1, the Customer may request Travel Audience to provide technical assistance with its compliance obligations as required of Customer under Data Protection Laws, which may include embedding and/or making available Customer specific privacy documents (“Privacy Notice”) and/or Customer designated consent management tools (“CMP”) on the Customer’s Landing Page or otherwise as applicable to the Services. In such case(s), Customer shall:

10.2(a)           provide Travel Audience with all necessary Privacy Notice(s) and/or any other privacy related content as required of Customer and the Processing of Personal Data, including specific instructions of placement/accessibility to Data Subjects (provided it is feasible and appropriate to the Services) under applicable law; and

10.2(b)           provide Travel Audience with the necessary items to implement a Customer-designated CMP (such as the relevant code or appropriate instructions to code) on the Customer’s Landing Page or otherwise, which CMP shall be capable of collecting, managing and storing Data Subject consents, as required of Customer under applicable law.

10.3    Customer represents and warrants that any code or instructions to code provided to Travel Audience to implement a Customer-designated CMP will comply with all relevant legal and technical requirements to ensure proper implementation and functionality.

10.4    The Customer is solely responsible for ensuring that the Privacy Notice(s) and CMP are accurate, up to date and compliant with all applicable laws. The Customer shall promptly notify Travel Audience of any required updates and/or changes to the Privacy Notice(s) and/or CMP or other relevant documentation as regards the processing of Personal Data in connection with the Services and provide the updated materials or instructions to Travel Audience in due time. Travel Audience shall implement the updates as instructed by Customer; provided, however, Travel Audience will not be liable for any delays and/or errors resulting from Customer’s failure to provide timely and accurate updates.

10.5     Where efforts conducted under Section 10.2 exceed commercially reasonable assistance, Travel Audience reserves the right to charge reasonable fees (based on the costs incurred by Travel Audience) for the performance of the referred Customer instructed obligations.

 

11. ANALYTICS AND USAGE DATA

11.1       Travel Audience may use analytics to monitor, identify, and collect trend and usage statistics with respect to usage of the Landing Page, including, without limitation, how often different features of the Landing Page are used, how often different buttons and menu items are clicked, how often displayed advertising is clicked, execution time for different operations, types of errors, error reports, download locations, versions, platform information, application and features usage, exception tracking, and operating system information (collectively, “Analytical and Usage Data”). Customer hereby agrees that Travel Audience may collect and compile such Analytical and Usage Data and use it in aggregated and anonymous form to provide, operate, manage, maintain, and enhance the Landing Page, develop new functionality(ies) or otherwise improve the Services. Analytical and Usage Data may be analyzed, evaluated, used, distributed and published by Travel Audience. Travel Audience shall own and retain all right, title to and interest in such Analytical and Usage Data.

 

12. GENERAL TERMS

12.1      The provisions of this DPA are supplemental to the relevant Agreement.  In the event of inconsistencies or conflict between the provisions of this DPA and the provisions of the relevant Agreement, the provisions of this DPA shall prevail.

12.2     Travel Audience reserves the right to perform non-material updates and changes to this DPA from time to time, or where required by applicable law, without prior notification to Customer.

12.3     Each party to this DPA shall comply with Data Protection Laws as applicable to such party.

12.4     The headings of any sections, subsections, and paragraphs of this DPA are inserted for convenient reference only and are not intended to be part of or to affect the meaning or interpretation of this DPA.

12.5     Any claims brought in connection with this DPA shall be subject to the terms and conditions including, but not limited to, the exclusions and limitations set forth in the Agreement.

12.6     Except as may be applicable for Cross Border Transfers subject to Section 9, the governing law and forum for this DPA shall be the governing law and forum set forth in the Agreement.

 

ANNEX 1   l   Details of the Processing of Personal Data

Categories of Data Subjects whose Personal Data is Processed: Visitors to the Customer’s Landing Page

Types of Personal Data Processed: Visitor IP address and location (determined from IP address)

Customer may instruct Travel Audience to implement and/or manage specific tracking technology to enable Travel Audience to render the Services, which is determined, defined and instructed by the Customer in its own discretion and may include the processing of the following types of Personal Data by Travel Audience, as applicable:

  • Cookie ID
  • User Agent
  • Universal Identifiers
  • Mobile advertising ID
  • Tracking technologies and IDs (cookies, pixels, widgets, hashed identifiers, etc.)

In conjunction with the above, Travel Audience may process user consent signals associated with Customer’s Consent Management Platform for purposes of displaying, targeting and re-targeting personalized advertising to users on the Landing Page and/or third-party websites.

Travel Audience may also receive user travel intent data (e.g., travel dates, origin, destination(s), etc.), although such user intent travel data should not, by itself, directly identify individual users.

Sensitive data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Unless instructed and defined by Customer, the Personal Data processed to provide the services does not concern nor require special categories of Personal Data or sensitive Personal Data.

Nature of the Processing: Data hosting, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination and/or deletion.

Purpose(s) of the Personal Data Processing:
  • Hosting: Hosting of Customer’s Landing Page;
  • Travel intent processing: Analysis of data based on Data Subject connected signals within the context and their interaction on digital properties, as to best define their interests;
  • Management of online marketing campaigns: promoting Customer defined content to Data Subjects by means of personalized advertising content and/or redirection to specific digital properties (such as websites, mobile applications and other applicable media outlets) as defined and agreed by the Parties;
  • Targeting Analysis: Display personalized advertising based on the signaled interests connected to the Data Subjects, for consequent retargeting of advertising content (via Travel Audience technology, Customer based technology or social media platforms);
  • Reporting: measure the effects/performance (e.g. clicks, views) of online advertising campaigns agreed by the Parties, which include attribution linked operations instructed by the Customer and/or Customer audit related obligations.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Retention of Personal Data for the period as described in this DPA or as required by the Customer and/or applicable legal requirement.

 

 

ANNEX 2   l   Security Measures

Travel Audience has implemented and will maintain the following measures for Customer Personal Data that is in the possession, control, or otherwise processed by and under the control and responsibility of Travel Audience in accordance with the following security measures.

 

Encryption of personal data
1.1. Pseudonymisation
For clients using our services, we take the security measures, as appropriate, that result from the respective service description of products or services or that were defined by the responsible person within the framework of the processing.

Otherwise, no pseudonymisation measures are taken.

1.2 Encryption
During the transmission of personal data within Travel Audience products via insecure or public networks, strong cryptography and security protocols are used for protection.  The used protocol exclusively supports secure versions or configurations. For the used encryption method, a state-of-the-art encryption strength is used.

 

Measures to secure confidentiality
2.1 Entry control
Entry to all buildings in which client personal data is processed is protected by means of mechanical or electronic keys. A key register is kept for all keys and access cards. The validity of this entry authorization is limited to the duration of the employment. Other individuals that require access to these areas for certain occasions are accompanied by a Travel Audience employee at all times. These areas are protected by a burglar alarm system. Outside business hours, the burglar alarm system is connected to a security service.

2.2 Admission control
All Travel Audience employees are subject to individual confidentiality agreements.

Every software developer has an individually assigned laptop as local workstation to develop data processing systems. Every laptop is fitted with a personal password-protected user account for the software developer and encrypted disk for storage purposes.

All data processing systems have an admission control system that prevents the use by unauthorized third parties.

2.3 Access control
The IT systems used in the data processing of Personal Data have a dedicated rights system that allows data access and modification rights to be assigned based on roles and individual authorisations. Employees only get the required access rights according to their functional tasks. Each employee’s responsibility for the confidentiality, integrity and availability of data and information is strengthened in yearly training measures.

The data processed and stored in Google Cloud is protected by Google from unauthorised access: “For Google employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to denied responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies.”

2.4 Separation control
Identical services for comparable customer groups are processed on jointly used systems. System administrators get system-specific, not customer-specific authorisations. The data is logically separated and only made accessible to authorised users.

Test and development systems are logically separated from production systems. The transition from development systems to production systems is secured by software release processes with authorisation procedures and traceably documented. All changes to production systems go through a peer-review process to ensure quality and correctness. Peer-review procedures are regularly reviewed and revised.

 

Measures to secure integrity
3.1 Transfer control
Data exchange takes place in encrypted form according to a state-of-the-art procedure.

Data exchange inside of Google Cloud is protected by Google: “Google uses encryption to protect data in transit and at rest. Data in transit to G Suite is protected using HTTPS, which is activated by default for all users. G Suite and Google Cloud Platform services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms.”

3.2 Input control
Differentiated user authorisations are defined. Employees only get the required access rights according to their functional tasks. The granting of authorisations takes place in a documented authorisation procedure.

Travel Audience employs the Google Cloud Audit service to monitor any modification to its Google Cloud resources.

 

Availability and capacity of the systems and services
The operating services include the implementation of data backups that enable data recovery in case of data loss. For this purpose, automated data backups are carried out according to specified standard procedures.

All data processing systems are designed redundantly. Redundancy is achieved by the design of the system and further enhanced by the underlying cloud infrastructure.

Google Cloud availability: “Google designs the components of our platform to be highly redundant. Google’s data centers are geographically distributed to minimize the effects of regional disruptions on global products such as natural disasters and local outages. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.”

 

Measures to restore availability and access to personal data in case of a technical incident
The operating services include the implementation of data backups as well as a data recovery in case of data loss. For this purpose, automated data backups are carried out according to standard procedures.

 

Procedure to regularly check, assess and evaluate the technical-organisational measures
6.1 Data privacy management
The Data Protection Officer ensures a regular check, assessment and evaluation of the effectiveness of the used technical and organisational measures to guarantee the security of the processing. In this way, it is ensured that all issues of legal data protection relevance are forwarded to the Data Protection Officer.

6.2 Order control
Identical products or services for comparable customer groups are processed on jointly used systems. System administrators get system-specific, not customer-specific authorisations. The data is logically separated and only made accessible to authorised users. Specific accounts are in place to restrict certain access to Data.

Test systems are physically separated from production systems.