CLASSIC VACATIONS PRIVACY AND DATA HANDLING REQUIREMENTS
Classic Vacations takes the security and privacy practices of companies it does business with extremely seriously, and we expect our vendors and other business partners to do the same. The purpose of these Requirements is to establish those minimum information security standards and data privacy requirements that must be adhered to by any Company performing services for Classic Vacations.
SCOPE OF REQUIREMENTS: Company must handle, treat, and otherwise protect Classic Vacations Information in accordance with these Requirements and any contractual agreement between such Company and Classic Vacations. If there is a direct conflict between any term of these Requirements and the terms of a written contract between Company and Classic Vacations, the terms of the written contract will prevail to the extent of the conflict.
Sections 1 through 4 apply as follows. Requirements in all sections that apply must be met:
- If Company accesses Classic Vacations Personal Data, Classic Vacations Critical Information, networks, or facilities
- If Company provides code or develops systems that access, process, or store Classic Vacations Information
- If Company accesses or otherwise receives Classic Vacations employee or customer Personal Data
- If Company accesses or otherwise receives Classic Vacations employee or customer Cardholder Data, or provides Cardholder processing software to Classic Vacations
Classic Vacations Privacy and Data Handling Requirements table
For purposes of these Requirements, the following definitions shall apply:
“Data Security Breach” means: (A) the loss or misuse (by any means) of Personal Data, including, without limitation any unauthorized access or disclosure to unauthorized individuals; (B) the inadvertent, unauthorized and/or unlawful Processing, corruption, modification, transfer, sale or rental of Personal Data; or (C) any other act or omission that compromises the security, confidentiality, or integrity of Personal Data. Data Security Breach includes, without limitation, a breach resulting from or arising out of Company’s internal use, Processing or other transmission of Personal Data, whether between or among Company’s subsidiaries and affiliates or any other person or entity acting on behalf of Company.
“EEA Data” means any Personal Data Processed by or on behalf of Company under this Agreement that relates to employees, customers or other individuals who are located in the EEA.
“Classic Vacations Critical Information” means any data, plus the infrastructure containing or providing direct access to that data, which has legal, financial or compliance implications for Classic Vacations. Examples of such data include Personal Data of Classic Vacations customers, employees, end-users, partners and suppliers, and other individuals; privileged administrative accounts and credentials; financial data including data subject to PCI DSS; critical security vulnerability and gap reports; and material non-public legal and intellectual property documents.
“Classic Vacations Information” is all non-public data and includes all Classic Vacations Critical Information and Classic Vacations Personal Data on any media format which is acquired from, owned by, stored on behalf of, or otherwise the responsibility and/or property of, Classic Vacations.
“GDPR” shall mean European Union Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (as amended, replaced or superseded).
“Highly Sensitive Information” is that subset of Personal Data whose unauthorized disclosure or use could reasonably entail enhanced potential risk for the data subject. Highly Sensitive Information includes, without limitation, U.S. Social Security Number (“SSN”), or credit or debit card number (“Cardholder Data”), and/or account authentication data, such as passwords or PINs.
“PA-DSS” means the Payment Application Data Security Standard, its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Payment Application” means any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
“Payment Card Brands” means American Express, Discover, MasterCard and Visa.
“PCI DSS” means the Payment Card Industry (PCI) Data Security Standard (DSS), its supporting documentation and any applicable subsequent version(s) of said standard published by the PCI Security Standards Council or its successor(s).
“Personal Data” means any information that relates to an individual, including an employee, customer, end-user or any other individual, including, without limitation: (A) first and last name; (B) home or other physical address; (C) telephone number; (D) email address; (E) identification number, location data or online identifier associated with an individual; (F) “Sensitive Information” (as defined below); (G) “Highly Sensitive Information” (as defined above); (H) employment, financial or health information; or (I) any other information relating to an individual, including cookie information and usage and traffic data or profiles, that is combined with any of the foregoing.
“Processing” or “Process” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, restriction, blocking, deletion, erasure, or destruction.
“Protected Environment” means any segregated network environment, network storage device, individual servers and/or devices which are secured through logical or physical access control to industry best-practice standards.
“Sensitive Information” is a subset of Personal Data and has the meaning assigned under Article 9 of the GDPR and includes medical information, criminal history, race, ethnicity, national origin, information about sexual orientation or activity, political opinions and religious beliefs.
“Technical and Organizational Security Measures” means security measures, consistent with the type of Personal Data being Processed and the services being provided by Company, to protect Personal Data, which measures shall implement best industry protections and include physical, electronic and procedural safeguards to protect the Personal Data supplied to Company against any Data Security Breach, and any security requirements, obligations, specifications or event reporting procedures set forth in any Schedule/Statement of Work to this Agreement.
SECTION 1: ACCESS TO PERSONAL DATA, CLASSIC VACATIONS CRITICAL INFORMATION, NETWORKS, OR FACILITIES
SCOPE OF SECTION 1: If Company has access to Classic Vacations Personal Data; Classic Vacations Critical information; Classic Vacations networks (including without limitation, if Classic Vacations is providing a data feed or other information to Company via the Internet or vice-versa); or Classic Vacations facilities (e.g., Company personnel will be performing services at a Classic Vacations facility), Company will, at a minimum, comply with the provisions in Section 1:
1.1 INFORMATION SECURITY PROGRAM
1.1.1 INFORMATION SECURITY RISK MANAGEMENT PROCESS
Company must have an established process that periodically assesses information security risk within the organization that has access to Classic Vacations Information.
1.1.2 INFORMATION SECURITY POLICY
Company must have a documented information security policy, approved by appropriate management or governance committee and reviewed periodically, which defines responsibilities for protecting information assets. Policies shall be based upon industry best practices, addressing areas such as asset management, personnel security, physical, environmental, equipment, and media security, communications and operations management, access controls, information systems development and maintenance, incident management, business continuity management, and compliance.
1.1.3 ORGANIZATION OF INFORMATION SECURITY
Company must document, adopt, and enforce compliance with Company information security requirements, policies, standards, and procedures. Company must provide Classic Vacations a point-of-contact for escalation of all information security matters. If Company is contractually permitted to allow third-party access to Classic Vacations Information, Company must define procedures that ensure that downstream third-party and outsourced service providers comply with this Agreement when working with Classic Vacations Information on behalf of Company.
1.2 ASSET MANAGEMENT, CLASSIFICATION, AND HANDLING
Company must have a managed and up-to-date inventory of Company assets that have access to Classic Vacations Information. Company must define and maintain an information classification process that specifies appropriate security and handling controls based upon defined classifications. Classic Vacations has the right to review and approve all non-Classic Vacations owned equipment connecting with Classic Vacations networks. Assets that connect to Classic Vacations networks may be subject to modifications including, but not limited to, custom configurations and settings, O/S hardening, patching, security agents and mobile security code (such as anti-virus and authentication certificates).
1.2.1 HANDLING CLASSIC VACATIONS INFORMATION
- All Classic Vacations Information must be encrypted in transit.
- Classic Vacations Highly Sensitive Information must be encrypted both in transit and at rest.
- All other Classic Vacations Information must be encrypted or secured in a Protected Environment with limited access when at rest.
1.3 PERSONNEL AND HUMAN RESOURCES SECURITY
1.3.1 BACKGROUND AND SCREENING CHECKS
To the extent allowed by local law and prior to employment, Company must conduct employee and contingent staff background screening commensurate with the level of access provided, including criminal, financial, and/or employment background screening. Background checks must be completed and the results deemed satisfactory by Company prior to the employee or contractor being assigned to perform services for Classic Vacations where those services will involve having access to Classic Vacations Information. Individuals whose background checks reveal convictions for violations including but not limited to computer crimes, fraud, theft, identity theft, or excessive financial defaults MUST not be permitted access to Classic Vacations Information. Upon request and to the extent allowed by local law, Company will provide necessary evidence to Classic Vacations of the screening and results.
1.3.2 SECURITY AWARENESS AND EDUCATION
- Anyone who has access to Classic Vacations Information must complete information security awareness training, annually. The training must educate employees and contingent staff on all applicable policies, procedures, and standards and the responsibility to secure confidential information such as Classic Vacations Information. Company shall be responsible for providing and verifying successful training of all Company employees and contingent staff. Classic Vacations’ online information security awareness training is available to anyone with an account on the Classic Vacations corporate network; successful completion of the Classic Vacations training is a requirement for continued access to the network, unless evidence of equivalent training is provided. Company must require employees to acknowledge, in writing or electronically, that they have completed all required training, and have read, understand, and agree to abide by all applicable security policies and procedures. Upon request, Company must provide evidence and reports of training completion to Classic Vacations.
1.4 PHYSICAL, ENVIRONMENTAL, EQUIPMENT, AND MEDIA SECURITY
- Company must implement controls that restrict unauthorized physical access to areas containing equipment used to access Classic Vacations Information. Company must monitor all areas containing equipment used to access Classic Vacations Information for attempts at unauthorized access. All secure areas must be enclosed by a perimeter that will deter unauthorized personnel from gaining access. Personnel working in secure areas must be easily identified as authorized to work in that area. Company must implement and maintain processes to verify that only authorized personnel with an approved business need may be permitted to work in secure areas. Company must not allow visitors access to secure areas unescorted. Company must ensure proper disposal of all Classic Vacations Information using appropriately secured containers for shredding or other approved means.
- Company must only store Classic Vacations Information in locations that will be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heat or cooling, and power failures or outages. Company must implement controls to prevent or detect the removal of any equipment involved in accessing Classic Vacations Information. For purposes of clarity, this provision relates only to permanent storage facilities. Portable media controls are listed below.
- If Company is contractually permitted to take Classic Vacations Information off-site in any format, soft or hard copy, Company must in all cases take steps to protect such Classic Vacations Information from unauthorized disclosure. Classic Vacations Information must not be transmitted to unauthorized external services/companies for transfer, storage, or backup. When not in use, Classic Vacations Information must be secured or locked away.
- When the use of Company-supplied removable or portable data storage media is authorized by Classic Vacations to store or access Classic Vacations Information, the media must be encrypted to industry-standard levels or similarly protected.
- Company must configure a password-protected inactivity timeout of fifteen (15) minutes, maximum, on workstations or laptops used to store or access Classic Vacations Information.
- Company must have processes in place to return or completely destroy Classic Vacations Information upon request, in any format in which it is stored, soft or hard copy, and must not allow personnel to discard any media containing Classic Vacations Information except by secure methods that completely destroy the data.
1.5 COMMUNICATIONS AND OPERATIONS MANAGEMENT
1.5.1 OPERATIONAL SYSTEM SECURITY
On all Company IT systems used to access, process, or store Classic Vacations Information:
- Company must follow documented change management procedures. Company must ensure thorough testing of changes to IT systems to prevent negative security impacts.
- Company must establish repeatable controls to ensure secure configuration and system hardening, including changing default passwords and settings, and disabling of all unnecessary services/daemons, ports, and network traffic on all systems that connect to Classic Vacations networks or access Classic Vacations Information.
- Company must establish and maintain a patch management process for software (including open source software and firmware) covering network devices, servers, and desktop/laptop computers, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Company must deploy patches in a period of time that is commensurate with the criticality of the patch and sensitivity of Classic Vacations Information accessed. Critical security patches must be installed within one month of their release.
1.5.2 MALWARE PROTECTION
Company must deploy, enable, and keep up to date malware protection that detects, removes, and protects against all known types of malicious software on all IT systems that access, process, or store Classic Vacations Information. Company must ensure malware protection technology is configured to enable upon boot-up, set both automatic updates and periodic scans, and have logging enabled. Infected systems must be removed from the network until verified as virus-free.
1.5.3 NETWORK, OPERATING SYSTEM, AND APPLICATION CONTROL
All systems or networks connecting to Classic Vacations networks and/or accessing Classic Vacations Information must employ safeguard controls capable of monitoring and blocking unauthorized network traffic. Company must enable logging on network activity for audit, incident response, and forensic purposes. Where such controls are not available, systems or networks used to access Classic Vacations Information must be physically or logically separate from other Company networks.
1.5.4 LOGGING OF SYSTEM USE
Company must configure all Company systems used to access, process, or store Classic Vacations Information to enable basic forensic accountability. In the case of an information security incident involving Company-supplied laptops, desktops, or removable or portable data storage media used to access, process, or store Classic Vacations Information, Company must provide access to the equipment or media to Classic Vacations or Classic Vacations’s representatives upon request, along with all relevant encryption/decryption keys necessary to enable forensic analysis, except when the incident involves the actual loss or destruction of the equipment or media.
Company servers used to access, process, or store Classic Vacations Information must maintain sufficient audit logging to enable forensic analysis, including logging of security events, connectivity to services and sessions, and modification to user and configuration settings. Audit logs must be maintained for a minimum of three months. In the case of an information security incident involving Company servers used to access, process, or store Classic Vacations Information, Company must provide access to the relevant audit logs to Classic Vacations or Classic Vacations’s representatives upon request to enable forensic analysis.
1.6 ACCESS CONTROL
1.6.1 CLASSIC VACATIONS-MANAGED ENVIRONMENTS
Access to Classic Vacations Information must be restricted to authorized users, only. When the data resides physically or logically within Classic Vacations-managed environments, Company access will be subject to Classic Vacations’s access management policies and procedures. Classic Vacations must authorize all decisions for access to Classic Vacations Information residing within Classic Vacations-managed environments. Company may not extend access to Classic Vacations Information residing within Classic Vacations-managed environments to third parties without prior written consent. Classic Vacations reserves the right to monitor all systems used to access Classic Vacations-managed environments. If Classic Vacations provides equipment such as laptops used to access Classic Vacations Information, the equipment will be subject to Classic Vacations’s configuration and access management policies and procedures. Company must immediately notify Classic Vacations in writing if a Company employee or Company subcontractor with access to Classic Vacations-managed systems terminates, no longer requires access to the Classic Vacations account, or requires changes to the user account. Notification must include name and User ID of the accounts or systems the person has access to.
184.108.40.206 REMOTE ACCESS CONTROL
Remote network connectivity to Classic Vacations-managed environments must always use Classic Vacations-approved methods such as SSL VPN when connecting. Classic Vacations’s Host Checker policy will not allow connection from equipment without the capability of meeting Classic Vacations’s security requirements for remote management, encryption, and authentication. Host Checker will verify equipment configurations such as current system patch levels, anti-virus software signatures and scanning engines, and personal firewalls. If Company is contractually permitted to remotely access Classic Vacations-managed environments with Company-supplied equipment, Classic Vacations will provide Company with a list of current configuration requirements upon request. Company shall be responsible for maintaining Company-supplied equipment configurations.
1.6.2 OUTSIDE OF CLASSIC VACATIONS-MANAGED ENVIRONMENTS
If Company is contractually permitted to access, process, or store Classic Vacations Information outside of Classic Vacations-managed environments, Company must have an access management process that includes account authorization and management, password management and authentication, and remote access controls. Company must not provide access to Classic Vacations Information to any third party (including, without limitation, Company’s subsidiaries and affiliates, subcontractors, and any person or entity acting on behalf of Company) unless the access is necessary to carry out Company’s obligations under this Agreement; such third party is bound by the obligations that are at least of the same level as those set out in this Agreement, and, for Personal Data, such obligations must comply with the requirements of the applicable privacy laws including the GDPR. Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company caused such breach.
220.127.116.11 COMPANY USER ACCESS MANAGEMENT
Classic Vacations authorizes access to Classic Vacations Information on a need-to-know basis. All user accounts used to access Classic Vacations Information must be unique and clearly associated with an individual user. Company must ensure unique assignment of user IDs, tokens, or physical access badges provided to employee or contingent staff granted access to Classic Vacations Information outside of Classic Vacations-managed environments. Company must ensure all user/system/service/administrator accounts and passwords are never shared. Company is responsible for reviewing authorization privileges assigned to its employees and contingent staff on a monthly basis to ensure that access is appropriate for the user’s functioning role. Access authorization should follow “principles of least privilege.” Company must provide and ensure that IT administrators use separate and unique accounts for administration and non-administration responsibilities. Company must ensure that procedures exist for prompt modification or termination of access rights in response to organizational changes.
18.104.22.168 PASSWORD MANAGEMENT AND AUTHENTICATION CONTROLS ON COMPANY SYSTEMS
Company must ensure that systems with access to Classic Vacations Information require complex passwords with reasonable expiration, reuse, and lock-out controls. Company must prohibit its users from sharing passwords. Company must encrypt authentication credentials during storage and transmission. Company must change passwords immediately for accounts suspected of compromise.
1.7 UNAUTHORIZED ACCESS TO CLASSIC VACATIONS INFORMATION
Company shall not attempt to access, or allow access to, any Classic Vacations Information which they are not authorized to access under this Agreement or associated Schedules/Statements of Work. If such access is attained, Company shall immediately terminate such access, report such incident to Classic Vacations, describe in detail the accessed Classic Vacations Information and return or destroy any copied or removed Classic Vacations Information upon Classic Vacations’s instruction.
1.8 INFORMATION SECURITY INCIDENT MANAGEMENT
Company must establish and maintain procedures that ensure appropriate response to security incidents. Management procedures should address monitoring, investigation, response, and notification. Company must securely save evidence such as security logs for forensic analysis. Incident response plans must include methods to protect evidence of activity from modification or tampering, and allow for the establishment of a proper chain of custody for evidence.
Company must notify Classic Vacations without undue delay, and in no event later than twenty-four (24) hours after becoming aware of a verified Data Security Breach; within forty-eight (48) hours of a suspected Data Security Breach involving Personal Data; and within seventy-two (72) hours of any suspected compromise of information security, system abuse, and/or violation of information security policy involving Classic Vacations Information; and must, at Company’s cost and expense, assist and cooperate with Classic Vacations concerning any disclosures to affected parties and/or data protection authorities, and other remedial measures as requested by Classic Vacations or required under applicable law.
Security notifications should be reported to Classic Vacations Enterprise Information Security via the Relationship Manager. If after hours, report notifications via the Classic Vacations Global Service Desk by email at EXPHD@Classic Vacations.com or by phone at (866) 679-7227 or 00 800 80007227 (Europe).
1.9 BUSINESS CONTINUITY MANAGEMENT
Company must maintain a comprehensive and current: business continuity plan (“BCP”) that documents and implements processes and procedures to ensure essential business functions continue to operate during and after a disaster; and disaster recovery plan (“DRP”) that documents technical plans for specific restoration of Classic Vacations Information, ensuring there is no reduction of security in a disaster. If Company is allowed to store or process Classic Vacations Information within its environment, it must ensure the availability of data through backups. All such backups must employ encryption and be stored in a secure off-site location.
Company information security policies and practices must comply with all applicable laws and regulations and contractual obligations to Classic Vacations. Where local laws appear to prevent compliance with Classic Vacations Information Security requirements, Company is responsible for notifying Classic Vacations Enterprise Information Security to determine appropriate compensating controls.
1.11 RIGHT TO AUDIT
Classic Vacations shall have the right to conduct, at Classic Vacations’s cost, inspections, assessments and/or audits (e.g. questionnaires, phone interviews, and onsite reviews), upon ten (10) days advance notice to Company, at a maximum of one (1) time per year, to evaluate compliance with these Requirements. Company agrees to cooperate with Classic Vacations or its assigned agents regarding such inspections, assessments and/or audits. Company, at its own cost, will promptly correct deficiencies in the Technical and Organizational Security Measures identified by Company or by Classic Vacations.
In addition to Classic Vacations’s annual compliance audit, in the event of a verified Data Security Breach involving Classic Vacations Personal Data, Company agrees, at its sole expense, to provide a mutually agreed upon third-party auditor, and any governmental authority acting pursuant to statutory powers, access for inspections, assessments and/or audits (e.g. via questionnaires, phone interviews, and onsite reviews), and with no less than ten (10) days advance notice to Company, including access to Company’s facilities, systems, records, procedures and business practices to the extent related to the Data Security Breach and the contracted products and services. The third-party auditors shall execute a mutually agreed-upon nondisclosure agreement with Company prior to commencing an audit. Any such audit may take place during the term of the Agreement and for a period of two years thereafter, shall occur during normal business hours and shall not unreasonably interfere with Company’s normal business operations. Company shall cooperate with third-party auditor’s agents regarding such inspections, assessments and/or audits. Any such audit reports shall be shared with Classic Vacations, subject to redaction of information reasonably considered highly sensitive and therefore confidential by Company.
SECTION 2: CODE OR SYSTEMS DEVELOPMENT AND MAINTENANCE
SCOPE OF SECTION 2: If Company’s services to Classic Vacations include code that Classic Vacations consumes or hosts, or where Company has in-house developers for systems that will access, process, or store Classic Vacations Information, Company will comply with the provisions in Section 2:
2.1 APPLICATION SECURITY
Company must not allow Classic Vacations production data in any development, test, quality assurance (“QA”), or other non-production environment. If production-quality data is required for development or testing purposes, it must first be “sanitized” by manipulation of data that removes all personal data elements, including name, SSN or equivalent, credit card numbers, etc. Company must ensure protection of Personal Data and Classic Vacations Critical information that is stored in cache or cookies.
2.1.1 CRYPTOGRAPHIC CONTROLS
Where applicable, Company must use commercially available cryptographic algorithms and all deployed encryption solutions must follow best practices in key management. Encryption keys must be protected against disclosure and misuse and must be rotated on a regular basis as defined by the level of sensitivity of information. Retired keys must be destroyed.
2.1.2 SYSTEM SECURITY
Company must establish and maintain configuration standards for all network devices and hosts accessing, processing, or storing sensitive Classic Vacations Information, addressing currently known security vulnerabilities and industry best security practices. Company must ensure that software (including open source software and firmware) used in operational systems maintain current level of patching support by its supplier.
2.1.3 SECURE DEVELOPMENT AND SUPPORT
All software development done on behalf of Classic Vacations must follow a documented software development process or life cycle (SDLC) with appropriate security checkpoints. Company must validate and test firmware, software, and application source code against vulnerabilities and weaknesses before deploying code to production. If Company develops software, it may be required to demonstrate the effectiveness of security controls prior to software acceptance. All software deployed to a production status in Classic Vacations’s environment must adhere to and utilize Classic Vacations’s change control process.
2.2 SECURITY AWARENESS AND EDUCATION
Company shall be responsible for providing and verifying successful completion of secure development training based upon industry best-practice standards for all Company developers working with the applicable code or systems. Classic Vacations’s online secure developer training is available to all developers with an account on the Classic Vacations corporate network; successful completion of the Classic Vacations training is a requirement for applicable Company developers, unless evidence of equivalent training is provided. Upon request, Company must provide evidence and reports of training completion to Classic Vacations.
SECTION 3: ACCESS TO EMPLOYEE OR CUSTOMER PERSONAL DATA
SCOPE OF SECTION 3: If Company has access to or otherwise receives Personal Data (including, without limitation, of potential, current or former Classic Vacations employees, customers, end-users or other individuals) in the course of providing services, Company will comply with the provisions in Section 3:
- Personal Data shall at all times remain the sole property of Classic Vacations, and nothing in this Agreement will be interpreted or construed as granting Company any license or other right under any patent, copyright, trademark, trade secret, or other proprietary right to Personal Data.
- Company shall Process Personal Data only on the written instruction of Classic Vacations and in accordance with this Agreement and applicable data privacy and security laws. Classic Vacations hereby instructs Company, and Company hereby agrees, to Process Personal Data as necessary to perform Company’s obligations under this Agreement and strictly for no other purpose. Further details of the nature and purposes of the processing are set out at the applicable SOW governed by this Agreement.
- Company shall not create or maintain data which are derivative of Personal Data except for the purpose of performing its obligations under this Agreement and as authorized by Classic Vacations.
- Company shall return, delete, or destroy (at Classic Vacations’s request) all Personal Data relating to this Agreement, in any medium, including any copies and materials derived from or incorporating such Personal Data, upon the expiration or termination of this Agreement, or when there is no longer any legitimate business need (as determined by Classic Vacations) to retain such Personal Data, or otherwise on the instruction of Classic Vacations, but in no event later than ten (10) days from the date of such expiration, termination, or instruction. If applicable law prevents or precludes the return or destruction of any Personal Data, Company shall notify Classic Vacations and shall protect the Personal Data from any further Processing except Company’s obligations under this Agreement to protect the security of Personal Data shall survive termination of this Agreement.
- At any and all times during which Company is Processing Classic Vacations Personal Data, Company shall:
- Comply with all applicable privacy and security laws to which it is subject, and not, by act or omission, place Classic Vacations in violation of any applicable privacy or security law.
- Have in place appropriate Technical and Organizational Security Measures to protect the security of Personal Data and prevent a Data Security Breach, including, without limitation, a breach resulting from or arising out of Company’s internal use, Processing or other transmission of Personal Data, whether with Classic Vacations, between or among Company’s subsidiaries and affiliates, or any other person or entity acting on behalf of Company. Upon Classic Vacations’s request, Company shall provide evidence that it has established and maintains Technical and Organizational Security Measures governing the Processing of Personal Data.
- Not disclose Personal Data nor permit any third party to access or Process Personal Data (including, without limitation, Company’s subsidiaries, affiliates, subcontractors or any person or entity acting on behalf of Company) unless with respect to such disclosure, accessing or Processing: (A) the disclosure, accessing or Processing is necessary in order to carry out Company’s obligations under this Agreement; (B) such third party is bound by provisions and obligations substantively equivalent to those set forth in this Agreement; (C) Company has received Classic Vacations’s prior written consent; and (D) Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company caused such breach.
- Establish policies and procedures to provide all reasonable and prompt assistance to Classic Vacations in responding to any and all requests, complaints, or other communications received from any individual who is or may be the subject of any Personal Data Processed by Company.
- Cross-border data transfers.
- Company shall not Process (and shall not permit any third party to Process) Personal Data outside the territory of origination unless it takes any required compliance measures to enable such transfer legally.
- With regard to EEA Data (defined below), Company shall not Process (and shall not permit any third party to Process) such data in any territory outside of the European Economic Area (“EEA”) unless it first informs Classic Vacations and takes such measures as Classic Vacations considers necessary to provide adequate protection for the EEA Data consistent with the requirements of Chapter V of the GDPR. For the avoidance of doubt, such measures may include Company (or third party, as applicable):
- ensuring that it processes the EEA data in a country that has been deemed adequate by the European Commission pursuant to Article 45 of the GDPR;
- processing the EEA Data pursuant to Standard Contractual Clauses (or “model clauses”) approved by a decision of the European Commission;
- processing the EEA Data in compliance with Binding Corporate Rules that have been duly authorized by EEA data protection authorities that are competent for the EEA Data.
- with respect to transferring the EEA data to the United States, Processing such data pursuant to the EU-U.S. and/or Swiss-U.S. Privacy Shield Frameworks, as applicable.
- Ensure that any person (including Company’s staff, agents and Subcontractors) who is authorized to Process the Personal Data is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality.
- With regard to EEA Data, assist Classic Vacations to conduct data protection impact assessments to the extent such assessments are required by the GDPR, and if necessary, consult with relevant supervisory authorities pursuant to Articles 35-36 of the GDPR.
SECTION 4: COMPANY REPRESENTATIONS, ACKNOWLEDGEMENTS, AND AGREEMENTS RELATED TO CARDHOLDER AND FINANCIAL/PAYMENT ACCOUNT DATA
SCOPE OF SECTION 4: If Company has access to or otherwise receives Classic Vacations employee or customer financial/payment account numbers, including without limitation Cardholder Data, or provides Cardholder processing software to Classic Vacations, Company will comply with the provisions in Section 4:
- Company represents that it is presently in compliance, and will remain in compliance with the current PCI DSS. Company shall provide Classic Vacations with a copy of its PCI DSS Attestation of Compliance annually at the time of filing, and immediately notify Classic Vacations of any change in its PCI DSS compliance status.
- Company acknowledges that Cardholder Data is owned exclusively by Classic Vacations, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Classic Vacations, and further acknowledges that such Cardholder Data may be used only on the instruction of Classic Vacations and in accordance with this Agreement, applicable privacy and security laws, and the operating regulations of the Payment Card Brands.
- Company agrees that, in the event of a Data Security Breach involving Cardholder Data, Company shall afford full cooperation and access to Company’s premises, books, logs and records by a designee of the Payment Card Brands to the extent necessary to perform a thorough security review and to validate Company’s compliance with the PCI Standards.
- If Company provides to Classic Vacations software that processes any payments via a payment application, Company represents that software provided to Classic Vacations has been assessed and complies with the PA-DSS, and agrees to provide Classic Vacations with all documentation, including the PA-DSS Implementation Guide, necessary for Classic Vacations to deploy the software in a manner consistent with PCI DSS. Company agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS and provide updated documentation as necessary.
Last Revised March 23, 2021