Instant Book Data Sharing Exhibit 

This Data Sharing Exhibit (“Exhibit”) forms an integral part of each written or electronic agreement between TripAdvisor and Partner, on behalf of itself and its affiliates, for the provision of the Instant Book Services from TripAdvisor as identified in the applicable agreement and hereinafter defined as Services (“Services”) (each an “Agreement”). All capitalized terms, where not otherwise defined in this Exhibit, will have the meanings set forth in the Agreement.

1. General

The purpose of this Exhibit is to reflect the arrangements between TA and Partner that have been put in place to facilitate the sharing of personal data between the parties acting both as data controller.

2. Roles and responsibilities of the parties

2.1.   The parties hereby acknowledge and agree that either party acts as a Controller within the meaning of Regulation (EU) 2016/679 (GDPR), together with any national implementing laws in any member state of the European Union (Data Protection Laws) in respect of the personal data it receives from the other party, and that each party will individually determine the purposes and means of its processing of the personal data.

2.2.   Each parties shall only process personal data in accordance with the requirements of Data Protection Laws, including:

a.   process the personal data lawfully, fairly and in an transparent manner in relation to the data subjects;

b.   treat the personal data as confidential and ensures that is employees will treat the personal data as confidential;

c.   only process the personal data for limited and specified purposes;

d.   not retain the personal data for longer than is necessary to carry out the purposes for which it has obtained the personal data; and

e.   implement appropriate security measures to protect the personal data, including appropriate technical and organisational measures, to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage, including inter alia:

                 i.   the pseudonymisation and encryption of the personal data;

ii.  the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

iii. the ability to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident; and

iv.  a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.3.  Where either party becomes aware of inaccuracies of the personal data received from the other party, it will notify the other party thereof.

3. Data breaches

Each party shall notify the other party without undue delay after becoming aware of a notifiable personal data breach within the meaning of article 33 and article 34 of the GDPR. Such notification shall include information that the relevant party reasonably is able to disclose to the other party, taking into account the nature of the personal data and the personal data breach, the information available to the relevant party and any restriction on disclosing the information, such as confidentiality.

4. Data transfers

Each party may transfer the personal data outside the European Economic Area if it complies with the provisions of the Data Protection Laws on the transfer of personal data to third countries.

5. Data subject’s requests ad third party rights

Each party that has disclosed personal data to the other party shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with the GDPR to that other party, unless this proves impossible or involves disproportionate effort.

6. Indemnity

Each party will hold the other party harmless of any claims, damages, penalties and any costs or fees, of whatever nature incurred by the party or for which the party may become liable due to any failure by the other party or its employees or agents to comply with any of its obligations under this Exhibit or any Data Protection Legislation.

7. Other

The Partner confirms that it has the ability and competence to fulfill the obligations set out in this Exhibit.


Last Updated: May 2018