Privacy Terms Applicable to Group Sales Agreements

At Hilton, we take the protection of Personal Data very seriously. All individuals or organizations (“Group Sales Customers”) that enter into a group sales agreement (“Agreement”) with Hilton Domestic Operating Company Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned or managed hotels, partnerships or joint ventures (individually or collectively, “Hilton”), or through Hilton for the benefit of its franchisees, must abide by and comply with the terms set forth in these Privacy Terms Applicable to Group Sales Agreements (the “Privacy Terms”). In the event of a conflict between these Privacy Terms and the Agreement, these Privacy Terms shall control, unless the Agreement sets forth terms that provide greater protection for personal information, in which case the Agreement shall control. Hilton and Group Sales Customer agree to execute Standard Contractual Clauses as required by applicable law.

With respect solely to Personal Data of residents of a country within the European Economic Area or of the United Kingdom (if and as applicable):

In the absence of an adequacy decision by the European Commission or other relevant body, to the extent that Personal Data is transferred by a party outside the European Economic Area or the United Kingdom for processing, that party shall provide appropriate safeguards in accordance with the GDPR and/or UK GDPR (as applicable) and fully comply with the Controller to Controller Standard Contractual Clauses (“SCCs”) and/or UK Addendum. The SCCs and UK Addendum are incorporated by reference herein subject to the following terms:

• The parties decline to incorporate Clause 7 (Docking Clause) of the SCCs.

• The parties agree that Clause 17 (Governing law) Option of the SCCs shall apply. These clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The parties agree that this shall be the law of Ireland except with the UK Addendum applies, in which case the parties agree that this shall be the laws of England and Wales.

• Pursuant to Clause 18 (Choice of forum and jurisdiction) of the SCCs, any dispute arising from these clauses shall be resolved by the courts of Ireland, except when the UK Addendum applies, in which case the parties agree that any dispute rising from these clauses shall be resolved by the courts of England and Wales.

• Pursuant to Annex 1.A of the SCCs, the parties agree that Hotel is the “Data Importer” and Group Sales Customer is the “Data Exporter” and that the details of the transfer are provided for in the Agreement.

• The parties agree to incorporate Annex II as provided herein:

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

a. Data Importer maintains appropriate security procedures and practices designed to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Data. Such procedures and practices are compliant, at a minimum, with these clauses, and applicable data protection requirements. All such procedures and practices take into account the nature of the Personal Data and the commensurate risks associated with such Personal Data.

b. Consistent with the foregoing, Data Importer:

i. adopted, implemented, maintains, and monitors a written information security program that contains administrative, technical, and physical safeguards to (A) prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Data; (B) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; and (C) ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;

ii. conducts periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;

iii. takes reasonable steps to ensure the trustworthiness of all Data Importer employees, agents and subcontractors who will be provided with access to Personal Data;

iv. ensures that its information security program includes industry standard password, firewall, operating system, anti-virus, and malware protections to protect Personal Data stored or otherwise handled on computer systems;

v. encrypts, using industry standard encryption tools, all records and files (A) containing Personal Data that Data Importer transmits or sends wirelessly or across public networks; and (B) containing sensitive Personal Data that Data Importer: (1) stores on laptops or storage media; (2) stores on portable devices; and (3) stores on any device that is transported outside of the physical or logical access controls of Data Importer; and to safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Data;

vi. maintains an incident response program that specifies the actions to be taken by Data Importer when it has reason to believe that a Data Security Breach may have or has occurred; and

vii. implements such additional security measures as may be required under applicable data protection laws.