Service Provider Data Protection Standards (SPDPS)
Last Updated: February 2022
At Hilton, we take the protection of Personal Information relating to our customers, employees, independent contractors, and service providers very seriously. All individuals or organizations that provide goods or services (“Providers”) to Hilton Domestic Operating Company Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned and managed hotels, partnerships or joint ventures (individually or collectively, “Hilton”), or through Hilton for the benefit of its franchisees, must abide by and comply with the principles set forth in these Service Provider Data Protection Standards (the “Standards”). These Standards form part of any agreement between Hilton and Provider that references these Standards, or to which these Standards are attached or incorporated (the “Agreement”). In the event of a conflict between these Standards and the Agreement, these Standards shall control with respect to its subject matter, unless the Agreement sets forth more stringent standards.
a. “Biometric Data” means Personal Information resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual that allows or confirms the unique identification of that individual.
b. “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.
c. “Data Protection Requirements” means, collectively, all laws and regulations relating to data privacy, data security, personal data, transborder data flow, and data protection that apply to Provider’s Processing of Personal Information, including without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation (“GDPR and Brazil’s Law No. 13.709 of August 14, 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of July 8, 2019) (the “LGPD”)).
d. “Data Safeguards” means the administrative, operational, organizational, technical, and physical safeguards described in Section 9 of these Standards, as modified in accordance with these Standards. e. “Genetic Data” means Personal Information relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of that individual and which result, in particular, from an analysis of a biological sample from such individual.
f. “Health Data” means Personal Information related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health.
g. “Malware” means computer software, code, or instructions that: (a) adversely affect the operation, security, availability, or integrity of a computing, telecommunications, or other digital operating or processing system or environment, including without limitation, other programs, data, databases, computer libraries, and computer and communications equipment, by altering, destroying, disrupting, or inhibiting such operation, security, or integrity; (b) self-replicate without manual intervention where such self-replication lacks functional purpose; (c) purport to perform a useful function but which actually perform either a destructive, harmful, or unauthorized function, or perform no useful function and utilize substantial computer, telecommunications, or memory resources; or (d) without authorization, collect and/or transmit to third parties any information or data, including such software, code, or instructions commonly known as viruses, Trojans, logic bombs, worms, and spyware.
h. “Personal Information” means any information (i) that can be used (alone or in combination with other information within Provider’s control) to identify, locate, or contact a specific individual, or (ii) related to an identified or identifiable individual. By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address, and email address as well as less obvious information such as an individual’s personal preferences, hotel stay-related information, guest account information, location data, and online identifiers. Personal Information also includes (without limitation) factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual. Personal Information may pertain to customers, employees, or others. Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, and excerpts, whether or not such Personal Information has been intermingled with other information or materials. For purposes of these Standards, Personal Information only includes information: (i) provided to Provider by or on behalf of Hilton; or (ii) obtained, used, accessed, possessed, or otherwise Processed by Provider in connection with the provision of the Services.
i. “PCI Standards” means the data security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standards currently in effect and as modified during the term of the Agreement.
j. “Process“ means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
k. “Provider Processing Record” means a written record of all categories of Processing carried out in connection with the Services, which contains the following: (i) the name and contact details of Provider and any Subcontractors and, where applicable, the name and contact details of Provider’s data protection officer; (ii) the categories of Processing performed by the Provider for Hilton; (iii) the list of countries, if any, to which the Provider transfers Personal Data; and (iv) a description of the Provider’s Data Safeguards.
l. “Security Breach“ means (i) any circumstance pursuant to which applicable Data Protection Requirements require action in response to such circumstance, including but not limited to, notification of such breach to be given to affected parties, a regulator, or data protection authority; or (ii) any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance that compromises, or could reasonably be expected to compromise, either Physical Security or Systems Security (as such terms are defined below) in a manner that either does or could reasonably be expected to permit unauthorized Processing, use, disclosure, acquisition of, or access to any Personal Information. “Physical Security” means physical security at any location housing systems maintained by Provider or its agents or Subcontractors in connection with the Services or in the course of physical transportation of assets or physical media used by Provider or its agents or Subcontractors in performing the Services. “Systems Security” means security of computer, electronic, or telecommunications systems of any variety (including databases, hardware, software, storage, switching, and interconnection devices and mechanisms); security of networks of which such systems are a part or with which such systems communicate; and security of networks used directly or indirectly by Provider or its agents, or Subcontractors in connection with the Services.
m. “Sensitive Personal Information“ is Personal Information which due to its nature has been classified by applicable Data Protection Requirements as deserving additional privacy and security protections, including (without limitation): (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver’s license number, or other identification number issued by a government or public body or (B) financial account number; (ii) an individual’s username which, in combination with a password, PIN, or access code would grant access to an online account; (iii) Cardholder Data; (iv) data about racial or ethnic origin; (v) data about political opinions, religious or philosophical beliefs, or trade union membership; (vi) Genetic Data; (vii) Biometric Data; (viii) Health Data; and (ix) data concerning a natural person’s sex life or sexual orientation. n. “Services“ means the goods and services provided by Provider to Hilton, or through Hilton for the benefit of its franchisees, as further described in the Agreement.
o. “Subcontractor“ means an entity, including any Provider affiliate, engaged by Provider to perform Services for Provider that involve the Processing of Personal Information.
2. SUBJECT MATTER AND DURATION OF PROCESSING; TYPE AND NATURE OF PERSONAL INFORMATION.
Provider will Process Personal Information in connection with the Services described in the Agreement and during the term of such Agreement, subject to compliance with the Data Protection Requirements and the Agreement. The type of Personal Information Processed by Provider is described in the Agreement. The Processing may involve Personal Information of employees of Hilton, customers and guests of Hilton, and business contact information of Hilton corporate customers, suppliers, and other business partners, as further described in the Agreement.
3. NATURE AND PURPOSE OF THE PROCESSING; OWNERSHIP OF PERSONAL INFORMATION.
Hilton will have the exclusive right to determine the purposes for which the Personal Information is Processed. Provider will Process Personal Information for the sole purpose of providing the Services in accordance with the Agreement. At no time will Provider acquire any ownership, license, rights, or other interest in or to the Personal Information. As between Hilton and Provider, Personal Information will remain the proprietary information of Hilton at all times and Hilton shall be the “Controller” and Provider shall be the “Processor,” as such terms are defined in the GDPR and LGPD.
4. USE AND PROCESSING OF PERSONAL INFORMATION
Provider will Process the Personal Information only on behalf of Hilton and only as specifically instructed by Hilton in writing, including with regard to transfers of Personal Information to a third country or an international organization, unless required to do so by Data Protection Requirements to which Provider is subject; in such a case, Provider shall inform Hilton of that legal requirement before Processing, unless such Data Protection Requirement prohibits such information on important grounds of public interest. Hilton hereby instructs Provider to Process the Personal Information solely as necessary to provide the Services under the Agreement and subject to compliance with the Agreement, these Standards and the Data Protection Requirements. In no event may Provider: (a) use Personal Information to market its services or those of an affiliate or third party; (b) sell or rent Personal Information; or (c) otherwise Process any Personal Information for Provider’s, its affiliates’, or any third party’s own purposes. Provider shall immediately inform Hilton if, in its opinion, an instruction infringes any Data Protection Requirements.
5. USE OF SUBCONTRACTORS
a. Unless otherwise expressly permitted pursuant to the Agreement, Provider will not utilize Subcontractors in the performance of Services without the written consent of Hilton in each instance.
b. To the extent that the Agreement expressly provides for a general authorization for Provider to use Subcontractors, Provider shall: (i) provide Hilton a list of Provider’s Subcontractors involved in the provision of Services prior to the commencement of Services and promptly upon request by Hilton, with the identity of each Subcontractor, the Services performed by such Subcontractor, the location(s) from which such Subcontractors perform Services, and such additional information as may be reasonably requested by Hilton; and (ii) notify Hilton in writing in the event of any intended addition or replacement of any such Subcontractors (each, a “Subcontractor Change”). Hilton shall have a reasonable period of time to object to any Subcontractor Change. In the event of any such objection, Provider will not implement the Subcontractor Change unless Provider is able to address Hilton’s concerns to Hilton’s reasonable satisfaction. In the event of a Subcontractor Change involving Services provided in a “software as a service” or multi-tenant environment, where Subcontractor Changes cannot be implemented separately for a single customer and Provider is unable to address Hilton’s concerns to Hilton’s reasonable satisfaction, Hilton may terminate the Agreement or the applicable Services for cause and without liability (or payment of any termination or other fees). In the event of such a termination, Provider will promptly refund Hilton any pre-paid fees covering the remainder of the term of such Agreement or Services.
c. Where Provider engages a Subcontractor for carrying out specific Processing activities on behalf of Hilton, Provider shall impose on the Subcontractor the same data protection obligations as set out herein between Hilton and Provider. These obligations shall be imposed by way of a contract or other legal act under applicable Data Protection Requirements and shall require the Subcontractor to provide sufficient guarantees that it will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Requirements. Provider will remain at all times accountable and responsible for compliance with these Standards by its Subcontractors.
6. DISCLOSURE OF PERSONAL INFORMATION
Provider will hold the Personal Information in confidence in accordance with the Data Protection Requirements, these Standards, and the Agreement. Provider will not disclose Personal Information to any of its affiliates or to any third party (including, without limitation, any Subcontractors) except as necessary to provide the Services. Prior to disclosing any Personal Information to any Subcontractor or other third party, Provider will have in place with such Subcontractor or other third party a written agreement that includes obligations that are at least as restrictive as those in these Standards. Provider further agrees, upon Hilton’s request, to provide a list of all affiliates and third parties to which Provider has disclosed Personal Information. Provider will remain at all times accountable and responsible for compliance with these Standards by Provider, Provider’s affiliates, and third parties to whom Provider discloses any Personal Information. Provider will ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information and have executed written confidentiality agreements (or are under an appropriate statutory obligation of confidentiality). Provider will ensure that such confidentiality obligations survive any termination of employment of such personnel.
7. DISCLOSURE UNDER LEGAL PROCESS
If Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand, or other similar process) to disclose any Personal Information to a third party, Provider will not disclose the Personal Information without complying with applicable laws. Unless prohibited by applicable law, Provider will provide Hilton with written notice of any request or requirement to disclose Personal Information to a third party no more than seventy-two (72) hours after receiving the request but in any event prior to making any disclosure so that Hilton may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. Notwithstanding the foregoing, Provider will exercise commercially reasonable efforts to prevent or limit any disclosure of Personal Information and to preserve the confidentiality of Personal Information including, without limitation, by cooperating with Hilton to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to any Personal Information that the Provider is required to disclose.
8. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION
As provided in Section 4, Provider may only transfer Personal Information from one country to another upon the prior written consent of Hilton and in compliance with Data Protection Requirements. At Hilton’s discretion, Provider will require any of its agents and/or Subcontractors to enter into a data processing agreement with Hilton that incorporates the Standards and any necessary contract terms related to cross-border data transfers. Should the agent and/or Subcontractor not agree to the data processing agreement, Provider may not use that agent or Subcontractor and must engage in a Subcontractor Change. Such change will be governed by Section 5(b) of these Standards.
a. If the Provider will obtain or have access to Personal Information originating from the European Economic Area (“EEA”), UK, or Switzerland, the following applies:
i. If Provider will store Personal Information originating from the UK outside of the UK or EEA, Provider agrees to the UK Addendum to the European Commission Standard Contractual Clauses (SCCs) between controllers and processors. The SCCs and UK Addendum are incorporated by reference into these Standards, as further discussed in Section 8(b);
ii. If Provider will store Personal Information originating from within the EEA or Switzerland outside of the EEA or Switzerland, Provider agrees to the European Commission Standard Contractual Clauses (SCCs) between controllers and processors. The SCCs are incorporated by reference into these Standards, as further discussed in Section 8(b).
b. When Section 8(a) applies, the SCCs for transfers between controllers and processors (Module two) are incorporated by reference (the SCCs can be found). Hilton and Provider agree to the SCCs as follows:
i. Hilton is the controller/data exporter. Provider is processor/data importer.
ii. Pursuant to Clause 6 (Details of the transfer) of the SCCs, Hilton and the Provider agree that the details of the transfer are described in the Agreement and Sections 2-4 of these Standards. The details of the transfer form Annex 1.B of the SCCs.
iii. Hilton and Provider agree to incorporate Clause 7 (Docking clause) of the SCCs.
iv. Pursuant to Clause 8 (Obligations of the parties) of the SCCs, Provider as the data importer agrees that it has implemented the technical and organizational security measures specified in Section 9 of these Standards (the Data Safeguards). The Data Safeguards constitute the technical and organizational security standards that form Annex II of the SCCs.
v. Hilton and Provider agree to incorporate Clause 9(a) Option 2 (General Written Authorization) of the SCCs.
vi. Hilton and Provider agree that the following language applies to Clause 13(a) (Supervision) of the SCCs: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
vii. Hilton and Provider agree that Clause 17 (Governing Law) Option 1 of the SCCs shall apply. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland except when the UK Addendum applies, in which case the parties agree that this shall be the laws of England and Wales.
viii. Pursuant to Clause 18 (Choice of forum and jurisdiction) of the SCCs, any dispute arising from these Clauses shall be resolved by the courts of Ireland, except when the UK Addendum applies, in which case the parties agree that any dispute arising from these Clauses shall be resolved by the courts of England and Wales.
ix. Pursuant to Annex I. A (List of parties) of the SCCs, the Data Exporter party shall be: Hilton 7930 Jones Branch Drive McLean, Virginia 22101 U.S.A. Data Protection Officer DataProtectionOffice@hilton.com Activities relevant to the data transferred under these Clauses: The data exporter engages with the data importer to process data in accordance with the parties’ data processing agreement. Role: Controller
x. Pursuant to Annex I.A (list of parties) of the SCCs, Provider shall provide Hilton with the Data Importer party information.
xi. Pursuant to Annex I.C (Competent Supervisory Authority) and in accordance with Clause 13 (Supervision) of the SCCs, the Competent Supervisory Authority is the Dutch Data Protection Authority, except when the UK Addendum applies, in which case the Competent Supervisory Authority is the UK’s Information Commissioner’s Office.
xii. Pursuant to Annex III. (List of Sub-Processors) of the SCCs, Provider shall provide Hilton with the list of sub-processors, when applicable.
xiii. Hilton and Provider agree that by signing the Agreement they are also signing the SCCs, and if relevant, the UK Addendum, as incorporated by reference and completed in accordance with this Section 8(b).
c. Should a court with applicable jurisdiction invalidate the use of the SCCs as a mechanism by which to transfer Personal Information, Hilton and Provider agree to promptly implement contractual language and/or technical changes to ensure that transfers of Personal Information are lawful.
d. Should countries other than those in the EEA, UK, and Switzerland adopt cross-border data transfer clauses similar to the SCCs, Hilton and Provider agree to execute such clauses when necessary.
9. DATA SAFEGUARDS
a. Provider will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information. Such procedures and practices will be compliant, at a minimum, with the Agreement, these Standards, and the Data Protection Requirements. All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information.
b. Consistent with the foregoing, Provider agrees:
i. to adopt, implement, maintain, and monitor a written information security program that contains administrative, technical, and physical safeguards to (A) prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information; (B) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; and (C) ensure the ability to restore the availability of and access to Personal Information in a timely manner in the event of a physical or technical incident;
ii. to conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;
iii. to take reasonable steps to ensure the trustworthiness of all Provider employees, agents and Subcontractors who will be provided with access to Personal Information;
iv. to ensure that its information security program includes industry standard password, firewall, operating system, anti-virus, and Malware protections to protect Personal Information stored or otherwise handled on computer systems;
v. to encrypt, using industry standard encryption tools, all records and files (A) containing Personal Information that Provider transmits or sends wirelessly or across public networks; and (B) containing Sensitive Personal Information that Provider: (1) stores on laptops or storage media; (2) stores on portable devices; and (3) stores on any device that is transported outside of the physical or logical access controls of Provider; and to safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Information;
vi. to maintain an incident response program that specifies the actions to be taken by Provider when it has reason to believe that a Security Breach may have or has occurred;
vii. to implement such additional security measures as may be required under the Data Protection Requirements or specified in the Agreement.
viii. to comply with the PCI Standards with respect to Cardholder Data if the Provider Processes Cardholder Data in connection with the Services. Consistent with Provider’s obligations as set forth in the Agreement, Provider acknowledges its responsibility for the protection and security of Cardholder Data in connection with the performance of the Services. Provider further represents and warrants that it will not take any actions that will compromise Hilton’s ability to comply with the PCI Standards.
ix. where Provider, directly, or through any of its agents or Subcontractors, connects to Hilton’s computing systems and/or networks, that: (A) all Provider interconnectivity to Hilton’s computing systems and/or networks and all attempts at same will only occur through Hilton’s security gateways/firewalls; (B) Provider will not access, and will not permit any other person or entity to access, Hilton’s computing systems and/or networks without Hilton’s authorization; (C) if Hilton grants Provider permission to access its computing systems and/or networks, Provider will only access Hilton’s computing systems and/or networks as authorized; and (D) Provider’s systems connecting to Hilton’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Hilton’s computing systems or networks, will be actively protected by an industry standard Malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Hilton’s computing systems and/or networks. Provider agrees that Hilton may perform periodic assessments of Provider’s network. Should any assessment of Provider’s network reveal inadequate security by Provider or its agents or Subcontractors, Hilton, in addition to other remedies it may have, may suspend Provider’s, its agents’ or Subcontractors’ access to Hilton’s computing systems and/or networks until such security issue has been resolved to the satisfaction of Hilton.
c. Provider agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider employees and agents who require such access for purposes of providing goods and/or services to Hilton; and (iv) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.
d. If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal. Upon request, Provider will be required to certify to Hilton that all forms of Personal Information disposed of have been destroyed in accordance with these Standards. If Provider cannot so certify, Provider shall provide a written explanation for its inability to certify that it complied with this disposal requirement.
e. Provider shall review and, as appropriate, revise the Data Safeguards: (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended, or re-interpreted Data Protection Requirements, and (iv) as reasonably requested by Hilton. Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Information.
10. SECURITY BREACHES
Provider agrees to notify Hilton at ISC@Hilton.com immediately upon becoming aware of a Security Breach, including the presence of Malware, if possible. If Provider is not able to notify Hilton immediately upon becoming aware of a Security Breach, including the presence of Malware, Provider will notify Hilton within seventy-two (72) hours of becoming aware of a Security Breach. After providing such notice, Provider will (i) promptly investigate the Security Breach, including by conducting a root cause analysis, and report its findings to Hilton, (ii) provide Hilton with a remediation plan, approved by Hilton in its sole discretion, to address the Security Breach and prevent any further incidents; (iii) remediate such Security Breach in accordance with the Hilton-approved remediation plan; (iv) conduct a forensic investigation to determine what systems, data, and information were affected by the Security Breach; (v) cooperate with Hilton as Hilton executes its security incident response plan and otherwise investigates the Security Breach; (vi) abide by any requests by Hilton for Provider to cooperate with any law enforcement or regulatory officials, credit reporting companies, or credit card associations investigating such Security Breach, and (vii) keep Hilton advised of the status of such Security Breach and all matters related thereto. Provider further agrees to provide all reasonable assistance requested by Hilton and/or Hilton’s designated representatives in the furtherance of any investigation, correction, and/or remediation by Hilton of any such Security Breach and shall reimburse Hilton upon Hilton’s demand for all reasonable Security Breach Related Costs incurred by Hilton arising out of or in connection with any such Security Breach. If a notification to an individual is required under any Data Protection Requirement or pursuant to any Hilton privacy or security policies, then notifications to all individuals who are affected by the same event (as reasonably determined by Hilton) shall be considered legally required. Security Breach Related Costs shall include Hilton’s internal and external costs associated with addressing and responding to the Security Breach, including but not limited to: (i) the preparation and mailing or other transmission of legally required notifications; (ii) the preparation and mailing or other transmission of such other communications to affected individuals, agents, or others as Hilton deems reasonably appropriate; (iii) the establishment of a call center for up to twelve (12) months or such longer period as may be required pursuant to applicable Data Protection Requirements or is reasonable under the circumstances; (iv) the establishment of communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points, and training); (v) fees for public relations and other similar crisis management services; (vi) legal, forensics, and accounting fees and expenses associated with Hilton’s investigation of and response to such Security Breach or presence of Malware; and (vii) costs for commercially reasonable credit reporting, credit watch, identity protection, identity remediation, and similar services that are associated with legally required notifications or are advisable under the circumstances for up to twelve (12) months or such longer period as may be required pursuant to applicable Data Protection Requirements or is reasonable under the circumstances. Unless otherwise required by applicable Data Protection Requirements, Hilton shall make the final decision on notifying Hilton’s employees, guests, service providers, regulatory authorities and/or the general public of such Security Breach, and the implementation of the remediation plan.
11. COMPLAINTS; INVESTIGATIONS
If Provider receives any complaint, notice, or communication which relates directly or indirectly to Provider’s Processing of Personal Information or either Hilton’s or Provider’s compliance with applicable laws or regulations in connection with Personal Information, Provider will promptly notify Hilton. At Hilton’s request, Provider will assist and support Hilton in the event of such a complaint or an investigation by a regulator or data protection authority or similar authority, if and to the extent that such complaint or investigation relates to Provider’s Processing of Personal Information. Such assistance will be at Hilton’s sole expense, except where the complaint or investigation arose from an allegation concerning or an investigation into Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense.
12. DATA SUBJECT REQUESTS RELATING TO PERSONAL INFORMATION
Provider will immediately inform Hilton in writing upon receiving any request for access to, correction, amendment, or deletion of any Personal Information from an individual who is (or claims to be) the subject of the data (“Data Subject Requests”). Unless otherwise required by laws or regulations or provided for in the Agreement, Provider will not respond directly to these requests unless explicitly authorized by Hilton to do so, other than as necessary to confirm that the request relates to Hilton. As part of the Services, Provider shall cooperate with and provide all reasonable assistance to Hilton in responding to and implementing Data Subject Requests.
13. DATA PROTECTION OFFICER
Provider has appointed a data protection officer where required pursuant to Data Protection Requirements.
14. OTHER ASSISTANCE TO HILTON
In addition to, and without limitation of, Provider’s other obligations under these Standards, and where applicable to the Services and the Processing, Provider shall assist and cooperate with Hilton, at Hilton’s request and as part of the Services: (i) in Hilton’s implementation of security measures applicable to Personal Information; (ii) in connection with any Security Breach notification required to be made to a data protection authority or to customers; (iii) in connection with any privacy impact assessment related to the Processing; and (iv) in connection with any consultation with a data protection authority conducted by Hilton in connection with the Processing.
15. VIOLATIONS OF THESE STANDARDS
Provider agrees to notify Hilton immediately of any material breach or violation of these Standards. Without limiting other remedies that may be available to Hilton for violation of these Standards, Provider agrees that Hilton may, at its discretion, immediately terminate Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and Hilton, without penalty, if Provider violates any requirement of these Standards. Further, Provider agrees to fully indemnify Hilton for all costs, fees, claims, or actions associated with any unauthorized Processing of Personal Information within Provider’s control, as well as any unauthorized access, acquisition, or use of Personal Information by agents, Subcontractors, or third parties.
16. RECORD, AUDITS, AND INSPECTIONS
Provider shall maintain, at all times during the term of the Agreement, and shall provide to Hilton, upon Hilton’s request and at no additional charge, complete and accurate records and reasonable supporting documentation regarding the Data Safeguards as well as business continuity and recovery facilities, resources, plans, and procedures, and such other records and documentation necessary to validate Provider’s compliance with these Standards, including the Provider Processing Record. Upon reasonable notice to Provider, Provider will permit Hilton, its auditors, designated audit representatives, and regulators, including data protection authorities, during normal business hours, to audit and inspect: (i) Provider’s facilities where Personal Information is Processed; (ii) any computerized systems used to Process Personal Information; and (iii) Provider’s security practices and procedures, data protection practices and procedures, and business continuity and recovery facilities, resources, plans, and procedures. The audit and inspection rights hereunder will be, at a minimum, for the purpose of (i) verifying Provider’s compliance with these Standards and the Data Protection Requirements, (ii) verifying the integrity of the Personal Information, and (iii) facilitating Hilton’s compliance with Data Protection Requirements.
17. RETURN OF PERSONAL INFORMATION
Hilton has the right, in its sole discretion at any time and from time to time, to restrict, discontinue, suspend, cancel, terminate, or modify Provider’s right to Process Personal Information. Upon the termination or expiration of the Agreement or Provider’s provision of Services, or upon Hilton’s request, Provider will, and will cause its agents and Subcontractors to, return in a manner and format reasonably requested by Hilton, or, if specifically directed by Hilton, destroy, any or all Personal Information in its possession, power, or control and delete any existing copies unless applicable Data Protection Requirements require storage of the Personal Information, and Provider will certify the same, each as described in Section 9(d) above.
18. CHANGES TO THESE STANDARDS
Hilton can change these Standards in its sole discretion at any time and from time to time. Any changes to these Standards will be binding upon Provider when posted at http://www.hiltondistribution.com/privacyanddataprotectionstandards.htm; provided, however, that Provider will have a reasonable period of time to implement any change in the Policy (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Provider is obligated to check this URL regularly for any changes. The most recent changes to the Policy will appear at the bottom of the Policy in the section entitled “Material Revisions to Hilton’s Service Provider Data Protection Standards.”
19. SURVIVAL; THIRD PARTY BENEFICIARIES
Provider’s obligations under these Standards will survive the termination or expiration of its services or any related agreements and will continue for as long as Provider, or any of its agents or Subcontractors retain or have access to Personal Information. Provider acknowledges and agrees that each entity referenced in the definition of “Hilton” above is an intended third party beneficiary of Provider’s obligations and liabilities under these Standards, including without limitation Provider’s obligations with respect to Personal Information, and as such, each will have a right of its own to enforce these Standards.
MATERIAL REVISIONS TO HILTON’S SERVICE PROVIDER DATA PROTECTION STANDARDS
Last Update: February 2022
February 2022 Changes:
• Updated Cross-Border Transfers of Personal Information to, when required, incorporate the European Commission’s Revised Standard Contractual Clauses and the UK Addendum (effective March 21, 2022) by reference.
• Incorporated references to the General Data Protection Law of Brazil (LGPD).
May 2021 Changes:
• Updated Cross-Border Transfers of Personal Information to, only when required, incorporate the European Commission’s Standard Contractual Clauses by reference.
November 2020 Changes:
• Revised section on Cross-Border Transfers of Personal Information to account for the European Court of Justice’s invalidation of the Privacy Shield.
• Changed term “Notification Related Costs” to “Security Breach Related Costs” and further revised the “Security Breach” section.
March 2018 Changes:
• Updated defined terms to comport with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data, commonly referred to as the “General Data Protection Regulation” (GDPR).
• Updating data safeguard requirements.
• Further limiting use of subcontractors.
• Restricting cross-border transfers of data without approval from Hilton and agreement to any necessary data transfer agreement.