European Data Protection Compliance and GDPR
Frequently Asked Questions
- What does Egencia do?
- Why is data protection law relevant to Egencia and its Clients?
- Who must comply with data protection law?
- Does Egencia have a public privacy statement describing how it collects, uses, shares, retains and otherwise processes personal data and how it addresses the rights of data subjects?
- What does data processing include?
- Are Egencia Clients controllers or processors of their employees' personal data?
- Is Egencia a controller or processor of Travelers' personal data?
- Does Egencia control Traveler personal data independently or jointly with its Clients?
- What does it mean for Egencia to be a controller in practice?
- Do regulators agree that Egencia is a controller of Travelers' personal data?
- As a controller, can Egencia do whatever it wants with the Travelers' personal data?
- How do Egencia and the Expedia Group manage privacy compliance?
- What did Egencia do internally to comply with the GDPR?
- How does Egencia comply with processor/vendor obligations under the GDPR?
- How does Egencia handle data subject rights requests?
- Does Egencia offer privacy and security training to its employees?
- Is Egencia maintaining a data processing register?
- Will personal data of Travelers ever be transferred outside Europe?
- How does Egencia comply with EU data export rules?
- Do we need to sign model clauses with Egencia?
- What security measures does Egencia apply to protect Travelers' personal data?
- How will Egencia handle data breaches?
- Can we audit Egencia's security measures?
- How do Egencia and the wider Expedia Group embed Privacy by Design and Default?
What does Egencia do?
Egencia provides travel services to corporate clients (the "Clients"). These services include travel booking, management and administration services, which are supplied directly to those that travel for work on behalf of Clients, such as employees, consultants, and job applicants (the "Travelers"), and the provision of travel reports to Clients concerning Travelers' use of the travel services. In addition, Egencia provides Travelers with ancillary support services related to their travel.
Why is data protection law relevant to Egencia and its Clients?
- European Union ("EU") data protection law derives from the General Data Protection Regulation 2016/679 (the “GDPR”) as well as national laws implemented in each EU Member State. The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, individuals residing in the EU.
- EU data protection law gives individuals the right to control how their personal data is used and places legal obligations on organisations that collect, use and share personal data to safeguard such information.
- EU data protection law is relevant to Egencia and its EU Clients because, in the course of providing travel services, Egencia must necessarily collect, use and disclose personal data about Travelers – such as their name, contact details and booking details. These FAQs explain more about how EU data protection law applies in the context of Egencia's services and the measures Egencia takes to comply with such laws.
Who must comply with data protection law?
- European data protection law establishes the concept of “controllers” and “processors”. The distinction between these two roles is important. A controller is an entity that determines the purposes, conditions and means of the processing of personal data (or, put another way, "why and how" personal data are processed), while the processor is an entity which processes personal data on behalf of the controller. In practice, the key aspect of this definition is the ability to decide how personal data are being collected, stored, used, altered and disclosed.
- To explain the difference between these two roles:
- Controllers: a "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processors: a "processor" is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and strictly in accordance with its instructions, normally pursuant to a service agreement. Data processors do not have any decision-making autonomy when processing personal information.
Does Egencia have a public privacy statement describing how it collects, uses, shares, retains and otherwise processes personal data and how it addresses the rights of data subjects?
Yes. Our privacy statement (“Privacy Statement”) can be found on the relevant Egencia website per country. For example:
What does data processing include?
"Processing" is central to the scheme of EU data protection law. It is a common misunderstanding that processing is only carried out by processors. In fact, the term "processing" is very broad. Processing is carried out by both controllers and processors and essentially covers anything that is done to, or with, personal data (including simply collecting, storing or deleting personal data). Thus, "processing" per EU data protection law occurs whenever an organisation does anything with personal data.
Are Egencia Clients controllers or processors of their employees' personal data?
Every business is a controller of its employees' personal data. The business necessarily makes its own decisions about "why and how" employees' information is used for employment administration purposes. Each Egencia Client is therefore always a controller of its employees' personal data.
Is Egencia a controller or processor of Travelers' personal data?
In many service relationships, a vendor processes personal data for its Clients as a processor. By contrast, Egencia is a controller of Travelers' personal data. Unlike some other travel management companies, Egencia has a proprietary technology platform and the nature of this business is such that we are necessarily the party that determines the purpose and means of processing for the provision of our services. Our position is consistent with that adopted by other major TMCs with similar offerings. Because Egencia has a proprietary technology platform, it must have the autonomy to ‘control’ the processing of data on that platform as part of technology platform management.
As a controller, Egencia is directly responsible for ensuring compliance with applicable EU data protection laws. When a Client provides employees' personal data to Egencia to provide travel services, Egencia creates its own, separate copy of this data within a profile created for each Traveler. The profile is essentially an account record relating to the Traveler in question, recording the details necessary to arrange travel and accommodation bookings for them (such as their contact details, passport and visa details as well as travel preferences). Egencia creates and stores these Traveler profiles so that it can re-use them each time a Traveler makes a booking, without having to ask the Traveler to supply the same information time and time again.
The fact that Egencia is a controller of Travelers' personal data is also evidenced by Egencia’s retention of a high degree of autonomy in deciding "how and why" to process these personal data. In particular:
- Egencia's relationship with the Client provides the context against which Travelers' personal data are processed by Egencia. At the same time, Egencia has a direct engagement with a Traveler whereby Egencia processes a Traveler’s personal data for the purpose of booking travel and accommodation.
- Egencia is responsible for providing a Privacy Statement to Travelers about how Egencia uses Travelers’ personal data. The Privacy Statement is available in a concise, transparent, intelligible and easily accessible form using clear and plain language. Amongst other things, Egencia's Privacy Statement explains to the Travelers that Egencia is the controller of Traveler booking information.
- Travelers must register with Egencia before any booking can be placed, and they confirm that they have read Egencia's privacy statement (“Privacy Statement”) when registering on Egencia's platform. The exception is where travel managers, arrangers and travel directors designated by Clients (“Travel Managers”) book and manage travel on behalf of Travelers or guests; in that case, Travel Managers must ensure that the Travelers or guests receive and review the Privacy Statement.
- Bookings are made directly by the Traveler (or their representative, such as a personal assistant or a Travel Manager). Similarly, the Traveler may instruct the Client to make bookings on their behalf through Egencia. All details of the bookings, including the itinerary, meal or seating preferences and cancellations, are arranged solely between Egencia and the Traveler. The Client may upload a Traveler's travel preferences on behalf of the Traveler for the Traveler's convenience.
- When a booking is made, Egencia communicates directly with the Traveler about the Traveler’s booking. Egencia sends directly to the Traveler details of the travel itinerary, any updates to the Traveler's booking and related details. The Client is not a party to these communications.
- Travelers can access, correct and update their profiles directly through Egencia's platform. Any such correction or updating is made directly upon request by the Traveler, and not escalated to Clients for prior review and approval.
- Egencia exercises full decision-making autonomy over all vital elements of the processing of Travelers' personal data – including processing by third party travel suppliers with whom Travelers' personal data are shared for booking purposes and third party vendors who may process Travelers' personal data to support Egencia's service delivery.
- EU data protection regulators also have expressed their view that Egencia processes Traveler data as a data controller. Section 10 below provides additional detail.
Does Egencia control Traveler personal data independently or jointly with its Clients?
Egencia and its Clients are independent controllers of Travelers’ personal data and do not control such information jointly. Independent control occurs when processing decisions are made without conferring with another controller. Joint control would occur where two controllers work together to decide the purposes, conditions and means of processing personal data (the ‘how and why’ personal data are being processed). The ‘how and why’ Egencia processes Travelers’ personal data is determined solely by Egencia in connection with the provision of travel services. For example, Egencia (i) determines how and when to communicate with Travelers; (ii) processes Traveler Data on its proprietary technology platform; and (iii) determines the security measures and processes implemented to protect Travelers’ personal data. Independently, Clients decide the ‘how and why’ of processing employee personal data for their business administration purposes without Egencia’s input.
What does it mean for Egencia to be a controller in practice?
In practice, Egencia's role as a controller means:
- Egencia is directly responsible for compliance with data protection requirements applicable to controllers.
- Greater protection for both the Client and the Traveler, because Egencia will be subject to the contractual data protection obligations within its service agreement with the Client and to statutory data protection requirements under applicable data protection laws (which will be enforced if and as appropriate by European data protection authorities directly against Egencia).
Do regulators agree that Egencia is a controller of Travelers' personal data?
Yes. European data protection authorities have previously indicated that they agree with the assessment that Egencia is a controller. For example:
- Europe's former data protection advisory body, the Article 29 Working Party (now replaced by the European Data Protection Board), gave the following example in its Opinion 1/2010 on the concepts of "controller" and "processor":
Example No. 7: Travel agency (1)
A travel agency sends personal data of its customers to the airlines and a chain of hotels, with a view to making reservations for a travel package. The airline and the hotel confirm the availability of the seats and rooms requested. The travel agency issues the travel documents and vouchers for its customers. In this case, the travel agency, the airline and the hotel will be three different data controllers, each subject to the data protection obligations relating to its own processing of personal data.
- The French data protection authority, the CNIL, has previously advised that it considers Egencia a controller of Travelers' personal data as follows:
"To the extent that Egencia is independent in determining the technical and organisational means to be implemented according to the expertise at its disposal (Egencia imposes its IT tools on its customers), and the low degree of control exercised by customers over the services provided on their behalf, it is appropriate to consider that Egencia is responsible for processing within the meaning of Article 2 of the law of 6 January 1978 as amended. Consequently, Egencia is required to comply with all of the obligations inherent to this role." (Extract from letter sent by the CNIL, on 23 February 2012, concerning Egencia's data controllership role.)
Since the meaning of a controller or processor has not changed in the interim, and since data protection authorities like the CNIL have in fact become ever clearer in their rulings and guidance that the definition of a processor is to be construed narrowly, we are even more confident that data protection authorities will continue to insist that we act as controller.
- The Swedish data protection authority, the Swedish Data Inspection Board, has previously advised in an opinion issued in October 2003 that it considers travel agents to be controllers of Travelers' personal data. "The first issue is regarding the disclosure of personal data from the travel agencies. It is the travel agency that is the controller of personal data regarding processing of personal data taking place at the travel agency and accordingly the one that independently and on its own accord has to ensure that the processing of personal data that the travel agency undertakes is in accordance with the Personal Data Act".
As a controller, can Egencia do whatever it wants with the Travelers' personal data?
No. Egencia will only use Travelers’ personal data in accordance with applicable data protection requirements and for limited purposes such as providing and improving its platform services, to communicate with Travelers or for fraud prevention.
How do Egencia and the Expedia Group manage privacy compliance?
Expedia has a dedicated privacy function headed by a vice president and associate general counsel, privacy and data security (the “Privacy and Data Security Vice President”) based in the United States.
The Privacy and Data Security Vice President leads Expedia Group’s global privacy team (the “Global Privacy Team”) which provides support to all Expedia brands, including Egencia. The dedicated Global Privacy Team is tasked with overseeing and monitoring data protection compliance. The team consists of several attorneys based in the United States, APAC and Europe. The team is supported by extremely well respected, external specialist privacy lawyers where required. Egencia also has a group of brand attorneys both in the EU and the US who work very closely with the Global Privacy Team.
What did Egencia do internally to comply with the GDPR?
Egencia takes its compliance with applicable data protection laws seriously and proactively prepared for GDPR compliance 18 months before the GDPR became applicable. As part of its GDPR project, Egencia completed a series of workshops, reviews, and assessments with its staff to understand in detail the changes necessary to meet GDPR requirements. Following a gap analysis, a series of workstreams were rolled out as part of an extensive GDPR implementation program. The changes introduced as part of the workstreams are discussed in more detail below.
How does Egencia comply with processor/vendor obligations under the GDPR?
Egencia’s vendor contract terms contain robust data protection assurances that are required of all vendors, and these assurances must be flowed down to any of the vendors' sub-processors.
How does Egencia handle data subject rights requests?
Egencia has trained its agents about Traveler privacy rights as well as how to recognise data subject rights requests and escalate promptly to ensure they are handled correctly and in accordance with applicable laws.
Does Egencia offer privacy and security training to its employees?
Yes, all Egencia staff complete Information Security and Privacy Essentials training on an annual basis.
Is Egencia maintaining a data processing register?
Yes. As a controller, Egencia maintains a detailed record of processing activities.
Will personal data of Travelers ever be transferred outside Europe?
Egencia is a US headquartered company with a global presence. Thus, Egencia processes Travelers' personal data outside of Europe, including in the US, for different purposes including reporting services, accounting and invoicing. Egencia also works with international service providers who help it manage and deliver its services. Egencia has strict contractual terms in place with these vendors to ensure they protect the privacy and security of Travelers' personal data.
How does Egencia comply with EU data export rules?
As a controller, Egencia is directly responsible for ensuring compliance with EU data export rules. To achieve compliance, Egencia has implemented a group-wide set of "standard contractual clauses" (also called "model clauses"). This standard form data export agreement has been approved by the European Commission for legitimising transfers of personal data from the EU to non-EU countries.
Do we need to sign model clauses with Egencia?
Egencia already has in place group-wide standard contractual clauses (“SCC”). Clients do not need to sign their own standard contractual clauses with Egencia, as Egencia manages the data transfer within the Egencia platform and hence our SCC cover the relevant data flow.
What security measures does Egencia apply to protect Travelers' personal data?
Egencia is committed to ensuring that Travelers' personal data is secure. Egencia implements appropriate technical and organisational measures to protect Travelers' personal data against (i) accidental or unlawful destruction; (ii) accidental loss, alteration, unauthorised disclosure or access; and (iii) all other unlawful forms of processing.
In particular, Egencia has established and maintains a comprehensive information security program that imposes numerous security controls. Egencia's information systems are protected by industry standard firewalls and intrusion detection systems. In addition, regular vulnerability scans are performed, both automatically and manually by an internal and dedicated team of security experts. Egencia’s vulnerability management program incorporates penetration testing and application vulnerability assessments to ensure security is appropriately configured and enforced within the Egencia environment.
Egencia’s servers are hosted on Amazon Web Services Ireland Region and US West Region. We also have servers in Amsterdam, Netherlands and in Arizona, USA operated by the technical staff of Egencia/Expedia only and hosted at top-level operator data centers. These data centers provide high-level security (secured building, 24-hour security guard, CCTV, fire protection) and failure protection (Tier II, 2N+1 power architecture, redundant internet connection).
Egencia's website is connected to the Amsterdam Internet Exchange (AMS-IX), one of the world’s largest Internet Exchanges, and to a global network of Tier 1 carriers. Each server or other item of data center equipment is at least doubled to ensure that the failure of one system will not affect the operations of the whole.
This security commitment has led us to achieve and maintain strong security certifications, including PCI-DSS and TÜV certifications.
How will Egencia handle data breaches?
Egencia's security and legal teams have reviewed and refreshed Egencia’s incident response plans to ensure the plans are GDPR compliant.
Notwithstanding that Egencia is a controller of Traveler personal data, Egencia still contractually commits to notify Clients without undue delay of confirmed data breaches impacting such Client's Traveler personal data. Egencia will cooperate in good faith with its Clients to take actions to remedy and mitigate the effects of the data breach.
Can we audit Egencia's security measures?
Egencia facilitates Client audits upon written request as follows:
- First, Egencia will provide its Clients with a copy of (i) a current version of its PCI DSS Attestation of Compliance and (ii) its SSAE 18 Audit Reports, or industry standard equivalents or successors, for Egencia’s data center providers.
- Second, Egencia will, no more than once a year: (i) meet with a Client's security team to discuss any security question the Client may have, or (ii) complete a questionnaire provided by the Client regarding Egencia's compliance with security requirements and data protection laws.
Egencia cannot accommodate on-premises audits by Clients but does take full responsibility for ensuring the security of all Client and Traveler data. Egencia aligns its security framework with ISO/IEC 27002 and conducts several audits throughout the year that provide assurance that Egencia’s controls are properly and securely managed.
How do Egencia and the wider Expedia Group embed Privacy by Design and Default?
Expedia Group’s dedicated Global Privacy Team is responsible for GDPR compliance. This team works closely with the various product teams to integrate privacy by design and default into any new project or initiative. Egencia has Privacy Impact Assessment (PIA) and Security Impact Assessment (SIA) processes, to be used by default when a new project or initiative is started, ensuring that it assesses the personal data in use and mitigates any risk posed.