HILTON DOMESTIC OPERATING COMPANY INC. SERVICE PROVIDER DATA PROTECTION STANDARDS (these “Standards”)
Last Updated: March 2018.
At Hilton, we take the protection of Personal Information relating to our customers, employees, independent contractors, and service providers very seriously. All individuals or organizations that provide goods or services (“Providers”) to Hilton Domestic Operating Company Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned and managed hotels, partnerships or joint ventures (individually or collectively, “Hilton”), or through Hilton for the benefit of its franchisees, must abide by and comply with the principles set forth in these Service Provider Data Protection Standards (the “Standards”). These Standards form part of any agreement between Hilton and Provider that references these Standards, or to which these Standards are attached or incorporated (the “Agreement”). In the event of a conflict between these Standards and the Agreement, these Standards shall control with respect to their subject matter, unless the Agreement sets forth more stringent standards.
- “Biometric Data” means Personal Information resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual that allows or confirms the unique identification of that individual.
- “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.
- “Data Protection Requirements” means, collectively, all laws and regulations relating to data privacy, data security, personal data, transborder data flow, and data protection that apply to Provider’s Processing of Personal Information, including without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation (“GDPR”)).
- “Data Safeguards” means the administrative, operational, organizational, technical, and physical safeguards described in Section 9 of these Standards, as modified in accordance with these Standards.
- “Genetic Data” means Personal Information relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of that individual and which result, in particular, from an analysis of a biological sample from such individual.
- “Health Data” means Personal Information related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health.
- “Malware” means computer software, code, or instructions that: (a) adversely affect the operation, security, availability, or integrity of a computing, telecommunications, or other digital operating or processing system or environment, including without limitation, other programs, data, databases, computer libraries, and computer and communications equipment, by altering, destroying, disrupting, or inhibiting such operation, security, or integrity; (b) self-replicate without manual intervention where such self-replication lacks functional purpose; (c) purport to perform a useful function but which actually perform either a destructive, harmful, or unauthorized function, or perform no useful function and utilize substantial computer, telecommunications, or memory resources; or (d) without authorization, collect and/or transmit to third parties any information or data, including such software, code, or instructions commonly known as viruses, Trojans, logic bombs, worms, and spyware.
- “Personal Information” means any information (i) that can be used (alone or in combination with other information within Provider’s control) to identify, locate, or contact a specific individual, or (ii) related to an identified or identifiable individual. By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address, and email address as well as less obvious information such as an individual’s personal preferences, hotel stay-related information, guest account information, location data, and online identifiers. Personal Information also includes (without limitation) factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual. Personal Information may pertain to customers, employees, or others. Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, and excerpts, whether or not such Personal Information has been intermingled with other information or materials. For purposes of these Standards, Personal Information only includes information: (i) provided to Provider by or on behalf of Hilton; or (ii) obtained, used, accessed, possessed, or otherwise Processed by Provider in connection with the provision of the Services.
- “PCI Standards” means the data security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standards currently in effect and as modified during the term of the Agreement.
- “Process” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Provider Processing Record” means a written record of all categories of Processing carried out in connection with the Services, which contains the following: (i) the name and contact details of Provider and any Subcontractors and, where applicable, the name and contact details of Provider’s data protection officer; (ii) the categories of Processing performed by the Provider for Hilton; (iii) the list of countries, if any, to which the Provider transfers Personal Data; and (iv) a description of the Provider’s Data Safeguards.
- “Security Breach” means (i) any circumstance pursuant to which applicable Data Protection Requirements require action in response to such circumstance, including but not limited to notification of such breach to be given to affected parties or a regulator or data protection authority; or (ii) any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance that compromises, or could reasonably be expected to compromise, either Physical Security or Systems Security (as such terms are defined below) in a manner that either does or could reasonably be expected to permit unauthorized Processing, use, disclosure, acquisition of, or access to any Personal Information. “Physical Security” means physical security at any location housing systems maintained by Provider or its agents or Subcontractors in connection with the Services or in the course of physical transportation of assets or physical media used by Provider or its agents or Subcontractors in performing the Services. “Systems Security” means security of computer, electronic, or telecommunications systems of any variety (including databases, hardware, software, storage, switching, and interconnection devices and mechanisms); security of networks of which such systems are a part or with which such systems communicate; and security of networks used directly or indirectly by Provider or its agents, or Subcontractors in connection with the Services.
- “Sensitive Personal Information” is Personal Information which due to its nature has been classified by applicable Data Protection Requirements as deserving additional privacy and security protections, including (without limitation): (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver’s license number, or other identification number issued by a government or public body or (B) financial account number; (ii) an individual’s username which, in combination with a password, PIN, or access code would grant access to an online account; (iii) Cardholder Data; (iv) data about racial or ethnic origin; (v) data about political opinions, religious or philosophical beliefs, or trade union membership; (vi) Genetic Data; (vii) Biometric Data; (viii) Health Data; and (ix) data concerning a natural person’s sex life or sexual orientation.
- “Services” means the goods and services provided by Provider to Hilton, or through Hilton for the benefit of its franchisees, as further described in the Agreement.
- “Subcontractor” means an entity, including any Provider affiliate, engaged by Provider to perform Services for Provider that involve the Processing of Personal Information.
2. SUBJECT MATTER AND DURATION OF PROCESSING; TYPE AND NATURE OF PERSONAL INFORMATION.
Provider will Process Personal Information in connection with the Services described in the Agreement and during the term of such Agreement, subject to compliance with the Data Protection Requirements and the Agreement. The type of Personal Information Processed by Provider is described in the Agreement. The Processing may involve Personal Information of employees of Hilton, customers and guests of Hilton, and business contact information of Hilton corporate customers, suppliers, and other business partners, as further described in the Agreement.
3. NATURE AND PURPOSE OF THE PROCESSING; OWNERSHIP OF PERSONAL INFORMATION.
Hilton will have the exclusive right to determine the purposes for which the Personal Information is Processed. Provider will Process Personal Information for the sole purpose of providing the Services in accordance with the Agreement. At no time will Provider acquire any ownership, license, rights, or other interest in or to the Personal Information. As between Hilton and Provider, Personal Information will remain the proprietary information of Hilton at all times and Hilton shall be the “Controller” and Provider shall be the “Processor,” as such terms are defined in the GDPR.
4. USE AND PROCESSING OF PERSONAL INFORMATION
Provider will Process the Personal Information only on behalf of Hilton and only as specifically instructed by Hilton in writing, including with regard to transfers of Personal Information to a third country or an international organization, unless required to do so by Data Protection Requirements to which Provider is subject; in such a case, Provider shall inform Hilton of that legal requirement before Processing, unless such Data Protection Requirement prohibits such information on important grounds of public interest. Hilton hereby instructs Provider to Process the Personal Information solely as necessary to provide the Services under the Agreement and subject to compliance with the Agreement, these Standards and the Data Protection Requirements. In no event may Provider: (a) use Personal Information to market its services or those of an affiliate or third party; (b) sell or rent Personal Information; or (c) otherwise Process any Personal Information for Provider’s, its affiliates’, or any third party’s own purposes. Provider shall immediately inform Hilton if, in its opinion, an instruction infringes any Data Protection Requirements.
5. USE OF SUBCONTRACTORS
- Unless otherwise expressly permitted pursuant to the Agreement, Provider will not utilize Subcontractors in the performance of Services without the written consent of Hilton in each instance.
- To the extent that the Agreement expressly provides for a general authorization for Provider to use Subcontractors, Provider shall: (i) provide Hilton a list of Provider’s Subcontractors involved in the provision of Services prior to the commencement of Services and promptly upon request by Hilton, with the identity of each Subcontractor, the Services performed by such Subcontractor, the location(s) from which such Subcontractors perform Services, and such additional information as may be reasonably requested by Hilton; and (ii) notify Hilton in writing in the event of any intended addition or replacement of any such Subcontractors (each, a “Subcontractor Change”). Hilton shall have a reasonable period of time to object to any Subcontractor Change. In the event of any such objection, Provider will not implement the Subcontractor Change unless Provider is able to address Hilton’s concerns to Hilton’s reasonable satisfaction. In the event of a Subcontractor Change involving Services provided in a “software as a service” or multi-tenant environment, where Subcontractor Changes cannot be implemented separately for a single customer and Provider is unable to address Hilton’s concerns to Hilton’s reasonable satisfaction, Hilton may terminate the Agreement or the applicable Services for cause and without liability (or payment of any termination or other fees). In the event of such a termination, Provider will promptly refund Hilton any pre-paid fees covering the remainder of the term of such Agreement or Services.
- Where Provider engages a Subcontractor for carrying out specific Processing activities on behalf of Hilton, Provider shall impose on the Subcontractor the same data protection obligations as set out herein between Hilton and Provider. These obligations shall be imposed by way of a contract or other legal act under applicable Data Protection Requirements and shall require the Subcontractor to provide sufficient guarantees that it will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Requirements. Provider will remain at all times accountable and responsible for compliance with these Standards by its Subcontractors.
6. DISCLOSURE OF PERSONAL INFORMATION
Provider will hold the Personal Information in confidence in accordance with the Data Protection Requirements, these Standards, and the Agreement. Provider will not disclose Personal Information to any of its affiliates or to any third party (including, without limitation, any Subcontractors) except as necessary to provide the Services. Prior to disclosing any Personal Information to any Subcontractor or other third party, Provider will have in place with such Subcontractor or other third party a written agreement that includes obligations that are at least as restrictive as those in these Standards. Provider further agrees, upon Hilton’s request, to provide a list of all affiliates and third parties to which Provider has disclosed Personal Information. Provider will remain at all times accountable and responsible for compliance with these Standards by Provider, Provider’s affiliates, and third parties to whom Provider discloses any Personal Information. Provider will ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information and have executed written confidentiality agreements (or are under an appropriate statutory obligation of confidentiality). Provider will ensure that such confidentiality obligations survive any termination of employment of such personnel.
7. DISCLOSURE UNDER LEGAL PROCESS
If Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand, or other similar process) to disclose any Personal Information to a third party, Provider will not disclose the Personal Information without complying with applicable laws. Unless prohibited by applicable law, Provider will provide Hilton with written notice of any request or requirement to disclose Personal Information to a third party no more than seventy-two (72) hours after receiving the request but in any event prior to making any disclosure so that Hilton may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. Notwithstanding the foregoing, Provider will exercise commercially reasonable efforts to prevent or limit any disclosure of Personal Information and to preserve the confidentiality of Personal Information including, without limitation, by cooperating with Hilton to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to any Personal Information that the Provider is required to disclose.
8. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION
As provided in Section 4, Provider may only transfer Personal Information from one country to another upon the prior written consent of Hilton and in compliance with Data Protection Requirements. With respect to Personal Information originating from the European Union (“EU”) or Switzerland that is Processed by Provider in connection with the Services, (i) where Provider is located and receives such Personal Information within the EU or Switzerland, Provider agrees that it will not transfer any Personal Information outside the EU or Switzerland without the prior written consent of Hilton (which may be included in the Agreement) and shall follow Hilton’s instructions for implementing adequate safeguards for any such transfers under applicable Data Protection Requirements and shall ensure that any Subcontractors do the same; and (ii) where Provider is either (A) not located within the EU or Switzerland, or (B) initially receives such Personal Information from a country outside the EU or Switzerland (e.g., the Personal Information originating from the EU or Switzerland is sent to the Provider directly from the United States), (1) Provider agrees to provide at least the same level of privacy protection as is required by the EU-U.S. Privacy Shield Framework, located at https://www.privacyshield.gov/EU-US-Framework, and as amended from time to time; and (2) at Hilton’s request, Provider and any of its agents and Subcontractors shall enter into a data processing agreement with Hilton that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any other similar clauses relating to other countries, to allow Personal Information to be transferred by Hilton to Provider and its agents, and Subcontractors. 
Without limiting the generality of the foregoing, Provider will not transfer Personal Information to any country (including for Processing by Provider’s agents or Subcontractors) unless Hilton has agreed, in writing, to that transfer.
9. DATA SAFEGUARDS
- Provider will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information. Such procedures and practices will be compliant, at a minimum, with the Agreement, these Standards, and the Data Protection Requirements. All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information.
- Consistent with the foregoing, Provider agrees:
  - to adopt, implement, maintain, and monitor a written information security program that contains administrative, technical, and physical safeguards to (A) prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information; (B) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; and (C) ensure the ability to restore the availability of and access to Personal Information in a timely manner in the event of a physical or technical incident;
  - to conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;
  - to take reasonable steps to ensure the trustworthiness of all Provider employees, agents and Subcontractors who will be provided with access to Personal Information;
  - to ensure that its information security program includes industry standard password, firewall, operating system, anti-virus, and Malware protections to protect Personal Information stored or otherwise handled on computer systems;
  - to encrypt, using industry standard encryption tools, all records and files (A) containing Personal Information that Provider transmits or sends wirelessly or across public networks; and (B) containing Sensitive Personal Information that Provider: (1) stores on laptops or storage media; (2) stores on portable devices; and (3) stores on any device that is transported outside of the physical or logical access controls of Provider; and to safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Information;
  - to maintain an incident response program that specifies the actions to be taken by Provider when it has reason to believe that a Security Breach may have or has occurred;
  - to implement such additional security measures as may be required under the Data Protection Requirements or specified in the Agreement;
  - to comply with the PCI Standards with respect to Cardholder Data if the Provider Processes Cardholder Data in connection with the Services. Consistent with Provider’s obligations as set forth in the Agreement, Provider acknowledges its responsibility for the protection and security of Cardholder Data in connection with the performance of the Services. Provider further represents and warrants that it will not take any actions that will compromise Hilton’s ability to comply with the PCI Standards;
  - where Provider, directly, or through any of its agents or Subcontractors, connects to Hilton’s computing systems and/or networks, that: (A) all Provider interconnectivity to Hilton’s computing systems and/or networks and all attempts at same will only occur through Hilton’s security gateways/firewalls; (B) Provider will not access, and will not permit any other person or entity to access, Hilton’s computing systems and/or networks without Hilton’s authorization; (C) if Hilton grants Provider permission to access its computing systems and/or networks, Provider will only access Hilton’s computing systems and/or networks as authorized; and (D) Provider’s systems connecting to Hilton’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Hilton’s computing systems or networks, will be actively protected by an industry standard Malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Hilton’s computing systems and/or networks. Provider agrees that Hilton may perform periodic assessments of Provider’s network. Should any assessment of Provider’s network reveal inadequate security by Provider or its agents or Subcontractors, Hilton, in addition to other remedies it may have, may suspend Provider’s, its agents’ or Subcontractors’ access to Hilton’s computing systems and/or networks until such security issue has been resolved to the satisfaction of Hilton.
- Provider agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider employees and agents who require such access for purposes of providing goods and/or services to Hilton; and (iv) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.
- If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal. Upon request, Provider will be required to certify to Hilton that all forms of Personal Information disposed of have been destroyed in accordance with these Standards. If Provider cannot so certify, Provider shall provide a written explanation for its inability to certify that it complied with this disposal requirement.
- Provider shall review and, as appropriate, revise the Data Safeguards: (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended, or re-interpreted Data Protection Requirements, and (iv) as reasonably requested by Hilton. Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Information.
10. SECURITY INCIDENTS
Provider agrees to notify Hilton at ISC@Hilton.com immediately upon becoming aware of a Security Breach, including the presence of Malware, if possible. If Provider is not able to notify Hilton immediately upon becoming aware of a Security Breach, including the presence of Malware, Provider will notify Hilton within twenty-four (24) hours of becoming aware of a Security Breach. After providing such notice, Provider will (i) promptly investigate the Security Breach, including by conducting a root cause analysis, and report its findings to Hilton, (ii) provide Hilton with a remediation plan, approved by Hilton in its sole discretion, to address the Security Breach and prevent any further incidents; (iii) remediate such Security Breach in accordance with the Hilton-approved remediation plan; (iv) conduct a forensic investigation to determine what systems, data, and information were affected by the Security Breach; (v) cooperate with Hilton as Hilton executes its security incident response plan and otherwise investigates the Security Breach; (vi) abide by any requests by Hilton for Provider to cooperate with any law enforcement or regulatory officials, credit reporting companies, or credit card associations investigating such Security Breach, and (vii) keep Hilton advised of the status of such Security Breach and all matters related thereto. Provider further agrees to provide all reasonable assistance requested by Hilton and/or Hilton’s designated representatives in the furtherance of any investigation, correction, and/or remediation by Hilton of any such Security Breach and shall reimburse Hilton upon Hilton’s demand for all reasonable Notification Related Costs incurred by Hilton arising out of or in connection with any such Security Breach resulting in a requirement for legally required notifications. 
If a notification to an individual is required under any Data Protection Requirement or pursuant to any Hilton privacy or security policies, then notifications to all individuals who are affected by the same event (as reasonably determined by Hilton) shall be considered legally required. Notification Related Costs shall include Hilton’s internal and external costs associated with addressing and responding to the Security Breach, including but not limited to: (i) the preparation and mailing or other transmission of legally required notifications; (ii) the preparation and mailing or other transmission of such other communications to affected individuals, agents, or others as Hilton deems reasonably appropriate; (iii) the establishment of a call center for up to twelve (12) months or such longer period as may be required pursuant to applicable Data Protection Requirements or is reasonable under the circumstances; (iv) the establishment of communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points, and training); (v) fees for public relations and other similar crisis management services; (vi) legal, forensics, and accounting fees and expenses associated with Hilton’s investigation of and response to such Security Breach or presence of Malware; and (vii) costs for commercially reasonable credit reporting, credit watch, identity protection, identity remediation, and similar services that are associated with legally required notifications or are advisable under the circumstances for up to twelve (12) months or such longer period as may be required pursuant to applicable Data Protection Requirements or is reasonable under the circumstances. Unless otherwise required by applicable Data Protection Requirements, Hilton shall make the final decision on notifying Hilton’s employees, guests, service providers, regulatory authorities and/or the general public of such Security Breach, and the implementation of the remediation plan.
11. COMPLAINTS; INVESTIGATIONS
If Provider receives any complaint, notice, or communication which relates directly or indirectly to Provider’s Processing of Personal Information or either Hilton’s or Provider’s compliance with applicable laws or regulations in connection with Personal Information, Provider will promptly notify Hilton. At Hilton’s request, Provider will assist and support Hilton in the event of such a complaint or an investigation by a regulator or data protection authority or similar authority, if and to the extent that such complaint or investigation relates to Provider’s Processing of Personal Information. Such assistance will be at Hilton’s sole expense, except where the complaint or investigation arose from an allegation concerning or an investigation into Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense.
12. DATA SUBJECT REQUESTS RELATING TO PERSONAL INFORMATION
Provider will immediately inform Hilton in writing upon receiving any request for access to, correction, amendment, or deletion of any Personal Information from an individual who is (or claims to be) the subject of the data (“Data Subject Requests”). Unless otherwise required by laws or regulations or provided for in the Agreement, Provider will not respond directly to these requests unless explicitly authorized by Hilton to do so, other than as necessary to confirm that the request relates to Hilton. As part of the Services, Provider shall cooperate with and provide all reasonable assistance to Hilton in responding to and implementing Data Subject Requests.
13. DATA PROTECTION OFFICER
Provider has appointed a data protection officer where required pursuant to Data Protection Requirements.
14. OTHER ASSISTANCE TO HILTON
In addition to, and without limitation of, Provider’s other obligations under these Standards, and where applicable to the Services and the Processing, Provider shall assist and cooperate with Hilton, at Hilton’s request and as part of the Services: (i) in Hilton’s implementation of security measures applicable to Personal Information; (ii) in connection with any Security Breach notification required to be made to a supervisory authority or to Data Subjects; (iii) in connection with any privacy impact assessment related to the Processing; and (iv) in connection with any consultation with a supervisory authority conducted by Hilton in connection with the Processing.
15. VIOLATIONS OF THESE STANDARDS
Provider agrees to notify Hilton immediately of any material breach or violation of these Standards. Without limiting other remedies that may be available to Hilton for violation of these Standards, Provider agrees that Hilton may, at its discretion, immediately terminate Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and Hilton, without penalty, if Provider violates any requirement of these Standards. Further, Provider agrees to fully indemnify Hilton for all costs, fees, claims, or actions associated with any unauthorized Processing of Personal Information within Provider’s control, as well as any unauthorized access, acquisition, or use of Personal Information by agents, Subcontractors, or third parties.
16. RECORDS, AUDITS, AND INSPECTIONS
Provider shall maintain, at all times during the term of the Agreement, and shall provide to Hilton, upon Hilton’s request and at no additional charge, complete and accurate records and reasonable supporting documentation regarding the Data Safeguards as well as business continuity and recovery facilities, resources, plans, and procedures, and such other records and documentation necessary to validate Provider’s compliance with these Standards, including the Provider Processing Record. Upon reasonable notice to Provider, Provider will permit Hilton, its auditors, designated audit representatives, and regulators, including data protection authorities, during normal business hours, to audit and inspect: (i) Provider’s facilities where Personal Information is Processed; (ii) any computerized systems used to Process Personal Information; and (iii) Provider’s security practices and procedures, data protection practices and procedures, and business continuity and recovery facilities, resources, plans, and procedures. The audit and inspection rights hereunder will be, at a minimum, for the purpose of (i) verifying Provider’s compliance with these Standards and the Data Protection Requirements, (ii) verifying the integrity of the Personal Information, and (iii) facilitating Hilton’s compliance with Data Protection Requirements.
17. RETURN OF PERSONAL INFORMATION
Hilton has the right, in its sole discretion at any time and from time to time, to restrict, discontinue, suspend, cancel, terminate, or modify Provider’s right to Process Personal Information. Upon the termination or expiration of the Agreement or Provider’s provision of Services, or upon Hilton’s request, Provider will, and will cause its agents and Subcontractors to, return in a manner and format reasonably requested by Hilton, or, if specifically directed by Hilton, destroy, any or all Personal Information in its possession, power, or control and delete any existing copies unless applicable Data Protection Requirements require storage of the Personal Information, and Provider will certify the same, each as described in Section 9(d) above.
18. CHANGES TO THESE STANDARDS
Hilton can change these Standards in its sole discretion at any time and from time to time. Any changes to these Standards will be binding upon Provider when posted at http://www.hiltondistribution.com/privacyanddataprotectionstandards.htm; provided, however, that Provider will have a reasonable period of time to implement any change in the Policy (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Provider is obligated to check this URL regularly for any changes. The most recent changes to the Policy will appear at the bottom of the Policy in the section entitled “Material Revisions to Hilton’s Service Provider Data Protection Standards.”
19. SURVIVAL; THIRD PARTY BENEFICIARIES
Provider’s obligations under these Standards will survive the termination or expiration of its services or any related agreements and will continue for as long as Provider, or any of its agents or Subcontractors retain or have access to Personal Information. Provider acknowledges and agrees that each entity referenced in the definition of “Hilton” above is an intended third party beneficiary of Provider’s obligations and liabilities under these Standards, including without limitation Provider’s obligations with respect to Personal Information, and as such, each will have a right of its own to enforce these Standards.
MATERIAL REVISIONS TO HILTON’S SERVICE PROVIDER DATA PROTECTION STANDARDS
Last Update: March 2018
March 2018 Changes:
- Updated defined terms to comport with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data, commonly referred to as the “General Data Protection Regulation” (GDPR).
- Updated data safeguard requirements.
- Further limited use of subcontractors.
- Restricted cross-border transfers of data without approval from Hilton and agreement to any necessary data transfer agreement.
March 2017 Changes:
- Changed the name of “Hilton” from “Hilton Worldwide Inc.” to “Hilton Domestic Operating Company Inc.” to reflect the updated corporate name.
- Changed the title of the document from Hilton’s “Privacy and Data Protection Policy for Service Providers” to Hilton’s “Service Provider Data Protection Standards.” Changed the references to this “policy” to these “standards.”
- Changed the contact e-mail address for Security Incidents from email@example.com to ISC@hilton.com.
- Changed the term “Special Personal Information” to “Sensitive Personal Information.”
- Amended definition of “Sensitive Personal Information” to include an individual’s username in combination with password, PIN, or access code that would grant access to an online account.
- Changed Disclosure Under Legal Process section to reflect that Hilton should be notified within at least 72 hours of receipt of such requests, rather than 48 hours before a Provider intends to make a disclosure.
- Added this “Revisions” section to the Policy. Added language to the Standards itself noting that the most recent changes will appear herein.