HILTON DOMESTIC OPERATING COMPANY INC. SERVICE PROVIDER DATA PROTECTION STANDARDS (these “Standards”)
Last Updated: March 2017
At Hilton, we take the protection of Personal Information relating to our customers, employees, independent contractors, and service providers very seriously. All individuals or organizations that provide goods or services (“Providers”) to Hilton Domestic Operating Company Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned and managed hotels, partnerships or joint ventures (collectively, “Hilton”), or through Hilton for the benefit of its franchisees, must abide by and comply with the principles set forth in these Standards.
“Personal Information” means any information that (i) can be used (alone or in combination with other information within Provider’s control) to identify, locate or contact a specific individual, or (ii) can be associated with an identified or identifiable individual. By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address, and email address as well as less obvious information such as an individual’s personal preferences, hotel stay-related information, and guest account information. As an example, Personal Information may pertain to customers, employees, or others.
Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, and excerpts, whether or not such Personal Information has been intermingled with other information or materials. For purposes of these Standards, Personal Information, including Sensitive Personal Information and Cardholder Data, only includes information: (i) provided by Hilton to Provider; or (ii) obtained, used, accessed, processed, possessed, acquired, or otherwise handled by Provider on behalf of Hilton in connection with the provision of goods and/or services to or for Hilton.
“Sensitive Personal Information” is a subset of Personal Information, which due to its nature has been classified by law or by policy as deserving additional privacy and security protections, including: (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver’s license number, or other identification number issued by a government or public body; or (B) financial account number; (ii) an individual’s username in combination with password, PIN, or access code that would grant access to an online account; (iii) Cardholder Data.
“Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction. Cardholder Data is a type of Sensitive Personal Information.
“Data Protection Requirements” means, collectively, all laws and regulations relating to data privacy, data security, personal data, transborder data flow, and data protection that apply to Provider’s Processing of Personal Information.
“Data Safeguards” means the administrative, operational, organizational, technical, and physical safeguards described in Sections 7, 12, 13, and 14 of these Standards, as modified in accordance with these Standards.
“PCI Standards” means the security Standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to. the Payment Card Industry Data Security Standards currently in effect and as modified during the term of Provider’s relationship with Hilton.
- “Process“ means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, acquisition, use, organization, alteration, combination, accessing, retention, storage, transfer, disclosure, dissemination or otherwise making available, blocking, or disposal.
General PROVISions for ALL Personal Information
02. Purposes for Processing; Ownership of Personal Information.
Hilton will have the exclusive right to determine the purposes for which the Personal Information is Processed. Provider will have access to and use of the Personal Information for the sole purpose of performing and providing the services in accordance with Provider’s written agreement(s) with Hilton. At no time will Provider acquire any ownership, license, rights, or other interest in or to Personal Information. Personal Information will remain the proprietary information of Hilton at all times.
03. Use and Processing of Personal Information
Provider will hold the Personal Information in confidence in accordance with the Data Protection Requirements, these Standards, and Provider’s written agreement(s) with Hilton and will Process the Personal Information only on behalf of Hilton and only as specifically directed by Hilton in writing and as otherwise permitted or directed under Provider’s written agreement(s) with Hilton. In no event may Provider: (a) use Personal Information to market its services or those of an affiliate or third party; (b) sell or rent Personal Information; or (c) otherwise Process any Personal Information for Provider’s, its affiliates’, or any third party’s own purposes.
04. Use and Processing of Personal Information
Provider will not disclose Personal Information to any of its affiliates or to any third party (including, without limitation, Provider’s subcontractors or service providers) except as is reasonably necessary to carry out its written agreement(s) with Hilton. Should Provider disclose any Sensitive Personal Information pursuant to this provision, Provider will do so subject to Section 11 below. If, pursuant to the foregoing, Provider will disclose Personal Information to a subcontractor or other service provider, Provider will take reasonable steps to select and retain subcontractors and service providers who maintain appropriate security measures to protect Personal Information consistent with these Standards and applicable Data Protection Requirements. Prior to disclosing any Personal Information to any of its affiliates or to a third party (including under Section 11 below), Provider will have in place with such affiliate or third party a written agreement that includes obligations that are at least as broad in scope and as restrictive as those in these Standards. Provider further agrees, upon Hilton’s request, to provide a list of all affiliates and third parties to which Provider has disclosed Personal Information. Provider will remain at all times accountable and responsible for compliance with these Standards by Provider, Provider’s affiliates, and third parties retained by Provider.
05. Disclosure Under Legal Process
If Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand, or other similar process) to disclose any Personal Information to a third party, Provider will not disclose the Personal Information without complying with applicable laws and providing Hilton written notice of any such request or requirement at least seventy-two (72) hours after receiving the request so that Hilton may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. Notwithstanding the foregoing, Provider will exercise commercially reasonable efforts to prevent or limit any such disclosure or to otherwise preserve the confidentiality of the Personal Information including, without limitation, by cooperating with Hilton to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded the Personal Information.
06. Cross-Border Transfers of Personal Information
With respect to Personal Information originating from the European Union (“EU”) or Switzerland that Provider receives from Hilton, Provider agrees to provide at least the same level of privacy protection as is required by the EU-U.S. Privacy Shield Framework, located at https://www.privacyshield.gov/EU-US-Framework, and as amended from time to time. At Hilton’s request, Provider and any of its affiliates, subcontractors, or service providers will enter into a data processing agreement with Hilton that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any other similar clauses relating to other countries, to allow Personal Information to be transferred by Hilton to Provider and its affiliates, subcontractors, and service providers. Provider will not transfer Personal Information to any country (including for Processing by Provider’s affiliates, subcontractors, or service providers) other than the country(ies) contemplated in Provider’s written agreement(s) with Hilton, unless agreed to in writing by Hilton
07. Data Safeguards
Provider will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information. Such procedures and practices will be compliant, at a minimum, with the terms of Provider’s agreement(s) with Hilton, these Standards, and the Data Protection Requirements. All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information.
- Provider agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider employees and agents who require such access for purposes of providing goods and/or services to Hilton; and (iv) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.
- If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal. Upon request, Provider will be required to certify to Hilton that all forms of the Personal Information disposed of have been destroyed in accordance with these Standards. If Provider cannot so certify, Provider shall provide a written explanation for its inability to certify that it complied with this disposal requirement..
- Provider shall review and, as appropriate, revise the Data Safeguards: (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended, or re-interpreted Data Protection Requirements, and (iv) as reasonably requested by Hilton. Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Information.
08. Security Incidents
Provider agrees to notify Hilton at ISC@Hilton.com whenever Provider reasonably believes that any Personal Information, or information or other material that can be used to access Personal Information, in any form or on any media, may have been accessed, acquired, modified, used, or disclosed by any unauthorized person, by any person in an unauthorized manner, or for an unauthorized purpose (“Breach”). Provider shall provide this notice to Hilton immediately, which in no event shall be longer than twenty-four (24) hours after having reason to believe that a Breach may have occurred. After providing such notice, Provider will investigate the Breach, take all necessary steps to eliminate or contain the exposures that led to such Breach, and keep Hilton advised of the status of such Breach and all matters related thereto. Provider further agrees to provide all reasonable assistance requested by Hilton and/or Hilton’s designated representatives in the furtherance of any investigation, correction, and/or remediation of any such Breach, including, but not limited to, providing any notification that Hilton may determine appropriate to send to individuals impacted or potentially impacted and/or providing any credit monitoring or identity protection services that Hilton deems appropriate to provide. Unless otherwise required by laws or regulations, prior to giving notice to any regulatory authority, any individual, or any third party of any actual or potential Breach, Provider will consult with Hilton and obtain Hilton’s written permission to give such notice.
09. Complaints; Investigations
If Provider receives any complaint, notice, or communication which relates directly or indirectly to Provider’s Processing of Personal Information or either Hilton’s or Provider’s compliance with applicable laws or regulations in connection with Personal Information, it will promptly notify Hilton. At Hilton’s request, Provider will assist and support Hilton in the event of such a complaint or an investigation by a regulator or data protection authority or similar authority, if and to the extent that such complaint or investigation relates to Provider’s Processing of Personal Information. Such assistance will be at Hilton’s sole expense, except where the complaint or investigation arose from Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense.
10. Requests for Personal Information
Provider will immediately inform Hilton in writing upon receiving any request for access to any Personal Information from an individual who is (or claims to be) the subject of the data. Unless otherwise required by laws or regulations, Provider will not respond to these requests unless explicitly authorized by Hilton to do so.
additional protections for Sensitive Personal Information
In addition to the provisions set forth above, Providers with access to Sensitive Personal Information agree to the following enhanced privacy and data protection measures set forth in Sections 11 and 12:
11. Disclosure of Sensitive Personal Information
Notwithstanding the foregoing, Provider agrees that it will not disclose Sensitive Personal Information to any of its affiliates or to any third party (including, without limitation, Provider’s subcontractors or service providers) except as required to fulfill Provider’s Services to Hilton as expressly set forth in a written agreement between Provider and Hilton.
12. Enhanced Data Security Measures
- adopt, implement, maintain, and monitor a written information security program that contains administrative, technical, and physical safeguards to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Sensitive Personal Information;
- conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Sensitive Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;
- take reasonable steps to ensure the reliability of all Provider employees and personnel who will be provided with access to Sensitive Personnel Information;
- ensure that its information security program includes industry standard password, firewall, operating system, and anti-virus and malware protections to protect Sensitive Personal Information stored or otherwise handled on computer systems;
- encrypt, using industry standard encryption tools, all records and files containing Sensitive Personal Information that Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; (iii) stores on portable devices; and (iv) stores on any device that is transported outside of the physical or logical controls of Provider. Provider will safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Sensitive Personal Information;
- maintain an incident response program that specifies the actions to be taken by Provider when it has reason to believe that a Breach may have or has occurred;
- implement such additional security measures as may be required under the Data Protection Requirements or specified in the agreement(s) between the parties.
additional protections for CARDHOLDER DATA
In addition to the provisions set forth above, Providers with access to Cardholder Data agree to the following enhanced privacy and data protection measures set forth in Section 13:
13. CARDHOLDER DATA
Provider agrees that it will comply with the PCI Standards with respect to Cardholder Data. Provider further represents and warrants that it will not take any actions that will compromise Hilton’s ability to comply with the PCI Standards.
additional protections for HILTON NETWORKS
In addition to the provisions set forth above, Providers that directly, or through any of their affiliates, subcontractors, or service providers, connect to Hilton’s computing systems and/or networks agree to the following enhanced privacy and data protection measures set forth in Section 14:
14. HILTON NETWORKS
Provider agrees that: (i) all Provider interconnectivity to Hilton’s computing systems and/or networks and all attempts at same will be only through Hilton’s security gateways/firewalls; (ii) Provider will not access, and will not permit any other person or entity to access, Hilton’s computing systems and/or networks without Hilton’s authorization, and any such actual or attempted access will be consistent with any such authorization; and (iii) Provider’s systems connecting to Hilton’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Hilton’s computing systems or networks, will be actively protected by an industry standard virus/malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Hilton’s computing systems and/or networks. Provider agrees that Hilton may perform periodic network assessments, and should any such assessment reveal inadequate security by Provider or its affiliates, subcontractors, or service providers, Hilton, in addition to other remedies it may have, may suspend access to Hilton’s computing systems and/or networks until such security issue has been resolved.
15. Violations of these Standards
Provider agrees to notify Hilton immediately of any material breach or violation of these Standards. Without limiting other remedies that may be available to Hilton for violation of these Standards, Provider agrees that Hilton may, at its discretion, immediately terminate Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and Hilton, without penalty, if Provider violates any requirement of these Standards. Further, Provider agrees to fully indemnify Hilton for all costs, fees, claims or actions associated with any unauthorized Processing of Personal Information within Provider’s control, as well as any unauthorized access, acquisition or use of Personal Information by affiliates or third parties.
16. Audits and Inspections
Upon Hilton’s request, Provider will provide reasonable supporting documentation regarding the Data Safeguards as well as business continuity and recovery facilities, resources, plans, and procedures. Upon reasonable notice to Provider, Provider will permit Hilton, its auditors, designated audit representatives, and regulators, including data protection authorities, during normal business hours, to audit and inspect: (i) Provider’s facilities where Personal Information is Processed; (ii) any computerized systems used to Process Personal Information; and (iii) Provider’s security practices and procedures, data protection practices and procedures, and business continuity and recovery facilities, resources, plans, and procedures. The audit and inspection rights hereunder will be, at a minimum, for the purpose of verifying Provider’s compliance with these Standards and the Data Protection Requirements.
17. Return of Personal Information
Hilton has the right, in its sole discretion at any time and from time to time, to restrict, discontinue, suspend, cancel, terminate, or modify Provider’s right to Process Personal Information. Upon the termination or expiration of Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and Hilton, or upon Hilton’s request, Provider will, and will cause its affiliates, subcontractors, and service providers to, return in a manner and format reasonably requested by Hilton, or, if specifically directed by Hilton, destroy, any or all Personal Information in its possession, power, or control, and Provider will certify the same, each as described in Section 7(b) above.
18. Changes to these Standards
Hilton can change these Standards in its sole discretion at any time and from time to time. Any changes to these Standards will be binding upon Provider when posted at
www.hiltondistribution.com/privacyanddataprotectionstandards.htm; provided, however, that Provider will have a reasonable period of time to implement any change in the Policy (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Provider is obligated to check this URL regularly for any changes. The most recent changes to the Policy will appear at the bottom of the Policy in the section entitled, “Hilton’s Privacy and Data Protection Policy for Service Providers Material Revisions.
19. Survival; Third Party Beneficiaries
Provider’s obligations under these Standards will survive the termination or expiration of its services or any related agreements and will continue for so long as Provider, or any of its affiliates, subcontractors, or service providers retain or have access to Personal Information. Provider acknowledges and agrees that each entity referenced in the definition of “Hilton” above is an intended third party beneficiary of Provider’s obligations and liabilities under these Standards, including without limitation Provider’s obligations with respect to Personal Information, and as such, each will have a right of its own to enforce these Standards.
Material Revisions to Hilton’s Service Provider Data Protection Standards
Last Update: March 2017
March 2017 Changes:
- Changed the name of “Hilton” from “Hilton Worldwide Inc.” to “Hilton Domestic Operating Company Inc.” to reflect the updated corporate name.
- Changed the title of the document from Hilton’s “Privacy and Data Protection Policy for Service Providers” to Hilton’s “Service Provider Data Protection Standards.” Changed the references to this “policy” to these “standards.”
- Changed the contact e-mail address for Security Incidents from firstname.lastname@example.org to ISC@hilton.com.
- Changed the term “Special Personal Information” to “Sensitive Personal Information.”
- Amended definition of “Sensitive Personal Information” to include an individual’s username in combination with password, PIN, or access code that would grant access to an online account
- Changed Disclosure Under Legal Process section to reflect that Hilton should be notified within at least 72 hours of receipt of such requests, rather than 48 hours before a Provider intends to make a disclosure
- Added this “Revisions” section to the Policy. Added language to the Standards itself noting that the most recent changes will appear herein