SERVICE PROVIDER DATA PROTECTION STANDARDS (SPDPS)

HILTON DOMESTIC OPERATING COMPANY INC.


Last Updated: March 2018


At Hilton, we take the protection of Personal Information relating to our customers, employees, independent contractors, and service providers very seriously. All individuals or organizations that provide goods or services (“Providers”) to Hilton Domestic Operating Company Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned and managed hotels, partnerships or joint ventures (individually or collectively, “Hilton”), or through Hilton for the benefit of its franchisees, must abide by and comply with the principles set forth in these Service Provider Data Protection Standards (the “Standards”). These Standards form part of any agreement between Hilton and Provider that references these Standards, or to which these Standards are attached or incorporated (the “Agreement”). In the event of a conflict between these Standards and the Agreement, these Standards shall control with respect to their subject matter, unless the Agreement sets forth more stringent standards.

1. DEFINITIONS.
    1. “Biometric Data” means Personal Information resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual that allows or confirms the unique identification of that individual.
    2. “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.
    3. “Data Protection Requirements” means, collectively, all laws and regulations relating to data privacy, data security, personal data, transborder data flow, and data protection that apply to Provider’s Processing of Personal Information, including without limitation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation (“GDPR”)).
    4. “Data Safeguards” means the administrative, operational, organizational, technical, and physical safeguards described in Section 9 of these Standards, as modified in accordance with these Standards.
    5. “Genetic Data” means Personal Information relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of that individual and which result, in particular, from an analysis of a biological sample from such individual.
    6. “Health Data” means Personal Information related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health.
    7. “Malware” means computer software, code, or instructions that: (a) adversely affect the operation, security, availability, or integrity of a computing, telecommunications, or other digital operating or processing system or environment, including without limitation, other programs, data, databases, computer libraries, and computer and communications equipment, by altering, destroying, disrupting, or inhibiting such operation, security, or integrity; (b) self-replicate without manual intervention where such self-replication lacks functional purpose; (c) purport to perform a useful function but which actually perform either a destructive, harmful, or unauthorized function, or perform no useful function and utilize substantial computer, telecommunications, or memory resources; or (d) without authorization, collect and/or transmit to third parties any information or data, including such software, code, or instructions commonly known as viruses, Trojans, logic bombs, worms, and spyware.
    8. “Personal Information” means any information (i) that can be used (alone or in combination with other information within Provider’s control) to identify, locate, or contact a specific individual, or (ii) related to an identified or identifiable individual. By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address, and email address, as well as less obvious information such as an individual’s personal preferences, hotel stay-related information, guest account information, location data, and online identifiers. Personal Information also includes (without limitation) factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual. Personal Information may pertain to customers, employees, or others. Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, and excerpts, whether or not such Personal Information has been intermingled with other information or materials. For purposes of these Standards, Personal Information only includes information: (i) provided to Provider by or on behalf of Hilton; or (ii) obtained, used, accessed, possessed, or otherwise Processed by Provider in connection with the provision of the Services.
    9. “PCI Standards” means the data security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standards currently in effect and as modified during the term of the Agreement.
    10. “Process” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    11. “Provider Processing Record” means a written record of all categories of Processing carried out in connection with the Services, which contains the following: (i) the name and contact details of Provider and any Subcontractors and, where applicable, the name and contact details of Provider’s data protection officer; (ii) the categories of Processing performed by the Provider for Hilton; (iii) the list of countries, if any, to which the Provider transfers Personal Information; and (iv) a description of the Provider’s Data Safeguards.
    12. “Security Breach” means (i) any circumstance pursuant to which applicable Data Protection Requirements require action in response to such circumstance, including but not limited to notification of such breach to be given to affected parties or a regulator or data protection authority; or (ii) any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance that compromises, or could reasonably be expected to compromise, either Physical Security or Systems Security (as such terms are defined below) in a manner that either does or could reasonably be expected to permit unauthorized Processing, use, disclosure, acquisition of, or access to any Personal Information. “Physical Security” means physical security at any location housing systems maintained by Provider or its agents or Subcontractors in connection with the Services or in the course of physical transportation of assets or physical media used by Provider or its agents or Subcontractors in performing the Services. “Systems Security” means security of computer, electronic, or telecommunications systems of any variety (including databases, hardware, software, storage, switching, and interconnection devices and mechanisms); security of networks of which such systems are a part or with which such systems communicate; and security of networks used directly or indirectly by Provider or its agents, or Subcontractors in connection with the Services.
    13. “Sensitive Personal Information” means Personal Information which due to its nature has been classified by applicable Data Protection Requirements as deserving additional privacy and security protections, including (without limitation): (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver’s license number, or other identification number issued by a government or public body or (B) financial account number; (ii) an individual’s username which, in combination with a password, PIN, or access code would grant access to an online account; (iii) Cardholder Data; (iv) data about racial or ethnic origin; (v) data about political opinions, religious or philosophical beliefs, or trade union membership; (vi) Genetic Data; (vii) Biometric Data; (viii) Health Data; and (ix) data concerning a natural person’s sex life or sexual orientation.
    14. “Services” means the goods and services provided by Provider to Hilton, or through Hilton for the benefit of its franchisees, as further described in the Agreement.
    15. “Subcontractor” means an entity, including any Provider affiliate, engaged by Provider to perform Services for Provider that involve the Processing of Personal Information.

2. SUBJECT MATTER AND DURATION OF PROCESSING; TYPE AND NATURE OF PERSONAL INFORMATION.

Provider will Process Personal Information in connection with the Services described in the Agreement and during the term of such Agreement, subject to compliance with the Data Protection Requirements and the Agreement. The type of Personal Information Processed by Provider is described in the Agreement. The Processing may involve Personal Information of employees of Hilton, customers and guests of Hilton, and business contact information of Hilton corporate customers, suppliers, and other business partners, as further described in the Agreement.

3. NATURE AND PURPOSE OF THE PROCESSING; OWNERSHIP OF PERSONAL INFORMATION.

Hilton will have the exclusive right to determine the purposes for which the Personal Information is Processed. Provider will Process Personal Information for the sole purpose of providing the Services in accordance with the Agreement. At no time will Provider acquire any ownership, license, rights, or other interest in or to the Personal Information. As between Hilton and Provider, Personal Information will remain the proprietary information of Hilton at all times and Hilton shall be the “Controller” and Provider shall be the “Processor,” as such terms are defined in the GDPR.

4. USE AND PROCESSING OF PERSONAL INFORMATION

Provider will Process the Personal Information only on behalf of Hilton and only as specifically instructed by Hilton in writing, including with regard to transfers of Personal Information to a third country or an international organization, unless required to do so by Data Protection Requirements to which Provider is subject; in such a case, Provider shall inform Hilton of that legal requirement before Processing, unless such Data Protection Requirement prohibits such information on important grounds of public interest. Hilton hereby instructs Provider to Process the Personal Information solely as necessary to provide the Services under the Agreement and subject to compliance with the Agreement, these Standards and the Data Protection Requirements. In no event may Provider: (a) use Personal Information to market its services or those of an affiliate or third party; (b) sell or rent Personal Information; or (c) otherwise Process any Personal Information for Provider’s, its affiliates’, or any third party’s own purposes. Provider shall immediately inform Hilton if, in its opinion, an instruction infringes any Data Protection Requirements.

5. USE OF SUBCONTRACTORS

a. Unless otherwise expressly permitted pursuant to the Agreement, Provider will not utilize Subcontractors in the performance of Services without the written consent of Hilton in each instance.

b. To the extent that the Agreement expressly provides for a general authorization for Provider to use Subcontractors, Provider shall: (i) provide Hilton a list of Provider’s Subcontractors involved in the provision of Services prior to the commencement of Services and promptly upon request by Hilton, with the identity of each Subcontractor, the Services performed by such Subcontractor, the location(s) from which such Subcontractors perform Services, and such additional information as may be reasonably requested by Hilton; and (ii) notify Hilton in writing in the event of any intended addition or replacement of any such Subcontractors (each, a “Subcontractor Change”). Hilton shall have a reasonable period of time to object to any Subcontractor Change. In the event of any such objection, Provider will not implement the Subcontractor Change unless Provider is able to address Hilton’s concerns to Hilton’s reasonable satisfaction. In the event of a Subcontractor Change involving Services provided in a “software as a service” or multi-tenant environment, where Subcontractor Changes cannot be implemented separately for a single customer and Provider is unable to address Hilton’s concerns to Hilton’s reasonable satisfaction, Hilton may terminate the Agreement or the applicable Services for cause and without liability (or payment of any termination or other fees). In the event of such a termination, Provider will promptly refund Hilton any pre-paid fees covering the remainder of the term of such Agreement or Services.

c. Where Provider engages a Subcontractor for carrying out specific Processing activities on behalf of Hilton, Provider shall impose on the Subcontractor the same data protection obligations as set out herein between Hilton and Provider. These obligations shall be imposed by way of a contract or other legal act under applicable Data Protection Requirements and shall require the Subcontractor to provide sufficient guarantees that it will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Requirements. Provider will remain at all times accountable and responsible for compliance with these Standards by its Subcontractors.

6. DISCLOSURE OF PERSONAL INFORMATION

Provider will hold the Personal Information in confidence in accordance with the Data Protection Requirements, these Standards, and the Agreement. Provider will not disclose Personal Information to any of its affiliates or to any third party (including, without limitation, any Subcontractors) except as necessary to provide the Services. Prior to disclosing any Personal Information to any Subcontractor or other third party, Provider will have in place with such Subcontractor or other third party a written agreement that includes obligations that are at least as restrictive as those in these Standards. Provider further agrees, upon Hilton’s request, to provide a list of all affiliates and third parties to which Provider has disclosed Personal Information. Provider will remain at all times accountable and responsible for compliance with these Standards by Provider, Provider’s affiliates, and third parties to whom Provider discloses any Personal Information. Provider will ensure that its personnel engaged in the Processing of Personal Information are informed of the confidential nature of the Personal Information and have executed written confidentiality agreements (or are under an appropriate statutory obligation of confidentiality). Provider will ensure that such confidentiality obligations survive any termination of employment of such personnel.

7. DISCLOSURE UNDER LEGAL PROCESS

If Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand, or other similar process) to disclose any Personal Information to a third party, Provider will not disclose the Personal Information without complying with applicable laws. Unless prohibited by applicable law, Provider will provide Hilton with written notice of any request or requirement to disclose Personal Information to a third party no more than seventy-two (72) hours after receiving the request but in any event prior to making any disclosure so that Hilton may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. Notwithstanding the foregoing, Provider will exercise commercially reasonable efforts to prevent or limit any disclosure of Personal Information and to preserve the confidentiality of Personal Information including, without limitation, by cooperating with Hilton to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to any Personal Information that the Provider is required to disclose.

8. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION

As provided in Section 4, Provider may only transfer Personal Information from one country to another upon the prior written consent of Hilton and in compliance with Data Protection Requirements. With respect to Personal Information originating from the European Union (“EU”) or Switzerland that is Processed by Provider in connection with the Services, (i) where Provider is located and receives such Personal Information within the EU or Switzerland, Provider agrees that it will not transfer any Personal Information outside the EU or Switzerland without the prior written consent of Hilton (which may be included in the Agreement) and shall follow Hilton’s instructions for implementing adequate safeguards for any such transfers under applicable Data Protection Requirements and shall ensure that any Subcontractors do the same; and (ii) where Provider is either (A) not located within the EU or Switzerland, or (B) initially receives such Personal Information from a country outside the EU or Switzerland (e.g., the Personal Information originating from the EU or Switzerland is sent to the Provider directly from the United States), (1) Provider agrees to provide at least the same level of privacy protection as is required by the EU-U.S. Privacy Shield Framework, located at https://www.privacyshield.gov/EU-US-Framework, and as amended from time to time; and (2) at Hilton’s request, Provider and any of its agents and Subcontractors shall enter into a data processing agreement with Hilton that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any other similar clauses relating to other countries, to allow Personal Information to be transferred by Hilton to Provider and its agents, and Subcontractors. Without limiting the generality of the foregoing, Provider will not transfer Personal Information to any country (including for Processing by Provider’s agents or Subcontractors) unless Hilton has agreed, in writing, to that transfer.

9. DATA SAFEGUARDS

a. Provider will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information. Such procedures and practices will be compliant, at a minimum, with the Agreement, these Standards, and the Data Protection Requirements. All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information.

b. Consistent with the foregoing, Provider agrees:

i. to adopt, implement, maintain, and monitor a written information security program that contains administrative, technical, and physical safeguards to (A) prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Information; (B) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; and (C) ensure the ability to restore the availability of and access to Personal Information in a timely manner in the event of a physical or technical incident;

ii. to conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;

iii. to take reasonable steps to ensure the trustworthiness of all Provider employees, agents and Subcontractors who will be provided with access to Personal Information;

iv. to ensure that its information security program includes industry standard password, firewall, operating system, anti-virus, and Malware protections to protect Personal Information stored or otherwise handled on computer systems;

v. to encrypt, using industry standard encryption tools, all records and files (A) containing Personal Information that Provider transmits or sends wirelessly or across public networks; and (B) containing Sensitive Personal Information that Provider: (1) stores on laptops or storage media; (2) stores on portable devices; and (3) stores on any device that is transported outside of the physical or logical access controls of Provider; and to safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Information;

vi. to maintain an incident response program that specifies the actions to be taken by Provider when it has reason to believe that a Security Breach may have or has occurred;

vii. to implement such additional security measures as may be required under the Data Protection Requirements or specified in the Agreement;

viii. to comply with the PCI Standards with respect to Cardholder Data if the Provider Processes Cardholder Data in connection with the Services. Consistent with Provider’s obligations as set forth in the Agreement, Provider acknowledges its responsibility for the protection and security of Cardholder Data in connection with the performance of the Services. Provider further represents and warrants that it will not take any actions that will compromise Hilton’s ability to comply with the PCI Standards.

ix. where Provider, directly, or through any of its agents or Subcontractors, connects to Hilton’s computing systems and/or networks, that: (A) all Provider interconnectivity to Hilton’s computing systems and/or networks and all attempts at same will only occur through Hilton’s security gateways/firewalls; (B) Provider will not access, and will not permit any other person or entity to access, Hilton’s computing systems and/or networks without Hilton’s authorization; (C) if Hilton grants Provider permission to access its computing systems and/or networks, Provider will only access Hilton’s computing systems and/or networks as authorized; and (D) Provider’s systems connecting to Hilton’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Hilton’s computing systems or networks, will be actively protected by an industry standard Malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Hilton’s computing systems and/or networks. Provider agrees that Hilton may perform periodic assessments of Provider’s network. Should any assessment of Provider’s network reveal inadequate security by Provider or its agents or Subcontractors, Hilton, in addition to other remedies it may have, may suspend Provider’s, its agents’ or Subcontractors’ access to Hilton’s computing systems and/or networks until such security issue has been resolved to the satisfaction of Hilton.

c. Provider agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider employees and agents who require such access for purposes of providing goods and/or services to Hilton; and (iv) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.

d. If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal. Upon request, Provider will be required to certify to Hilton that all forms of Personal Information disposed of have been destroyed in accordance with these Standards. If Provider cannot so certify, Provider shall provide a written explanation for its inability to certify that it complied with this disposal requirement.

e. Provider shall review and, as appropriate, revise the Data Safeguards: (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended, or re-interpreted Data Protection Requirements, and (iv) as reasonably requested by Hilton. Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Information.

10. SECURITY INCIDENTS

Provider agrees to notify Hilton at ISC@Hilton.com immediately upon becoming aware of a Security Breach, including the presence of Malware, if possible. If Provider is not able to notify Hilton immediately upon becoming aware of a Security Breach, including the presence of Malware, Provider will notify Hilton within twenty-four (24) hours of becoming aware of a Security Breach. After providing such notice, Provider will (i) promptly investigate the Security Breach, including by conducting a root cause analysis, and report its findings to Hilton, (ii) provide Hilton with a remediation plan, approved by Hilton in its sole discretion, to address the Security Breach and prevent any further incidents; (iii) remediate such Security Breach in accordance with the Hilton-approved remediation plan; (iv) conduct a forensic investigation to determine what systems, data, and information were affected by the Security Breach; (v) cooperate with Hilton as Hilton executes its security incident response plan and otherwise investigates the Security Breach; (vi) abide by any requests by Hilton for Provider to cooperate with any law enforcement or regulatory officials, credit reporting companies, or credit card associations investigating such Security Breach, and (vii) keep Hilton advised of the status of such Security Breach and all matters related thereto. Provider further agrees to provide all reasonable assistance requested by Hilton and/or Hilton’s designated representatives in the furtherance of any investigation, correction, and/or remediation by Hilton of any such Security Breach and shall reimburse Hilton upon Hilton’s demand for all reasonable Notification Related Costs incurred by Hilton arising out of or in connection with any such Security Breach resulting in a requirement for legally required notifications. 
If a notification to an individual is required under any Data Protection Requirement or pursuant to any Hilton privacy or security policies, then notifications to all individuals who are affected by the same event (as reasonably determined by Hilton) shall be considered legally required. Notification Related Costs shall include Hilton’s internal and external costs associated with addressing and responding to the Security Breach, including but not limited to: (i) the preparation and mailing or other transmission of legally required notifications; (ii) the preparation and mailing or other transmission of such other communications to affected individuals, agents, or others as Hilton deems reasonably appropriate; (iii) the establishment of a call center for up to twelve (12) months or such longer period as may be required pursuant to applicable Data Protection Requirements or is reasonable under the circumstances; (iv) the establishment of communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points, and training); (v) fees for public relations and other similar crisis management services; (vi) legal, forensics, and accounting fees and expenses associated with Hilton’s investigation of and response to such Security Breach or presence of Malware; and (vii) costs for commercially reasonable credit reporting, credit watch, identity protection, identity remediation, and similar services that are associated with legally required notifications or are advisable under the circumstances for up to twelve (12) months or such longer period as may be required pursuant to applicable Data Protection Requirements or is reasonable under the circumstances. Unless otherwise required by applicable Data Protection Requirements, Hilton shall make the final decision on notifying Hilton’s employees, guests, service providers, regulatory authorities and/or the general public of such Security Breach, and the implementation of the remediation plan.

11. COMPLAINTS; INVESTIGATIONS

If Provider receives any complaint, notice, or communication which relates directly or indirectly to Provider’s Processing of Personal Information or either Hilton’s or Provider’s compliance with applicable laws or regulations in connection with Personal Information, Provider will promptly notify Hilton. At Hilton’s request, Provider will assist and support Hilton in the event of such a complaint or an investigation by a regulator or data protection authority or similar authority, if and to the extent that such complaint or investigation relates to Provider’s Processing of Personal Information. Such assistance will be at Hilton’s sole expense, except where the complaint or investigation arose from an allegation concerning or an investigation into Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense.

12. DATA SUBJECT REQUESTS RELATING TO PERSONAL INFORMATION

Provider will immediately inform Hilton in writing upon receiving any request for access to, correction, amendment, or deletion of any Personal Information from an individual who is (or claims to be) the subject of the data (“Data Subject Requests”). Unless otherwise required by laws or regulations or provided for in the Agreement, Provider will not respond directly to these requests unless explicitly authorized by Hilton to do so, other than as necessary to confirm that the request relates to Hilton. As part of the Services, Provider shall cooperate with and provide all reasonable assistance to Hilton in responding to and implementing Data Subject Requests.

13. DATA PROTECTION OFFICER

Provider has appointed a data protection officer where required pursuant to Data Protection Requirements.

14. OTHER ASSISTANCE TO HILTON

In addition to, and without limitation of, Provider’s other obligations under these Standards, and where applicable to the Services and the Processing, Provider shall assist and cooperate with Hilton, at Hilton’s request and as part of the Services: (i) in Hilton’s implementation of security measures applicable to Personal Information; (ii) in connection with any Security Breach notification required to be made to a supervisory authority or to Data Subjects; (iii) in connection with any privacy impact assessment related to the Processing; and (iv) in connection with any consultation with a supervisory authority conducted by Hilton in connection with the Processing.

15. VIOLATIONS OF THESE STANDARDS

Provider agrees to notify Hilton immediately of any material breach or violation of these Standards. Without limiting other remedies that may be available to Hilton for violation of these Standards, Provider agrees that Hilton may, at its discretion, immediately terminate Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and Hilton, without penalty, if Provider violates any requirement of these Standards. Further, Provider agrees to fully indemnify Hilton for all costs, fees, claims, or actions associated with any unauthorized Processing of Personal Information within Provider’s control, as well as any unauthorized access, acquisition, or use of Personal Information by agents, Subcontractors, or third parties.

16. RECORD, AUDITS, AND INSPECTIONS

Provider shall maintain, at all times during the term of the Agreement, and shall provide to Hilton, upon Hilton’s request and at no additional charge, complete and accurate records and reasonable supporting documentation regarding the Data Safeguards as well as business continuity and recovery facilities, resources, plans, and procedures, and such other records and documentation necessary to validate Provider’s compliance with these Standards, including the Provider Processing Record. Upon reasonable notice to Provider, Provider will permit Hilton, its auditors, designated audit representatives, and regulators, including data protection authorities, during normal business hours, to audit and inspect: (i) Provider’s facilities where Personal Information is Processed; (ii) any computerized systems used to Process Personal Information; and (iii) Provider’s security practices and procedures, data protection practices and procedures, and business continuity and recovery facilities, resources, plans, and procedures. The audit and inspection rights hereunder will be, at a minimum, for the purpose of (i) verifying Provider’s compliance with these Standards and the Data Protection Requirements, (ii) verifying the integrity of the Personal Information, and (iii) facilitating Hilton’s compliance with Data Protection Requirements.

17. RETURN OF PERSONAL INFORMATION

Hilton has the right, in its sole discretion at any time and from time to time, to restrict, discontinue, suspend, cancel, terminate, or modify Provider’s right to Process Personal Information. Upon the termination or expiration of the Agreement or Provider’s provision of Services, or upon Hilton’s request, Provider will, and will cause its agents and Subcontractors to, return in a manner and format reasonably requested by Hilton, or, if specifically directed by Hilton, destroy, any or all Personal Information in its possession, power, or control and delete any existing copies unless applicable Data Protection Requirements require storage of the Personal Information, and Provider will certify the same, each as described in Section 9(d) above.

18. CHANGES TO THESE STANDARDS

Hilton can change these Standards in its sole discretion at any time and from time to time. Any changes to these Standards will be binding upon Provider when posted at http://www.hiltondistribution.com/privacyanddataprotectionstandards/chinese.htm; provided, however, that Provider will have a reasonable period of time to implement any change in the Policy (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Provider is obligated to check this URL regularly for any changes. The most recent changes to the Policy will appear at the bottom of the Policy in the section entitled “Material Revisions to Hilton’s Service Provider Data Protection Standards.”

19. SURVIVAL; THIRD PARTY BENEFICIARIES

Provider’s obligations under these Standards will survive the termination or expiration of its services or any related agreements and will continue for as long as Provider, or any of its agents or Subcontractors retain or have access to Personal Information. Provider acknowledges and agrees that each entity referenced in the definition of “Hilton” above is an intended third party beneficiary of Provider’s obligations and liabilities under these Standards, including without limitation Provider’s obligations with respect to Personal Information, and as such, each will have a right of its own to enforce these Standards.

MATERIAL REVISIONS TO HILTON’S SERVICE PROVIDER DATA PROTECTION STANDARDS

Last Update: March 2018

March 2018 Changes:

  • Updated defined terms to comport with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data, commonly referred to as the “General Data Protection Regulation” (GDPR).
  • Updated data safeguard requirements.
  • Further limited use of subcontractors.
  • Restricted cross-border transfers of data without approval from Hilton and agreement to any necessary data transfer agreement.

March 2017 Changes:

  • Changed the name of “Hilton” from “Hilton Worldwide Inc.” to “Hilton Domestic Operating Company Inc.” to reflect the updated corporate name.
  • Changed the title of the document from Hilton’s “Privacy and Data Protection Policy for Service Providers” to Hilton’s “Service Provider Data Protection Standards.” Changed the references to this “policy” to these “standards.”
  • Changed the contact e-mail address for Security Incidents from investigations@hilton.com to ISC@hilton.com.
  • Changed the term “Special Personal Information” to “Sensitive Personal Information.”
  • Amended the definition of “Sensitive Personal Information” to include an individual’s username in combination with a password, PIN, or access code that would grant access to an online account.
  • Changed the Disclosure Under Legal Process section to reflect that Hilton should be notified within at least 72 hours of receipt of such requests, rather than 48 hours before a Provider intends to make a disclosure.
  • Added this “Revisions” section to the Policy. Added language to the Standards itself noting that the most recent changes will appear herein.