Ovation’s EU-U.S. Privacy Shield Policy

Introduction

Ovation Travel Group, Inc. (“Ovation”) recognizes that the United States and the European Union have different laws, and take different approaches to privacy, including the requirements for protecting personally identifiable information (“PII”). As a travel management company, Ovation collects, compiles, and analyzes data on behalf of its clients, whose travelers may reside all over the world, primarily in the United States, but also in the European Union. Ovation’s clients are business entities. Accordingly, it makes travel reservations for its client’s employees or other authorized travelers (e.g., independent contractors, job candidates, etc.). Due to the potentially global reach of its services, Ovation sometimes receives data that originates from the European Union or European Economic Area. In turn, it delivers such data to its clients and other third parties (as appropriate) by: (i) sending consolidated data and reports directly to its client, (ii) publishing client-specific data in its web-based reporting platform, or (iii) sending files of such data (e.g., an onward transfer) to authorized and necessary recipients (e.g., a client’s online booking tool or risk management provider), pursuant to a client’s request. While this policy is aimed at meeting the requirements of the Privacy Shield, whenever practicable, Ovation applies this policy to any personal information it collects; provided, however, that such application is not contrary to applicable laws, rules, or regulations.

Data privacy and security is of the utmost importance to Ovation and all of its clients. Accordingly, Ovation has elected to voluntarily participate in the EU-U.S. Privacy Shield (the “Privacy Shield”) and certify its adherence to and comply with the Privacy Shield and its Principles, including the Supplemental Principles (collectively, the “Principles”) with the Department of Commerce. Details about the EU-U.S. Privacy Shield can be found at www.privacyshield.gov. Ovation understands and acknowledges that while certification may be voluntary, effective compliance is compulsory. Accordingly, it has agreed to subject its compliance to the full breadth of regulatory enforcement of the U.S. Department of Transportation (“DOT”), the Department of Commerce, or any other statutory body empowered to enforce compliance with the Principles.

Principles

This policy supplements, but does not replace, all other polices, practices, and procedures including any applicable confidentiality or non-disclosure agreement. Ovation has implemented this policy effective September 13, 2016. Ovation recognizes that the Principles apply to it immediately upon certification.

Ovation’s Eligibility to Participate in Privacy Shield

Ovation is eligible to participate in the Privacy Shield because Ovation is a ticketing agent under the jurisdiction of the U.S. Department of Transportation.

Proof of Participation

Ovation will only display its EU-U.S. Privacy Shield certification marks or make other references to its compliance when it is in complete compliance with each Principle. Evidence of Ovation’s participation can be found at: https://www.privacyshield.gov/list.

Questions and Inquiries

Any party, including individuals, may direct questions, inquiries, or complaints about Ovation’s participation in and compliance with the Privacy Shield to privacy@ovationtravel.com or the company’s Associate Counsel and Data Security Officer, Lance Taubin, at (212) 329-7356 or ltaubin@ovationtravel.com. Complaints about Ovation’s adherence to the Principles may also be directed to the U.S. Department of Transportation (www.dot.gov).

Definitions

“Personal Data” includes personal information and means data about an identified or identifiable individual that is within the scope of Directive 95/46/EC of 24 October 1995 (the “Directive”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity.

“Processing” of Personal Data means any operation or set of operations that is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure, or dissemination, and erasure or destruction.

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The “Data Exporter” means the Controller who transfers Personal Data. The “Data Importer” means the Controller who agrees to receive data from the Data Exporter for Processing.

“Processor” means a person or organization that Processes Personal Data on behalf of a Controller.

Principles

  • Notice; Choice
  1. Ovation will inform its customers and business partners (e.g., vendors and other third parties) that it participates in the Privacy Shield. It will provide such notice in a variety of manners as may be appropriate, such as language in its contracts with customers, clear notification on its website (www.ovationtravel.com), and a specific link to this policy that can be easily found at www.ovationtravel.com.

  2. Ovation collects and processes Personal Data so that it can provide travel management services to its clients. Ovation primarily collects Personal Data that is necessary to complete a reservation with an airline carrier, hotel, car rental agency, or other supplier named on a traveler’s itinerary (a “Travel Supplier”). Upon a client’s request, Ovation may also collect human resources-like data such as employee identification, department number, or cost center. The specific elements of Personal Data that Ovation Processes are:

- Passenger First Name

- Passenger Last Name

- Passenger Middle Initial

- Passenger Salutation

- Date of Birth

- Gender

- Employee Identification Number/Employee ID

- Ticket/Document Number

- Original Issue Ticket/Document Number

- Conjunctive Ticket Number (First)

- Conjunctive Ticket Number (Second)

- Conjunctive Ticket Number (Third)

- Passport Number

- TSA Known Redress Number

- Airline Frequent Flyer Numbers

- Credit Card Code

- Credit Card Number

- Credit Card Expiration Date

- Electronic Ticket Indicator

- Refundable Ticket Indicator

- Passenger Name Record (PNR) Reference

Ovation collects this data as a Data Importer and receives data, including Personal Data, from its global affiliate, BCD Travel. Ovation shares this data with: (a) the client that requested the consolidation of such data for management reporting purposes, and (b) third parties that assist and are necessary for Ovation in providing the relevant travel management services to its clients (which is considered an onward transfer).

  1. Individuals may access their Personal Data by contacting his or her employer (i.e., Ovation’s client) or by submitting a request to privacy@ovationtravel.com.

  2. In the event an individual desires to limit the use or disclosure of their Personal Data to a third party, including requests to “opt out,” he or she must contact his or her employer (i.e., Ovation’s client) or submit a request to privacy@ovationtravel.com.

  3. Ovation will respond to inquiries directed to privacy@ovationtravel.com within forty-five (45) calendar days.

  4. Ovation is registered with JAMS as its independent recourse mechanism provider based in the U.S. for the Directive and the Swiss Federal Act of Data Protection. Accordingly, individuals may contact Kathleen A. Pierz, Practice Development Manager, Global at kpierz@jamsadr.com to address complaints, and JAMS will provide appropriate recourse without cost to the individual. More information about JAMS can be found at https://www.jamsadr.com/eu-us-privacy-shield. Ovation is not opposed to an individual electing to invoke binding arbitration for the resolution of complaints.

  5. As a participant in the Privacy Shield, Ovation agrees to be subject to the investigatory and enforcement powers of the DOT. Accordingly, Ovation may be required to disclose Personal Data to DOT, or other applicable U.S. government agencies for reasons such as national security needs, law enforcement requirements, or Ovation’s liability for onward transfers. If a third party service provider providing services on Ovation’s behalf processes personal data from the EEA in a manner inconsistent with the Privacy Shield Principles, Ovation will be liable unless we can prove that we are not responsible for the event giving rise to the damages.

  6. Since Ovation is collecting Personal Data pursuant to a client’s request, Ovation will rely upon its clients to provide individuals (e.g., employees) with appropriate, clear and conspicuous notice and to obtain any necessary consent.
  • Accountability for Onward Transfer
  1. In the event Ovation is required to transfer Personal Information to a third party acting as a controller (e.g., a client’s risk management provider), Ovation will ensure that the third party will comply with the notice and choice principles set forth above. Ovation will enter into a binding written agreement with the third party recipient, which specifies that such data may only be processed for limited and specified purposes consistent with the consent provided by an individual (as applicable), and that the recipient will provide the same level of protection as set forth in the Principles. In any case of onward transfers to third parties, Ovation is potentially liable.

  2. Furthermore, Ovation will: (a) transfer such data only for limited and specified purposes; (b) ascertain that the recipient is obligated to provide the same level of privacy protection as required by the Principles; (c) take reasonable and appropriate steps to ensure that the recipient effectively processes the Personal Data transferred in a manner consistent with the organization’s obligations under the Principles; (d) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (e) provide a summary or a representative copy of the relevant privacy provisions of its contract with third party agents to the Department of Commerce upon request.
  • Security; Integrity; Purpose Limitation
  1. Ovation will take reasonable steps and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation and destruction, taking into due account the risks involved and the nature of Personal Data.

  2. Ovation will only process Personal Data for the limited purposes of providing travel management services to its clients and any requested onward transfer. It will not process Personal Data for any purpose inconsistent with these limited purposes.

  3. To the extent practicable, Ovation will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Because Ovation processes data that has been shared with travel suppliers, it is not always reasonable for Ovation to permit individuals to correct, amend, or delete this information. In fact, the burden to make such changes is disproportionate to the services that Ovation provides to its clients. Therefore, it will not, unless the circumstances are truly extraordinary, make any changes based up in an individual’s request, nor will Ovation allow individuals to have access to their data for this purpose.
  • Recourse, Enforcement and Liability
  1. Ovation acknowledges that effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences if Ovation does not follow the Principles. Accordingly, Ovation has put the following mechanisms in place:

    1. Individual complaints can be addressed, without cost to the individual, by: (i) contacting JAMS (https://www.jamsadr.com/eu-us-privacy-shield) at kpierz@jamsadr.com; (ii) by sending a detailed, written complaint to the individual’s employer; or (iii) by sending a detailed, written compliant to privacy@ovationtravel.com. Damages for Ovation’s actual non-compliance may be awarded by JAMS or where applicable law so provides.

    2. Individuals or others who wish to verify that the attestations made in this policy are true and correct may send inquiries to privacy@ovationtravel.com. Such inquires will be directed to Ovation’s Associate Counsel and Data Security Officer.

    3. Ovation agrees to be subject to the jurisdiction and enforcement powers of the DOT, or the U.S. Department of Commerce, and EU Data Protection Authorities, as applicable.

  2. As set forth above, Ovation will respond to any inquiry directed to privacy@ovationtravel.com within 45 calendar days. Any inquiry directed to it by another means will be responded to expeditiously.

  3. Ovation agrees to be subject to binding arbitration regarding complaints of non-compliance with the Privacy Shield lodged by individuals, subject to the legal agreements between Ovation and its client.

  4. In the event Ovation becomes subject to a U.S. court order or other order based on non-compliance with the Principles, Ovation shall make public any relevant sanctions or other findings.
  • Adherence to the Supplemental Principles

Ovation acknowledges that it must also adhere to the following Supplemental Principles:

  1. Sensitive Data. In the course of conducting its business, Ovation may obtain sensitive information such as medical or health conditions or religious beliefs. Ovation falls under the exception that is it not required to obtain affirmative express consent with respect to this sensitive data because the processing is in the vital interests of the data subject or another person. Further, Ovation does not have to obtain affirmative express consent with respect to this sensitive data when it is necessary for the establishment of legal claims or defenses or when required to provide medical care or diagnosis.

  2. Journalistic Exceptions. Ovation does not engage in journalistic activity such that the journalistic exception applies to it.

  3. Secondary Liability. Ovation is not an Internet Service Provider (“ISP”) or telecommunication carrier, nor does it merely transmit data as a conduit. Therefore, the Supplemental Principle regarding secondary liability does not apply.

  4. Performing Due Diligence and Conducting Audits. Ovation is not an investment bank, law firm, auditor or other firm that would normally be engaged in audits and due diligence. Therefore, this Principle does not apply.

  5. The Rule of Data Protection Authorities (DPA). Ovation has set forth above the details on its adherence to the Principles, including its commitment to cooperate with the EU data protection authorities (“DPAs”) in the investigation and resolution of complaints brought under the Privacy Shield, providing a recourse for individuals whose Personal Data is processed by Ovation, agree to remedy problems arising out of Ovation’s failure to comply, and provide mechanisms for individuals to follow-up on Ovation’s adherence to the Privacy Shield. In the event a DPA commences an investigation regarding Ovation’s adherence to the Privacy Shield (directly or indirectly), Ovation will cooperate with such investigation. Moreover, Ovation will comply with advice given by a DPA, or DPA panel, where the finder of fact takes the view that Ovation must take specific action to comply with the Principles, including remedial or corrective actions, or compensatory measures for the benefit of individuals affected by non-compliance. Further, Ovation will provide the DPAs with written confirmation that such action has been taken.

  6. Self-Certification. Ovation will apply for its Privacy Shield certification in accordance with the applicable Department of Commerce’s protocol.

  7. Verification. Ovation will verify its statements about its adherence to the Privacy Shield and its Principles through both self –assessment and outside compliance reviews as explained in greater detail below. As part of its verification, Ovation makes the following representations:

    1. This policy is accurate, comprehensive, and implemented as of September 13, 2016.

    2. This policy will be prominently displayed and accessible at www.ovationtravel.com. In addition, copies of this policy may be obtained by submitting a request to privacy@ovationtravel.com.

    3. This policy conforms to the Privacy Shield and all of its Principles, including the Supplemental Principles.

    4. Individuals may obtain information about how to file complaints by reading this policy. Complaints, access requests, and any other issues arising under the Privacy Shield may be directed to privacy@ovationtravel.com. Additional information for European businesses and individuals in Europe can be found at: www.privacyshield.com.

    5. Ovation will provide its personnel with training on this policy.

    6. Ovation has mechanisms in place to periodically audit its compliance with the Principles. To the extent practicable, Ovation will audit its compliance with the Privacy Shield by both its internal Data Security Officer and its third party cyber security consultants. Furthermore, such compliance with the Privacy Shield will be reviewed during Ovation’s annual Payment Card Industry Data Security Standards (PCI DSS) certification.

    7. Ovation will retain their records on the implementation of the Privacy Shield and make them available upon request during an investigation or in response to a complaint. Ovation will promptly respond to inquiries and other requests for information from the Department relating to Ovation’s adherence to the Principles.

  8. Access. Ovation understands that the right of access is fundamental to privacy protection. Accordingly, individuals may: (a) obtain from Ovation confirmation of whether or not it processes their Personal Data; (b) communicate with Ovation to determine the accuracy and lawfulness of Ovation’s processing of Personal Data; and (c) have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles, but only to the extent practicable. Inquiries about access should be directed to privacy@ovationtravel.com. Although Ovation will make a good faith effort to provide access, due to the nature of the services Ovation provides to its clients, it may be overly burdensome or expensive for Ovation to provide a high level of access to individuals or there may be a justifiable reason to restrict access to the information. In those cases, Ovation will provide the individual an explanation of why it made the determination and a contact person for any further inquiries. Individuals are therefore encouraged to contact their employer before contacting Ovation.

  9. Human Resources Data. Ovation will not import human resources data in the context of an employment relationship. Ovation may however have access to human resources-like data as a necessary component of the travel management services it provides to its clients. In such cases, Ovation will respect the national laws of the EU country where the information was collected or processed prior to transfer and will further respect any conditions for or restrictions pertaining to transfer.

  10. Obligatory Contracts for Onward Transfers. Ovation shall ensure that a contract is in place between it and any entity or agent that participates in an onward transfer. The contracts will specify that such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as stated in the Principles. Such contracts will comply with the Directive, any subsequent EU related laws (i.e., GDPR) and the Privacy Shield. Ovation will ensure that the processor: (a) only acts on instructions from and in coordination with either Ovation or its client regarding such onward transfer; (b) provides adequate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and (c) takes into account the nature of data processing and assist with resolution of individuals exercising their rights under the Privacy Shield and its Principles. In the event that Ovation is required to transfer Personal Data to a third-party controller, Ovation will ensure that the third party will comply with the notice and choice principles set forth herein. Ovation will enter into a contract with the recipient third-party controller that provides the same level of protection as the Privacy Shield. Ovation further agrees to: (a) transfer such data only for limited and specified purposes; (b) ascertain that the recipient is obligated to provide the same level of privacy protection as required by the Principles; (c) take reasonable and appropriate steps to ensure that the recipient effectively processes the Personal Data transferred in a manner consistent with the organization’s obligations under the Principles; (d) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (e) provide a summary or a representative copy of the relevant privacy provisions of its contract with third party agents to the Department of Commerce upon request.

  11. Dispute Resolution and Enforcement. Ovation meets its obligations for dispute resolution and enforcement by enrolling with JAMS for ADR and by cooperating with the DOT and the U.S. Department of Commerce. As set forth herein, Ovation will also cooperate with any DPA or DPA panel, as may be necessary. Individuals are encouraged to raise any complaint they may have with Ovation by sending it to the attention of privacy@ovationtravel.com or the company’s Associate Counsel and Data Security Officer, Lance Taubin, at (212) 329-7356 or ltaubin@ovationtravel.com before proceeding to JAMS. Ovation will respond to an individual within 45 days of receiving a complaint. In the event Ovation is subject to any enforcement effort, it will cooperate quickly and fully.

  12. Choice – Timing of Opt-Out. Ovation adheres to the choice principle and affirms that it will only use and disclose Personal Data in ways consistent with the individual’s expectation and choices. Ovation confirms that it does not use or disclose Personal Data for direct marketing purposes.

  13. Travel Information. Since Ovation is a travel agent, it may transfer airline passenger reservation and other travel information, including frequent flyer, hotel reservation information, and special requests, to organizations located outside the EU when it is necessary to provide the services requested by Ovation’s clients or the individual or when it has been unambiguously consented to by the consumer. When this travel information is transferred, Ovation will ensure that it will respect the law of the EU Member State in which it is operating and will respect any special conditions for the handling of sensitive data.

  14. Pharmaceutical and Medical Products. This Principle does not apply to Ovation because it is not engaged in any processing with respect to pharmaceutical or medical products or services.

  15. Public Record and Publicly Available Information. Due to the nature of the information it collects, Ovation will not make such information available as part of any public record.

  16. Access Requests by Public Authorities. Upon request, Ovation will make available reports on requests for Personal Data it receives by public authorities, such as law enforcement agencies.

Amendment

Because Ovation follows the principle of least privilege, only personnel who may have access to Personal Data have been or will be trained on this Policy.

We may amend this Policy from time to time by posting a revised policy on this website, or a similar website that replaces this site. We will only amend our Policy in a manner consistent with the Principles.

Conclusion

Ovation is committed to ensuring that its clients’, and in turn their travelers’, Personal Data is handled confidentially, privately, and appropriately. Ovation has therefore made the voluntary election to participate in the Privacy Shield, and to be subject to the compliance and enforcement powers of the DOT, other U.S. governmental authorities and EU DPAs. Information about Ovation’s commitment to and compliance with the Privacy Shield may be obtained by submitting a written request to privacy@ovationtravel.com.