PRIVACY AND SECURITY STATEMENT
This Privacy and Security Statement ("Statement") is effective as of 25th of May 2018 ("Effective Date"). Both Client and Atlas Travel & Technology Group, Inc. dba Atlas Travel (each a "Party" or together, the "Parties") will act as Controllers of the Personal Data which is provided by the Client to Atlas Travel or obtained by Atlas Travel on behalf of the Client, in connection with the mutually agreed upon Services provided ("Services provided") to Client by Atlas Travel. This Statement sets out the terms of the provision of the Personal Data and how it may be used.
The following is hereby agreed:
1. Definitions and Interpretation
1.1 In this Statement:
(a) “Atlas Systems” means the infrastructure managed by Atlas Travel for the Processing of Personal Data under this Statement;
(b) "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process/Processing", and "Processor" and/or other similar terms and concepts shall have the meanings as defined in Data Protection Laws, including the GDPR;
(c) "Data Protection Laws" means the international, federal, state, and local laws relating to data protection or privacy of Data Subjects as applicable to the Services provided; and
(d) "GDPR" means the EU Regulation 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and the free movement of such data.
2. Compliance with laws
2.1 Both Parties will comply with the Data Protection Laws in the Processing of Personal Data they collect themselves, or transfer to or receive from the other Party, pursuant to the Services provided.
2.2 The Parties acknowledge and agree that they will both act as independent Controllers for their respective Processing activities pursuant to the Services provided.
2.3 The Parties acknowledge and agree that neither of them will act as a Processor on behalf of the other, and that they are each responsible for meeting their respective compliance obligations under the Data Protection Laws.
2.4 Where required, the Parties will assist the other Party in complying with its obligations under Data Protection Laws, including, but not limited to, assisting each other with verifying the authenticity of Data Subjects and responding to Data Subject requests.
3. Obligation of the parties
3.1 In relation to the Personal Data Processed by Atlas Travel, to the extent required by Data Protection Laws, Atlas Travel agrees to:
(b) inform the Data Subjects of the Processing of their Personal Data;
(c) Process Personal Data lawfully and fairly, and collect and Process Personal Data only for specified, explicit, and legitimate purposes;
(d) collect and Process adequate and relevant data, limited to what is necessary in relation to the purposes for which the Personal Data is Processed;
(e) erase or rectify inaccurate Personal Data, having regard to the purposes for which the Personal Data is Processed;
(f) delete, block, or (pseudo) anonymize Personal Data if identification of Data Subjects is no longer necessary for the purposes for which the Personal Data is Processed;
(g) implement appropriate technical and organizational security measures on Atlas Systems to protect Personal Data, including to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction or damage, as set out in Section 4;
(h) respond promptly to all enquiries from Client or from Data Subjects relating to the Personal Data, and in particular shall action all requests from Data Subjects to exercise their rights under Data Protection Laws on request from either the relevant Data Subject or from Client; and
(i) not transfer Personal Data outside the European Economic Area or other jurisdictions with similar adequacy requirements, unless such transfer is authorized by Data Protection Laws, for instance if appropriate safeguards are put in place.
3.2 For the avoidance of doubt, Client shall obtain, where required, any consents from the Data Subjects for Atlas Travel to Process Personal Data as directed by Client to Client's subsidiaries, affiliates, or other companies under Client's control or to other third parties with which the Client has a direct relationship. Any data release authorizations or instructions Client has provided to Atlas Travel for transferring Personal Data to such third parties will remain in effect until Client withdraws such authorizations. Atlas Travel shall not be responsible or liable for any privacy or data protection obligations as a result of Client requests.
4. Atlas Travel Implemented Security Measures
4.1 Atlas Travel has implemented appropriate technical and organizational security measures for the Atlas Systems as described in this Section 4.
4.2 Security Controls
(a) Atlas Travel will adhere to the applicable requirements of Payment Card Industry Data Security Standard (PCI DSS) when Processing payment card data;
(b) Atlas Travel shall have a process in place to regularly test, assess, and evaluate the effectiveness of the implemented technical and organizational security measures applied to the Atlas Systems;
(c) Atlas Travel shall require its data centre facilities hosting Personal Data to comply with SSAE 18 Type 2 SOC 2, PCI DSS, Privacy Shield, or equivalent and will provide Client with a copy of the most recent audit report upon written request;
(d) Atlas Travel shall have in place a change management control procedure of its information processing facilities and the Atlas Systems; and
(e) Atlas Travel shall have in place a business continuity plan for service operations and a disaster recovery plan for the hosting locations from which Atlas Travel performs its Services.
4.3 Personnel Controls
(a) Atlas Travel shall have in place an access management procedure for handling Atlas Travel personnel requests to access Personal Data, to ensure access on a need-to-know basis only;
(b) Atlas Travel shall have in place a procedure for conducting appropriate background checks for its personnel with access to Personal Data; and
(c) Atlas Travel shall only grant access to its personnel bound to confidentiality and will require such personnel to attend security and privacy awareness training at regular intervals.
4.4 Technical Security Measures
Atlas Travel's technical security measures include:
(a) Application security and secure development controls, such as:
(i) Information security incorporated into the software development lifecycle (SDLC) and restricted access to application source code; and
(ii) Regular risk assessments and penetration testing of Atlas Travel's core applications;
(b) System (access) logging for relevant Atlas Systems, keeping logs for at least one (1) year and limiting access to logs;
(c) Secure remote access to Atlas Systems via multi-factor authentication;
(d) Malware control;
(e) Network-based intrusion detection;
(f) System hardening; and
(g) Vulnerability management, including by means of infrastructure scans, application scans, external application vulnerability assessments, penetration testing, and containment and remediation procedures.
4.5 Atlas Travel shall maintain incident management policies and procedures. In the event Atlas Travel becomes aware of a Personal Data Breach affecting Personal Data Processed under the Services provided, Atlas Travel will notify the appropriate legal and supervisory authorities and the affected Data Subjects of the Personal Data Breach in compliance with Data Protection Laws.
5.1 To the maximum extent permitted by law, all other rights and obligations contained in any service agreement between the Parties or otherwise agreed between the Parties which govern the Processing of Personal Data will be replaced in their entirety with the rights and obligations contained in this Statement.