Common use of Personal Data and Security Clause in Contracts

Personal Data and Security. Unless Supplier receives consent directly from the End User, Supplier will not and will not permit any of its Affiliates to use information about End Users provided by Expedia to directly or indirectly, identify or engage in any solicited or unsolicited marketing, promotional, or similar communications. The Supplier shall: (i) when processing Personal Data, comply with applicable Data Protection Legislation and not, by act or omission, place Expedia in violation of any applicable Data Protection Legislation; (ii) process Personal Data only for the purposes of providing the Services under this Agreement or otherwise on the written instruction of Expedia; (iii) ensure appropriate operational and technical measures are in place to safeguard the Personal Data against any unauthorized access, loss, destruction, theft, use or disclosure; (iv) ensure that any third party vendor or service provider that is engaged by Supplier to process the Personal Data on Expedia’s behalf has entered into a written contract that contains data protection provisions substantially similar to these in this Agreement; (v) promptly notify Expedia if it becomes aware of any unauthorized or unlawful processing or breaches of security relating to the Personal Data; (vi) in relation to the transfer of Personal Data, not process Personal Data relating to EU Travelers outside of the European Economic Area (“Data Transfer”), except where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of Expedia or the End User, is required by law and/or in relation to the transfer of Personal Data to Supplier’s group companies for the sole purpose of providing services to Expedia or End Users under this Agreement; and (vii) in relation to Data Transfer outside of the European Economic Area, shall ensure that any transfer of Personal Data relating to EU Travelers outside the European Economic Area is adequately protected as required Data Protection Legislation applicable in jurisdictions where Decolar operates. The Supplier warrants, represents and undertakes that any data it receives and/or has access to under or in relation to this Agreement, that it shall use such data in accordance with this Section E.5.c, and only as strictly necessary to fulfill each Standalone or Package Booking and not for any other purpose.