NTS Data Protection Policy

Effective August 18, 2010
National Travel Service, Inc. (NTS) has travel agency operations in many countries around the world. NTS’s focus is to provide business travel services to the employees of businesses with whom NTS signs a corporate travel services agreement. In doing so, NTS receives individual data from the employees. Why the laws apply to us and why NTS needs to obtain the consent of the traveler Data protection laws apply to the information received by NTS because that data can be used to identify an individual person.

The purpose of data protection is to protect an individual’s rights by keeping personal data secure and by regulating its processing, so that it may be used only for the purpose for which it was given/collected. NTS is using the Data Protection Statement to request the consent of the traveler. NTS has always had internal confidentiality standards. We are in the process of implementing company-wide the measures described below in this policy, as well as additional ones. Our policy and corresponding procedures take into account the privacy laws of the United States, and in some cases surpass these regulations. It is our goal to standardize globally the way travel data is handled and processed within NTS. Information that we store

The travel data that we store may include: name, address, email address, credit card references/number, travel destinations, travel schedules, seating preferences, smoking or non-smoking accommodations, meal preferences and reservation information, as well as passport details and next of kin information. When servicing a given corporate client, NTS creates a “Traveler Profile” with travel data for each traveler, which is kept on file as a reference document and consulted each time a reservation is to be made. When a reservation is made, NTS creates a “passenger name record” (PNR), which contains all of the information needed to fulfill the travel request of each traveler.

Based on the travel expenses incurred by travelers of each corporate client, NTS produces reports that summarize and analyze the travel trends of that client.

What we do with the information

In addition to creating Traveler Profiles and PNRs, NTS uses the travel data with the consent of the traveler for the following travel and other travel-related purposes.

Reservations: NTS may need to transfer travel data to various third party travel suppliers and computer reservation systems for the purposes of making reservations within the traveler’s home country or to another NTS agency in another country where the traveler may be traveling.

Consolidation of Travel Data: At the request of the corporate client (the traveler’s employer), NTS or a third party prepares information reports that summarize and analyze the travel expenditures per destination, per travel supplier, etc. Compliance with Travel Policy: Also at the request of the corporate client, NTS may report on the compliance of the travelers with the travel policy of the client and identify any exceptions to the compliance.

Collecting Travel Payments: NTS may transfer travel data to third parties in the traveler’s home country or in another country for the purpose of collecting payments related to travel reservations.

NTS Databases: In order to constantly improve the servicing of our clients around the world, the travel data is handled out of certain locations accessible by our travel agents around the world.

New Products and Services: Also with the goal of improving service and based on the data given to NTS, we may send additional information to the traveler if it applies to his/her trip. An example would be a list of restaurants near a specific hotel, in a specific city.

NTS as a Data Controller or a Data Processor

NTS proposes two options:
1. NTS is Data Controller: NTS needs to collect the consent of each traveler (Data Protection Statement).
2. Client is Data Controller: NTS is data processor while the Client manages the traveler consent process internally.

Measures we are taking
NTS is implementing, step-by-step, a process through which we will standardize the way our company and its affiliates handle travel data.

Data Protection Statement : NTS has established a Data Protection Statement to ensure consent to various uses of travel data given to NTS. The statements are signed by the traveler either in paper form or in electronic form, as determined with the client.

Transfer to Third Parties: Prior to a transfer, third parties (except for travel suppliers such as the airlines, computer reservation systems, hotels, etc.) are required to sign a transfer agreement with NTS, which requires them to follow the applicable data protection laws. An exception may be made if the third party is located in the EU or in a country approved by the EU as having satisfactory data protection laws. This will ensure that even if the laws governing the third party are less strict than our standards, the level of protection that the traveler’s data receives will be consistent. For instance, data consolidators are required to sign an agreement. Even subsidiaries of NTS in countries with data protection laws that are considered less strict also sign a transfer agreement. There is an EU model clause Data Transfer Agreement signed between NTS B.V. and its subsidiary National Travel Service, Inc., Inc. and NTS’s U.S. entities are certified to Safe Harbor (see NTS’s name under the Safe Harbor website at:https://www.export.gov/safehrbr/list.aspx).
Security : Pursuant to the various data protection laws, NTS is implementing appropriate technical and organizational measures to protect the personal travel data, obtained from our clients’ travelers, against accidental or unlawful disclosure or destruction. The measures are being determined for each department, according to their handling of the travel data.
Destruction : Under many data protection laws, personal data must be destroyed after a certain period of time. NTS keeps travel data only as long as required by law, a period of time which may vary according to the requirements for the various internal departments.

Our policy may be subject to additional requirements in compliance with local legislation in certain countries (please see below, under “Notes”).

Infrequent travelers : Most infrequent travelers (those travelers who make three or less trips a year), or “one-offs,” will fit into the global procedure we have outlined in this policy. One-offs such as consultants for our larger clients will fill out a Traveler Profile and make reservations in the same way as our frequent travelers. There are some situations, however, where the normal procedure will be impossible to follow, such as with groups, and ship and mining crews. In these cases, the information for the one-off trip (including personal data) will not be given by the traveler, but by a third party. If the client provides personal data to us about a traveler, they must ensure that they are entitled to disclose that data to us and that without us taking any further steps required by privacy/data protection laws, we may collect, use and disclose such information for the purposes described above. For example, the client should take reasonable steps to ensure the individual traveler concerned is aware of the various matters detailed in this NTS Privacy/Data Protection Policy as those matters relate to that individual, including our identity, how to contact us, our purposes of collection, our information disclosure practices, the individual’s right to obtain access to the data and the consequences for the individual if the data is not provided.

We will also send a letter to our clients informing them of their responsibilities as a third party providing us with the personal data of an individual traveler.

Itineraries: In order to fulfill our responsibility to inform the individual traveler of our Data Protection obligations, we intend to include the following text at the end of each itinerary:
“All information provided by you, or any other party such as your employer, to National Travel Service, Inc. (NTS) will be used by NTS, its related companies and other Travel Service Providers requiring this information, in order to make and process your requested travel arrangements. A copy of NTS’s Privacy/Data Protection Policy can be obtained from your local NTS contact or from the NTS Websitehttp://www.nationaltravel.com. Please note that airlines may be required by law to pass information contained in this reservation to customs and immigration authorities when requested.”
Please note that this text does not appear on itineraries issued in the US and Canada.
Travelers’ rights
The traveler’s principal rights are to

•amend his/her personal data, and upon written request and payment of a statutory fee or if none, a reasonable fee, to receive from NTS, within a reasonable amount of time, a copy of his/her Traveler Profile (see contacts at the bottom of this Policy) (for data held by third parties, please contact the third party),
•know how his/her data is being processed, for what purpose and who is doing the processing,
•choose whether or not to receive unsolicited services/direct marketing/information on other travel products and services,
•revoke consent to the DPS (upon written request) or refuse to provide information.

Please note that if a traveler chooses not to sign, or to revoke consent to, the Data Protection Statement, NTS cannot accept his/her travel data and cannot service the traveler. If this is the case, we encourage the traveler to contact his/her employer.

Frequently Asked Questions:

What data is covered by data protection laws?
Personal data (what NTS calls travel data) is defined as data, which relates to a living individual who can be identified from the data. If the traveler data does not refer to or identify any individual employee then, the data can be processed by NTS without the traveler’s consent. For instance, if the management reports do not include any references to specific individuals, then NTS would not have to obtain the traveler’s consent to the delivery of reports to the traveler’s employer.
Why is the travel agreement between NTS and the client not sufficient to protect the travelers’ data?
The travel agreement is between the corporate client (employer of the traveler) and NTS, and not between the traveler and NTS. Data protection laws protect the rights of the individual traveler, and in processing the individual traveler’s data, NTS has obligations under these laws which it has to fulfill itself and cannot pass onto the client.

What happens if NTS does not obtain the traveler’s consent, and is therefore not in compliance with the data protection laws?

Practically speaking, it will be very difficult for NTS to provide travel services to an individual traveler who refuses to allow NTS to process his/her travel data. Included in the data protection laws are harsh penalties for non-compliance; in some countries it is a criminal offense.

What obligations do we have in processing the data within NTS?
NTS must ensure, at the very least, that the personal data:

•is processed fairly and lawfully,
•is obtained only for specific and lawful purposes and shall not be further processed in any manner incompatible with these purposes,
•is not excessive (in terms of the type of data requested) in relation to the purposes for which it is collected and further processed,
•is accurate,
•is kept secure and not held for longer than necessary.

Can NTS use the data to carry out its own analyses?
NTS may not use the data for promotion and marketing purposes by third parties unless the traveler gives his/her consent. NTS may, for instance, use the data to analyze the travel trends of its corporate clients in order to propose other NTS services to the clients, such as NTS Solutions Group activities, without receiving the traveler’s consent. If the traveler’s consent is only given to his/her employer, the corporate client, if the client is Data Controller, then that consent cannot apply to NTS’s use for purposes other than those directed by that Client.

Notes
The following notes are to detail certain points and country specifics.
“24-hour travel assistance center.” NTS is willing to provide travel services to its clients and their travelers on an emergency basis from its 24-hour travel assistance center, outside normal business hours of their usual travel agency, without requiring a signed data protection statement. NTS believes that this is in the best interest of the individual traveler during an emergency. However, NTS will inform the traveler that the traveler is required to sign the statement as soon as the traveler is able to do so.

For any questions concerning your personal travel data, please contact your local NTS office.
This policy is subject to change. The changes will be posted on this web site, so please be sure to check the site regularly.