Privacy Shield Certification
EU-U.S. PRIVACY SHIELD POLICY – COMMITMENT TO YOUR PRIVACY
Corporate Travel Management (“CTM”) respects individual privacy and values the confidence of its customers, employees, business partners and others. Not only does CTM strive to collect, use and disclose Personal Information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices. This EU-U.S. Privacy Shield Policy (this “Policy”) sets forth the privacy principles CTM follows with respect to transfers of Personal Information from the European Economic Area (“EEA”) (which includes the twenty-seven member states of the European Union (“EU”) plus Iceland, Liechtenstein and Norway) to the United States.
EU-U.S. PRIVACY SHIELD PRINCIPLES
The United States Department of Commerce and the European Commission have agreed on a set of data protection principles to enable U.S. companies to satisfy the requirement under European Union law that adequate protection be given to Personal Information transferred from the EEA to the United States (the “EU-U.S. Privacy Shield”). The EEA also has recognized the EU-U.S. Privacy Shield as providing adequate data protection (Decision C (2016) 4176 final, 12.7.2016, Article 1 (1)). Consistent with its commitment to protect personal privacy, CTM complies with the principles set forth in the EU-U.S. Privacy Shield (the “Privacy Shield Principles”) and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms contained this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-U.S. Privacy Shield, and to view our certification, please visit https://www.privacyshield.gov.
This Policy applies to all Personal Information, including the employee information described below, received by CTM in the United States from the EEA, in any format, including electronic, paper or verbal.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that collects or uses Personal Information under the instructions of, and solely for, CTM or to which CTM discloses Personal Information for use on CTM’s behalf.
“Personal Information” and “Personal Data” means data about an identified or identifiable individual that are within the scope of the EU-U.S. Privacy Shield, received by an organization in the United States from the EU, and recorded in any form.
“Processing” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“CTM” means Travel and Transport, Inc. d/b/a Corporate Travel Management, its predecessors, successors, subsidiaries, divisions and groups in the United States.
CTM collects Personal Information from and about contingent workers, employees, former employees and prospective employees. Such Personal Information can include a person’s name, contact information, social security or government-issued identification number, financial information, education and employment history, information about one’s family (spouse and dependents, for example), and job performance and development. The primary purpose for collecting such Personal Information is to carry out the employment relationship, including, without limitation, payment, compensation planning and related transactions, providing and managing benefits, performance management, career development, training, staffing, considering candidates for open positions, personnel security issues, and statistical analysis.
The privacy principles in this Policy have been developed based on the Privacy Shield Principles.
NOTICE: Where CTM collects Personal Information directly from individuals in the EEA, it will inform them about the purposes for which it collects and uses Personal Information about them, the types of third parties to which CTM discloses that information, the choices and means, if any, CTM offers individuals for limiting the use and disclosure of Personal Information about them, and how to contact CTM. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to CTM, or as soon as practicable thereafter, and in any event before CTM uses or discloses the information for a purpose other than that for which it was originally collected.
Where CTM receives Personal Information from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Information relates.
ACCOUNTABILITY FOR ONWARD TRANSFER: CTM uses a limited number of third party service providers or Agents to assist us in providing our services to customers and/or CTM employees. CTM will obtain assurances from said entities that they will safeguard Personal Information consistently with this Policy. Examples of appropriate assurances that may be provided by said entities include: a contract obligating the entity to provide at least the same level of protection as is required by the relevant Privacy Shield Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), EU-U.S. Privacy Shield certification by the entity, or being subject to another European Commission adequacy finding (e.g., companies located in Canada). Where CTM has knowledge that an entity is using or disclosing Personal Information in a manner contrary to this Policy, CTM will take reasonable steps to prevent or stop the use or disclosure. CTM acknowledges its potential liability in cases of its onward transfer of Personal Information to third parties that do not meet the standards set forth in this paragraph.
SECURITY: CTM will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
DATA INTEGRITY AND PURPOSE LIMITATION: CTM will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. CTM will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete and current. CTM will only collect and store Personal Information that is relevant to fulfill the purpose of the request and will retain such information no longer than appropriate to fulfill the purpose of the request.
ACCESS: Upon request, CTM will grant individuals reasonable access to Personal Information that it holds about them and to request limitations on how CTM uses or discloses Personal Information about you. In addition, CTM will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete.
RECOURSE, ENFORCEMENT AND LIABILITY: CTM will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that CTM determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.
DISPUTE RESOLUTION: In compliance with the Privacy Shield Principles, CTM commits to resolve complaints about our collection or use of your Personal Information. Individuals in the European Union with inquiries or complaints that do not involve employee Personal Information should first contact CTM’s General Counsel at the address given below. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
If you have a complaint involving employee Personal Information as described above, you may contact the EU data protection authority (DPA) in your country. The list of EU DPAs can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
CTM agrees to cooperate with the EU DPAs and comply with the advice of such authorities with regard to employee Personal Information transferred from the EU in the context of the employment relationship.
As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Privacy Shield Panel as described in the Privacy Shield Agreement, Annex I, to be created jointly by the U.S. Department of Commerce and the European Commission.
U.S. FEDERAL TRADE COMMISSION ENFORCEMENT: CTM’s commitments under the EU-U.S. Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
LIMITATION ON APPLICATION OF PRINCIPLES
Adherence by CTM to these Privacy Shield Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
Questions or comments regarding this Policy should be submitted to CTM’s General Counsel by mail to:
Corporate Travel Management
2120 S. 72nd Street
Omaha, Nebraska 68124
Or by e-mail to the CTM Privacy Office.
CHANGES TO THIS EU-U.S. PRIVACY SHIELD POLICY
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. A notice will be posted on the CTM web page for 60 days whenever this Privacy Shield Policy is changed in a material way.
EFFECTIVE DATE: September 14, 2016