Privacy at Expedia Group
Last Updated: July 6, 2021
Introduction
Expedia Group is committed to the privacy, confidentiality, and security of personal information entrusted to us.
Expedia Group approaches privacy by focusing on the following key privacy principles, which underlie Expedia Group’s practices for collecting, using, disclosing, storing, securing, accessing, transferring or otherwise, personal information entrusted to us:
Transparency, Purpose Limitation, Proportionality and Fairness
Expedia Group brands collect and use personal information as described in the Privacy Statement of each Expedia Group brand. Each Expedia Group Brand collects personal information for a specific, and legitimate purpose(s), and processes personal information in a lawful and transparent manner, which is not excessive for the purpose(s) for which it is collected. Any subsequent processing should be compatible with such purpose(s), unless the brand has obtained the individual’s consent, or the processing is otherwise permitted by law.
Security
Personal information we collect and use about you will have reasonable technical and organizational safeguards in place.
Compliance
We hold ourselves to privacy laws that apply to personal information we collect and use.
Data Quality, Integrity, and Relevance
You can always take steps to correct or update personal information we hold about you. We make reasonable efforts to keep your personal information accurate, complete and up-to-date as is reasonably necessary for the purpose(s) for which it is processed.
Accountability
We implement appropriate governance, policies, processes, controls, and other measures necessary to enable us to demonstrate that our processing of personal information is in accordance with the foregoing principles and applicable data protection laws.
International data transfer
The personal information that we process may be transmitted or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country.
The servers for our platform are located in the United States, and the Expedia Group companies and third-party service providers operate in many countries around the world. When we collect your personal information, we may process it in any of those countries.
We have taken appropriate steps and put safeguards in place to help ensure that your personal information remains protected in accordance with this Privacy Statement. For example, any data transfers between our group companies are governed by our intragroup agreements which incorporate strict data transfer terms (including the European Commission's Standard Contractual Clauses, for transfers from the EEA) and require all group companies to protect the personal information that they process in accordance with applicable data protection law.
We also require that third-party service providers to whom data transfers are made have appropriate safeguards in place to protect your personal information, in compliance with applicable data protection law. The particular measures used will depend on the service provider, and our agreements with them may include Standard Contractual Clauses approved by the European Commission, the service provider's certification under the EU-US and/or Swiss-US Privacy Shield or reliance on the service provider's binding corporate rules, as defined by the European Commission.
Privacy Shield
Certain Expedia Group US affiliates have certified to the EU-US and Swiss-US Privacy Shield frameworks and adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability for personal information from the EU, Switzerland and the United Kingdom. Such Expedia Group US affiliates will continue to adhere to the Privacy Shield frameworks and Principles even though the EU has determined that the Privacy Shield framework is no longer an adequate transfer mechanism for the transfer of EU personal information to the US. In addition, as noted above, Expedia Group maintains intra-group standard contractual clauses where applicable to cover the transfer of EU personal information to the US.
Our Privacy Shield certifications can be found here. For more information about the Privacy Shield principles, please visit: https://www.privacyshield.gov/.
Data Protection Officer, Data Controller and/or EU Representative:
For more information about the Data Protection Officer, data controller, and/or EU Representative for personal information we process, please click here.
Data Subject Rights
Certain countries and regions provide their residents with additional rights relating to personal information. For more information on what data subject rights may be available to you, please click here.