Adherence to Primary Principles of Privacy Shield
5.1 Notice, Choice and Accountability for Onward Transfer:
i. Radius will inform its customers and business partners (e.g., vendors and other third parties) that it participates in the Privacy Shield. It will provide such notice in a variety of manners as may be appropriate, such as language in its contracts with customers, clear notification on its website (https://www.radiustravel.com/corporate/privacy-policy.aspx), and a specific link to this policy that can be easily found.
ii. Radius personal data may include, but is not limited to, information such as name, address, age, marital status, medical conditions, passport and visa information and corporate data.
iii. Radius is committed to applying the principles laid out in this policy to all personal data received from the EU in reliance on the Privacy Shield.
iv. Radius provides travel management services to corporate clients (typically, a Data Controller). In order to provide these services, Radius requires Personal Data regarding persons authorized to travel for the client (the “Data Subjects”) hereinafter referred to as the “Traveler” or “Travelers”.
v. To contact Radius for any inquiries or complaints, send an email to firstname.lastname@example.org. Radius will respond within forty-five (45) calendar days of such request.
vi. Radius provides travel management services and reporting to corporate clients (typically, a Data Controller). In order to provide these services, Radius requires Personal Data regarding persons authorized to travel for the client (the “Data Subjects”) hereinafter referred to as the “Traveler” or “Travelers”. This data may be collected from the Traveler, from the client, or from other sources such as travel agents. In order to complete travel arrangements requested by a Traveler, Radius typically provides Personal Data to one of the global distribution systems or an internet booking engine. This data may include, but is not limited to, information such as name, address, age, marital status, medical conditions, passport and visa information and corporate data.
Global distribution systems fulfill the travel arrangements requested through specific travel suppliers, such as airlines, hotels and rental car agencies. Radius then confirms the completed travel arrangements, itinerary and costs to the Traveler. Radius does not exercise any control over the use of personal information transmitted using global distribution systems or other travel suppliers. As of the Effective Date, Radius provides Traveler travel information to iJET/ISOS for travel risk management as well as to DataFlex for credit card reconciliation. Otherwise, travel arrangements are shared only with the client for whom the Traveler works.
vii. Rights of data subjects to obtain access to personal data
a. Every Traveler about whom Radius Processes Personal Data has a right to the following:
1. to inquire whether or not Personal Data relating to him or her is being Processed by or on behalf of Radius, a customer of Radius and/or a Controller;
2. if Personal Data relating to him or her is being Processed by or on behalf of Radius, to be given the following information:
(i) a description of the Personal Data relating to him or her;
(ii) the purposes for which that Personal Data is being or is to be Processed;
(iii) the identity of any third parties to whom the data is or may be disclosed,
(iv) and, in addition, the Traveler is entitled, upon written request, to be given a copy of the relevant data in an intelligible form.
b. There may be restrictions on the amount of information that can be disclosed if such disclosure would necessarily involve disclosing information about another person or entity.
viii. In the event an individual desires to limit the use and disclosure of their personal data, including requests to “opt-out”, individuals have the right:
a. to ask Radius to correct or erase incorrect or incomplete Personal Data relating to them; Radius will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current;
b. Notwithstanding the above, as Radius Processes Data that has been shared with the suppliers of travel (e.g. airline, car rental companies, hotels), it is not always reasonable for Radius to permit individuals to correct, amend or delete this information; accordingly, unless the circumstances are truly extraordinary, it will not make changes based upon an individual’s request, nor will Radius permit an individual’s access to such Data for that purpose;
c. to ask Radius not to Process, or to stop Processing, Personal Data relating to them (“Opt Out”): In the event a Traveler Opts Out, they must also contact the customer of Radius (the Traveler’s employer). In the event that Radius receives a similar request from an individual, it will notify its customer and seek instructions from that customer. As Radius has a contractual duty to Process the individual’s data for its customer, it does not have the authority to simply eliminate an individual’s Personal Data from the data it processes. As such, Radius must seek and take direction from its customer. Notwithstanding this duty of Radius to its customers, an individual may submit an Opt Out request to email@example.com.
d. to access their Personal Data by contacting their employer (the customer of Radius) or by submitting a request to firstname.lastname@example.org. In the event Radius receives an individual’s request for access to his/her Personal Data, Radius will notify its customer of that request.
e. Radius will respond to any inquiries directed to email@example.com within forty-five (45) calendar days of such request.
f. Radius understands that the notices referenced herein must be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to it. As set forth above, Radius collects Personal Data at the request of its customers; as such, it will rely upon its customers to provide its Travelers with appropriate notice (“Notice”) and to obtain any necessary consent (“Consent”).
g. Due to the nature of its contractual relationship with its customers and the services provided to them by Radius, it will be difficult and, in most instances, impossible for Radius to provide individuals with Opt Out options. Individuals are therefore strongly encouraged to first request Opt Out with their employer (the customer of Radius). Notwithstanding this, individuals may send their Opt Out request to Radius as set forth above, after which such request will be forwarded by Radius to its customer.
ix. Radius designates the International Centre for Dispute Resolution/American Arbitration Association (“ICDR/AAA”) as its alternative dispute resolution provider based in the United States for all matters relating to the Privacy Shield as well as the Swiss Federal Act of Data Protection. Accordingly, ICDR/AAA is the independent dispute resolution body designated by Radius to address complaints and provide appropriate recourse without cost to the individual.
x. As a participant in the Privacy Shield, Radius agrees to be subject to the investigatory and enforcement powers of the U.S. Department of Transportation (“DOT”) and the U.S. Federal Trade Commission (“FTC”). Accordingly, Radius may be required to disclose Personal Data to DOT or FTC or other applicable U.S. government agencies including the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
xi. Radius is not opposed to an individual’s election to invoke binding arbitration for the resolution of disputes. Individuals may contact the ICDR/AAA as set forth above. More information about the ICDR/AAA can be found at http://info.adr.org/safeharbor. Individuals or others who wish to verify that the attestations contained in this policy are true and correct may send inquiries to IT@radiustravel.com. Such inquiries will be directed to Radius’ Senior Director of IT.
xii. Onward transfers to third parties:
a. In order to facilitate travel arrangements, Radius will be required to pass a Traveler's Personal Data to disclosed third parties including but not limited to operators of global distribution systems (“Third Parties”). Depending upon a Traveler’s specific travel needs, this may potentially require transfers of Personal Data beyond the European Economic Area to locations throughout the world.
As set forth above, Radius complies with the Privacy Shield and Principles regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. In accordance with the Privacy Shield, Radius has self-certified its adherence to the Privacy Shield Principles, including sixteen binding supplemental principles, with the U.S. Department of Commerce. This policy supplements, but does not replace, all other policies, practices and/or procedures including, but not limited to, applicable confidentiality or non-disclosure agreements. The implementation of this policy by Radius shall be effective September 30, 2016 (“Effective Date”). Radius recognizes that the Principles shall be applicable to it upon the Effective Date of the Certification. A copy of this policy can be found at: https://www.radiustravel.com/corporate/privacy-policy.aspx.
c. Radius has mechanisms in place to periodically monitor its compliance with the Principles.
d. Transfers to Third Parties may also take place where any Radius network offices or servers are located in a country outside the EU.
e. By submitting their Personal Data to Radius, the client of Radius on behalf of its Travelers authorizes the use of the Traveler’s Personal Data to complete their travel arrangements, including any necessary transfers to Third Parties of their Personal Data as described herein and/or as may be required of Radius by the Data Controller. Travelers can request that transfers not take place; however, Radius may then not be able to deliver the specific travel arrangements.
g. Radius will inform its customers and other Third Parties that it participates in the Privacy Shield including but not limited to appropriate language in its customer contracts and clear notification on its website as set forth above.
h. In the event that Radius is required to transfer Personal Data to a Third Party, it will comply with the Notice and Consent principles set forth herein. It will also enter into a binding written agreement with the Third Party recipient which shall provide that such data may only be processed for limited and specified purposes, all consistent with the Traveler’s Consent as set forth above and the contractual agreement between the Traveler and Radius’ customer. Such agreement with a Third Party will provide the same level of protection as set forth in the Principles. Such agreement shall further ensure that such Third Party takes reasonable and appropriate steps to ensure that it processes the Personal Data transferred to it in a manner consistent and appropriate with that organization’s obligations under the Principles, as well as to, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing. Upon request, Radius will provide a summary or a representative copy of the relevant privacy provisions of its agreement with such Third Parties.
i. Keeping Travelers’ personal data secure is of paramount importance to Radius. All Personal Data processed by or on behalf of Radius is subject to stringent standards to make certain it is secure and that appropriate levels of confidentiality are maintained. Unauthorized persons are never allowed access to Personal Data. Hard copies of data are treated as confidential waste and shredded.
ii. Radius will take reasonable steps and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction.
iii. Radius will only process Personal Data for the limited purposes of providing and/or assisting in the provision of management reporting to its customers as required by virtue of its customer contracts as well as any customer contractually mandated transfers to Third Parties. It will not process Personal Data for any purpose inconsistent with these limited purposes.
iv. Radius’ clients may review such information as travel spend, bookings and compliance with its travel policy.
v. Radius will keep security measures under review and updated as new technology becomes available.
5.3 Data Integrity and Purpose Limitation
i. Radius is committed to Processing Personal Data for which it is the Data Processor, the Data Controller and/or the Data Importer in accordance with the following principles:
a. Processing personal data fairly and lawfully.
1. Radius collects information electronically, either directly from Radius’ client, from the global distribution system upon which a Traveler reservation is made and/or from the travel agency that has made the Traveler’s reservation. The information a Traveler submits is needed to respond to requests for information, to complete travel transactions, to enhance travel arrangements and to ensure that a Traveler's arrangements are in compliance with any existing travel policy of the client (their employer).
2. Personal Data is only collected by Radius where the Traveler gives this so that Radius can fulfill any special travel needs. This data is not shared with a third party without the Traveler's consent (“Consent”) and/or the Consent of Radius’ client on behalf of the Traveler. The Radius client has the obligation to obtain the consent of its employee, the Traveler.
b. Ensuring Personal Data of a Traveler is only processed for purposes specific to Radius’ client before the processing takes place and which are lawful.
1. Radius will only disclose Personal Data to Third Parties for purposes specified in this policy.
2. Radius may sometimes be required or permitted to disclose Personal Data in order to comply with any legal obligation to which it is subject.
3. Radius will take all appropriate steps to ensure processing of Personal Data will be carried out in accordance with all applicable legislation and/or regulation.
4. Any Radius employee who uses Personal Data improperly will be subject to disciplinary action.
c. Ensuring Personal Data is adequate and relevant to the purposes for which the data is Processed.
1. The Personal Data collected by Radius relates solely to those items of information necessary in order to facilitate the range of a Traveler's potentially different travel requirements. Only the information reasonably required to facilitate travel arrangements is shared among Radius, its affiliates, travel suppliers and global distribution systems or booking engines used within the travel industry and only with Consent from the Client.
d. Keeping personal data accurate, complete and up to date.
1. Radius has automated processes and oversight to update our data repositories containing the Personal Data provided by Radius’ client in order to maintain such Data in an accurate, complete and up to date manner.
5.4 Adherence to Supplemental Principles.
Many of the Supplemental Principles are extensively treated above. To the extent they have not been treated and are relevant to the role of Radius as a travel management services provider, the following policies are applicable:
i. The Role of Data Protection Authorities.
Radius has set forth above the details of its adherence to the Principles, including the provision of recourse for individuals whose Personal Data is the subject of Processing by Radius as well as mechanisms by which individuals may follow up upon Radius’ adherence to the Privacy Shield. In the event a Data Protection Authority (“DPA”) commences an investigation regarding Radius’ adherence to the Privacy Shield, Radius will cooperate with such investigation. Moreover, Radius will comply with advice given by a DPA or DPA panel where the finder of fact indicates that Radius must take specific action to comply with the Principles, including corrective actions or compensatory measures for the benefit of individuals affected by non-compliance.
Radius will self-verify its statements relating to its adherence to the Privacy Shield and its Principles. As such and in addition to the representations set forth in this policy, Radius represents:
a. This policy is accurate, comprehensive and implemented as of September 30, 2016.
b. This policy will be prominently displayed at https://www.radiustravel.com/corporate/privacy-policy.aspx. Additionally, copies of this policy may be obtained by submitting a written request to IT@radiustravel.com.
c. This policy conforms to the Privacy Shield and all of its Principles, including the Supplemental Principles.
d. Individuals may obtain information regarding the filing of complaints as set forth in this policy. Additional information for European businesses and individuals in Europe may be found at: www.privacyshield.com.
iii. Human Resources Data
Radius may require access to human resources-like data as a necessary component of the travel management services provided to its customers. Further, Radius may obtain human resource data related to its own employees in the EU for typical employment-related matters. To the extent either occurs, such transfers enjoy the benefits of the Privacy Shield and this policy.
iv. Obligatory Contracts for Onward Transfers
In connection with travel management services provided by Radius to its customers, all data received from such customers is subject to an agreement between Radius and its customer, which agreement specifically sets forth the actions to be taken by Radius with respect to such data on behalf of the customer.