Data and Information Privacy and Protection Policy
WTT, Inc. d/b/a Radius Travel
This Policy applies to the collection, processing, use, disclosure and transfer of data and information about individuals by WTT, Inc., d/b/a Radius Travel ("Radius"). As such and among other things, Radius has elected to voluntarily participate in the European Union ("EU")-US Privacy Shield (the "Privacy Shield") and to certify its adherence to the Privacy Shield and its Principles, including the Supplemental Principles (collectively, the "Principles"). As such it has agreed to subject its compliance to the Privacy Shield and its Principles to the full breadth of current regulatory enforcement of the United States Department of Transportation and the United States Federal Trade Commission as well as any other statutory body empowered to enforce compliance with the Privacy Shield and its Principles. This includes the European Directive on Data Protection. Dir 95/45/EC and the Privacy and Electronic Directive Dir. 2002/58/EC.
As set forth above, various national and international laws and regulations protect the rights of individuals in connection with data relating to them. These rights include the right of a person to make sure that data about them is accurate, is processed fairly and lawfully, is kept secure and is only disclosed to others with their consent under agreed circumstances.
The purpose of this Policy is to document Radius' continuing commitment to ensuring that the aims of national and international laws and regulations on data protection, including but not limited to those set forth above, are respected and that the collection, processing, use and disclosure of data by Radius is compliant with those laws and regulations.
- As a global travel management company, Radius, among other things, receives data from within and outside the United States, including but not limited to the EU and delivers that data to its customers and other third parties in various formats; all at the request of and by agreement with its customers.
Scope of this Policy
- This Policy applies to Radius' operations throughout the world. Where local laws and regulations which go beyond the scope of this Policy apply to the collection, processing, use and disclosure of data, then these may be included in an appendix to this Policy, which will specify the location to which it applies. In that location, the additional provisions of the relevant appendix will be observed along with all of the other provisions of the Policy.
- "Personal Data" includes data that relates to a person and this person must be identifiable. The identification can be direct (for example, by reference to the person's name) or indirect (for example, by reference to a unique number that relates only to them).
- "Processing" of Personal Data means any operation or set of operations that is performed upon Personal Data, whether or not by automated means.
- "Controller" means a person or organization which, along or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Exporter" means the Controller who transfers Personal Data.
- "Data Importer" means the Controller or Processor who agrees to receive data from the Data Exporter for Processing.
- "Data Processor" means a person or organization that Processes Personal Data on behalf of a Controller.
- "Data Subject" means the individual whose Personal Data is being Processed.
Adherence to Primary Principles of Privacy Shield
- Notice, Choice and Accountability for Onward Transfer
- Radius will inform its customers and business partners (e.g., vendors and other third parties) that it participates in the Privacy Shield. It will provide such notice in a variety of manners as may be appropriate, such as, language in its contracts with customers, clear notification on its website (http://www.radiustravel.com/corporate/privacy-policy.aspx), and a specific link to this policy that can be easily found.
- Radius personal data may include, but is not limited to, information such as name, address, age, marital status, medical conditions, passport and visa information and corporate data.
- Radius is committed to adhere to principles laid in this policy, all personal data received from the EU in reliance on the Privacy Shield.
- To contact Radius for any inquiries or complaints, send an email to email@example.com. Radius will respond within forty-five (45) calendar days of such request.
Radius provides travel management services and reporting to corporate clients (typically, a Data Controller). In order to provide these services, Radius requires Personal Data regarding persons authorized to travel for the client (the "Data Subjects") hereinafter referred to as the "Traveler" or "Travelers". This data may be collected from the Traveler, from the client, or from other sources such as travel agents. In order to complete travel arrangements requested by a Traveler, Radius typically provides Personal Data to one of the global distribution systems or an internet booking engine. This data may include, but is not limited to, information such as name, address, age, marital status, medical conditions, passport and visa information and corporate data.
Global distribution systems fulfill the travel arrangements requested through specific travel suppliers, such as airlines, hotels and rental car agencies. Radius then confirms the completed travel arrangements and itinerary to the Traveler and the costs. Radius does not exercise any control over the use of personal information transmitted using global distribution systems or other travel suppliers. As of the Effective Date, Radius provides Traveler travel information to iJET/ISOS for travel risk management as well as to DataFlex for credit card reconciliation. Otherwise, travel arrangements are shared only with the client for whom the Traveler works.
- Rights of data subjects to obtain access to personal data
- Every Traveler about whom Radius Processes Personal Data has a right to the following:
- to inquire whether or not Personal Data relating to him or her is being Processed by or on behalf of Radius, a customer of Radius and/or a Controller;
- if Personal Data relating to him or her is being Processed by or on behalf of Radius, to be given the following information:
- a description of the Personal Data relating to him or her;
- the purposes for which that Personal Data is being or is to be Processed;
- the identity of any third parties to whom the data is or may be disclosed,
- and, in addition, the Traveler is entitled, upon written request, to be given a copy of the relevant data in an intelligible form.
- There may be restrictions on the amount of information that can be disclosed if such disclosure would necessarily involve disclosing information about another person or entity.
- In the event an individual desires to limit the use and disclosure of their personal data, including requests to "opt-out" Individuals have the right:
- to ask Radius to correct or erase incorrect or incomplete Personal Data relating to them; Radius will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current;
- Notwithstanding the above, as Radius Processes Data that has been shared with the suppliers of travel (e.g. airline, car rental companies, hotels), it is not always reasonable for Radius to permit individuals to correct, amend or delete this information; accordingly, unless the circumstances are truly extraordinary, it will not make changes based upon an individual's request, nor will Radius permit an individual's access to such Data for that purpose;
- to ask Radius to not or stop Processing Personal Data relating to them ("Opt Out"): In the event a Traveler Opt Out, they must also contact the customer of Radius (the Traveler's employer). In the event that Radius receives a similar request from an individual, it will notify its customer and seek instructions from that customer. As Radius has a contractual duty to Process the individual's data for its customer, it does not have the authority to simply eliminate an individual's Personal Data from the data it processes. As such, Radius must seek and take direction from its customer. Notwithstanding this duty of Radius to its customers, an individual may submit an Opt Out request to firstname.lastname@example.org;
- to access their Personal Data by contacting their employer (the customer of Radius) or by submitting a request to email@example.com. In the event Radius receives an individual's request for access to his/her Personal Data, Radius will notify its customer of that request.
- Radius will respond to any inquiries directed to firstname.lastname@example.org within forty-five (45) calendar days of such request.
- Radius understands that the notices referenced herein must be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to it. As set forth above, Radius collects Personal Data at the request of its customers; as such, it will rely upon its customers to provide its Travelers with appropriate notice ("Notice") and to obtain any necessary consent ("Consent").
- Due to the nature of its contractual relationship with its customers and the services provided to them by Radius, it will be difficult and in most instances, impossible for Radius to provide individuals with Opt Out options. Individuals are therefore strongly encouraged to first request Opt Out with their employer (the customer of Radius). Notwithstanding this, individuals may send their Opt Out request to Radius as set forth above after which such request will be forwarded by Radius to its customer.
- Radius designates the International Centre for Dispute Resolution/American Arbitration Association ("ICDR/AAA") as its alternative dispute resolution provider based in the United States for all matters relating to the Privacy Shield as well as the Swiss Federal Act of Data Protection. Accordingly, ICDR/AAA is the independent dispute resolution body designated by Radius to address complaints and provide appropriate recourse without cost to the individual.
- As a participant in the Privacy Shield, Radius agrees to be subject to the investigatory and enforcement powers of the U.S. Department of Transportation ("DOT") and the U.S. Federal Trade Commission ("FTC"). Accordingly, Radius may be required to disclose Personal Data to DOT or FTC or other applicable U.S. government agencies including the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Radius is not opposed to an individual's election to invoke binding arbitration for the resolution of disputes. Individuals may contact the ICDR/AAA as set forth above. More information about the ICDR/AAA can be found at http://info.adr.org/safeharbor.
Individuals or others who wish to verify that the attestations contained in this policy are true and correct may send inquiries to IT@radiustravel.com. Such inquiries will be directed to Radius' Senior Director of IT.
- Onward transfers to third parties:
- The Traveler's Personal Data, including Human Resources Data where applicable, may be transferred to third parties for the purpose of customer account management, customer program analytics consistent with customer agreements, travel and expense technology services, passenger name record enhancement, travel management risk services, detailed reporting of customer preferred suppliers and/or reconciliation of traveler booking data with credit card transactions. In each and every instance, Radius shall be liable for the acts of such third parties.
- In order to facilitate travel arrangements, Radius will be required to pass a Traveler's Personal Data to disclosed third parties including but not limited to operators of global distribution systems ("Third Parties"). Depending upon a Traveler's specific travel needs, this may potentially require transfers of Personal Data beyond the European Economic Area) to locations throughout the world.
- As set forth above, Radius complies with the Privacy Shield and Principles regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. In accordance with the Privacy Shield, Radius has self-certified its adherence to the Privacy Shield Principle, including sixteen binding supplemental principles, with the U.S. Department of Commerce. This policy supplements, but does not replace, all other policies, practices and/or procedures including, but not limited to applicable confidentiality or non-disclosure agreements. The implementation of this policy by Radius shall be effective September 30, 2016 ("Effective Date"). Radius recognizes that the Principles shall be applicable to it upon the Effective Date of the Certification. A copy of this policy can be found at: http://www.radiustravel.com/corporate/privacy-policy.aspx.
- Radius has mechanisms in place to periodically monitor its compliance with the Principles.
- Transfers to Third Parties may also take place where any Radius network offices or servers are located in a country outside the EU.
- By submitting their Personal Data to Radius, the client of Radius on behalf of its Travelers authorizes the use of the Traveler's Personal Data to complete their travel arrangements including any necessary transfers to Third Parties of their Personal Data as described herein and/or as may be required of Radius by the Data Controller. Travelers can request that transfers not take place however Radius may then not be able to deliver the specific travel arrangements.
- Radius will inform its customers and other Third Parties that it participates in the Privacy Shield including but not limited to appropriate language in its customer contracts and clear notification on its website as set forth above.
- In the event that Radius is required to transfer Personal Data to a Third Party, it will comply with the Notice and Consent principles set forth herein. It will also enter into a binding written agreement with the Third Party recipient which shall provide that such data may only be processed for limited and specified purposes all consistent with the Traveler's Consent as set forth above and the contractual agreement between the Traveler and Radius' customer. Such agreement with a Third Party will provide the same level of protection as set forth in the Principles. Such agreement shall further ensure that such Third Party takes reasonable and appropriate steps to ensure that it processes the Personal Data transferred to it in a manner consistent and appropriate with that organization's obligations under the Principles, as well as to, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing. Upon request, Radius will provide a summary or a representative copy of the relevant privacy provisions of the relevant privacy provisions of its agreement with such Third Parties.
- Keeping Travelers' personal data secure is of paramount importance to Radius. All Personal Data processed by or on behalf of Radius is subject to stringent standards to make certain it is secure and that appropriate levels of confidentiality are maintained. Unauthorized persons are never allowed access to Personal Data. Hard copies of data are treated as confidential waste and shredded.
- Radius will take reasonable steps and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Radius will only process Personal Data for the limited purposes of providing and/or assisting in the provision of management reporting to its customers as required by virtue of its customer contracts as well as any customer contractually mandated transfers to Third Parties. It will not process Personal Data for any purpose inconsistent with these limited purposes.
- Radius' clients may review such information as travel spend, bookings and compliance with its travel policy.
- Radius will keep security measures under review and updated as new technology becomes available.
Data Integrity and Purpose Limitation
Radius is committed to Processing Personal Data for which it is the Data Processor, the Data Controller and/or the Data Importer in accordance with the following principles:
- Processing personal data fairly and lawfully.
- Radius collects information electronically, either directly from Radius' client, from the global distribution system upon which a Traveler reservation is made and/or from the travel agency that has made the Traveler's reservation, The information a Traveler submits is needed to respond to requests for information, to complete travel transactions, to enhance travel arrangements and to ensure that a Traveler's arrangements are in compliance with any existing travel policy of the client (their employer).
- Personal Data is only collected by Radius where the Traveler gives this so that Radius can fulfill any special travel needs. This data is not shared with a third party without the Traveler's consent ("Consent") and/or the Consent of Radius' client on behalf of the Traveler. The Radius client has the obligation to obtain the consent of its employee, the Traveler.
- Ensuring Personal Data of a Traveler is only processed for purposes specific to Radius' client before the processing takes place and which are lawful.
- Radius will only disclose Personal Data to Third Parties for purposes specified in this policy.
- Radius may sometimes be required or permitted to disclose Personal Data in order to comply with any legal obligation to which it is subject.
- Radius will take all appropriate steps to ensure processing of Personal Data will be carried out in accordance with all applicable legislation and/or regulation.
- Any Radius employee who uses Personal Data improperly will be subject to disciplinary action.
Ensuring Personal Data is adequate and relevant the purposes for which the data is Processed.
The Personal Data collected by Radius relates solely to those items of information necessary in order to facilitate the range of a Traveler's potentially different travel requirements. Only the information reasonably required to facilitate travel arrangements is shared among Radius, its affiliates, travel suppliers and Global distributions systems or booking engines used within the travel industry and only with Consent from the Client.
Keeping personal data accurate; complete; and up to date.
Radius has automated processes and oversight to update our data repositories containing the Personal Data provided by Radius' client in order to maintain such Data in an accurate, complete and up to date manner.
Adherence to Supplemental Principles
Many of the Supplemental Principals are extensively treated above. To the extent they have not been treated and are relevant to the role of Radius as a travel management services provider, the following policies are applicable:
The Role of Data Protection Authorities
Radius has set forth above the details of its adherence to the Principles, including the provision of recourse for individuals whose Personal Data is the subject of Processing by Radius as well as mechanisms by which individuals may follow-up upon Radius' adherence to the Privacy Shield. In the event a Data Protection Authority ("DPA") commences an investigation regarding Radius' adherence to the Privacy Shield, Radius will cooperate with such investigation. Moreover, Radius will comply with advice given by a DPA or DPA panel where the finder of fact indicates that Radius must take specific action to comply with the Principles, including corrective actions or compensatory measures for the benefit of individuals affected by non-compliance.
Radius will self-verify its statements relating to its adherence to the Privacy Shield and its Principles. As such and in addition to the representations set forth in this policy, Radius represents:
- This policy is accurate, comprehensive and implemented as of September 30, 2016.
- This policy will be prominently displayed at http://www.radiustravel.com/corporate/privacy-policy.aspx. Additionally, copies of this policy may be obtained by submitting a written request to IT@radiustravel.com.
- This policy conforms to the Privacy Shield and all of its Principles, including the Supplemental Principles.
- Individuals may obtain information regarding the filing of complaints as set forth in this policy. Additional information for European businesses and individuals in Europe may be found at: www.privacyshield.com.
Human Resources Data
Radius may require access to human resources-like data as a necessary component of the travel management services provided to its customers. Further, Radius may obtain human resource data related to its own employees in the EU for typically employment related matters. To the extent either occur, such transfers enjoy the benefits of the Privacy Shield and this policy.
Obligatory Contracts for Onward Transfers
In connection with travel management services provided by Radius to its customers, all data received from such customers is subject to an agreement between Radius and its customer, which agreement specifically sets forth the actions to be taken by Radius with respect to such data on behalf of the customer.
Radius is committed to ensuring that its customers' and their Travelers' Personal Data is handled confidentially, privately and appropriately. Radius has, therefore, voluntarily elected to participate in the Privacy Shield and to be subject to the compliance and enforcement powers of the DOT, FTC and other U.S. governmental authorities. Information about Radius' commitment to and compliance with the Privacy Shield may be obtained by submitting a written request to IT@radiustravel.com.