
HILTON GRAND VACATIONS PRIVACY AND DATA PROTECTION STANDARDS FOR SERVICE PROVIDERS ("Standards")


At Hilton Grand Vacations, we take the protection of Personal Information relating to our customers, employees, independent contractors, and service providers very seriously.  All individuals or organizations that provide goods or services (“Providers”) to Hilton Grand Vacations, Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned and managed resorts, partnerships or joint ventures (collectively, “HGV”), must abide by and comply with the principles set forth in these Standards.

1.  Definitions.

  • (a) “Personal Information” means any information concerning any individual that (i) can be used (alone or in combination with other information within Provider’s control) to identify, locate or contact a specific individual, or (ii) can be associated with an identified or identifiable individual.  By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address and email address as well as less obvious information such as an individual’s personal preferences, resort stay-related information and guest account information.  As an example, Personal Information may pertain to customers, employees or others.  Personal Information includes Personal Data as defined by Applicable Data Protection Law as applied to citizens of the European Union or Switzerland and Mexico’s Federal Law on Protection of Personal Data Held by Private Parties.

    Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, excerpts, whether or not such Personal Information has been intermingled with other information or materials.  For purposes of these Standards, Personal Information, including Sensitive Personal Information and Cardholder Data, only includes information:  (i) provided by HGV to Provider; or (ii) obtained, used, accessed, processed, possessed, acquired or otherwise handled by Provider on behalf of HGV or otherwise in connection with the provision of goods and/or services to or for HGV. 
  • (b) “Sensitive Personal Information” is a subset of Personal Information, which due to its nature has been classified by law or by these Standards as deserving additional privacy and security protections, including: (i) an individual’s name in combination with the individual’s:  (A) Social Security number, Taxpayer Identification Number, passport details, driver’s license number or other identification number issued by a government or public body; or (B) financial account number, with or without any code or password that would permit access to the account; (ii) information about the race, religion, ethnicity, medical or health information, political opinions, trade union membership, background check information or sexual life of an identifiable individual; or (iii) Cardholder Data.
  • (c) “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.  Cardholder Data is a type of Sensitive Personal Information. 
  • (d) “Data Processor” means the Provider as it Processes the Personal Information for HGV pursuant to these Standards and the Services Agreement.
  • (e) “Data Protection Requirements” means, collectively, all laws or regulations relating to data privacy, data security, personal data, transborder data flow and data protection, that apply with respect to Provider’s Processing of Personal Information.
  • (f) “Data Safeguards” means the administrative, operational, organizational, technical and physical safeguards described in Sections 7, 12, 13 and 14 of these Standards, as they may be modified from time to time in accordance with these Standards.
  • (g) “PCI Standards” means the security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply including, but not limited to the Payment Card Industry Data Security Standards currently in effect and as may be updated from time to time during the term of Provider’s relationship with HGV.
  • (h) “Permitted Purpose” means the purpose of performing and providing the services in accordance with Provider’s written agreement(s) with HGV and strictly in accordance with the documented instructions of HGV.
  • (i) “Process” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, acquisition, use, organization, alteration, combination, accessing, retention, storage, transfer, disclosure, dissemination or otherwise making available, blocking or disposal.
  • (j) “Controller”, “Processor”, “Data Subject”, and “Personal Data” shall have the meanings given in Applicable Data Protection Law.
  • (k) “Applicable Data Protection Law” means, (a) EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws implementing or supplementing the GDPR; (b) the California Consumer Privacy Act (“CCPA”) and laws implementing or supplementing CCPA; and (c) any other data protection or privacy law of any other country that applies with respect to any HGV Personal Information, including the Mexican Federal Law on the Protection of Personal Data held by Private Parties.


GENERAL PROVISIONS FOR ALL PERSONAL INFORMATION

2. Purposes for Processing; Ownership of Personal Information.  HGV (the controller) appoints Provider as a processor to Process the Personal Information that is the subject of this Agreement (the “Data”).  Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.  HGV will have the exclusive right to determine which information it will transfer to the Provider as well as the Permitted Purpose for which, and the manner in which, the Personal Information is Processed. Provider will have access to and use of the Personal Information solely for the Permitted Purpose.  In no event shall Provider Process the Data for its own purposes or those of any third party. At no time will Provider acquire any ownership, license, rights or other interest in or to Personal Information, all of which will be and remain, as between HGV and Provider, the proprietary information of HGV. Unless otherwise specified in Provider’s written agreement(s) with HGV, Provider is the Data Processor and HGV is the Data Controller of such Personal Information.

3. Use and Processing of Personal Information.  Provider will hold the Personal Information in confidence in accordance with the Data Protection Requirements, these Standards and Provider’s written agreement(s) with HGV, and will Process the Personal Information only on behalf of HGV and only as specifically directed by HGV in writing, and as otherwise permitted or directed under Provider’s written agreement(s) with HGV.  In no event may Provider: (a) use Personal Information to market its services or those of an affiliate or third party; (b) sell or rent Personal Information to its affiliates or third parties; or (c) otherwise Process any Personal Information for Provider’s, or any of its affiliates’ or any third party’s own purposes.

4. Disclosure of Personal Information and Subcontracting.  Provider will not disclose or transfer Personal Information to any of its affiliates or to any third party (including, without limitation, Provider’s subcontractors, or service providers) except as is necessary to carry out the Permitted Purpose; provided that any disclosure of Sensitive Personal Information is subject to Section 11 below.  If, pursuant to the foregoing, Provider will disclose Personal Information to a subcontractor or other service provider, Provider will take reasonable steps to select and retain subcontractors and service providers who are capable of maintaining appropriate security measures to protect the Personal Information consistent with these Standards and applicable Data Protection Requirements.  Prior to disclosing any Personal Information to any of its affiliates or to a third party (including under Section 11, below), Provider will have in place with such affiliate or third party a written agreement that includes obligations that are at least as broad in scope and restrictive as those in these Standards.  Provider further agrees, upon HGV’s request, to provide a list of all such affiliates and third parties to which Provider has disclosed Personal Information.  Provider will remain at all times accountable and responsible for compliance with these Standards, and all actions by such affiliates and third parties with respect to the disclosed Personal Information.

  • 4.1 Subcontracting.  Provider will not subcontract any Processing of the Personal Information to a third party subcontractor without the prior written consent of HGV.  Notwithstanding this, HGV consents to Provider engaging third party subcontractors to Process the Personal Information provided that: (i) Provider provides at least thirty (30) days’ prior notice of the addition or removal of any subcontractor (including details of the Processing it performs or will perform); (ii) Provider imposes data protection terms on any subcontractor it appoints that protect the Personal Information to the same standard provided for by this provision; and (iii) Provider remains fully liable for any breach of this provision that is caused by an act, error or omission of its subcontractor.  Provider will maintain and provide updated copies of the list of affiliates and third parties set forth in Section 4 when it adds or removes subcontractors in accordance with this provision. 

5. Disclosure Under Legal Process.  If Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand or other similar process) to disclose any Personal Information to a third party, Provider will not disclose the Personal Information without complying with the provisions of applicable laws and providing HGV written notice of any such request or requirement at least forty eight (48) hours prior to disclosing the Personal Information so that HGV may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure.  Notwithstanding the foregoing, Provider will exercise commercially reasonable efforts to prevent or limit any such disclosure or to otherwise preserve the confidentiality of the Personal Information including, without limitation, by cooperating with HGV to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded the Personal Information.

6. Cross-Border Transfers of Personal Information.  With respect to Personal Information originating from the European Union (“EU”) or Switzerland, Provider agrees to provide at least the same level of privacy protection as is required by the relevant EU-U.S. Privacy Shield Framework, located at https://www.privacyshield.gov, as it may be amended from time to time. At HGV’s request, Provider and any of its affiliates, subcontractors or service providers will enter into a data processing agreement with HGV that incorporates the European Commission Standard Contractual Clauses between Controllers and Processors, or any similar agreement relating to other countries, including Mexico, to allow Personal Information to be transferred by HGV to Provider and such affiliates, subcontractors or service providers.  Provider will not transfer Personal Information to any country (including for Processing by Provider’s affiliates, subcontractors or service providers) other than the country(ies) contemplated in Provider’s written agreement(s) with HGV, unless agreed to in writing by HGV.

7. Data Safeguards.  Provider will adopt, implement and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use or disclosure of Personal Information.  Such procedures and practices will be compliant, at a minimum, with the terms of Provider’s agreement(s) with HGV, these Standards and the Data Protection Requirements.  All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information. 

  • (a) Provider agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider employees and agents who require such access for purposes of providing goods and/or services to HGV; (iv) it will establish an internal supervision and surveillance system as well as verifications to ensure compliance with its privacy and information security policies and procedures; and (v) it will impose appropriate disciplinary measures for violations of its privacy and information security policies and procedures.
  • (b) If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal.  Upon request, Provider will certify to HGV that all forms of the Personal Information disposed of have been destroyed in accordance with these Standards, and will describe any exceptions. 
  • (c) Provider shall review and, as appropriate, revise the Data Safeguards:  (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended or re-interpreted Data Protection Requirements, and (iv) as reasonably requested by HGV.  Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality or integrity of Personal Information. 
  • (d) Provider will provide HGV with all information necessary to demonstrate compliance with Applicable Data Protection Law.

8. Security Incidents.  Provider agrees to notify HGV immediately (which in no event will be longer than twenty four (24) hours) at cyberincidentresponse@hgv.com whenever Provider reasonably believes that any Personal Information, or information or other material that can be used to access Personal Information, in any form or on any media has been accessed, acquired, modified, used or disclosed by any unauthorized person, or by any person in an unauthorized manner or for an unauthorized purpose (“Breach”).  After providing such notice, Provider will investigate the Breach, take all necessary steps to eliminate or contain the exposures that led to such Breach, and keep HGV advised of the status of such Breach and all matters related thereto.  Provider further agrees to provide all reasonable assistance, requested by HGV and/or HGV’s designated representatives, in the furtherance of any investigation, correction and/or remediation of any such Breach, including, but not limited to, any notification that HGV may determine appropriate to send to individuals impacted or potentially impacted and/or the provision of any credit monitoring or other identity protection service that HGV deems appropriate to provide to such individuals.  To the extent permitted by applicable laws or regulations, Provider will not give notice to any regulatory authority, any individual or any third party of any actual or potential Breach without first consulting with, and obtaining the written permission of, HGV.

9. Complaints; Investigations.  If Provider receives any complaint, notice, or communication which relates directly or indirectly to Provider’s Processing of the Personal Information or either party’s compliance with applicable law in connection with Personal Information, it will promptly notify HGV.  At HGV’s request, Provider will assist and support HGV in the event of such a complaint or an investigation by a regulator, data protection authority or similar authority, if and to the extent that such complaint or investigation relates to Personal Information.  Such assistance will be at HGV’s sole expense, except where the complaint or investigation arose from Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense.

10. Requests for Personal Information; Cooperation and Data Subject’s Rights.  Provider will immediately inform HGV in writing upon learning of any request for access, rectification, cancellation or opposition relating to any Personal Information received by Provider from an individual who is (or claims to be) the subject of the data.  Provider will not respond to these requests, unless explicitly authorized by HGV, or to the extent required by law. Provider will provide all reasonable and timely assistance to HGV to enable HGV to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, opposition, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Data.  In the event that any such request, correspondence, inquiry or complaint is made directly to Provider, Provider will have the duty to promptly inform HGV, providing full details of the same, so that HGV is in a position to provide an appropriate response in accordance with applicable laws.  If for any reason Provider breaches its duty to inform HGV of any such request, correspondence, inquiry or complaint within a reasonable period of time, Provider will: (i) cooperate in complying with any measures imposed on HGV by a governing authority and (ii) indemnify HGV for all costs, fees, claims or actions associated with such breach.

ADDITIONAL PROTECTIONS FOR SENSITIVE PERSONAL INFORMATION

In addition to the provisions set forth above, Providers with access to Sensitive Personal Information agree to the following enhanced privacy and data protection measures set forth in Sections 11 and 12:

11. Disclosure of Sensitive Personal Information.  Notwithstanding the foregoing, Provider agrees that it will not disclose Sensitive Personal Information to any of its affiliates or to any third party (including, without limitation, Provider’s subcontractors, or service providers) except as required to fulfill the Permitted Purposes for HGV as expressly set forth in a written agreement between Provider and HGV.

12. Enhanced Data Security Measures.  Provider will:

  • (a) adopt, implement, maintain and monitor a written information security program that contains administrative, technical and physical safeguards to prevent the unauthorized access, acquisition, destruction, modification, use or disclosure of Sensitive Personal Information;
  • (b) conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing Sensitive Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;
  • (c) take reasonable steps to ensure the reliability of all Provider employees and personnel who will be provided with access to Sensitive Personal Information;
  • (d) ensure that its information security program includes industry standard password, firewall, operating system and anti-virus and malware protections to protect Sensitive Personal Information stored or otherwise handled on computer systems;
  • (e) encrypt, using industry standard encryption tools, all records and files containing Sensitive Personal Information that Provider:  (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; (iii) where technically feasible, stores on portable devices; and (iv) stores on any device that is transported outside of the physical or logical controls of Provider.  Provider will safeguard the security, confidentiality and integrity of all encryption keys associated with encrypted Sensitive Personal Information;
  • (f) maintain an incident response program that specifies the actions to be taken by Provider when it suspects or determines that a Breach has occurred;
  • (g) implement such additional security measures as may be required under the Data Protection Requirements or specified in the agreement(s) between the parties, including measures to assist HGV in complying with the rights of data subjects under the Applicable Data Protection Law; and
  • (h) promptly, if Provider believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, inform HGV and provide HGV with all reasonable and timely assistance required by HGV to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.

ADDITIONAL PROTECTIONS FOR CARDHOLDER DATA

In addition to the provisions set forth above, Providers with access to Cardholder Data agree to the following enhanced privacy and data protection measures set forth in Section 13:

13. Provider agrees that it will comply with the PCI Standards with respect to Cardholder Data.  Provider further represents and warrants that it will not take any actions that will compromise HGV’s ability to comply with the PCI Standards.

ADDITIONAL PROTECTIONS FOR HILTON GRAND VACATIONS NETWORKS

In addition to the provisions set forth above, Providers that directly, or through any of their affiliates, subcontractors or service providers, connect to HGV’s computing systems and/or networks agree to the following enhanced privacy and data protection measures set forth in Section 14:

14. Provider agrees that: (i) all Provider interconnectivity to HGV’s computing systems and/or networks and all attempts at same will be only through HGV’s security gateways/firewalls; (ii) Provider will not access, and will not permit any other person or entity to access, HGV’s computing systems and/or networks without HGV’s authorization and any such actual or attempted access will be consistent with any such authorization; and (iii) Provider’s systems connecting to HGV’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity or availability of HGV’s computing systems or networks, will be actively protected by an industry standard virus/malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of HGV’s computing systems and/or networks.  Provider agrees that HGV may perform periodic network assessments, and should any such assessment reveal inadequate security by Provider or its affiliates, subcontractors or service providers, HGV, in addition to other remedies it may have, may suspend access to HGV’s computing systems and/or networks until such security issue has been resolved.

MISCELLANEOUS PROVISIONS

15. Violations of these Standards.  Provider agrees to notify HGV immediately of any material breach or violation of these Standards.  Without limiting other remedies that may be available to HGV for violation of these Standards, Provider agrees that HGV may, at its discretion, immediately terminate Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and HGV, without penalty, if Provider violates any requirement of these Standards.  Further, Provider agrees to fully indemnify HGV for all costs, fees, claims or actions associated with any unauthorized access, acquisition or use of Personal Information within Provider’s control.

16. Audits and Inspections.  Upon HGV’s request, Provider will provide reasonable supporting documentation regarding the Data Safeguards, business continuity and recovery facilities, resources, plans and procedures.  Upon reasonable notice to Provider, Provider will permit HGV, its auditors, designated audit representatives, and regulators, including data protection authorities, during normal business hours, to audit and inspect:  (i) Provider’s facilities where Personal Information is Processed; (ii) any computerized systems used to Process Personal Information; and (iii) Provider’s security practices and procedures, data protection, business continuity and recovery facilities, resources, plans and procedures.  The audit and inspection rights hereunder will be, at a minimum, for the purpose of verifying Provider’s compliance with these Standards and the Data Protection Requirements.

17. Return or Deletion of Personal Information.  HGV has the right, in its sole discretion at any time and from time to time, to restrict, discontinue, suspend, cancel, terminate or modify Provider’s right to Process Personal Information.  Upon the termination or expiration of Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and HGV, or upon HGV’s request, Provider will, and will cause its affiliates, subcontractors and service providers to, return in a manner and format reasonably requested by HGV, or, if specifically directed by HGV, destroy or delete, any or all Personal Information in its possession, power or control, and Provider will certify the same, each as described in Section 7(b) above. 

18. Changes to these Standards.  HGV can change these Standards in its sole discretion at any time and from time to time.  Any changes to these Standards will be binding upon Provider when posted online; provided, however, that Provider will have a reasonable period of time to implement any change in these Standards (not to exceed any time period provided by applicable law, rule, or regulation to implement such change).  Provider is obligated to check the URL at which these Standards are posted regularly for any changes.

19. Survival; Third Party Beneficiaries.  Provider’s obligations under these Standards will survive the termination or expiration of its services or any related agreements and will continue for so long as Provider, or any of its affiliates, subcontractors or service providers retain or have access to Personal Information.  Provider acknowledges and agrees that each entity referenced in the definition of “HGV” above is an intended third party beneficiary of Provider’s obligations and liabilities under these Standards, including without limitation Provider’s obligations with respect to Personal Information, and as such, each will have a right of its own to enforce these Standards.

ADDITIONAL PROTECTIONS FOR HILTON WORLDWIDE HOLDINGS, INC. PERSONAL INFORMATION

In addition to the provisions set forth above, Providers with access to Hilton Worldwide Holdings, Inc. Personal Information agree to the following enhanced privacy and data protection measures set forth in Section 20:

20. Hilton Worldwide Holdings, Inc. has the exclusive right to determine the purposes for which, and the manner in which, Hilton Worldwide Holdings, Inc. Personal Information is Processed.  HGV has entered into a license agreement with Hilton Worldwide Holdings, Inc. allowing HGV to Process Hilton Worldwide Holdings, Inc. Personal Information and which requires any third party Processing of Hilton Worldwide Holdings, Inc. Personal Information be approved by Hilton Worldwide Holdings, Inc. prior to Processing.  Hilton Worldwide Holdings, Inc. is a third party beneficiary as it pertains to Hilton Worldwide Holdings, Inc. Personal Information and is entitled to the rights and benefits herewith and may enforce the same as if a party herein.  Nothing in this provision abrogates HGV’s rights to independently enforce its rights and benefits herewith.

Issued May 2018

Latest Revision: August 19, 2020