HILTON GRAND VACATIONS
PRIVACY AND DATA PROTECTION STANDARDS
FOR SERVICE PROVIDERS (“Standards”)
At Hilton Grand Vacations, we take the protection of Personal Information relating to our customers, employees, independent contractors, and service providers very seriously. All individuals or organizations that provide goods or services (“Providers”) to Hilton Grand Vacations Inc., a Delaware corporation, or any of its direct or indirect subsidiaries, owned and managed resorts, partnerships or joint ventures (collectively, “HGV”), must abide by and comply with the principles set forth in these Standards.
1. Definitions.
(a) “Applicable Data Protection Law” means all applicable data privacy and security laws relating to the Processing of Personal Information that may exist in any relevant jurisdiction, including but not limited to: (i) the United States of America Privacy Laws (defined below); (ii) the EU General Data Protection Regulation 2016/679 as amended, replaced or superseded from time to time (“GDPR”); (iii) the UK General Data Protection Regulation (as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”); (iv) the Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 (“PIPEDA”) of Canada; and (v) any other applicable law with respect to any HGV Personal Information subject to the data protection or privacy laws of any other country, including the Mexican Federal Law on the Protection of Personal Data held by Private Parties; in each case including any regulation, guideline, and opinion issued by any competent authority and as may be amended, superseded, supplemented, or replaced.
(b) “Authorized Personnel” means any person who Processes Personal Information on Provider’s behalf, including Provider’s employees, officers, directors, partners, principals, agents, representatives, contractors, and Subprocessors.
(c) “Breach” means any breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure or access to Personal Information.
(d) “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction. Cardholder Data is a type of Sensitive Personal Information.
(e) “Data Processor” means the Provider as it Processes the Personal Information for HGV pursuant to these Standards and any applicable services agreement.
(f) “Data Safeguards” means the administrative, operational, organizational, technical and physical safeguards described in Sections 7, 12, 13 and 14 of these Standards, as they may be modified from time to time in accordance with these Standards.
(g) “PCI Standards” means the security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply including, but not limited to the Payment Card Industry Data Security Standards currently in effect and as may be updated from time to time during the term of Provider’s relationship with HGV.
(h) “Personal Information” means any information concerning any individual that (i) can be used (alone or in combination with other information within Provider’s control) to identify, locate or contact a specific individual, or (ii) can be associated with an identified or identifiable individual. By way of illustration, and not of limitation, Personal Information consists of obviously personally identifiable data elements, such as name, address and email address as well as less obvious information such as an individual’s personal preferences, resort stay-related information and guest account information. Further, Personal Information may pertain to customers, employees or others. Personal Information includes Personal Data as defined by Applicable Data Protection Law as applied to citizens of the European Union, United Kingdom, Canada or Switzerland and Mexico’s Federal Law on Protection of Personal Data Held by Private Parties.
Personal Information can be in any media or format, including computerized or electronic records as well as paper-based files, including all copies, fragments, excerpts, whether or not such Personal Information has been intermingled with other information or materials. For purposes of these Standards, Personal Information, including Sensitive Personal Information and Cardholder Data, only includes information: (A) provided by HGV to Provider; or (B) obtained, used, accessed, processed, possessed, acquired or otherwise handled by Provider on behalf of HGV or otherwise in connection with the provision of goods and/or services to or for HGV.
(i) “Permitted Purpose” means the purpose of performing and providing the services in accordance with Provider’s written agreement(s) with HGV and strictly in accordance with the documented instructions of HGV.
(j) “Process” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as collection, acquisition, use, organization, alteration, combination, accessing, retention, storage, transfer, disclosure, dissemination or otherwise making available, blocking or disposal.
(k) “Sensitive Personal Information” is a subset of Personal Information, which due to its nature has been classified by law or by these Standards as deserving additional privacy and security protections, including: (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, passport details, driver’s license number or other identification number issued by a government or public body; or (B) financial account number, with or without any code or password that would permit access to the account; (ii) information about the race, religion, ethnicity, medical or health information, political opinions, trade union membership, background check information or sexual life of an identifiable individual; or (iii) Cardholder Data.
(l) “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
(m) “Subprocessor” means any third party (including any Provider affiliates) engaged directly or indirectly by Providers to Process any Personal Information.
(n) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom’s Information Commissioner and laid before Parliament in accordance with s119A of the UK Data Protection Law on 28 January 2022, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
(o) “United States of America Privacy Laws” or “US Privacy Laws” means any state, federal, or U.S. territory data protection legislation that applies to the Parties, as may be enacted, amended, replaced or superseded from time to time, including but not limited to (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, California Civil Code § 1798.100, et seq. (“CCPA”) and laws implementing or supplementing CCPA; (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Utah Consumer Privacy Act; and (v) the Connecticut Data Privacy Act.
(p) “Controller,” “Data Subject,” “Sell,” “Share,” and “Personal Data” shall have the meanings given in Applicable Data Protection Law.
GENERAL PROVISIONS FOR ALL PERSONAL INFORMATION
2. Purposes for Processing; Ownership of Personal Information. HGV (the Controller) appoints Provider as a Processor to Process the Personal Information that is the subject of the applicable service agreement. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. HGV will have the exclusive right to determine which information it will transfer to the Provider as well as the Permitted Purpose for which, and the manner in which, the Personal Information is Processed. Provider will have access to and use of the Personal Information solely for the Permitted Purpose. In no event shall Provider Process the Personal Information for its own purposes or those of any third party. At no time will Provider acquire any ownership, license, rights or other interest in or to Personal Information, all of which will be and remain, as between HGV and Provider, the proprietary information of HGV. Unless otherwise specified in Provider’s written agreement(s) with HGV, Provider is the Data Processor and HGV is the Controller of such Personal Information.
3. Use and Processing of Personal Information. Provider will hold the Personal Information in confidence in accordance with Applicable Data Protection Law, these Standards and Provider’s written agreement(s) with HGV, and will Process the Personal Information only on behalf of HGV and only for the Permitted Purpose. In no event will Provider: (a) retain, use, or disclose Personal Information for any purpose other than for the Permitted Purposes, including retaining, using, or disclosing it for a commercial purpose; (b) Sell or Share Personal Information; (c) retain, use, or disclose Personal Information outside of the direct business relationship between HGV and Provider; or (d) combine HGV Personal Information with Personal Information it receives from or on behalf of another business or that it collects from its own interaction with a Data Subject, unless permitted by Applicable Data Protection Law.
4. Disclosure of Personal Information and Subcontracting. Provider will not disclose or transfer Personal Information to any of its Subprocessors except as is necessary to carry out the Permitted Purpose; provided that any disclosure of Sensitive Personal Information is subject to Section 11 below. If, pursuant to the foregoing, Provider will disclose Personal Information to a Subprocessor, Provider will take reasonable steps to select and retain Subprocessors who are capable of maintaining appropriate security measures to protect the Personal Information consistent with these Standards and Applicable Data Protection Law. Prior to disclosing any Personal Information to any Subprocessor (including under Section 11, below), Provider will have in place with such Subprocessor a written agreement that includes obligations that are at least as broad in scope and restrictive as those in these Standards and comply with Applicable Data Protection Law. Provider further agrees, upon HGV’s request, to provide a list of all Subprocessors to which Provider will disclose Personal Information. Provider will remain at all times accountable, liable, and responsible for compliance with these Standards, and all actions by such Subprocessor with respect to the disclosed Personal Information.
(a) Subcontracting. Provider will not subcontract any Processing of the Personal Information to a Subprocessor without the prior written consent of HGV. Notwithstanding this, HGV consents to Provider engaging third party Subprocessors to Process the Personal Information provided that: (i) Provider provides at least thirty (30) days’ prior notice of the addition or replacement of any Subprocessor (including details of the Processing it performs or will perform); (ii) Provider imposes data protection terms on any Subprocessor it appoints that protect the Personal Information to the same standard provided for by this provision; and (iii) Provider remains fully liable for any breach of this provision that is caused by an act, error or omission of any Subprocessor. Provider will maintain and provide updated copies of the list of Subprocessors set forth in Section 4 when it adds or replaces Subprocessors in accordance with this provision. HGV has the right to object to the engagement of any Subprocessor on data protection grounds, in which case Provider will not engage the Subprocessor, or HGV may elect to immediately suspend or terminate the Processing of Personal Information under the applicable written agreement and/or immediately suspend or terminate the agreement, in each case without penalty.
5. Disclosure Under Legal Process. If Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand or other similar process) to disclose any Personal Information to a third party, Provider will not disclose the Personal Information without complying with the provisions of applicable laws and providing HGV written notice of any such request or requirement at least forty eight (48) hours prior to disclosing the Personal Information so that HGV may, at its own expense, exercise such rights as it may have under law to prevent or limit such disclosure. Notwithstanding the foregoing, Provider will exercise commercially reasonable efforts to prevent or limit any such disclosure or to otherwise preserve the confidentiality of the Personal Information including, without limitation, by cooperating with HGV to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded the Personal Information.
6. Cross-Border Transfers of Personal Information. In respect of Personal Information where the GDPR applies and only to the extent applicable, the Parties agree to use an appropriate data transfer mechanism, which may include the Data Privacy Framework, located at https://www.dataprivacyframework.gov, or entering into the Standard Contractual Clauses. In respect of Personal Information where the UK GDPR applies and only to the extent applicable, the Parties agree to use an appropriate data transfer mechanism, such as entering into the UK Addendum. Provider will not transfer Personal Information to any country (including for Processing by Provider’s Subprocessors) other than the country(ies) contemplated in Provider’s written agreement(s) with HGV, unless agreed to in writing by HGV. If any transfer mechanism in this section is subsequently cancelled, suspended, modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties shall cooperate in good faith to implement a suitable alternate mechanism that can lawfully support the transfer.
7. Data Safeguards. Provider will adopt, implement and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use or disclosure of Personal Information. Such procedures and practices will be compliant, at a minimum, with the terms of Provider’s agreement(s) with HGV, these Standards and Applicable Data Protection Laws. All such procedures and practices will take into account the nature of the Personal Information and the commensurate risks associated with such Personal Information.
(a) Provider agrees that: (i) its Authorized Personnel will be required, as a condition of employment or retention, to protect all Personal Information in Provider’s possession or otherwise acquired by or accessible to Provider; (ii) its Authorized Personnel who will be provided access to, or otherwise come into contact with, Personal Information, will receive appropriate training relating to the protection of Personal Information; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Information to the minimum number of Provider Authorized Personnel who require such access for purposes of providing goods and/or services to HGV; (iv) it will establish an internal supervision and surveillance system as well as verifications to ensure compliance with its privacy and information security policies and procedures; and (v) it will impose appropriate disciplinary measures for violations of its privacy and information security policies and procedures.
(b) If Provider disposes of any paper or electronic record containing Personal Information, Provider will do so in an appropriate manner based on the sensitivity of the information in order to prevent unauthorized access to such information in connection with its disposal. Upon request, Provider will certify to HGV that all forms of the Personal Information disposed of have been destroyed in accordance with these Standards, and will describe any exceptions.
(c) Provider shall review and, as appropriate, revise the Data Safeguards: (i) at least annually or whenever there is a material change in Provider’s business practices that may reasonably affect the security, confidentiality or integrity of Personal Information; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended or re-interpreted requirements under Applicable Data Protection Laws; and (iv) as reasonably requested by HGV. Provider agrees not to alter or modify its Data Safeguards in such a way that will weaken or compromise the security, confidentiality or integrity of Personal Information.
(d) Provider will provide HGV with all information necessary to demonstrate compliance with Applicable Data Protection Law.
8. Security Incidents. Provider agrees to notify HGV immediately (which in no event will be longer than twenty four (24) hours) at cyberincidentresponse@hgv.com in the event of a Breach. After providing such notice, Provider will investigate the Breach, take all necessary steps to eliminate or contain the exposures that led to such Breach, and keep HGV advised of the status of such Breach and all matters related thereto. Provider further agrees to provide all reasonable assistance, requested by HGV and/or HGV’s designated representatives, in the furtherance of any investigation, correction and/or remediation of any such Breach, including, but not limited to, any notification that HGV may determine appropriate to send to individuals impacted or potentially impacted and/or the provision of any credit monitoring or other identity protection service that HGV deems appropriate to provide to such individuals. To the extent permitted by applicable laws or regulations, Provider will not give notice to any regulatory authority, any individual or any third party of any actual or potential Breach without first consulting with HGV and obtaining HGV’s written permission. Provider shall reimburse HGV for reasonable costs HGV incurs to send all notifications as required by Applicable Data Protection Laws, provide credit monitoring and identity theft protection services to affected consumers, and for any forensic investigation, regulatory investigation, or litigation fees, including attorneys’ fees, costs, fines, and damages relating to the Breach.
9. Complaints; Investigations. If Provider receives any complaint, notice, or communication which relates directly or indirectly to Provider’s Processing of the Personal Information or either party’s compliance with applicable law in connection with Personal Information, it will promptly notify HGV. At HGV’s request, Provider will assist and support HGV in the event of such a complaint or an investigation by a regulator, data protection authority or similar authority, if and to the extent that such complaint or investigation relates to Personal Information. Such assistance will be at HGV’s sole expense, except where the complaint or investigation arose from Provider’s acts or omissions, in which case such assistance will be at Provider’s sole expense.
10. Requests for Personal Information; Cooperation and Data Subject’s Rights. Provider will immediately inform HGV in writing upon learning of any Data Subject request under Applicable Data Protection Laws, regarding any Personal Information received by Provider. Provider will not respond to these requests, unless explicitly authorized by HGV, or to the extent required by law. Provider will provide all reasonable and timely assistance to HGV to enable HGV to respond to: (a) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, opposition, erasure and data portability, as applicable); and (b) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Information. In the event that any such request, correspondence, inquiry or complaint is made directly to Provider, Provider will have the duty to promptly inform HGV providing full details of the same, so that HGV is in a position to provide an appropriate response in accordance with applicable laws. If for any reason Provider breaches its duty to inform HGV of any such request, correspondence, inquiry or complaint within a reasonable period of time, Provider will: (i) cooperate in complying with any measures imposed on HGV by a governing authority and (ii) indemnify HGV for all costs, fees, claims or actions associated with such breach.
ADDITIONAL PROTECTIONS FOR SENSITIVE PERSONAL INFORMATION
In addition to the provisions set forth above, Providers with access to Sensitive Personal Information agree to the following enhanced privacy and data protection measures set forth in Sections 11 and 12:
11. Disclosure of Sensitive Personal Information. Notwithstanding the foregoing, Provider agrees that it will not disclose Sensitive Personal Information to any of its Subprocessors except as required to fulfill the Permitted Purposes for HGV as expressly set forth in a written agreement between Provider and HGV.
12. Enhanced Data Security Measures. Provider will:
(a) adopt, implement, maintain and monitor a written information security program that contains administrative, technical and physical safeguards to prevent the unauthorized access, acquisition, destruction, modification, use or disclosure of Sensitive Personal Information;
(b) conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing Sensitive Personal Information and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks;
(c) take reasonable steps to ensure the reliability of all Provider Authorized Personnel who will be provided with access to Sensitive Personal Information;
(d) ensure that its information security program includes industry standard password, firewall, operating system and anti-virus and malware protections to protect Sensitive Personal Information stored or otherwise handled on computer systems;
(e) encrypt, using industry standard encryption tools, all records and files containing Sensitive Personal Information that Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; (iii) where technically feasible, stores on portable devices; and (iv) stores on any device that is transported outside of the physical or logical controls of Provider. Provider will safeguard the security, confidentiality and integrity of all encryption keys associated with encrypted Sensitive Personal Information;
(f) maintain an incident response program that specifies the actions to be taken by Provider when it suspects or determines that a Breach has occurred;
(g) implement such additional security measures as may be required under the Data Protection Requirements or specified in the agreement(s) between the parties, including measures to assist HGV in complying with the rights of Data Subjects under the Applicable Data Protection Law; and
(h) promptly, if Provider believes or becomes aware that its Processing of Personal Information is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, inform HGV and provide HGV with all reasonable and timely assistance required by HGV to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
ADDITIONAL PROTECTIONS FOR CARDHOLDER DATA
In addition to the provisions set forth above, Providers with access to Cardholder Data agree to the following enhanced privacy and data protection measures set forth in Section 13:
13. Provider agrees that it will comply with the PCI Standards with respect to Cardholder Data. Provider further represents and warrants that it will not take any actions that will compromise HGV’s ability to comply with the PCI Standards.
ADDITIONAL PROTECTIONS FOR HILTON GRAND VACATIONS NETWORKS
In addition to the provisions set forth above, Providers that directly, or through any of their Subprocessors, connect to HGV’s computing systems and/or networks agree to the following enhanced privacy and data protection measures set forth in Section 14:
14. Provider agrees that: (a) all Provider interconnectivity to HGV’s computing systems and/or networks and all attempts at same will be only through HGV’s security gateways/firewalls; (b) Provider will not access, and will not permit any other person or entity to access, HGV’s computing systems and/or networks without HGV’s authorization and any such actual or attempted access will be consistent with any such authorization; and (c) Provider’s systems connecting to HGV’s systems or networks, and those Provider systems which, if compromised, could affect the security, confidentiality, integrity or availability of HGV’s computing systems or networks, will be actively protected by an industry standard virus/malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of HGV’s computing systems and/or networks. Provider agrees that HGV may perform periodic network assessments, and should any such assessment reveal inadequate security by Provider or its Subprocessors, HGV, in addition to other remedies it may have, may suspend access to HGV’s computing systems and/or networks until such security issue has been resolved.
MISCELLANEOUS PROVISIONS
15. Violations of these Standards. Provider agrees to notify HGV immediately of any material breach or violation of these Standards. Without limiting other remedies that may be available to HGV for violation of these Standards, Provider agrees that HGV may, at its discretion, immediately terminate Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and HGV, without penalty, if Provider violates any requirement of these Standards. Provider agrees to fully indemnify, defend, and hold harmless HGV for all costs, fees, claims or actions associated with any failure by Provider or its Subprocessors to fully comply with, or any breach of, these Standards. Provider shall remain fully liable to HGV for (a) any breach of these Standards caused by an act, error, or omission by any Subprocessors or Authorized Personnel, and (b) any Breach. Any exclusion of damages or limitation of liability that may apply to limit Provider’s liability arising out of or under these Standards, howsoever caused, regardless of how such amounts or sanctions awarded are characterized and regardless of the theory of liability, shall not apply to Provider’s liability under these Standards.
16. Audits and Inspections. Upon HGV’s request, Provider will provide reasonable supporting documentation regarding the Data Safeguards, business continuity and recovery facilities, resources, plans and procedures. Upon reasonable notice to Provider, Provider will permit HGV, its auditors, designated audit representatives, and regulators, including data protection authorities, during normal business hours, to audit and inspect: (a) Provider’s facilities where Personal Information is Processed; (b) any computerized systems used to Process Personal Information; and (c) Provider’s security practices and procedures, data protection, business continuity and recovery facilities, resources, plans and procedures. The audit and inspection rights hereunder will be, at a minimum, for the purpose of verifying Provider’s compliance with these Standards and Applicable Data Protection Laws.
17. Return or Deletion of Personal Information. HGV has the right, in its sole discretion at any time and from time to time, to restrict, discontinue, suspend, cancel, terminate or modify Provider’s right to Process Personal Information. Upon the termination or expiration of Provider’s provision of goods and/or services under any or all agreements or arrangements between Provider and HGV, or upon HGV’s request, Provider will, and will cause its Subprocessors to, return in a manner and format reasonably requested by HGV, or, if specifically directed by HGV, destroy or delete, any or all Personal Information in its possession, power or control, and Provider will certify the same, each as described in Section 7(b) above.
18. Changes to these Standards. HGV can change these Standards in its sole discretion at any time and from time to time. Any changes to these Standards will be binding upon Provider when posted online; provided, however, that Provider will have a reasonable period of time to implement any change in these Standards (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Provider is obligated to check the URL at which these Standards are posted regularly for any changes.
19. Survival; Third Party Beneficiaries. Provider’s obligations under these Standards will survive the termination or expiration of its services or any related agreements and will continue for so long as Provider, or any of its Subprocessors retain or have access to Personal Information. Provider acknowledges and agrees that each entity referenced in the definition of “HGV” above, and Hilton Worldwide Holdings Inc. as set forth in Section 20 below, is an intended third party beneficiary of Provider’s obligations and liabilities under these Standards, including without limitation Provider’s obligations with respect to Personal Information, and as such, each will have a right of its own to enforce these Standards.
ADDITIONAL PROTECTIONS FOR HILTON WORLDWIDE HOLDINGS INC. PERSONAL INFORMATION
In addition to the provisions set forth above, Providers with access to Hilton Worldwide Holdings Inc. Personal Information agree to the following enhanced privacy and data protection measures set forth in Section 20:
20. Hilton Worldwide Holdings Inc. has the exclusive right to determine the purposes for which, and the manner in which, Hilton Worldwide Holdings Inc. Personal Information is Processed. HGV has entered into a license agreement with Hilton Worldwide Holdings Inc. allowing HGV to Process Hilton Worldwide Holdings Inc. Personal Information and which requires any third party Processing of Hilton Worldwide Holdings Inc. Personal Information to be approved by Hilton Worldwide Holdings Inc. prior to Processing. Hilton Worldwide Holdings Inc. is a third party beneficiary as it pertains to Hilton Worldwide Holdings Inc. Personal Information and is entitled to the rights and benefits herewith and may enforce the same as if a party herein. Nothing in this provision abrogates HGV’s rights to independently enforce its rights and benefits herewith.
First Issued May 2018
Latest Revision: August 12, 2024