Global


CWT Data Protection Policy

Last updated October 21, 2010

Carlson Wagonlit Travel (CWT) is a travel management company with operations in many countries around the world and provides business travel services and meetings and events services to its corporate clients. To provide such services, CWT receives individual data from such the Client's travelers.

Please note: CWT is currently reviewing certain parts of its data protection program. Until that review is complete, we have only updated the English version of the data protection policy and will wait to make the necessary translations once we have finished that review.

What are the Data Protection/Privacy Laws?

There are over 60 countries with Data Protection/Privacy Laws. The overall purpose of these laws is to secure the rights of individuals regarding their personal data. The laws generally establish the minimum standards for the collection, processing and securing of data. They also limit the use of the personal data to the purpose for which the data was given, by imposing destruction once the purpose has been fulfilled, and by providing the individuals with access to their personal data.

"Personal data" usually means any information that identifies a person, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

For examples of relevant laws, please see the following web sites:

Why do the laws apply to CWT?

CWT uses personal data of its clients' travelers, as further described below (see what we do with the personal data), and is thus subject to the data protection laws.

CWT has always had internal confidentiality standards. In order to comply with these data protection/privacy laws, CWT has established this Data Protection/Privacy Policy. Our policy is a global single policy that takes into account the national laws of the many countries where CWT operates, and in some cases surpasses the requirements set out therein. In particular, this policy requires that travelers confirm their consent to CWT's use of their personal data for providing business travel services.

Information that we store

The personal data that we store for each traveler may include: name, gender, date of birth, (address and phone numbers, email address, credit card references/number, travel destinations, travel schedules, travel preferences (seat, meal, smoking, etc.), as well as passport and visa details and next of kin information.

When servicing a given corporate client, CWT creates an electronic "Traveler Profile" with personal data for each traveler, which is kept on a computerized data base as a reference document and consulted each time a reservation is to be made. When a reservation is made, CWT creates a "passenger name record" (PNR), which contains all of the personal data needed to fulfill the travel request of each traveler (and reservation information) and also to fulfill regulatory requirements for travel to certain destinations such as SecureFlight program in theUnited States and the Advanced Passenger Information System in several countries like UK, China, etc.).

What we do with personal data:

In addition to creating Traveler Profiles and PNRs, CWT uses the personal data (usually the PNR) of the traveler for the following travel and other travel-related purposes.

Reservations: To make reservations, CWT needs to transfer personal data to various third party travel suppliers, computer reservation systems within the traveler's home country or in another country where the traveler may be traveling and often also to government bodies for certain destinations (DHS in the US, ...). Without this information travel will not be possible.

Consolidation of Travel Data: At the request of the client (the paying party for the travel), CWT or a third party prepares information reports that summarize and analyze the travel expenditures per destination, per travel supplier, etc. Such reports may include certain personal data from the traveler's profile.

Transfers to Third Parties at Corporate Client's request: CWT may also transfer personal data to third parties at the request of the client. For example, for data consolidation or emergency traveler tracking services. These transfers could involve transfers of personal data to other countries.

Compliance with Travel Policy: Also at the request of the client, CWT may report on the compliance of the travelers with the travel policy of the client and identify any exceptions to the compliance.

Collecting Travel Payments: CWT may transfer personal data to third parties in the traveler's home country or to another country for the purpose of collecting payments related to travel reservations.

CWT Databases: The electronic Traveler Profiles that CWT maintains are stored in a central database at a CWT location in the United States. However, some clients of CWT have opted for and selected their own online booking tool, which will also store traveler profile information. In this case the information is stored by the selected 3rd party - and CWT may only receive a replica for business purposes.


New Products and Services: Also with the goal of improving service and based on the data given to CWT, we may send additional information to the traveler if it applies to his/her trip or in advance of future trips. An example might be a list of restaurants near a specific hotel, in a specific city.


How is the traveler's consent obtained?

CWT standard procedures require the Client to act as the data controller. In this case, the Client manages the traveler consent process. CWT solely acts as data processor upon Client' instructions.

However, in exceptional circumstances CWT may act as data controller: CWT collects the consent of each traveler through a Data Protection Statement.

Application of the Policy

Data Protection Statement (DPS): For CWT as Data Controller, CWT has established a Data Protection Statement to ensure consent to various uses of personal data given to CWT. The Data Protection Statement appears when the traveler completes his/her traveler profile electronically. The traveler has the option of opting-in or option-out. However, travelers opting-out from the DPS will potentially incur a higher fee for the Client.

Transfer to Third Parties: Prior to a transfer, third parties (except for travel suppliers such as the airlines, computer reservation systems, hotels, or government entities, etc.) are required to sign a data transfer agreement with CWT, which requires them to follow the applicable data protection laws. An exception may be made for personal data collected in the E.U. if the third party is located in another EU country or in a country approved by the EU as having adequate data protection laws. This will ensure that even if the laws governing the third party are less strict than our standards, the level of protection that the traveler's data receives will be consistent. For instance, data consolidators are required to sign an agreement. Even subsidiaries of CWT in countries with data protection laws that are considered less strict also sign a transfer agreement. An EU model clause Data Transfer Agreement has been signed between Carlson Wagonlit Travel and its U.S. subsidiary. CWT's U.S. entities are also certified as Safe Harbor (see CWT's name under the Safe Harbor website at: https://www.export.gov/safehrbr/list.aspx).

Security: Pursuant to the various data protection laws, CWT has implemented appropriate technical and organizational measures to protect the personal data obtained from our clients' travelers, against accidental or unlawful disclosure or destruction.

Destruction: Under many data protection laws, personal data must be destroyed after a certain period of time. CWT keeps travel data only as long as required by law, a period of time which may vary according to the requirements for the various internal departments at CWT.These requirements are tied to financial reporting laws or to inquiries from clients on past travel activities.

Exceptional situations: : There are some situations, however, where the normal procedure will be impossible to follow, such as with groups, and ship and mining crews. In these cases, the information for the trip (including personal data) will not be given by the traveler, but by a third party. If the client provides personal data to us about a traveler, the client must ensure that it is entitled to disclose that data to us and that without us taking any further steps required by data protection/privacy laws, we may collect, use and disclose such information for the purposes described above. For example, the client should take reasonable steps to ensure the individual traveler concerned is aware of the various matters detailed in this CWT Data Protection/Privacy Policy as those matters relate to that individual, including our identity, how to contact us, the purposes of collection, our information disclosure practices, the individual's right to obtain access to the data and the consequences for the individual if the data is not provided.

Leisure travelers: In many instances our leisure operations also keep traveler profiles.

Travelers' rights

Generally, the traveler's principal rights are to:

  • amend his/her personal data, and upon written request to receive from CWT, within a reasonable amount of time, a copy of his/her Traveler Profile (for data held by third parties, please contact the third party); there may be a statutory fee or additional costs involved, if such Profiles have been archived;
  • know how his/her data is being processed, for what purpose and who is doing the processing;
  • choose whether or not to receive unsolicited services/direct marketing/information on other travel products and services;
  • revoke his/her consent or refuse to provide personal data.

Frequently Asked Questions:

What personal data is covered by the CWT Data Protection/Privacy Policy?

Personal data (see above) is defined as data, which relates to a living individual who can be identified from the data. If the personal data does not refer to or identify any traveler then, the data can be processed by CWT without the traveler's consent. For instance, if the management reports do not include any references to specific individuals, then the traveler's consent would not need to be obtained for CWT to reports to the Client. For examples of personal data which may be stored by CWT, please refer to the "Information that we store" section above.

Why is the travel agreement between CWT and the client not sufficient to protect the travelers' personal data?

The travel agreement is between the corporate client and CWT, not between the traveler and CWT. Data protection laws protect the rights of the individual traveler, and in processing the individual traveler's data, CWT has obligations under these laws which it has to fulfill itself and cannot pass onto the client.

What happens if CWT or the Client does not obtain the traveler's consent?

Practically speaking, it will be very difficult and in some countries even impossible for CWT to provide travel services to an individual traveler who refuses to allow CWT to process his/her travel data. Included in the data protection laws are harsh penalties for non-compliance; in some countries it is a criminal offense.

What obligations do CWT have in processing the data?

CWT must ensure, at the very least, that the personal data:

  • is processed fairly and lawfully,
  • is obtained only for specific and lawful purposes and shall not be further processed in any manner incompatible with these purposes,
  • is not excessive (in terms of the type of data requested) in relation to the purposes for which it is collected and further processed,
  • is accurate,
  • is kept secure and not held for longer than necessary.

Can CWT use the data to carry out its own analyses?

CWT may not use the data for promotion and marketing purposes by third parties unless the traveler gives his/her consent. CWT may, for instance, use the data to analyze the travel trends of its corporate clients in order to propose other CWT services to the clients, such as CWT Solutions Group services, without receiving the traveler's consent.

Notes

The following notes are to detail certain points and country specifics.

"Carlson Wagonlit Travel" refers to the group of companies of which the parent company is CWT B.V., a Dutch company, and its affiliates in over 40 countries around the world. CWT values the protection of personal data of all our travelers wherever they are based around the world.

Australia. We will use and disclose personal data for the primary purpose for which it was collected. We may also use and disclose personal data for purposes related or ancillary to the main reasons we collect it. Some examples of the way we use and disclose personal data are provided in this CWT Privacy/Data Protection Policy, for example, see under the heading "What we do with the personal data".

European Union. Under E.U. rules, personal data can flow from the 27 E.U. member states and three EEA countries (Norway, Lichtenstein and Iceland) to a list of designated third countries without any further safeguard being necessary. The E.U. has so far recognized Argentina, Canada, Guernsey, Isle of Man, Switzerland, U.S. Department of Commerce's Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Record to the U.S. Bureau of Customs and Border Protection and to the Australian Customs Service as providing adequate protection. See below for U.S. arrangement.

United States Safe Harbor.The E.U. has negotiated with the U.S. Department of Commerce certain principles and guidelines for the transfer of data. These Safe Harbor Principles guide U.S. entities in providing an adequate level of protection for personal data. The voluntary decision by a U.S. entity to enter the Safe Harbor means that the entity must comply with the Principles, publicly declare that it is doing so, and obtain certification from the U.S. Dept of Commerce. For more information on Safe Harbor, including a list of the seven Principles, please go to http://www.export.gov/safeharbor/ (click on "Safe Harbor Overview" to see the Principles). CWT's U.S. entities are certified as Safe Harbor (search for "Carlson Wagonlit Travel" on the Safe Harbor website at: https://www.export.gov/safehrbr/list.aspx) and have also entered into the EU standard contractual clauses for the transfer of personal data to processors established in third countries.

This policy is subject to change. The changes will be posted on this web site, so please be sure to check the site regularly.