ETS Business Travel has affiliate travel agency operations in many countries around the world. ETS Business Travel's focus is to provide business travel services to the employees of businesses with whom ETS signs a corporate travel services agreement. In doing so, ETS receives individual data from the employees.

Why the laws apply to us and why ETS needs to obtain the consent of the traveller:

Data protection laws apply to the information received by ETS Business Travel because that data can be used to identify an individual person.

The purpose of data protection is to protect an individual's rights by keeping personal data secure and by regulating its processing, so that it may be used only for the purpose for which it was given/collected. ETS Business Travel is using the Data Protection Statement (see below) to request the consent of the traveller. For examples of such laws, please see the following web sites
http://europa.eu.int (for the European Directive on Data Protection - English version),
http://privacy.gov.au/act/index.html (for Australian privacy laws),
http://www.privcom.gc.ca/legislation/index_e.asp (for Canadian privacy laws).

Information that we store:

The travel data that we store may include: name, address, email address, credit card references/number, travel destinations, travel schedules, seating preferences, smoking or non-smoking accommodations, meal preferences and reservation information, as well as passport details and next of kin information.

When servicing a given corporate client, ETS Business Travel creates a "Traveller Profile" with travel data for each traveller, which is kept on file as a reference document and consulted each time a reservation is to be made. When a reservation is made, ETS Business Travel creates a "passenger name record" (PNR), which contains all of the information needed to fulfil the travel request of each traveller.

Based on the travel expenses incurred by travellers of each corporate client, ETS Business Travel produces reports that summarise and analyse the travel trends of that client.

What we do with the information:

In addition to creating Traveller Profiles and PNRs, ETS Business Travel uses the travel data with the consent of the traveller for the following travel and other travel-related purposes.

Reservations: ETS Business Travel may need to transfer travel data to various third party travel suppliers and computer reservation systems for the purposes of making reservations within the traveller's home country or to another ETS Buinsess Travel agency in another country where the traveller may be travelling.

Consolidation of Travel Data: At the request of the corporate client (the traveller's employer), ETS Business Travel or a third party prepares information reports that summarise and analyse the travel expenditures per destination, per travel supplier, etc.

Compliance with Travel Policy: Also at the request of the corporate client, ETS Business Travel may report on the compliance of the travellers with the travel policy of the client and identify any exceptions to the compliance.

Collecting Travel Payments: ETS Business Travel may transfer travel data to third parties in the traveller's home country or in another country for the purpose of collecting payments related to travel reservations.

ETS Business Travel Databases: In order to constantly improve the servicing of our clients around the world, the travel data is handled out of certain locations accessible by our travel agents around the world.

New products and Services: Also with the goal of improving service and based on the data given to ETS Business Travel, we may send additional information to the traveller if it applies to his/her trip. An example would be a list of restaurants near a specific hotel, in a specific city.

ETS Business Travel as a Data Controller or a Data Processor:

ETS Business Travel proposes two options:

1. ETS Business Travel is Data Controller: ETS needs to collect the consent of each traveller (Data Protection Statement).
2. Client is Data Controller: ETS is data processor while the Client manages the traveller consent process internally.

Measures we are taking:

Data Protection Statement: ETS has established a Data Protection Statement to ensure consent to various uses of travel data given to ETS. The statements are signed by the traveller either in paper form or in electronic form, as determined with the client.

Transfer to Third Parties: Prior to a transfer, third parties (except for travel suppliers such as the airlines, computer reservation systems, hotels, etc.) may be required to sign a transfer agreement with ETS, which requires them to follow the applicable data protection laws. This will ensure that even if the laws governing the third party are less strict than our standards, the level of protection that the traveller's data receives will be consistent. For instance, data consolidators are required to sign an agreement. Even subsidiaries of ETS in countries with data protection laws that are considered less strict also sign a transfer agreement.

Security: Pursuant to the various data protection laws, ETS is implementing appropriate technical and organisational measures to protect the personal travel data, obtained from our clients' travellers, against accidental or unlawful disclosure or destruction. The measures are being determined for each department, according to their handling of the travel data.

Destruction: Under many data protection laws, personal data must be destroyed after a certain period of time. ETS keeps travel data only as long as required by law, a period of time which may vary according to the requirements for the various internal departments.

Our policy may be subject to additional requirements in compliance with local legislation in certain countries. (Please see below, under "Notes")

Infrequent travellers:

Most infrequent travellers (those travellers who make three or less trips a year), or "one-offs," will fit into the global procedure we have outlined in this policy. One-offs such as consultants for our larger clients will fill out a Traveller Profile and make reservations in the same way as our frequent travellers. There are some situations, however, where the normal procedure will be impossible to follow, such as with groups, and ship and mining crews. In these cases, the information for the one-off trip (including personal data) will not be given by the traveller, but by a third party. If the client provides personal data to us about a traveller, they must ensure that they are entitled to disclose that data to us and that, without us taking any further steps required by privacy/data protection laws, we may collect, use and disclose such information for the purposes described above. For example, the client should take reasonable steps to ensure the individual traveller concerned is aware of the various matters detailed in this ETS Privacy / Data Protection Policy as those matters relate to that individual, including our identity, how to contact us, our purposes of collection, our information disclosure practices, the individual's right to obtain access to the data and the consequences for the individual if the data is not provided.

We will also send a letter to our clients informing them of their responsibilities as a third party providing us with the personal data of an individual traveller.

Itineraries:

In order to fulfil our responsibility to inform the individual traveller of our Data Protection obligations, we intend to include the following text at the end of each itinerary:

"All information provided by you, or by any other party such as your employer, to ETS Business Travel will be used by ETS, its related companies and other travel service providers requiring this information, in order to make and process your requested travel arrangements. This includes but is not limited to, airlines, car rental companies and hotels in this country or abroad. If such information is not made available to ETS, we may not be able to make reservations for you. The information contained on this itinerary and issued tickets, is representative of the type of information held and used by ETS. For further information on what other details are held or to amend any data please refer to your local ETS contact. . The cost of giving access to this information may be passed on to you".

Travellers' rights:

The traveller's principal rights are to:

1. amend his/her personal data, and upon written request and payment of a statutory fee or if none, a reasonable fee, to receive from ETS, within a reasonable amount of time, a copy of his/her Traveller Profile (see contacts at the bottom of this Policy) (for data held by third parties, please contact the third party)
2. know how his/her data is being processed, for what purpose and who is doing the processing
3. choose whether or not to receive unsolicited services/direct marketing/information on other travel products and services
4. revoke consent to the DPS (upon written request) or refuse to provide information.

Please note that if a traveller chooses not to sign, or to revoke consent to, the Data Protection Statement, ETS cannot accept his/her travel data and cannot service the traveller. If this is the case, we encourage the traveller to contact his/her employer.

Frequently Asked Questions:

What data is covered by data protection laws? Personal data- or travel data is defined as data, which relates to a living individual who can be identified from the data. If the traveller data does not refer to or identify any individual employee then, the data can be processed by ETS without the traveller's consent. For instance, if the management reports do not include any references to specific individuals, then ETS would not have to obtain the traveller's consent to the delivery of reports to the traveller's employer.

Why is the travel agreement between ETS and the client not sufficient to protect the travellers' data? The travel agreement is between the corporate client (employer of the traveller) and CWT, and not between the traveller and ETS. Data protection laws protect the rights of the individual traveller, and in processing the individual traveller's data, ETS has obligations under these laws which it has to fulfil itself and cannot pass onto the client.

What happens if ETS does not obtain the traveller's consent, and is therefore not in compliance with the data protection laws? Practically speaking, it will be very difficult for ETS to provide travel services to an individual traveller who refuses to allow ETS to process his/her travel data. Included in the data protection laws are harsh penalties for non-compliance; in some countries it is a criminal offence.

What obligations do we have in processing the data within ETS? ETS must ensure, at the very least, that the personal data:

* is processed fairly and lawfully
* is obtained only for specific and lawful purposes and shall not be further processed in any manner incompatible with these purposes
* is not excessive (in terms of the type of data requested) in relation to the purposes for which it is collected and further processed
* is accurate
* is kept secure and not held for longer than necessary

Can ETS use the data to carry out its own analyses? ETS may not use the data for promotion and marketing purposes by third parties unless the traveller gives his/her consent. ETS may, for instance, use the data to analyse the travel trends of its corporate clients in order to propose other ETS services to the clients.

Contacts:

For any questions concerning your personal travel data, please contact the ETS Business Travel Head Office. 118 South Ealing Rd, Ealing, London, W5 4QJ. 0870 755 0392.