DATA AND INFORMATION PRIVACY AND PROTECTION POLICY

THE NEXT STEP EVENTS, Inc. d/b/a Aviyant Corp

Introduction

This Policy applies to the collection, processing, use, disclosure and transfer of data and information about individuals by THE NEXT STEP EVENTS, Inc. , d/b/a Aviyant Corp ("Aviyant Corp"). As such and among other things, Aviyant Corp has elected to voluntarily participate in the European Union ("EU")-US Privacy Shield (the "Privacy Shield") and to certify its adherence to the Privacy Shield and its Principles, including the Supplemental Principles (collectively, the "Principles"). As such it has agreed to subject its compliance to the Privacy Shield and its Principles to the full breadth of current regulatory enforcement of the United States Department of Transportation and the United States Federal Trade Commission as well as any other statutory body empowered to enforce compliance with the Privacy Shield and its Principles. This includes the European Directive on Data Protection. Dir 95/45/EC and the Privacy and Electronic Directive Dir. 2002/58/EC.

Purpose

  1. As set forth above, various national and international laws and regulations protect the rights of individuals in connection with data relating to them. These rights include the right of a person to make sure that data about them is accurate, is processed fairly and lawfully, is kept secure and is only disclosed to others with their consent under agreed circumstances.

    The purpose of this Policy is to document Aviyant Corp' continuing commitment to ensuring that the aims of national and international laws and regulations on data protection, including but not limited to those set forth above, are respected and that the collection, processing, use and disclosure of data by Aviyant Corp is compliant with those laws and regulations.

  2. As a global travel management company, Aviyant Corp, among other things, receives data from within and outside the United States, including but not limited to the EU and delivers that data to its customers and other third parties in various formats; all at the request of and by agreement with its customers.

Scope of this Policy

  1. This Policy applies to Aviyant Corp' operations throughout the world. Where local laws and regulations which go beyond the scope of this Policy apply to the collection, processing, use and disclosure of data, then these may be included in an appendix to this Policy, which will specify the location to which it applies. In that location, the additional provisions of the relevant appendix will be observed along with all of the other provisions of the Policy.

Definitions

  1. "Personal Data" includes data that relates to a person and this person must be identifiable. The identification can be direct (for example, by reference to the person's name) or indirect (for example, by reference to a unique number that relates only to them).
  2. "Processing" of Personal Data means any operation or set of operations that is performed upon Personal Data, whether or not by automated means.
  3. "Controller" means a person or organization which, along or jointly with others, determines the purposes and means of the Processing of Personal Data.
  4. "Data Exporter" means the Controller who transfers Personal Data.
  5. "Data Importer" means the Controller or Processor who agrees to receive data from the Data Exporter for Processing.
  6. "Data Processor" means a person or organization that Processes Personal Data on behalf of a Controller.
  7. "Data Subject" means the individual whose Personal Data is being Processed.

Adherence to Primary Principles of Privacy Shield

  1. Notice, Choice and Accountability for Onward Transfer
    1. Aviyant Corp will inform its customers and business partners (e.g., vendors and other third parties) that it participates in the Privacy Shield. It will provide such notice in a variety of manners as may be appropriate, such as, language in its contracts with customers, clear notification on its website (/privacy-policy/), and a specific link to this policy that can be easily found.
    2. Aviyant Corp personal data may include, but is not limited to, information such as name, address, age, marital status, medical conditions, passport and visa information and corporate data.
    3. Aviyant Corp complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Aviyant Corp has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
    4. In compliance with the Privacy Shield Principles, Aviyant Corp commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Aviyant Corp at: dataprivacy@aviyantgroup.com. Aviyant Corp will respond within forty-five (45) calendar days of such request.

      Aviyant Corp has further committed to refer unresolved Privacy Shield complaints to the International Centre for Dispute Resolution/American Arbitration Association ("ICDR/AAA"), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit http://go.adr.org/privacyshield.html for more information or to file a complaint. The services of ICDR/AAA are provided at no cost to you.

    5. Aviyant Corp provides travel management services and reporting to corporate clients (typically, a Data Controller). In order to provide these services, Aviyant Corp requires Personal Data regarding persons authorized to travel for the client (the "Data Subjects") hereinafter referred to as the "Traveler" or "Travelers". This data may be collected from the Traveler, from the client, or from other sources such as travel agents. In order to complete travel arrangements requested by a Traveler, Aviyant Corp typically provides Personal Data to one of the global distribution systems or an internet booking engine. This data may include, but is not limited to, information such as name, address, age, marital status, medical conditions, passport and visa information and corporate data.

      Global distribution systems fulfill the travel arrangements requested through specific travel suppliers, such as airlines, hotels and rental car agencies. Aviyant Corp then confirms the completed travel arrangements and itinerary to the Traveler and the costs. Aviyant Corp does not exercise any control over the use of personal information transmitted using global distribution systems or other travel suppliers. As of the Effective Date, Aviyant Corp provides Traveler travel information to iJET/ISOS for travel risk management as well as to DataFlex for credit card reconciliation. Otherwise, travel arrangements are shared only with the client for whom the Traveler works.

    6. Rights of data subjects to obtain access to personal data
      1. Every Traveler about whom Aviyant Corp Processes Personal Data has a right to the following:
        1. to inquire whether or not Personal Data relating to him or her is being Processed by or on behalf of Aviyant Corp, a customer of Aviyant Corp and/or a Controller;
        2. if Personal Data relating to him or her is being Processed by or on behalf of Aviyant Corp, to be given the following information:
          1. a description of the Personal Data relating to him or her;
          2. the purposes for which that Personal Data is being or is to be Processed;
          3. the identity of any third parties to whom the data is or may be disclosed,
          4. and, in addition, the Traveler is entitled, upon written request, to be given a copy of the relevant data in an intelligible form.
      2. There may be restrictions on the amount of information that can be disclosed if such disclosure would necessarily involve disclosing information about another person or entity.
    7. In the event an individual desires to limit the use and disclosure of their personal data, including requests to "opt-out" Individuals have the right:
      1. to ask Aviyant Corp to correct or erase incorrect or incomplete Personal Data relating to them; Aviyant Corp will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current;
      2. Notwithstanding the above, as Aviyant Corp Processes Data that has been shared with the suppliers of travel (e.g. airline, car rental companies, hotels), it is not always reasonable for Aviyant Corp to permit individuals to correct, amend or delete this information; accordingly, unless the circumstances are truly extraordinary, it will not make changes based upon an individual's request, nor will Aviyant Corp permit an individual's access to such Data for that purpose;
      3. to ask Aviyant Corp to not or stop Processing Personal Data relating to them ("Opt Out"): In the event a Traveler Opt Out, they must also contact the customer of Aviyant Corp (the Traveler's employer). In the event that Aviyant Corp receives a similar request from an individual, it will notify its customer and seek instructions from that customer. As Aviyant Corp has a contractual duty to Process the individual's data for its customer, it does not have the authority to simply eliminate an individual's Personal Data from the data it processes. As such, Aviyant Corp must seek and take direction from its customer. Notwithstanding this duty of Aviyant Corp to its customers, an individual may submit an Opt Out request to support@aviyantgroup.com;
      4. to access their Personal Data by contacting their employer (the customer of Aviyant Corp) or by submitting a request to support@aviyantgroup.com. In the event Aviyant Corp receives an individual's request for access to his/her Personal Data, Aviyant Corp will notify its customer of that request.
      5. Aviyant Corp will respond to any inquiries directed to support@aviyantgroup.com within forty-five (45) calendar days of such request.
      6. Aviyant Corp understands that the notices referenced herein must be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to it. As set forth above, Aviyant Corp collects Personal Data at the request of its customers; as such, it will rely upon its customers to provide its Travelers with appropriate notice ("Notice") and to obtain any necessary consent ("Consent").
      7. Due to the nature of its contractual relationship with its customers and the services provided to them by Aviyant Corp, it will be difficult and in most instances, impossible for Aviyant Corp to provide individuals with Opt Out options. Individuals are therefore strongly encouraged to first request Opt Out with their employer (the customer of Aviyant Corp). Notwithstanding this, individuals may send their Opt Out request to Aviyant Corp as set forth above after which such request will be forwarded by Aviyant Corp to its customer.
    8. As a participant in the Privacy Shield, Aviyant Corp agrees to be subject to the investigatory and enforcement powers of the U.S. Department of Transportation ("DOT") and the U.S. Federal Trade Commission ("FTC"). Accordingly, Aviyant Corp may be required to disclose Personal Data to DOT or FTC or other applicable U.S. government agencies including the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
    9. Onward transfers to third parties:
      1. The Traveler's Personal Data, including Human Resources Data where applicable, may be transferred to third parties for the purpose of customer account management, customer program analytics consistent with customer agreements, travel and expense technology services, passenger name record enhancement, travel management risk services, detailed reporting of customer preferred suppliers and/or reconciliation of traveler booking data with credit card transactions. In each and every instance, Aviyant Corp shall be liable for the acts of such third parties.
      2. In order to facilitate travel arrangements, Aviyant Corp will be required to pass a Traveler's Personal Data to disclosed third parties including but not limited to operators of global distribution systems ("Third Parties"). Depending upon a Traveler's specific travel needs, this may potentially require transfers of Personal Data beyond the European Economic Area) to locations throughout the world.
      3. As set forth above, Aviyant Corp complies with the Privacy Shield and Principles regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. In accordance with the Privacy Shield, Aviyant Corp has self-certified its adherence to the Privacy Shield Principle, including sixteen binding supplemental principles, with the U.S. Department of Commerce. This policy supplements, but does not replace, all other policies, practices and/or procedures including, but not limited to applicable confidentiality or non-disclosure agreements. The implementation of this policy by Aviyant Corp shall be effective September 30, 2016 ("Effective Date"). Aviyant Corp recognizes that the Principles shall be applicable to it upon the Effective Date of the Certification. A copy of this policy can be found at: /privacy-policy/.
      4. Aviyant Corp has mechanisms in place to periodically monitor its compliance with the Principles.
      5. Transfers to Third Parties may also take place where any Aviyant Corp network offices or servers are located in a country outside the EU.
      6. By submitting their Personal Data to Aviyant Corp, the client of Aviyant Corp on behalf of its Travelers authorizes the use of the Traveler's Personal Data to complete their travel arrangements including any necessary transfers to Third Parties of their Personal Data as described herein and/or as may be required of Aviyant Corp by the Data Controller. Travelers can request that transfers not take place however Aviyant Corp may then not be able to deliver the specific travel arrangements.
      7. Where appropriate, Third Party transfer recipients will be expected to use such personal data in accordance with the provisions of this privacy policy, or in with their own privacy policies. Aviyant Corp will not transfer data to any third party that has not become certified, within the applicable certification timeframe, under the Privacy Shield, or with which Aviyant Corp does not have contractual agreements in place which provide at least the same level of protection as is required by the relevant Privacy Shield Principles. Aviyant Corp, however, cannot ensure that a Third Party recipient will abide by the provisions of this privacy policy, their own privacy policies or those of the Privacy Shield. In addition, United States or other government and law enforcement authorities may require access to a traveler's personal data under various laws, rules, regulations, or orders, as well as under various security screening protocols.
      8. Aviyant Corp will inform its customers and other Third Parties that it participates in the Privacy Shield including but not limited to appropriate language in its customer contracts and clear notification on its website as set forth above.
      9. In the event that Aviyant Corp is required to transfer Personal Data to a Third Party, it will comply with the Notice and Consent principles set forth herein. It will also enter into a binding written agreement with the Third Party recipient which shall provide that such data may only be processed for limited and specified purposes all consistent with the Traveler's Consent as set forth above and the contractual agreement between the Traveler and Aviyant Corp' customer. Such agreement with a Third Party will provide the same level of protection as set forth in the Principles. Such agreement shall further ensure that such Third Party takes reasonable and appropriate steps to ensure that it processes the Personal Data transferred to it in a manner consistent and appropriate with that organization's obligations under the Principles, as well as to, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing. Upon request, Aviyant Corp will provide a summary or a representative copy of the relevant privacy provisions of the relevant privacy provisions of its agreement with such Third Parties.
  2. Security
    1. Keeping Travelers' personal data secure is of paramount importance to Aviyant Corp. All Personal Data processed by or on behalf of Aviyant Corp is subject to stringent standards to make certain it is secure and that appropriate levels of confidentiality are maintained. Unauthorized persons are never allowed access to Personal Data. Hard copies of data are treated as confidential waste and shredded.
    2. Aviyant Corp will take reasonable steps and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction.
    3. Aviyant Corp will only process Personal Data for the limited purposes of providing and/or assisting in the provision of management reporting to its customers as required by virtue of its customer contracts as well as any customer contractually mandated transfers to Third Parties. It will not process Personal Data for any purpose inconsistent with these limited purposes.
    4. Aviyant Corp' clients may review such information as travel spend, bookings and compliance with its travel policy.
    5. Aviyant Corp will keep security measures under review and updated as new technology becomes available.
  3. Data Integrity and Purpose Limitation

    Aviyant Corp is committed to Processing Personal Data for which it is the Data Processor, the Data Controller and/or the Data Importer in accordance with the following principles:

    1. Processing personal data fairly and lawfully.
      1. Aviyant Corp collects information electronically, either directly from Aviyant Corp' client, from the global distribution system upon which a Traveler reservation is made and/or from the travel agency that has made the Traveler's reservation, The information a Traveler submits is needed to respond to requests for information, to complete travel transactions, to enhance travel arrangements and to ensure that a Traveler's arrangements are in compliance with any existing travel policy of the client (their employer).
      2. Personal Data is only collected by Aviyant Corp where the Traveler gives this so that Aviyant Corp can fulfill any special travel needs. This data is not shared with a third party without the Traveler's consent ("Consent") and/or the Consent of Aviyant Corp' client on behalf of the Traveler. Aviyant Corp client has the obligation to obtain the consent of its employee, the Traveler.
    2. Ensuring Personal Data of a Traveler is only processed for purposes specific to Aviyant Corp' client before the processing takes place and which are lawful.
      1. Aviyant Corp will only disclose Personal Data to Third Parties for purposes specified in this policy.
      2. Aviyant Corp may sometimes be required or permitted to disclose Personal Data in order to comply with any legal obligation to which it is subject.
      3. Aviyant Corp will take all appropriate steps to ensure processing of Personal Data will be carried out in accordance with all applicable legislation and/or regulation.
      4. Any Aviyant Corp employee who uses Personal Data improperly will be subject to disciplinary action.
    3. Ensuring Personal Data is adequate and relevant the purposes for which the data is Processed.

      The Personal Data collected by Aviyant Corp relates solely to those items of information necessary in order to facilitate the range of a Traveler's potentially different travel requirements. Only the information reasonably required to facilitate travel arrangements is shared among Aviyant Corp, its affiliates, travel suppliers and Global distributions systems or booking engines used within the travel industry and only with Consent from the Client.

    4. Keeping personal data accurate; complete; and up to date.

      Aviyant Corp has automated processes and oversight to update our data repositories containing the Personal Data provided by Aviyant Corp' client in order to maintain such Data in an accurate, complete and up to date manner.

  4. Adherence to Supplemental Principles

    Many of the Supplemental Principals are extensively treated above. To the extent they have not been treated and are relevant to the role of Aviyant Corp as a travel management services provider, the following policies are applicable:

    1. The Role of Data Protection Authorities

      Aviyant Corp has set forth above the details of its adherence to the Principles, including the provision of recourse for individuals whose Personal Data is the subject of Processing by Aviyant Corp as well as mechanisms by which individuals may follow-up upon Aviyant Corp' adherence to the Privacy Shield. In the event a Data Protection Authority ("DPA") commences an investigation regarding Aviyant Corp' adherence to the Privacy Shield, Aviyant Corp will cooperate with such investigation. Moreover, Aviyant Corp will comply with advice given by a DPA or DPA panel where the finder of fact indicates that Aviyant Corp must take specific action to comply with the Principles, including corrective actions or compensatory measures for the benefit of individuals affected by non-compliance.

    2. Verification

      Aviyant Corp will self-verify its statements relating to its adherence to the Privacy Shield and its Principles. As such and in addition to the representations set forth in this policy, Aviyant Corp represents:

      1. This policy is accurate, comprehensive and implemented as of September 30, 2016.
      2. This policy will be prominently displayed at /privacy-policy/. Additionally, copies of this policy may be obtained by submitting a written request to IT@aviyantgroup.com.
      3. This policy conforms to the Privacy Shield and all of its Principles, including the Supplemental Principles.
      4. Individuals may obtain information regarding the filing of complaints as set forth in this policy. Additional information for European businesses and individuals in Europe may be found at: www.privacyshield.gov.
    3. Human Resources Data

      1. Aviyant Corp may require access to human resources-like data as a necessary component of the travel management services provided to its customers. Further, Aviyant Corp may obtain human resource data related to its own employees in the EU for typically employment related matters. To the extent either occur, such transfers enjoy the benefits of the Privacy Shield and this policy.
      2. Aviyant Corp commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.
    4. Obligatory Contracts for Onward Transfers

      In connection with travel management services provided by Aviyant Corp to its customers, all data received from such customers is subject to an agreement between Aviyant Corp and its customer, which agreement specifically sets forth the actions to be taken by Aviyant Corp with respect to such data on behalf of the customer.

Conclusion

Aviyant Corp is committed to ensuring that its customers' and their Travelers' Personal Data is handled confidentially, privately and appropriately. Aviyant Corp has, therefore, voluntarily elected to participate in the Privacy Shield and to be subject to the compliance and enforcement powers of the DOT, FTC and other U.S. governmental authorities. Information about Aviyant Corp' commitment to and compliance with the Privacy Shield may be obtained by submitting a written request to IT@aviyantgroup.com.