About our Privacy Policy
At Corporate Travel Management, your personal privacy is very important to us, and so is being transparent about how we collect, use, and share the information we hold about you. This policy is intended to help you clearly understand:
• Information we collect about you
• How we use information we collect about you
• How we share information we collect about you
• How we store and secure information we collect
• How we transfer information we collect internationally
• How to access and control your personal data
• Compliance with this Policy and data protection laws
• Approval
1. Overview
1.1 – This Policy describes how Corporate Travel Management may collect, use, share and otherwise process personal information collected (as controller of personal data), from a User to whom we provide Services.
1.2 – CTM offers a wide range of products and services, including travel booking services (both corporate and leisure), event management and group travel services, as well as technology products and applications such as online booking systems, customer portals, APIs and mobile applications. We refer to all these products and services, together with social media and other websites operated by us as “Services” for the purposes of this Policy.
1.3 – CTM’s privacy practices vary amongst regions in which we operate to reflect regional legal requirements. CTM complies with applicable data protection laws in the jurisdictions in which it operates in its handling of personal data. If you are based in a territory which is subject to the EU/UK GDPR, please see the UK/EU addendum at the end of this Policy. If you are based in Switzerland, please see the CH Addendum at the end of this Policy. If you are based in the State of California, please see the California addendum at the end of this Policy.
1.4 – “CTM”, “we” and “us” refers to Corporate Travel Management Limited, and any of its subsidiary or affiliated companies.
1.5 – “User”, “you” and “your” refers to a user of our Services, including CTM’s clients, their employees, contractors or other travelers nominated by CTM’s clients.
2. Purpose and scope
2.1 – This Policy applies to CTM’s Services, whether online or offline. The purpose of this Policy is to clearly describe:
- What information or data we collect about a User
- How we use the information we collect from a User
- How we share information we collect from a User
- How we store and secure the information we collect from a User
- How a User can access and control the information we hold on a User
2.2 – As a User, you understand and agree that we collect, use, store, and disclose your personal data for the purposes of performance of a contract in accordance with this Policy.
3. CTM’s commitment
3.1 – CTM is committed to respecting your privacy through appropriate protection and management of your personal information.
4. Information we collect about you
4.1 – In the course of providing Services, CTM may collect, use, store, and disclose personal data (any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion) about you.
4.2 – You may be asked to provide certain information when you use our Services, such as:
- your name and contact details, including residential or business address, telephone number and email;
- date of birth;
- travel and identity documentation including passport, frequent flyer details, driver’s license and other similar information including traveler preferences;
- traveler arranger and emergency contact names and information;
- payment data (corporate/personal credit cards) and bank information;
- company details (if applicable);
- login credentials, user IDs, employee IDs, IP addresses, device and connection information and other browsing information;
- cookies data (with your consent, where cookies are non-essential).
4.3 – If you submit any personal data relating to another individual in connection with the Services (e.g. as a travel manager making a reservation for another individual), you represent and warrant that you have the authority to do so, have received consent from the individual and that you have informed the individual and the individual accepts CTM’s use of the individual’s personal data in accordance with this Policy.
5. How we use information we collect about you
5.1 – CTM’s use of information we collect depends in part on which Services you use, how you use them, and any preferences communicated to us for the performance of contract. For example:
- to provide the Services including personalisation of your experience, including but not limited to booking and management of travel bookings, authentication and verification for safety and security purposes, providing peripheral services such as visa assistance and travel insurance, providing travel technology solutions and tailored features by analysing your activities to provide search results, notifications, and provide recommendations among others;
- to communicate with you about the Services and provide support, and in addition we may direct market to you or your business where permitted under applicable laws, by text, phone, post, and/or email;
- to promote and drive engagement with the Services including aggregated statistics for account analysis and business forecasting purposes, including communications aimed at driving engagement and maximising what you get out of the Services; and
- reporting on corporate client’s travel policy compliance and travel expenses;
- management of corporate client’s travel spend and budget analysis;
- quality assurance and training purposes;
- protect our legitimate business interests and legal rights where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, including information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
6. How we share information we collect about you
6.1 – In connection with the Services, we may share your personal information to third parties listed below:
- your employer or travel sponsor, with whom we have service agreements. We may share your information with them to allow them to manage their travel needs, meet their duty of care requirements, and assure compliance with their policies. At the request of your employer or travel sponsor, we may also share your information with their third-party service providers;
- third party service providers including travel providers such as airlines, hotels, rail providers, car rental providers, tour operators and event management companies, Global Distribution Systems (GDS) that provide inventory and reservation services to travel agencies;
- third party technology providers for website and application development, hosting, maintenance, backup, storage, infrastructure, payment processing, analysis and other services for us, which may require them to access or use information about you;
- subcontractors of CTM to provide support services to Such subcontractors may access your personal data but only for, on behalf of, and under the instructions of CTM, and are required to adhere to relevant CTM policies, procedures and processes and to comply with applicable data privacy laws;
- safety and security service providers;
- our third-party advisors, legal and compliance advisors, competent authorities, and auditors; and
- card payment companies.
6.2 – In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, to enforce our legal right and to protect the security or integrity of our Services or respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
7. How we store and secure information we collect
7.1 – CTM takes reasonable and appropriate measures to ensure and safeguard the confidentiality, integrity, and availability of data, including Personally Identifiable Information (PII). CTM’s information security controls are based on the security controls and practices specified within ISO/IEC 27001.
7.2 – We conduct regular reviews of our data collection, storage, processing, and security measures to verify we are only collecting, storing, and processing personal data that is required to fulfill our contractual obligations to provide Services. While we make reasonable efforts to protect the integrity and security of our network and systems, we cannot guarantee that our security measures will prevent illegal or unauthorised activity related to your personal data.
7.3 – Given CTM’s global operations, we use several locations across the globe for our data storage needs, based on legal and contractual requirements, including data residency.
7.4 – CTM stores PII on servers with ISO/IEC certified cloud service providers (mainly in the European Economic Area, United States, Australia and Singapore).
7.5 – For personal information collected in the People’s Republic of China (PRC), resident data is stored in the PRC.
8. Retention of personal data
8.1 – CTM will retain your personal data for a period not exceeding that required for the purposes for which they were collected to provide Services and comply with legal obligations such as financial reporting and within limits prescribed by applicable regulations, and to preserve evidence for the management of disputes, claims or litigation.
9. How we transfer information we collect internationally
9.1 – CTM collects information globally, and depending on the Services offered, we may not always store that information within your country of residence. We may transfer, process and store your information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing the Services, including to countries that may not provide the same level of data protection as your home country.
9.2 – For intra-group transfers, CTM has in place an intra-group data sharing agreement, including EU Standard Contractual Clauses and UK Addendum. In relation to any group transfers to Corporate Travel Management North America, Inc. (CTM NA), we comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CTM NA has certified to the U.S. Department of Commerce that it adheres to the same. To view the U.S. Data Privacy Framework notice, please see the U.S. Data Privacy Framework addendum at the end of this Policy.
9.3 – We will transfer your personal data in compliance with applicable data protection laws, including having adequate mechanisms in place to protect your personal data (e.g. DPF, Standard Contractual Clauses and appropriate approved Addendums within data protection agreements).
10. How to access and control your personal data
10.1 – To the extent required by applicable law, you have the ability to exercise various rights with regard to your personal data (e.g. access, correction, restriction, deletion, portability). However, if you choose not to provide certain details, your experience with some or all of our Services may be affected.
10.2 – We will handle such requests in accordance with applicable law, including in the time specified by applicable law, and where permitted by applicable law, may charge a reasonable administrative fee to cover the costs of responding to any such request. Where processing is based on consent, you have the right to withdraw consent at any time (where permitted by applicable law), without affecting the lawfulness of processing based on your consent before your withdrawal.
10.3 – If you wish to exercise any of your rights as described in this Policy, please contact your account manager or consultant in the first Otherwise, please contact us at our Global Enquiries address below, or, if you are a resident of the UK or European Economic Area, please contact our UK/EU Enquiries Contact below. If you are a Swiss resident, please contact our Swiss Contact according to the CH Addendum at the end of this Policy.
10.4 – We will respond to any enquiries or complaints received as soon as practicable and in any case within the timeframe required under applicable data protection laws.
How to contact us
If you have any enquiries, comments or complaints about this privacy policy or our handling of your personal information, please contact your account manager or consultant, or contact us at our Global Enquiries address, or, if you are a resident of the European Economic Area, please contact our EU Representative.
Global Enquiries Contact:
Corporate Travel Management Limited
Level 9, 180 Ann Street,
Brisbane QLD 4000 Australia
Email: privacy@travelctm.com
European Enquiries Contact:
UK
The Data Protection Officer
Corporate Travel Management (United Kingdom) Ltd
Rex Building
62 Queen Street London
EC4R 1EB
Email: EU.DPO@travelctm.com
EU
Corporate Travel Management (France) SAS
50 rue du faubourg Saint Antoine, Paris, 75012
Email: EU.DPO@travelctm.com
Switzerland
Corporate Travel Management (Switzerland) GmbH
Bahnhofstrasse 9 CH-6340 Baar
Email: EU.DPO@travelctm.com
11. Compliance with this Policy and data protection laws
11.1 – CTM is committed to complying with both this Policy and applicable data protection and privacy laws including but not limited to:
- The European General Data Protection Regulation (GDPR);
- The UK Data Protection Act 2018 (UK DPA);
- The UK General Data Protection Regulation (UK GDPR);
- The Privacy and Electronic Communications Regulations 2003;
- The California Consumer Privacy Act (CCPA);
- The Brazilian Law for the Protection of Personal Data (LGPD);
- The Australian Privacy Act;
- The New Zealand Privacy Act;
- The Singaporean Personal Data Protection Act;
- The Chinese Cybersecurity Law (CSL);
- The Chinese Data Security Law (DSL);
- The Chinese Personal Information Protection Law (PIPL);
- Hong Kong Personal Data (Privacy) Ordinance;
- Taiwan Personal Data (Privacy) Ordinance;
- Japan Act on the Protection of Personal Information;
- Swiss Data Protection Act (Swiss DPA).
12. Approval
12.1 – This Policy has been approved by the CTM Board of Directors.
UK / EU Addendum
13. Purpose and scope
13.1 – If you are an individual based in the UK or EU, this UK/EU Addendum (UK/EU Addendum) applies and supplements the information contained in this
13.2 – We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK GDPR. We are also subject to the EU GDPR in relation to goods and services we offer to individuals and our wider operations in the EU.
13.3 – Corporate Travel Management Limited is our group parent company, incorporated in Australia. Our UK operating companies are Corporate Travel Management (United Kingdom) Limited (02229894), Corporate Travel Management (North) Limited (00488182), Portal Travel Limited (06791378) and Statesman Travel Service Limited (01480303). Our EU and EEA operating companies are Corporate Travel Management (France) SAS, Corporate Travel Management (Germany) GmbH, Corporate Travel Management (Netherlands) BV, Corporate Travel Management (Sweden) AB, Corporate Travel Management (Norway) AS and Corporate Travel Management (Poland) Sp. z.o.o.
14. How and why we use your personal data
14.1 – Under data protection law, we can only use your personal data if we have a proper reason (also known as a lawful basis). These are usually:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you (or your company) or to take steps at your request before entering into a contract;
- for our legitimate interests or those of a third party; or
- to protect your vital interests.
14.2 – Where we process sensitive or special category personal data (such as any data which includes health information or reveals your race or ethnic origin, such as passport or identification documents), we are also required to ensure we have the right to do so, which usually involves where:
- we have your explicit consent;
- the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- the processing is necessary to establish, exercise or defend legal
15. Marketing
15.1 – We may use your personal data to send you updates (by email, text message, telephone or post) about our services, including exclusive offers, promotions or new products and services.
15.2 – We have a legitimate interest in using your personal data for marketing purposes (see ‘How and why we use your personal data’ above). This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.
15.3 – You do, however, have the right to opt out of receiving marketing communications at any time by:
- contacting us at DPO@travelctm.com; and/or
- using the ‘unsubscribe’ link in emails or ‘STOP’ in our messages, as applicable.
15.4 – We may ask you to confirm or update your marketing preferences if you ask us to provide further products and services in the future, or if there are changes in the law, regulation, or the structure of our business.
15.5 – We will always treat your personal data with the utmost respect and never sell it with other organisations outside the CTM group for marketing purposes.
16. Data sharing – additional information
16.1 – We or the third parties mentioned above occasionally also share personal data with:
- our external auditors, e.g. in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations;
- our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
- law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;
- other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.
17. How long your personal data will be kept
17.1 – We will not keep your personal data for longer than we need it for the purpose for which it is Different retention periods apply for different types of personal data. Following the end of the relevant retention period, we will delete or anonymise your personal data. We abide by internal retention and disposal guidelines. If you have any queries, please contact us using the details set out above.
18. Transferring your personal data out of the UK and EEA
18.1 – It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.
18.2 – We will transfer your personal data to:
- members of the CTM group located outside the UK/EEA; and
- our service providers located outside the UK/EEA.
18.3 – We will also transfer your personal data between the UK and EEA.
18.4 – Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:
- the UK government has decided the particular country ensures an adequate level of protection of personal data;
- in the case of transfers subject to EU data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
- a specific exception applies under relevant data protection law.
18.5 – In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK/EEA unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this Policy.
19. Your rights
19.1 – You have the following rights, which you can generally exercise free of charge:
Access | The right to be provided with a copy of your personal data |
Rectification | The right to require us to correct any mistakes in your personal data |
Erasure (also known as the right to be forgotten) | The right to require us to delete your personal data—in certain situations |
Restriction of processing | The right to require us to restrict processing of your personal data in certain circumstances, e.g. if you contest the accuracy of the data |
Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations |
To object | The right to object: |
Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
The right to withdraw consent | If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time. Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn. |
19.2 – If you would like to exercise any of those rights, please email our UK/EU contacts listed above with details of which right you would like to Please note that we reserve the right to ask for identification, for security and verification purposes, before dealing with a request.
20. Cookies
20.1 – We use cookies and similar technologies to optimise your experience. You can reject non-essential cookies using our consent management platform, and you are able to amend your settings at any time. To find out more about our use of cookies and similar technologies, please see our Cookie Policy.
21. How to contact us and/or complain
21.1 – Please contact our UK/EU contacts listed above if you have any queries or concerns about our use of your personal data. We hope we will be able to resolve any issues you may have.
21.2 – You may also have the right to lodge a complaint with the Information Commissioner (the UK data protection regulator) and/or the relevant supervisory authority in your jurisdiction (for full details of all supervisory authorities across the EU, please see here). Please contact us if you would like further information on how to exercise your rights.
Switzerland Addendum (CH ADDENDUM)
22. Purpose and scope
22.1 – If you are an individual based in Switzerland, this Switzerland Addendum (CH Addendum) applies and supplements the information contained in this
22.2 – We collect, use and are responsible for certain personal data about you. When we do so we are subject to the Swiss DPA. We are also subject to the EU GDPR in relation to goods and services we offer to individuals and our wider operations in the EU.
22.3 – Corporate Travel Management Limited is our group parent company, incorporated in Australia. Our UK operating companies are Corporate Travel Management (United Kingdom) Limited (02229894), Corporate Travel Management (North) Limited (00488182), Portal Travel Limited (06791378) and Statesman Travel Service Limited (01480303). Our EU and EEA operating companies are Corporate Travel Management (France) SAS, Corporate Travel Management (Germany) GmbH, Corporate Travel Management (Netherlands) BV, Corporate Travel Management (Sweden) AB, Corporate Travel Management (Norway) AS and Corporate Travel Management (Poland) Sp. z.o.o.
22.4 – Our operating company in Switzerland is Corporate Travel Management (Switzerland) GmbH.
22.5 – Corporate Travel Management (Switzerland) GmbH, Bahnhofstrasse 9, CH-6340 Baar (the «company») is the controller for the Corporate Travel Management Limited’s processing under this CH Addendum, unless we tell you otherwise in an individual case, for example in additional privacy notices, on a form or in a contract. However, unless we tell you otherwise, this CH Addendum also applies where a group company of the Corporate Travel Management group is the controller, instead of Corporate Travel Management (Switzerland) GmbH. This applies, in particular, where your data is processed by a group company in connection with its own legal obligations or contracts or where you share data with such a group In these cases, this group company is the controller and only if it shares your data with other group companies for their own processing, will these other group companies also become controllers.
22.6 – You may contact us for data protection concerns and to exercise your rights in Switzerland as follows:
Corporate Travel Management (Switzerland) GmbH
Bahnhofstrasse 9
CH-6340 Baar
EU.DPO@travelctm.com
23. How and why we use your personal data
23.1 – Under data protection law, we can only use your personal data if we have a proper reason (also known as a lawful basis). These are usually:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you (or your company) or to take steps at your request before entering into a contract;
- for our legitimate interests or those of a third party; or
- to protect your vital interests.
23.2 – Where we process sensitive or special category personal data (such as any data which includes health information or reveals your race or ethnic origin, such as passport or identification documents), we are also required to ensure we have the right to do so, which usually involves where:
- we have your explicit consent;
- the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
- the processing is necessary to establish, exercise or defend legal claims.
24. Marketing
24.1 – We may use your personal data to send you updates (by email, text message, telephone or post) about our services, including exclusive offers, promotions or new products and services.
24.2 – We have a legitimate interest in using your personal data for marketing purposes. This means we do not usually need your consent to send you marketing If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.
24.3 – You do, however, have the right to opt out of receiving marketing communications at any time by:
- contacting us at DPO@travelctm.com; and/or
- using the ‘unsubscribe’ link in emails or ‘STOP’ in our messages, as applicable.
24.4 – We may ask you to confirm or update your marketing preferences if you ask us to provide further products and services in the future, or if there are changes in the law, regulation, or the structure of our business.
24.5 – We will always treat your personal data with the utmost respect and never sell it with other organisations outside the CTM group for marketing purposes.
25. Data sharing – additional information
25.1 – We or the third parties mentioned above occasionally also share personal data with:
- our external auditors, e.g. in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations;
- our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
- law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;
- other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.
26. How long your personal data will be kept
26.1 – We will not keep your personal data for longer than we need it for the purpose for which it is Different retention periods apply for different types of personal data. Following the end of the relevant retention period, we will delete or anonymise your personal data. We abide by internal retention and disposal guidelines. If you have any queries, please contact us using the details set out above.
27. Transferring your personal data out of Switzerland
27.1 – As explained above, we disclose data to other parties. These are not all located in Switzerland. Your data may therefore be processed in Europe, in the UK, in the United States, in Hong Kong and in Australia. In addition, your personal information may be disclosed to our overseas travel service providers in connection with facilitation of your travel booking, whereby such providers could be located in any country in the The location of a travel service provider relevant to your personal information will depend on the travel services being provided.
27.2 – If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission’s standard contractual clauses, which can be accessed here) unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.
28. Your rights
28.1 – You have the following rights, which you can generally exercise free of charge:
Access | The right to be provided with a copy of your personal data |
Rectification | The right to require us to correct any mistakes in your personal data |
Erasure (also known as the right to be forgotten) | The right to require us to delete your personal data—in certain situations |
Restriction of processing | The right to require us to restrict processing of your personal data in certain circumstances, e.g. if you contest the accuracy of the data |
Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations |
To object | The right to object: |
The right to withdraw consent | If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time. Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn. |
28.2 – If you would like to exercise any of those rights, please email our CH contacts listed above with details of which right you would like to exercise. Please note that we reserve the right to ask for identification, for security and verification purposes, before dealing with a request.
29. Cookies
29.1 – We use cookies and similar technologies to optimise your You can reject non-essential cookies using our consent management platform, and you are able to amend your settings at any time. To find out more about our use of cookies and similar technologies, please see our Cookie Policy.
29.2 – Most web browsers allow some control of most cookies through the browser settings. You can block cookies from any website through your browser settings. To find out more about cookies in general, including how to see what cookies have been set, visit aboutcookies.org or www.allaboutcookies.org.
29.3 – Find out how to manage cookies on popular browsers:
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Microsoft Internet Explorer
- Opera
- Apple Safari
30. Social Media
30.1 – We may operate pages and other online presences («fan pages», «channels», «profiles», etc.) on social networks and other platforms operated by third parties and collect the data about you. We receive this data from you and from the platforms when you interact with us through our online presence (for example when you communicate with us, comment on our content or visit our online presence). At the same time, the platforms analyse your use of our online presences and combine this data with other data they have about you (for example about your behaviour and preferences). They also process this data for their own purposes, in particular for marketing and market research purposes (for example to personalize advertising) and to manage their platforms (for example what content they show you) and, to that end, they act as separate controllers.
31. How to contact us and/or complain
31.1 – Please contact our CH contact listed above if you have any queries or concerns about our use of your personal data. We hope we will be able to resolve any issues you may have.
31.2 – You may also have the right to lodge a complaint with the Swiss supervisory authority (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB) and/or the relevant supervisory authority in your jurisdiction (for full details of all supervisory authorities across the EU, please see here). You can reach the Swiss supervisory authority here.
31.3 – Please contact us if you would like further information on how to exercise your rights.
California Addendum
32. Purpose and scope
32.1 – This California Privacy Policy Addendum (California Addendum) supplements the information contained in this Policy and applies solely to consumers who are residents of the State of California (consumers or you). We adopt this notice to comply with California privacy Terms used in this California Addendum, such as personal information, consumers, and service providers, have the same meaning as they are defined in applicable California privacy law.
33. Information We Collect and How We Use It
33.1 – In the course of providing our services, we may collect, use, store, and/or disclose personal information about you, some of which might be considered sensitive personal information under California privacy law.
33.2 – The chart below identifies the categories of personal information we may collect.
Category | Examples |
Identifiers | Full name, passport, driver’s license number, date of birth, login credentials, User IDs |
Personal information | Contact details (including residential or business address, telephone number, email), payment data (corporate/personal credit cards) |
Characteristics of protected classes | Age (40 years or older), race, citizenship, medical condition, physical or mental disability, sex |
Commercial information | Frequent flyer details, bank information, traveler preferences |
Internet/electronic activity information | IP addresses, device and connection information, other browsing information, cookie data |
Geolocation data | Physical location or movements |
Professional or employment-related information | Company details, employee IDs |
33.3 – For more details about the information we may collect, see Section 4 ‘Information We Collect About You’ in this Policy. For more details about how we use information we collect about you, see Section 5 ‘How We Use Information We Collect About You’ in this Policy.
34. CTM Does Not Sell or Share Under California Law
34.1 – In the preceding twelve (12) months, we have not “sold” or “shared”, as those terms are defined by California privacy law, any personal information.
35. How We Use or Share Sensitive Personal Information
35.1 – CTM does not use or disclose sensitive personal information for purposes other than the limited purposes identified in Section 1798.121 and the regulations.
36. Personal Information of Minors
36.1 – We do not knowingly collect personal information from children under 16 years of age and we do not “sell” or “share,” as those terms are defined under applicable California privacy law, the personal information of children under 16 years of age.
37. Retention of Personal Information
37.1 – We will retain your personal information, including sensitive personal information, for no longer than is reasonably necessary to fulfill the purpose(s) for which it was collected. In certain cases, it may be necessary for us to keep personal information for an extended period of time in order to comply with a legal obligation or for the establishment, exercise, or defense of a legal claim, in accordance with applicable law.
38. Your Rights
38.1 – Subject to certain exceptions, as a California resident, you may have the right to:
38.2 – Know and access. You may have the right to know certain information about our collection, use, and disclosure of your personal information for the 12 months preceding the date of your request. You may also have the right to request that we provide you with specific pieces of your personal information.
38.3 – Upon receipt of your request, and after we verify your identity, we may provide you with information about the following:
- The categories of personal information we collected about you.
- The categories of sources from which we have collected your personal information.
- Our business or commercial purpose for collecting the personal information.
- The categories of third parties to whom we disclose personal information.
- The specific pieces of personal information we collected about you (data portability).
38.4 – Delete. You may have the right to request that we delete the personal information we have collected from you. Absent an exception or exemption, upon receipt of your request, and after we verify your identity, we will delete and will request that our service providers delete your personal information.
38.5 – Correct Inaccurate Information. You may have the right to request that we correct inaccurate personal information we maintain about you. Absent an exception or exemption, upon receipt of your request, and after we verify your identity, we will correct any such inaccuracies.
39. Exercising Your Rights
39.1 – If you are a California resident and would like to submit a request, you may:
- Initiate a request by completing our online form here.
- Email us at DataPrivacy@travelctm.com.
39.2 – Only you or a person you authorize to act on your behalf may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To authorize another person to make a verifiable request on your behalf, you must provide that person with written permission clearly describing their authority to make a request on your behalf. That individual must also be able to verify their identity with us and provide us with their authority to act on your behalf. An individual to whom you have provided Power of Attorney pursuant to Sections 4000 – 4465 of the California Probate Code may also make a request on your behalf.
39.3 – In order to verify your identity, we will collect your:
- Name
- Company
- Phone Number
39.4 – We will use this information to verify your identity using reasonable methods in order to process your rights These methods may include matching information you provided to us with information already maintained by us or through the use of a third-party identity verification service.
39.5 – We will use the information you provide to verify your identity and to respond to your rights request and for no other purpose.
39.6 – We cannot respond to your request or provide you with personal information if we are not able to verify your identity or authority to make the request or confirm the personal information relates to you.
39.7 – You are not required to have an account with us to make a verifiable request.
40. Right to Not Receive Discriminatory Treatment
We will not discriminate against you for exercising any of your CCPA rights, which means we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
41. Contact Information
41.1 – If you have any questions or concerns about this California Addendum, please contact us at DataPrivacy@travelctm.com.
U.S. Data Privacy Framework Notice
42. Scope and purpose
42.1 – Corporate Travel Management North America (“CTM NA”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce. CTM NA has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data and/or human resources data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. CTM NA has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please see here.
42.2 – Under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we are responsible for the processing of information about you we receive from the EU and onward transfers to a third party acting as an agent on our behalf. We comply with the DPF Principles for such onward transfers and remain liable in accordance with the DPF Principles if third-party agents that we engage to process such information about you on our behalf do so in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.
42.3 – In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CTM NA commits to resolve DPF Principles-related complaints about our collection or use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data and/or human resources data (in the context of the employment relationship) received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact CTM NA at:
Chief Legal Officer – North America
Corporate Travel Management North America, Inc.
2120 S. 72nd Street
Omaha, NE 68124
1.800.875.7655
NA.DataPrivacy@travelctm.com
42.4 – In compliance with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, CTM NA commits to cooperate and comply, as appropriate, with the advice of the panel established by the EU data protection authorities (DPAs), UK Information Commissioner’s Office (ICO), Gibraltar Regulatory Authority (GRA) and Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data and/or human resources data received in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
42.5 – CTM NA is subject to the investigatory and enforcement powers of the Department of Transportation. CTM NA’s commitments under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
42.6 – CTM NA commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit here for more information or to file a complaint (free of charge).
42.7 – Under certain conditions, more fully described on the Data Privacy Framework website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration.