Fifth Amendment to that Tour Operator Agreement, dated December 12, 2011, as amended

EX-10.1 2 ex_424377.htm EXHIBIT 10.1 ex_424377.htm

Exhibit 10.1

 

 

AMENDMENT NO. 5

 

 

National Geographic Partners, LLC (“NGS”)

1145 17th Street N.W.

Washington, D.C. 20036-4688

USA

Contact: Nathan Philpot

Tel: +44 (0 ###-###-####

Email: ***@***

Lindblad Expeditions, LLC (“Lindblad”)

96 Morton Street

New York, NY 10014

USA

Contact: Sven Olof Lindblad

Tel: 212 ###-###-####

Email: ***@***

 

This is the FIFTH Amendment (“Amendment 5”) dated as of September 9, 2022 (“Effective Date”) to that Tour Operator Agreement, dated December 12, 2011, as amended, between NGS and Lindblad, (collectively, the “Agreement”).

 

WHEREAS, the Parties wish to amend the Agreement to clarify and detail agreed upon procedures related to Personal Information (as defined herein), and data protection and security.

 

NOW THEREFORE, Lindblad and NGS hereby agree to amend the Agreement as follows:

 

 

1.

Section 19.8 shall be added to the Agreement:

 

Exhibit H. Data Protection”

 

 

2.

Section 21 (Data Protection and Security) shall be added to the Agreement:

 

Data Security and Protection: The parties agree as follows:

 

1)

For all NGE/Lindblad Trip Participants from which Personal Information (as defined in Exhibit H—Data Protection attached) is collected, Lindblad shall own and be the data controller with respect to such Personal Information in its control and NGS shall own and be the data controller with respect to such Personal Information in its control;

 

 

2)

Lindblad agrees to comply at all times with all the obligations and requirements set forth in Exhibit H—Data Protection (attached); and

 

 

3)

Lindblad represents, warrants, and covenants both for itself and on behalf of each such Other Provider, Lindblad shall acquire all necessary consents, waivers, disclosures, authorizations, notifications and approvals from NGE/Lindblad Trip Participants, as required by applicable law, to transfer, disclose, or otherwise share any Personal Information that Lindblad collects with NGS pursuant to this Agreement.

 

 

4)

One party’s provision, review, and/or approval of any materials or processes pursuant to this Agreement will not relieve the other party of its obligation to comply with applicable laws.”

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 1 of 11

 

 

 

 

3.

Section 22 (Confidentiality), shall be added to the Agreement:

 

“Confidentiality.

 

 

i.

Confidential Information. “Confidential Information” means any information relating to, disclosed, accessed, received or collected (in each case, by or on behalf of a party) in the performance of the Agreement that is or reasonably should be understood to be confidential to a party (or its affiliates), including, without limitation, the terms and conditions of this Agreement, schedules, creations, business plans, costs, names, marketing plans, licensing plans, research or other information relating to the planning, production, licensing or distribution of the other party’s products or services, financial, business, technical plans and strategies, such as any password, credentials, or other information disclosed to Lindblad for access or relating to any NGS Systems, pricing information, Personal Information, customer lists, creative content, participant complaints or other calls or emails related to the administration or delivery of a trip, inventions and new products, services, and technologies, and other information disclosed in the course of performance of this Agreement of a nature which a reasonable person would consider confidential.

 

 

ii.

Confidential Information of the Other Party. Each party agrees to maintain in confidence, and neither to disclose Confidential Information to any third party nor to use any Confidential Information for any purpose except those covered by this Agreement.

 

 

iii.

Exceptions. Notwithstanding the foregoing, a party ("receiving party") may make disclosure of Confidential Information: (A) if the prior written consent of the other party ("disclosing party") has been obtained; (B) on a need to know basis to its own attorneys, accountants, consultants and agents who are aware of the terms of this Section headed Confidentiality; (C) as may be required by applicable law or ordered by a court of competent jurisdiction, after giving the disclosing party notice and allowing such party to assist in resisting or limiting such disclosure; (D) as may be necessary in order to protect the receiving party's rights hereunder; (E) to the extent such information is already in the public domain other than due to a breach by the receiving party; or (F) to the extent the receiving party can establish that it knew such information prior to disclosure by the disclosing party, received such information from a third party not known to owe a duty of confidentiality to the disclosing party, or independently developed such information.”

 

 

4.

 All other terms and conditions of the Agreement shall continue in full force and effect, including, without limitation, all representations, warranties and indemnities.

 

 

5.

 Each capitalized term used but not defined in this Amendment 5 shall have the meaning ascribed to it in the Agreement.

 

SIGNATURE PAGE FOLLOWS

 

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 2 of 11

 

 

 

 

 

ACCEPTED AND AGREED:
         
         
NATIONAL GEOGRAPHIC PARTNERS, LLC   LINDBLAD EXPEDITIONS, LLC
     
By: /s/ Nancy Schumacher   By: /s/ Dolf Berle
Name: Nancy Schumacher   Name: Dolf Berle
Title: SVP, Adventures by Disney and National Geographic Expeditions   Title:  
Date: September 15, 2022    Date: September 15, 2022

 

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 3 of 11

 

 

 

EXHIBIT H

 

In the event of any inconsistency or other conflict between this Exhibit H and any other provision or Exhibit of this Agreement relating to the collection, use, maintenance, disclosure or secure destruction of Personal Information (as defined below), the terms of this Exhibit will prevail.

 

Defined terms in this Exhibit shall have the meaning defined in the Agreement, unless such terms are otherwise defined in this Exhibit. For the avoidance of doubt, NGS is not an Other Provider for the purposes of this Exhibit.

 

DATA PROTECTION

 

This Data Protection Exhibit, in combination with other applicable requirements of the Agreement, shall constitute a material part of the Agreement between the parties. If there are any conflicts between this Exhibit and the terms of the Agreement, the terms of this Exhibit shall control with respect to such conflict. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement.

 

1.         Definitions.

 

(a)         “Argentinian Model Clauses” mean the model contract for the international transfer of “personal data” (as defined under Argentina Data Protection Law) to other countries that do not provide an adequate level of protection for personal data related to Data Subjects residing in Argentina, as set out in Disposition 60-E/2016.

 

(b)          [Intentionally Omitted.]

 

(c)         “Data Protection Laws” mean any applicable treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance regarding the same, whether of or by any legislative, administrative, judicial, or other government authority, that relates to the confidentiality, security, privacy, or Processing of Personal Information.

 

(d)         “Data Subject” means any identified or identifiable individual, and shall also have any meaning as set forth in Data Protection Laws.

 

(e)         “European Data Protection Laws” mean the Data Protection Laws of (i) the European Union and the European Economic Area (“EEA”), including the GDPR; (ii) states party to the EEA, including European Union Member States; (iii) the United Kingdom (“UK”), including the Data Protection Act 2018 (together with any amended or successor Data Protection Laws thereto) and including any subsequent UK Data Protection Laws that adopt, implement, or are otherwise designed to comply with the GDPR; (iv)  any state that subsequently becomes a Member State of the European Union or of the EEA; and (v)  the Swiss Confederation.

 

(f)         “European Personal Data” means Personal Information originating from or Processed in the European Union or otherwise subject to European Data Protection Laws.

 

(g)         “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) (together with any amended or successor Data Protection Laws thereto).

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 4 of 11

 

 

 

(h)         “European Model Clauses” mean the “standard contractual clauses for the transfer of personal data to processors established in third countries” as set out in European Commission Decision 2021/914, and any amendments or successors to the same.

 

(i)         “NGS Systems” means any computer, computer network, computer application, imaging device, desktop or laptop computer, mobile computing device, server, equipment, computing environment (including, but not limited to, any development, test, stage, production and/or backup application and computing environment), storage media or software controlled by NGS and its affiliates, subsidiaries, and parent entities, or a third party acting on behalf of NGS.

 

(j)          “Personal Information” means any information or combination of information that Lindblad (or any of its Other Providers) Processes in connection with the Services, that refers to, is related to, is associated with, or can be reasonably linked to, an identified or identifiable individual (a “Data Subject”) or to a specific computing device, and shall include, but is not limited to, all “personal data,” “personal information,” or similar terms, as defined in any Data Protection Laws.

 

(k)         “Process or Processing” means any operation or set of operations that is performed upon Confidential Information, whether or not by automatic means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification.

 

(l)         “Security Incident” means any known or reasonably suspected (i) loss or misuse, any unauthorized access, acquisition, use, disclosure, destruction, deletion, modification, or any other compromise, of Confidential Information; or (ii) other act or omission that compromises, or could compromise, the privacy, security, confidentiality, availability, or integrity of any Confidential Information or the proper functioning of NGS’s network resources.

 

2.         Processing of Personal Information by Lindblad and Lindblads Other Providers.

 

When Lindblad or Other Provider Processes Personal Information under the Agreement, Lindblad represents, warrants, and covenants both for itself and on behalf of each such Other Provider, that it shall:

 

(a)         acquire all necessary consents, waivers, disclosures, authorizations, notifications and approvals, as required by applicable law to the extent necessary to transfer, disclose, or share Personal Information with NGS pursuant to this Agreement or any Other Provider or third party;          

 

(b)         comply with all Data Protection Laws when Processing Personal Information, and shall not intentionally take any actions or intentionally fail to take any actions that would cause Lindblad , an Other Provider, or NGS to be in violation of Data Protection Laws;

 

(c)         Process Personal Information solely for the provision of the Services and/or otherwise on the documented instructions of NGS (acting on its own behalf or on behalf of an Affiliate, as applicable), which instructions may be specific or of a general nature as set forth in the Agreement, in any related statement of work or order form, as part of any configuration of the Services, or in a separate writing, unless Lindblad is required to Process Personal Information pursuant to Data Protection Laws. In the event Lindblad is required by Data Protection Laws to Process Personal Information, Lindblad shall provide prior written notice to NGS of such legal requirement, unless prohibited by such Data Protection Laws;

 

(d)          [Intentionally Omitted.]

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 5 of 11

 

 

 

(e)         not disclose any Personal Information to any third party, for any reason, whatsoever, unless such disclosure is: (1) to Other Provider, as necessary for the performance of the Services as required by the Agreement, if applicable, provided that Lindblad and Other Provider comply in all respects with Section 2(e) below; or (2) required by Data Protection Laws;

 

(f)         disclose, enable Processing of, or otherwise make accessible any Personal Information to Other Provider only under the following conditions: (1) Lindblad shall be responsible for all acts and omissions of the Other Provider; and (2) Lindblad agrees that it shall require each of its Other Providers, as a condition of performing work under the Agreement, to enter into a written agreement with Lindblad that contains obligations of confidentiality, security, and privacy at least as strict as those contained in the Agreement. Lindblad further agrees that it shall (x) conduct due diligence sufficient to ensure that each Other Provider (A) is competent to perform the Services subcontracted to it in conformance with the standards of the Agreement and (B) has adopted and can adequately implement comprehensive written protocols to carry out the obligations of confidentiality, security, and privacy required by the Agreement; (y) closely monitor all work by each Other Provider for compliance with the Agreement; and (z) prevent Other Providers from further assigning or subcontracting any part of their work without prior express written consent;

 

(g)         promptly, and in no event later than forty-eight (48) hours of such request, notify NGS if it receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including the right of access, right to rectification, right to restrict Processing, right to erasure (“right to be forgotten”), right to data portability, or right to object to the Processing, (collectively, a “Data Subject Request”). Lindblad shall provide to NGS, in writing (email shall suffice), all details surrounding such Data Subject Request. Further, Lindblad shall fully cooperate as requested by NGS to enable NGS to comply with any Data Subject Request;

 

(h)         [Intentionally Omitted.]

 

(i)         ensure that all Lindblad or Other Provider personnel engaged in Processing of Personal Information (1) Process Personal Information only as set forth in the Agreement and (2) have committed themselves to maintaining the confidentiality of Personal Information or are under an appropriate legal obligation of confidentiality;

 

(j)         provide assistance to NGS so that NGS may comply with its obligations under Data Protection Laws in connection with the Services provided under the Agreement, including, but not limited to, any assistance that Lindblad deems necessary to fulfill Data Subjects Requests;          

 

(k)         to the extent permitted by applicable law, make available to NGS all information necessary to demonstrate compliance with Data Protection Laws, including (1) allowing for and facilitating audits and inspections of Lindblad and Other Provider facilities conducted by NGS or NGS’s authorized representatives; (2) permitting NGS to regularly test Lindblad’s compliance with the security requirements under the Agreement, including, without limitation, testing security configurations (e.g., server parameters, security settings, and control environment) and network perimeter controls; and (3) providing NGS with accurate books and records (including, without limitation, all policies, procedures, papers, correspondence, data, information, reports, records, receipts, files, and other sources of information) consistent with generally accepted practices regarding Lindblad’s performance under the Agreement. Lindblad shall, at its own cost, make any changes reasonably requested by NGS to correct any compliance failures discovered during such audits, inspections, or tests;

 

(l)         maintain records of its Processing activities under the Agreement, which will include, without limitation, the name or title of Lindblad personnel who access Personal Information, the categories of Personal Information Processed on behalf of NGS, a description of any international data transfers conducted on behalf of NGS (including a list of any countries to which Personal Information has been transferred), a general description of the technical and organizational measures used to safeguard Personal Information, and any other information required by Data Protection Laws;

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 6 of 11

 

 

 

(m)         be directly liable (without seeking reimbursement or indemnification from NGS) to any Data Subject who has suffered damage as a result of Lindblad’s or Other Provider’s violation of the terms of this Exhibit or any violation by Lindblad or Other Provider of Data Protection Laws; and

 

(n)         limit any disclosure of Personal Information to those of its personnel and Other Providers who have a need to know the information to effect the use permitted herein, and keep a record of such disclosures.

 

3.         Security Practices/Information Security Program.

 

(a)    Lindblad shall implement, comply with, and maintain industry leading security procedures, technical measures, and practices (including, if applicable, adherence to any code of conduct approved by relevant government authorities), appropriate to the nature of the information, in connection with any Confidential Information that is Processed in connection with the Services. Such measures shall include, at a minimum, establishing, implementing and at all times complying with and maintaining a comprehensive, written information security program consistent with, and applying protective security measures at least as stringent as, the most protective standards set forth in (i) generally accepted technical industry standards (e.g., ISO/IEC 27001) and (ii) any applicable laws, including Data Protection Laws (the “Information Security Program”). The parties acknowledge that Lindblad is currently in the process of working towards reaching an ISO 27001 security standard.

 

(b)    The Information Security Program shall contain the following:

 

(i)         an organizational information security governance structure that is maintained in writing and that contains (1) comprehensive practices and procedures that address the entire organizational process, both physical and technical, and that ensure ongoing adherence to applicable laws, including Data Protection Laws, with accountability at the highest levels of senior management and executive staff; (2) training on the Information Security Program, on at least an annual basis, for all personnel and relevant Other Providers involved in Processing Personal Information; and (3) appropriate disciplinary measures for non-compliance with the Information Security Program;

 

(ii)         administrative, logical, technical, and physical controls, including anonymization, pseudonymization, and/or encryption of Personal Information, that Lindblad utilizes to: (1) monitor for, identify, assess, test, evaluate, and effectively protect against, internal and external risks to the security, confidentiality, and/or integrity of Confidential Information, or to the legal rights of Data Subjects; or (2) ensure the security of Lindblad’s Processing systems and services, with regular evaluation and testing of, and where appropriate, improvements to, the effectiveness of such controls; and

 

(iii)         detective and corrective controls that are designed to promptly recognize, escalate, and respond to Security Incidents and other incidents that threaten the security, availability, confidentiality, and/or integrity of Confidential Information, as well as minimize adverse impacts of such Security Incidents; facilitate the gathering of forensic evidence; restore the security, availability, confidentiality, and/or integrity of Confidential Information; and make systematic improvements to Lindblad’s management of data security risks as a consequence of any such incident.

 

(c)         Lindblad shall implement, maintain, comply with, and enforce its Information Security Program at each location from which Lindblad, or any of Lindblad’s Other Providers, provides any part of the Services or from which access is possible to Confidential Information or the systems on which Confidential Information is Processed. In addition, Lindblad shall ensure that its Information Security Program covers all networks, systems, servers, computers, mobile phones, and other devices and media that Process Confidential Information or provide access to NG Systems. Lindblad shall publish and communicate its Information Security Program to all personnel and relevant Other Providers on at least an annual basis.

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 7 of 11

 

 

 

4.         Data Transfer Requirements.

 

(a)         [Intentionally Omitted.]

 

(b)         [Intentionally Omitted.]

 

(c)         In the event that any Data Protection Laws that become effective after the Effective Date impose restrictions on the cross-border transfer of Personal Information that are not contemplated herein, the parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.

 

5.         Obligations Regarding Security Incident. In the event of a Security Incident, including an intrusion into, interference with, penetration of, unauthorized access to, or other compromise of, Lindblad’s or its Other Provider’s network, computer resources, or electronic or other media on which Confidential Information is Processed or from which Confidential Information may be accessed, Lindblad shall promptly and without undue delay (and in no event later than forty-eight (48) hours after a Security Incident) inform NGS of such Security Incident by contacting the Disney IT Support Center at ###-###-####, or at ***@***. Such notice from Lindblad shall include, to the extent available, the categories and approximate number of Data Subjects and records containing Personal Information concerned, shall describe the remediation measures implemented by Lindblad to resolve the Security Incident, and shall identify a point of contact at Lindblad for any NGS or any affiliate or parent entity inquiry regarding the Security Incident. Such notice shall be timely supplemented to the level of detail reasonably requested by NGS, inclusive of investigative or forensic reports. Lindblad shall provide NGS with the name and contact information of its data protection officer, if required by Data Protection Law. Lindblad also shall cooperate with NGS, and its applicable service providers, in the investigation and remediation of any Security Incident. Under no circumstances, other than as required by Data Protection Law, shall Lindblad send notice concerning a Security Incident to any third party (other than Other Providers engaged for cyber security or other data protection), including, without limitation, government authorities and affected Data Subjects, without NGS’s prior written approval. Further, unless prohibited or otherwise prescribed by Data Protection Laws, Lindblad shall reasonably confer with NGS as to whether to notify any third party of the Security Incident, to determine the content of any such notice, and to determine the nature and extent of any remediation offered to any Data Subject; however, if the parties cannot reasonably agree on any such aspects, then NGS shall have final decision-making authority related to any notification that directly affects NGS’s customers, unless prohibited or otherwise prescribed by Data Protection Laws or other applicable laws. Lindblad shall promptly investigate the Security Incident, at its cost and expense, and shall provide NGS with the results of that investigation as soon as they are available. In the event of legal action brought by NGS against a third party in connection with a Security Incident, Lindblad agrees that it shall cooperate and provide such assistance as may be reasonably necessary to enable NGS or any affiliate or parent entity to successfully prosecute such legal action. Without limiting any other remedy in the Agreement, Lindblad shall reimburse, indemnify, and hold NGS harmless for all reasonable investigation, remediation (including the cost of notice to Data Subjects and/or government officials, daily credit monitoring, access to credit reports, and identity theft services), forensic and legal costs (including, but not limited to, attorney’s fees) and any related damages, losses, judgments, settlements, liabilities, awards, fines, penalties, costs and expenses incurred by NGS in connection with a Security Incident within thirty (30) days following receipt from NGS of an invoice for the same, and Lindblad further stipulates and agrees that each of the foregoing shall be deemed direct damages.

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 8 of 11

 

 

 

6.         Security Audits. On or before execution of the Agreement and annually thereafter during the Term, Lindblad shall (a) cause a reputable independent third-party audit firm to conduct Type II SOC1 and SOC2 audits under the SSAE 18 standard or any successor standard (“SSAE Audits”) of Lindblad, its Other Providers, and its and their dedicated data Processing environments, which includes servers supported by any necessary equipment or software, that are used to deliver the Services (“Data Centers”), and (b) provide to NGS the audit reports resulting therefrom (“SSAE Reports”). The SSAE Reports shall describe the security control policies and procedures, including a statement on the operating effectiveness of those policies and procedures and remediation plans for any significant or material deficiencies, of Lindblad and its Data Centers. The audit firm shall determine whether the controls currently in place meet industry best practices such as ISO/IEC 27001. Lindblad shall respond promptly to all of NGS’s questions and concerns with respect to the SSAE Reports. Lindblad shall be responsible for promptly remediating, at its cost, all failures, deficiencies, and risks identified in the SSAE Reports.

 

7.         Security Reviews. On or before execution of the Agreement and annually thereafter during the Term, NGS may, in its discretion and cost, inspect and audit Lindblad’s compliance with the Agreement and applicable laws, including Data Protection Laws, and including but not limited to its Information Security Program and any facilities or systems used by Lindblad to provide the Services. Such inspections and audits may, at NGS’s option, be conducted on-site by NGS or NGS affiliates’ personnel or NGS’s contracted third-party assessors. On-site inspections and audits will be conducted upon reasonable prior notice by NGS.

 

8.         Retention of Confidential Information. During the Term of the Agreement, and subject to Lindblad’s retention obligations under applicable laws, including Data Protection Laws, Lindblad shall adhere to NGS’s reasonable instructions with regard to retention (including, without limitation, deletion) of Confidential Information Processed pursuant to the Agreement. Further, and subject to Lindblad’s retention obligations under applicable laws, including Data Protection Laws, Lindblad shall, and shall cause its Other Providers to, immediately securely destroy (by making unreadable, unreconstructable, and indecipherable) any or all Confidential Information (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following: (a) termination or expiration of the Agreement or any applicable statement of work for any reason; or (b) cessation of Lindblad’s need to retain such Confidential Information to perform the Services. Lindblad shall certify in writing that such destruction has been completed. If NGS requests return or transfer of all or a portion of such Confidential Information prior to the destruction described above, Lindblad shall promptly return to NGS all such Confidential Information, through a secure method designated by NGS, or shall promptly transfer such Confidential Information to NGS’s designee, in accordance with the instructions of, and using the secure method prescribed by, NGS, following NGS’s written demand therefor at the sole cost of Lindblad. In either event, Lindblad shall promptly provide NGS with a certification by an officer of Lindblad that all Confidential Information has been removed from Lindblad’s and any Other Provider’s possession and/or control.

 

9.         Survival. Lindblad’s data protection obligations in the Agreement, including its obligations under this Exhibit H, shall continue for so long as Lindblad, or any of Lindblad’s Other Providers, continues to Process Personal Information, even if all agreements between Lindblad and NGS have expired or been terminated.

 

10.       Certification. By executing the Agreement, Lindblad certifies that it understands the restrictions on Lindblad’s Processing of any Personal Information under the Agreement.

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 9 of 11

 

 

 

 

Attachment 1 to Exhibit H

Description of Processing of Personal Information

 

Purpose of Processing and recipients

Subject-matter of the Processing

The subject matter of the Processing is information provided by participants for trips serviced by Lindblad.

Nature, purpose and scope of the Processing

Processing as stipulated as Services in the Agreement.

Duration of Processing

Unless stated otherwise in this Agreement, or agreed in writing between the parties, Personal Information will be Processed for the Term of the Agreement or the relevant statement of work or work order, inclusive of any amendments thereto.

Types of Personal Information

The Personal Information to be Processed as part of the Services may include (check all that apply):

√         Contact information

Any information allowing direct outbound contact to be made with an individual such as name, address, postcode, telephone numbers, email addresses.

√         Individual profile information

Age, date of birth, gender, clothing size, preferences or other individual characteristics

√         Government identifiers

Government issued reference numbers such as National Insurance or other social security number, Government ID, passport number, driving license number.

√         Financial information 

Data relating to income, wealth or assets, debts, liquidity or financial transactions. Bank account information, credit/debit/payment card details.

√         Browsing information

Any behaviour or action observed or recorded regarding an individual’s interactions with or use of any online content or advertising including but not limited to analytics, use of or visits to social media, websites or apps, time spent on social media, websites or apps, unique online or mobile device identifiers, cookies or other tracking technologies.

☐         Employment information

Any Personal Information related to employment such as previous work history, accreditations, education. 

☐         User account information

User account information such as user login, user settings, user change history

☐         Location data 

Location information that can be derived from mobile device ID, travel booking or other purchase, use of wi-fi or other services which determine a user’s access location

☐         Social media information

Social media identifiers or handles, information gleaned from social media sites such as social login data and posts.

☐         Other (please specify)

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 10 of 11

 

 

 

Special categories of Personal Information

☐          Race

☐          Ethnic origin

☐          Political affiliation

☐          Religious affiliation

☐          Trade union membership

☐          Genetic information

☐          Biometric information

☐          Health/medical condition

☐          Sexual orientation

√           None

Categories of Data Subjects

√          Customers (guests/consumers)

☐         Employees (current and past)

☐         Prospective employees

☐         Contractors (contingent workers; other non-employees)

☐         Service Providers and vendor employees

☐         Family members and other dependents

☐         Other (please specify)

Recipients

Lindblad and Other Provider personnel who have a need to Process Personal Information solely in connection with Lindblad’s performance of the Services.

□ Additional Categories of Recipients:

 

 

   _____________________________________________

 

□ N/A

Lindblad Data Center Locations (at provence/state level)

Lindblad’s Data Center locations, as approved by NGS as of the Effective Date

 

□ List all approved locations of Data Centers:

 

 

□ N/A

 

Contact details:

 

September 9, 2022

(Lindblad1201V)/TOA Amend 5/ig/se

Page 11 of 11