“Data Law” means, as in effect from time to time, any law, rule, regulation, declaration, decree, directive, statute or other enactment, order, mandate or resolution, which is applicable to either You or American, issued or enacted by any domestic or foreign, supra-national, national, state, county, municipal, local, territorial or other government or bureau, court, commission, board, authority, or agency, anywhere in the world, relating to data security, data protection and/or privacy, including the General Data Protection Regulation.
“Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“EEA” means the European Economic Area.
“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted from time to time.
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data from the EEA to processors established in third countries which do not ensure an adequate level of data protection, as set out in the Annex to Commission Decision 2010/87/EU, or successors thereto.
“Other American Data” means any data or other information from any source that is not provided, obtained, developed, produced or Processed by You or Your systems in connection with the relationship or arrangements established by the Agreement (and thus does not fall within the definition of American Data) but that does identify or can be used to identify American, American’s products and services, or a Person (or a computer or device of such Person) in their capacity as an American customer. For example, an Internet tracking device, such as a cookie, that is dropped onto a passenger’s computer after visiting aa.com would be Other American Data if Processing of such cookies is not the subject of the Agreement.
“Permitted Data Uses” means the express permissions to use American Data specified in the Agreement.
“Personal Data” means any information relating to a Data Subject.
“Process” or “Processing” means any operation or set of operations that is performed upon American Data or Other American Data, whether or not by automatic means, including, but not limited to, obtaining, developing, producing, collecting, recording, organizing, structuring, accessing, using, adapting, altering, modifying, retrieving, consulting, copying, reproducing, analyzing, disclosing, disseminating, making available, aligning, combining, blocking, restricting, transmitting, transferring, selling, renting, storing, retaining, destroying, deleting, or erasing such data. For the avoidance of doubt, “Process” or “Processing” includes the compilation or correlation of American Data with information from other sources and the application of algorithmic analysis to create new or derivative data sets from American Data.
“Remediation Efforts” means, with respect to any Security Incident, activities designed to remedy a Security Incident which may be required by a Data Law or which may otherwise be necessary, reasonable or appropriate under the circumstances, commensurate with the nature of such Security Incident. Remediation Efforts may include: (i) development and delivery of legal notices to affected individuals or other Third Parties; (ii) establishment and operation of toll-free telephone numbers (or, where toll-free
