TRIVAGO N.V. filed this Form 20-F on 03/06/2018
We process, store and use personal data which exposes us to risks of internal and external security breaches and could give rise to liabilities, including as a result of governmental regulation and differing legal obligations applicable to data protection and privacy rights.
We may acquire personally identifiable information or confidential information from users of our websites and apps. Breaches or intrusions to our system, whether resulting from internal or external sources, could significantly harm our business. It is possible that advances in computer circumvention capabilities, new discoveries or other developments, including our own acts or omissions, could result in a compromise or breach of personally identifiable information and/or confidential user information.
We cannot guarantee that our existing security measures will prevent all security breaches, intrusions or attacks. A party, whether internal or external, that is able to circumvent our security systems could steal user information or proprietary information or cause significant disruptions to our operations. In the past, we have experienced “denial-of-service” type attacks on our system that have made portions of our website unavailable for periods of time. We may need to expend significant resources to protect against security breaches, intrusions, attacks or other threats or to address problems caused by breaches. Any actions that impact the availability of our website and apps could cause a loss of substantial business volume during the occurrence of any such incident and could result in reputational harm and negatively impact our ability to attract new customers and/or retain existing ones. The risk of security breaches, intrusions and other attacks is likely to increase as we expand the number of markets in which we operate and as the tools and techniques used in these types of attacks become more advanced. The new European data protection laws (described in detail below) introduce mandatory breach reporting to regulators and individuals across Europe. Security breaches could result in negative publicity, damage to our reputation, expose us to risk of loss or litigation and possible liability and subject us to regulatory penalties and sanctions as well as civil litigation. Security breaches could also cause users and potential users to lose confidence in our security, which would have a negative effect on the value of our brand.
We also face risks associated with security breaches affecting third parties conducting business over the Internet. Users generally are increasingly concerned with security and privacy on the Internet, and any publicized security problems impacting other companies could inhibit the growth of our business. Additionally, security breaches at third parties upon which we rely, such as hotels, could result in negative publicity, damage to our reputation, expose us to risk of loss or litigation and possible liability and subject us to regulatory or criminal penalties and sanctions as well as civil litigation. We currently provide users with the functionality to book directly with certain hotels, by completing a form on our website which enables users’ details to be transferred directly to the hotel’s booking forms. In connection with facilitating these transactions, we receive and store certain personally identifiable information, including credit card information. This information is increasingly subject to legislation and regulations in numerous jurisdictions around the world, including throughout the member states of the European Union as a result of European Commission Directive 95/46/EC and implementing legislation in effect in member states of the European Union, which will be replaced from May 25, 2018 by the EU’s General Data Protection Regulation 2016/679 (GDPR). In particular, EU laws regulate transfers of EU personal data to third countries, such as the United States, that have not been found to provide adequate protection to such personal data. A considerable number of our service providers and hotels operate in such jurisdictions. There are recent regulatory concerns about certain measures that can be used to validate such data export, as well as litigation challenging some of the mechanisms for adequate data transfer (i.e., the standard contractual clauses). 
We could be impacted by changes in law as a result of the current challenges to these mechanisms by regulators and in the European courts which may lead to governmental enforcement actions, litigation, fines and penalties or adverse publicity which could have an adverse effect on our reputation and business.
Government regulation of privacy and data security is typically intended to protect the privacy of personally identifiable information that is collected, processed and transmitted in or from the governing jurisdiction. Since we collect, process and transmit personally identifiable information in and from numerous jurisdictions around the world, we are subject to privacy, data protection and data security legislation and regulations in a number of countries around the world. We are in particular affected by the GDPR. The GDPR applies to any company established in the EU as well as to those outside the EU if they collect and use personal data in connection with offering goods or services to individuals in the EU or the monitoring of their behavior (for