Information about General Data Protection Regulation (GDPR) for Travel Leaders Group Customers

Introduction and Purpose

This document explains:

  • What is GDPR?
  • How does GDPR affect TLG and its Customers in the processing of Traveller Personal Data?
  • What actions is TLG taking to address GDPR readiness?

This document is intended to inform TLG’s Customers about our compliance readiness activities related to the processing of Personal Data (defined below) under the General Data Protection Regulation (“GDPR”),[1] and not necessarily those of our independent reservation agents or travel consultants. Our hope is that this document will address questions you may have about TLG’s GDPR readiness activities as they relate to using TLG as a travel booking services partner. In it, we describe how TLG services operate, and explain TLG’s role in providing marketplace services. This document may also be used by TLG Account teams and independent reservation agents and unaffiliated travel consultants when answering questions from TLG Customers about TLG’s GDPR readiness. This document is not intended to constitute legal advice.

What is the GDPR?

The EU General Data Protection Regulation went into full effect on 25 May 2018. GDPR represents an overhaul of existing European Union (“EU”) data protection law, building on existing Privacy Principles, and introducing particular focus on documentary evidence and Privacy by Design and by Default. These are the GDPR requirements of Transparency and Accountability. GDPR applies to companies with physical operations and employees in the EU. It also applies to companies that are not established in the EU, but either offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU.

GDPR applies to certain Personal Data that TLG may process about EU data subjects. “Personal Data” under GDPR is a broad term that includes any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For booking and travel-related services, this would include processing of traveller data, such as data received by TLG in the context of bookings and other travel-related services (Traveller Personal Data) and, to a limited extent, Personal Data of employees and independent contractors of TLG Customers (Customer Personal Data) – e.g. information that TLG may collect about TLG Customer employees required by TLG to provide booking and travel-related services.

TLG has put in place a program to address the requirements that GDPR imposes on TLG, both as a Data Controller (the entity that determines the purposes and means of processing of Personal Data), and as a Data Processor (where TLG is processing Personal Data on behalf of a Data Controller).

Roles and Obligations under GDPR

Under GDPR, legal entities established in the EU either as a Data Controller or a Data Processor are in scope of the regulation. A Data Controller is a legal entity that determines the “purposes and means” for which Personal Data is collected, used, or otherwise processed. In this capacity, TLG would exercise overall control over the “why” and the “how” of a data processing activity for Personal Data. By contrast, a Data Processor is a legal entity that processes Personal Data on behalf of a Data Controller.

Data Protection Positioning under the GDPR

In relation to the booking or travel-related services it provides, TLG has determined that it is a Data Controller of the Traveller Personal Data processed for the purposes of making reservations or issuing tickets. This includes air, rail, cruise, or hotel bookings made through a Computer Reservation System. The factors that TLG relied on to reach this determination include that TLG exercises independent judgment about:

  • whether to collect the Personal Data in the first place and the legal basis for doing so;
  • which items of personal data to collect, i.e., the content of the data;
  • the purpose or purposes the data are to be used for;
  • which individuals to collect data about;
  • whether to disclose the data, and if so, to whom;
  • whether subject access and other individuals’ rights apply, i.e., the application of exemptions; and
  • how long to retain the data or whether to make non-routine amendments to the data.

The positioning of TLG as a Data Controller, however, does not mean that other parties involved in the processing (carriers, hotel chains, or other travel service providers) take the role of Data Processors. Several independent Data Controllers may be involved in the same traveller reservation and ticketing transaction. Hotel chains, travel agencies, and corporations could also be Data Controllers of the traveller reservation and ticketing transaction. These Data Controllers each determine the purpose of the processing of the Personal Data in parallel.

TLG’s GDPR Program

Privacy inquiries – Appointment of a Data Privacy Officer (“DPO”)

Article 37 of GDPR requires the appointment of a DPO in certain cases. TLG has concluded, however, that TLG’s processing of Traveller Personal Data will not require TLG to appoint a DPO, for two main reasons. First, TLG does not regularly and systematically monitor data subjects on a large scale. Second, TLG does not process special categories of data on a large scale, nor does it process data related to criminal convictions and offenses. Even though we will not formally appoint a DPO, TLG has put a structure in place to address privacy matters. The point of contact for inquiries about data protection will be the Privacy Department.

TLG GDPR Program Readiness

TLG has initiated a formal GDPR program, divided into several project streams, to oversee and coordinate GDPR-related activities across all functions and business units. One project stream covers the processing of Traveller Personal Data.

For the processing of Traveller Personal Data through TLG’s booking and computerized travel systems, we have identified the GDPR requirements that need to be met:

  1. Data Mapping
  2. Register of processing
  3. Privacy by design and by default
  4. Security measures
  5. External privacy statements
  6. Data subjects’ rights
  7. Data breach notifications
  8. Vendor management

TLG will comply with applicable requirements in its position as a Data Controller, including those related to Privacy Notices. A privacy notice is necessary to comply with requirements under Article 14 of GDPR – Information to be provided where personal data have not been obtained from the data subject. This notice is made available to TLG Customers, and can be found by visiting https://www.travelleadersgroup.com/privacy-policy/.

If you have questions about this GDPR Information Guide, please contact the Privacy Department at privacy@travelleaders.com. Thank you.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016) (“GDPR”).