17 Jul

How are your overseas suppliers handling your customers’ data?

This article was written by Debbie Venn, Partner, DMH Stallard LLP for ABTA's seventh edition of Travel Law Today which can be downloaded here: abta.com/travellawtoday

The flurry of activity around the introduction of the General Data Protection Regulation (GDPR) last year may have calmed down, but it did give businesses the opportunity to review how they process personal data, where it comes from and where it goes. Travel businesses must handle personal data in accordance with the GDPR (together with the UK Data Protection Act 2018), not only to avoid fines from the Information Commissioner’s Office (ICO) but also to avoid bad publicity and claims by data subjects.

Data controller or data processor?
A travel business will generally be acting as a controller of data as it will be determining how personal data is collected, stored and used within its business. As a controller, a travel business will be working with other suppliers who may be controllers (eg, sharing personal data with suppliers who also determine the purposes for processing an individual’s personal data when providing their services), or processors (ie, they will only be processing the personal data in accordance with the controller’s instructions).

The activity that the supplier will be undertaking in connection with the personal data will determine what agreement needs to be put in place between the travel business and the supplier. This will be either a Data Sharing Agreement (where both parties are acting as controllers, or joint controllers, in relation to personal data shared between the parties), or a Data Processing Agreement (where the processor will only be processing personal data in accordance with the controller’s instructions).

Handling of personal data and overseas suppliers
When a travel business sends personal data externally, how confident can it be about what happens to that personal data? As part of general supplier due diligence, it is recommended that checks are made on the processes the supplier has in place for keeping data secure, including staff training (to assess the potential for human error) and technical controls (eg, firewalls, access controls or encryption), and that the supplier is asked for evidence of those controls rather than assurances alone. Travel businesses have the added issue that personal data is routinely sent outside the European Union, which brings it within additional legal controls. Under data protection laws, international transfers (ie, transfers outside the EU) of personal data may only be made with appropriate measures in place, by ensuring that:

1. the European Commission has issued an ‘adequacy decision’ confirming that the country to which the personal data is being transferred provides an adequate level of protection for personal data; or that
2. ‘appropriate safeguards’ have been adopted for the transfer, including (among others) the EU standard contractual clauses (model clauses) to govern the transfer; or that
3. another exception (derogation) applies, eg, the individual has given explicit consent to the transfer after being informed of the risks involved. Derogations are intended for occasional transfers and are not a substitute for a standing arrangement with a supplier that receives personal data routinely.

A controller will, therefore, need to consider what measures are appropriate for the transfer and what contractual provisions are appropriate for working with an overseas supplier, ie, will a Data Sharing Agreement or a Data Processing Agreement be

Data collected overseas
A further complication for travel businesses is what obligations they might be under in respect of personal data that a customer provides directly to an overseas supplier. For example, when a customer checks into a hotel, the hotel generally takes a copy of the traveller’s passport and a swipe of their credit card. Who is liable for protecting that personal data? If the traveller has booked a package, then in principle an organiser can be responsible for the acts and omissions of its suppliers, which might include how a supplier handles a traveller’s personal data. If a hotel collects additional personal data as part of a service provided within a package, it might therefore be possible for a UK-based organiser to be held responsible for the acts or omissions of the hotel where these have led to a data security breach. However, data protection laws generally make the party responsible for the breach directly liable for any fines or compensation payable to individuals. In any event, there needs to be good communication with suppliers, and agreed processes, to minimise the risk to customers and organisers.

The acts of employees who take personal data on a ‘frolic of their own’ and sell it on in their own country might be too remote to fall within the scope of an organiser’s liability to a traveller. However, if a hotel can be vicariously liable for its employees, it is important to check what training and processes suppliers have in place to keep personal data secure, so that an organiser is comfortable with how a supplier will handle personal data.

Supplier contracts
Supplier contracts should therefore:

  • provide an indemnity for an organiser for acts and omissions of suppliers and their employees;
  • require suppliers to notify the organiser promptly of any data breach or loss, with an agreed escalation process, so that the organiser can manage and mitigate the risk; a controller has 72 hours from becoming aware of a notifiable breach to report it to the ICO, and a processor must notify its controller without undue delay, so the contract should set a short reporting deadline and name the contacts on each side;
  • ensure standard processes align with the organiser’s Privacy Policy and what it is telling travellers about how their personal data is used and transferred to suppliers (particularly if consent is needed to make an international transfer);
  • consider including a restriction against marketing by a supplier to customers, unless a customer specifically opts in;
  • consider and record how the parties agree personal data should be retained/deleted.

These clauses can be added into an existing general supplier agreement, or a separate agreement can be signed, to reflect either data sharing or data processing provisions (as applicable). A travel business should also consider what insurance it has in place for dealing with data losses and whether additional cover is needed. Internal data protection processes should be kept up to date and should include a data security breach process dealing with notifications to the ICO (within 72 hours of becoming aware of a notifiable breach) and to affected data subjects (where the breach is likely to result in a high risk to them), as well as setting out how the business works with the suppliers to whom it transfers personal data, to enforce controls around data protection.