The following article is by Javed Ali, Legal Consultant at Hill Dickinson LLP, and was written for Travel Law Today, 4th edition, which can be downloaded from ABTA's Member Zone.
You can help make sure your business is GDPR-ready by attending one of ABTA's forthcoming seminars:
A Beginner’s Guide to Travel Law – 5 December (Manchester)
Essential Business Travel Law – 25 January (London)
Data Protection and Cyber Security in Travel – 1 February (London)
Travel Law Seminar – 22-23 May (London)
The GDPR applies in the UK and across the EU from 25 May 2018. The Regulation gives greater rights to data subjects and imposes more reporting requirements on companies that transact with, and collect data from, EU customers and suppliers. Under the GDPR, where a controller and a processor are both responsible for the same damage, each can be held liable for the entire damage (joint and several liability, Article 82), so processors are directly exposed in a way they were not under the previous regime.
Where personal data moves across borders to countries outside the UK and the EU, it may become harder for customers and other data subjects to exercise their data protection rights, in particular to protect themselves from the unlawful use or disclosure of their personal information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to activities outside their borders.
Chapter V of the GDPR governs the transfer of personal data to third countries (countries outside the EU). It provides that any transfer of personal data to a third country, including the onward transfer of personal data from that third country to another third country, may take place only if the conditions laid down in Chapter V are complied with by the controller and the processor.
The Chapter V conditions are:
Under Article 30 of the GDPR, data controllers (and, under Article 30(2), processors) are required to maintain a record of the processing activities that they carry out or which are under their responsibility. This record must include the categories of recipients to whom the personal data has been or will be disclosed, including, where applicable, recipients in third countries, the identification of those third countries and the appropriate safeguards relied upon for the transfer.
These record-keeping obligations do not apply to an enterprise or organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences. In practice, most travel businesses process customer data on a regular rather than occasional basis, so the exemption will rarely apply.
The Chapter V conditions are in addition to the general principles for processing personal data, which require that personal data is processed lawfully, fairly and in a transparent manner; is collected only for specified, explicit and legitimate purposes; is adequate, relevant and not excessive; is not kept for longer than is necessary; and is processed with appropriate security.
It is vital that you start to review your contracts with your suppliers, including those based overseas, and ensure that they contain adequate security measures so that your suppliers are fully committed to securing and safeguarding the data that you will be sharing with them. Where a supplier is in a country that the European Commission has not found to provide an adequate level of data protection, you must put in place appropriate safeguards to compensate for that gap and protect your customers.
Such safeguards may consist of binding corporate rules, standard data protection clauses adopted or approved by the European Commission, or ad hoc contractual clauses authorised by the supervisory authority. Those safeguards should ensure compliance with data protection requirements and give data subjects enforceable rights equivalent to those they would have if the processing took place within the UK or EU.