The following article was written by Alexandra Cooke, Commercial, IP and Technology Associate, Hamlins LLP for Travel Law Today, 4th Edition which can be read here.
You can help make sure your business is GDPR-ready by attending one of ABTA's forthcoming seminars:
A Beginner’s Guide to Travel Law – 5 December (Manchester)
Essential Business Travel Law – 25 January (London)
Data Protection and Cyber Security in Travel – 1 February (London)
Travel Law Seminar – 22-23 May (London)
The travel industry is, by its very nature, concerned with the collection, storage and processing of customer personal data (any data from which an individual can be identified, such as a name, address or passport details). The implementation of the EU General Data Protection Regulation (GDPR) in May 2018 will significantly change the current data protection regime. It is vital that organisations in the travel sector ensure the contracts they have in place with third parties who handle, process and store customer personal data on their behalf, or who provide personal data, are up to date and compliant.
Contracts which involve the transfer of personal data to third parties should currently contain clauses obliging each party to comply with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations. However, under the GDPR, such cursory clauses will not be adequate to ensure compliance with the enhanced data protection obligations on data controllers (persons/companies who determine how personal data is to be processed) and data processors (persons/companies who process data on behalf of the data controller).
The following areas are important to include when drafting robust data protection provisions.
Under the GDPR, organisations will need to maintain accurate and detailed records of all processing and storage of personal data, demonstrating compliance with the data protection principles. Any third-party data processor should be contractually obliged to keep a record showing how it is complying with the data protection principles (as they apply to the processor) and to make such records available to the data controller and to any supervisory authority (the Information Commissioner in the UK) for the purposes of an investigation.
Where an organisation obtains personal data from a third party, that third party should warrant that it has obtained all necessary consents from the relevant individuals to process this personal data. Under the GDPR, consent must be clear and unambiguous and must be active (e.g. not inferred from silence or obtained through pre-ticked boxes). Parental consent is required for children under the age of 16 where personal data is obtained via online services.
Organisations will be obliged to report any data protection breach to the Information Commissioner. Any third-party processor should therefore be contractually required to report any breach of its data protection obligations to the data controller and to assist with any notification to the authorities. Failure to notify the relevant authority can lead to fines of up to €10 million or 2% of global annual turnover, whichever is greater.
Transfer outside of the EEA
Data processors should be prohibited from transferring personal data outside the EEA unless they have the consent of the data controller and adhere to the Information Commissioner’s guidance and codes of practice on transferring personal data overseas.
Access by employees and subcontractors
Your contract should expressly prevent any of the processor’s employees or subcontractors from accessing the personal data unless they are authorised to do so, require access in order to meet the processor’s contractual obligations, and have been informed of the confidential nature of the personal data.
Data subject access requests
Individuals will have the right to request a copy of their personal data, free of charge, in an electronic format. The data processor should be contractually obliged to cooperate fully with any data subject access request, and to report any such request to the data controller if the request is received by the processor directly.
Storage period and erasure of personal data
It is critical that the processor gives an indemnity to the controller against all liabilities, costs, expenses, damages and losses suffered or incurred by the data controller arising out of or in connection with any breach by the processor of any of its data protection obligations. This gives you recourse against the processor in the event that it breaches any of those obligations, and may give you quicker, easier and fuller recovery than a claim for breach of contract.
Under the GDPR, organisations can be fined up to €20 million or 4% of global annual turnover, whichever is the greater, for breaches. Not having the appropriate contractual protection could be hugely costly, particularly for large travel organisations. It is critical for data controllers to ensure that they a) spell out the data protection obligations to the data processors they are engaging, and b) adequately cover off their liability in the event of any breach by the data processor of such obligations. The reputational cost of a data protection breach can be just as significant, and setting out each party’s obligations at the outset of a contractual relationship could be invaluable.
Although the GDPR does not take effect until next year, most contracts in force or being negotiated will continue well beyond May 2018, so it is important to start future-proofing your contracts for the GDPR now. Seeking professional advice is advisable, and we are already working with organisations in the travel industry to review their contracts and draft appropriate model clauses and privacy policies to protect those businesses into 2018 and beyond.