By the nature of its business, the aviation sector collects and has access to a huge amount of personal data. Airlines, airports and their service providers routinely hold and process passenger information, crew and employee details, customer lists and details of business contacts.
The complex global nature of the industry and the high volume of personal data processed and exchanged, often across national borders, can leave information vulnerable to security breaches, intentional or otherwise.
The aviation industry is therefore familiar with stringent requirements many jurisdictions impose on the transfer and processing of personal data. However, the requirement to protect passenger information from unauthorised transfer and usage will be in the spotlight and the minds of passengers when the EU General Data Protection Regulation (GDPR) comes into force across the European Economic Area (EEA) on 25 May 2018.
Companies need to audit their existing processes and take necessary action now, as non-compliance can result in large fines and reputational damage. There are also commercial benefits to effective compliance: companies which protect the privacy of their passengers, employees and business associates and conduct properly targeted marketing campaigns will be more likely to attract and retain business and staff.
We set out below some of the issues to consider and how you can action them and demonstrate GDPR compliance.
Will the GDPR apply to non-EEA companies?
> The GDPR will apply to data processing carried out by companies based in the EEA. However, it will also apply to companies based outside the EEA which have an office within the EEA or offer goods or services in the EEA or to individuals based in the EEA.
> For example, a carrier based in China must comply with the GDPR if it has an office in the UK, operates flights into or out of the UK, or transports any UK-based passengers.
What personal data do you hold, where and why?
> The aviation sector typically holds a considerable amount of information on each passenger, including their name, contact details, passport number and payment details.
You should carry out audits on collected personal data to enable you to ascertain:
• what types of data you hold;
• why you hold it;
• where and in what format it is stored;
• how long it is retained; and
• who has access to it.
> Consider whether your systems need updating to ensure adequate data security, whether access to data should be restricted to certain individuals, and whether data should be deleted if no longer required after a certain period.
What is your lawful reason for processing personal data and how do you record that?
> The processing of personal data will be lawful if it satisfies one of the following lawful processing conditions: consent from the data subject; necessary for the performance of a contract; compliance with a legal obligation; protection of the vital interests of an individual; public functions; necessary for the purposes of the legitimate interests of the data controller or a third party.
> Consent will be harder to obtain under the GDPR. You may lawfully process an individual’s data if they freely consent to it being processed for a specified purpose, but you must be able to demonstrate their consent for that specified purpose rather than generic consent. Consider whether adequate systems are in place to record consent, whether it is sufficient to add clauses to your Terms & Conditions, and whether a separate pop-up during the booking process is necessary to draw attention to the consent requirements.
> Processing of data relating to underage individuals requires parental consent. In the UK the relevant age limit will be 13 years old but this will differ for each Member State.
> Where consent has not been obtained from individuals it is likely the aviation sector will rely mainly on processing necessary for the performance of a contract and legitimate interests processing.
> Check that individuals on marketing databases have been given the opportunity to opt out from direct marketing when their contact details were first collected.
Do you hold any ‘special categories of data’?
> Except in certain circumstances, the GDPR prohibits the processing of ‘special categories of data’ which includes data revealing an individual’s racial or ethnic origin, sexuality, political opinions, religious beliefs, trade union membership, or relating to health (including genetic and biometric data).
> In an aviation context, ‘special categories of data’ could include:
• a passenger’s meal choice (e.g. Halal or Kosher);
• a request for assistance (e.g. wheelchair or other equipment);
• notification of a medical condition (e.g. a peanut allergy or pregnancy);
• data relating to security (e.g. images from full body scanners and biometric passport data); and
• crew/employee data (e.g. health information and ethnic monitoring data).
> Permitted reasons for processing ‘special categories of data’ include where an individual has given explicit consent to the data being processed for a specified purpose or where the data is necessary for the purposes of the individual’s employment, so consider incorporating processes for individuals to give explicit consent when providing this sort of data.
Who do you share personal data with, why and what controls do you have in place to protect that data?
> Most, if not all, aviation companies share personal data with service providers or other third parties (e.g. codeshare partners, travel agencies, catering suppliers, passenger assistance service companies, cloud storage providers).
> Make sure that your contracts with third parties have been revised to include the necessary data protection provisions. Consider asking third parties to complete an audit questionnaire to confirm that they are aware of and compliant with their responsibilities under the GDPR, including their duty to report data breaches and to notify changes to their data processing systems (e.g. offshoring).
> If you transfer data within the EEA, you will need to appoint a Lead Supervisory Authority (LSA). Check for any country-specific guidance published by the LSA or any secondary legislation enacted in that jurisdiction and seek assistance from the LSA on any areas of ambiguity.
> If you transfer data outside the EEA, you will need to consider whether any exemptions for transfers of personal data outside the EEA apply. If not, assess whether the requirements for transfer are met. In the case of multinational companies, consider adopting Binding Corporate Rules.
How do you deal with and report data breaches?
> Personal data breaches do not currently need to be reported to supervisory authorities and the UK Information Commissioner’s Office recommends doing so only if the breach poses a high risk to individuals. However, the GDPR requires mandatory reporting within 72 hours of becoming aware of a breach and notifying the data subject without undue delay in prescribed circumstances.
> Ensure that systems and processes are in place to notify a personal data breach to the relevant supervisory authority within the 72-hour period and to notify the data subject.
> Create and maintain a register of data breaches including details of how the breach occurred and what steps were taken to resolve it.
> Consider taking out a cyber and data risks policy as an extra layer of protection.
What processes do you have in place to deal with improved rights for individuals?
> Currently, a subject access request (SAR) carries a fee of £10 and companies must respond within 40 days. Under the GDPR, SARs are free and a response is required ‘without delay’ and in any event within 1 month.
> Ensure processes are in place to deal with requests from individuals (passengers and employees) making data subject access requests and that responses are given within the period permitted for response.
> Ensure that staff responsible for handling personal data know how to deal with the new rights, including how to delete data if requested and how to provide data electronically.
Is your Privacy Notice GDPR ready?
> Consider implementing “just in time” notices (such as a text box which appears on the screen when the individual starts to input personal data) to explain how that information will be used.
> If you collect information on individuals from third parties (such as travel agents) ensure that the individuals are aware that you are processing their data and consider amending contracts with the third parties to ensure that this is done.
Do you need a Data Protection Officer?
> Designate someone to take responsibility for data protection compliance.
> Assess whether you are required to appoint a Data Protection Officer, or whether you wish to appoint one voluntarily (this may be advisable for companies which hold a lot of passenger data) and make arrangements accordingly.
> Consider outsourcing your data protection compliance and/or Data Protection Officer responsibilities to a specialist organisation which can provide such services.