The Irish Data Protection Commissioner (DPC) will conduct an audit exercise on travel organisations and engage with representative associations to ensure they are aware of their obligations under current data protection legislation and the upcoming General Data Protection Regulation (GDPR).
The news follows the DPC's participation in the 2017 Global Privacy Enforcement Network (GPEN) Sweep. GPEN is an informal, international network of data protection agencies. In the sweep, 24 data protection agencies reviewed 455 websites and applications across a range of sectors to examine "privacy communications and practices in relation to user controls over personal information" – in other words, online privacy policies and other communications to service users regarding privacy and the use of their data. The DPC was responsible for investigating travel organisations as a specific sector, as well as the use of e-receipts.
The DPC examined how travel organisations obtain personal data online, how they communicate with users on their data processing operations and the ease with which users can exercise their rights in the course of using online travel services in Ireland. One of the key findings was a general lack of transparency towards individuals regarding the processing of their personal data. The DPC expressed concern that some organisations "are not communicating the details of personal data processing to data subjects in a concise, transparent, intelligible and easily accessible form." The GDPR, which comes into force on 25 May 2018, emphasises transparency as a key principle to be observed by all who process the personal data of individuals.
As regards e-receipts, the DPC found that "in 94% of cases, retailers offering e-receipts to customers provided no information on their websites with regard to the processing or deletion of e-mail addresses gathered for this purpose." It also found evidence of e-mail addresses, collected for the purpose of sending e-receipts, being used to send marketing material. The sending of marketing material by e-mail without appropriate consent is a criminal offence under the current Irish rules and this area is actively enforced by the DPC. The DPC will soon publish guidance for retailers on best practice in the use of e-receipts.