Airline companies, transfers and processes personal data on massive scales, which puts them in the spotlight of GDPR. With the introduction of EU General Data Protection Regulation (GDPR) in May 2018, many companies have been required to change their personal data policies reacting the potential liabilities that they may face under GDPR with regards to personal data of residents of European Economic Area (EEA). Airlines need to audit their current data processing systems and take necessary steps since being non-compliant with GDPR may cause them to lose reputation and pay heavy fines.

GDPR Applies to Non-European Companies As Well

The GDPR applies to all companies processing and holding personal data of data subjects (passengers, employees, etc.), residing in the EEA, regardless of the company’s location. For example, a carrier based in Turkey must comply with the GDPR if it has an office in Germany, operates flights into or out from the Germany, or transports any passenger resident in Germany. The purpose of the regulation is to regulate how companies, authorities and organizations that work within the EEA can collect, access, store and manage personal data and to give EEA residents better control over how their data is used, if at all.

Personal Data Processing under GDPR

Airline companies can process the personal data of its consumers passengers in some certain conditions, without violating GDPR.: if they receive consent from the data subject; if data processing is necessary for the performance of a contract; if they are holding the data for the compliance with a legal obligation; if data processing is necessary for the protection of the vital interests of an individual; and it is necessary for the purposes of the legitimate interests of the data controller or 3rd party. Where consent has not been obtained from individuals, in the aviation sector it is possible to claim as relying on processing necessary for the performance of a contract and legitimate interest in processing.

According to GDPR, obtaining consent is necessary for lawfully processing an individual’s data. If the passengers freely consent to their data being processed for a specified purpose, company shall be able to demonstrate their consent for that specified purpose rather than general consent. That means, if a company needs the information about customer for booking a ticket, the company should obtain a consent from the customer for processing her/his data.

GDPR gives enhanced rights to data subjects such as right to be forgotten and the portability of personal data. Data subject can request erasure of data from companies in case the data is no longer needed for the purpose for which the consent was taken. Also, the data subject can ask company to disclose the identity of third parties whom the data is disclosed. In these situations, company should make sure the date is erased and third party related disclosure adequately made.

For that reason, companies must make sure that the consent of the data subject taken in clear, plain and simple text (separated from terms and conditions). Besides the data subject shall be aware of the purposes for which data is collected and processed and be able to make informed decisions. If the companies are able to make sure they took these precautions, they can hold and process personal data being compliant with GDPR.

Special Categories of Data, a Red Flag

To comply with the GDPR, airline companies should be more careful as to storing and processing ‘special categories of data,’ which includes data revealing an individual’s racial or ethnic origin, sexuality, political opinions, religious beliefs, trade union membership, or health (including genetic and biometric data). In an aviation context, ‘special categories of data’ could include a passenger’s meal choice (e.g. Halal, Kosher or Vegetarian), a request for assistance (e.g. wheelchair or other equipment), notification of a medical condition (e.g. celiac or pregnancy), data relating to security (e.g. images from full body scanners and biometric passport data) and crew/employee data (e.g. health information and ethnic monitoring data).

Only in certain circumstances, airline companies are allowed to process ‘special categories of data’ including where a passenger has given explicit consent to the data being processed for a specific aim. The passenger of airline has given consent to process his/her special personal data for the purpose of flight booking and boarding Then companies may consider incorporating processes for passengers to give explicit consent when providing this sort of data, for example providing privacy notice to the passenger explaining why the airline companies needs to collect, record and store these kind of data. In this regard they may send an e-mail confirmation about the data categories being processed, purposes of data processing, the procedure to transport data and the passenger’s right to be forgotten. By doing so passenger can be informed about the personal data and its categories being processed. Consequently, informing the passengers may help gaining their consent.

Sharing with Third Parties

Airline companies generally share personal data with third parties such as service providers, travel agencies, catering suppliers, passenger assistance service companies etc. The contracts concluded between companies and third parties have to include the necessary data protection provisions requiring third parties to take adequate measures for data security and protection. Third parties must be aware of and compliant with their responsibilities under the GDPR, including their duty to report data breaches and to notify changes to their data processing systems. If the company is not EEA based and transfers data outside the EEA, maybe any of the exemptions for transfers of personal data outside the EEA can be applied. If not, companies should check whether the requirements for transfer are met.