The new European Union General Data Protection Regulation (GDPR), which will officially go into effect on May 25, two years after being adopted by European Parliament, will impact businesses both inside and outside of Europe, including travel agencies around the world.
Two of the largest distribution systems in the world, Sabre and Amadeus, spoke with Travel Market Report about what this means for them and what agents should know about the GDPR and how it impacts their GDS dealings going forward.
“Sabre takes privacy and data protection very seriously,” Sabre Data Privacy Officer David McKinney told Travel Market Report.
According to McKinney, Sabre has formed a “cross-functional project team and dedicated significant global resources” to deal with the implementation of the new rules. That includes adopting new legal requirements that will satisfy new GDPR requirements, and putting out new customer and supplier contracts to address the new rules.
“Where necessary, we have refined our system capabilities to accommodate new data subject rights request and revised in-scope policies," McKinney said. "We monitor the evolving regulatory landscape and will implement additional changes as appropriate.”
McKinney explained that Sabre has also put together a new website that will answer questions from customers about the new rules, including how Sabre is training its own employees on the GDPR, and a new dedicated email address to answer questions and concerns from customers.
Amadeus, which serves more than 195 countries on more than 948 million key billed travel transactions each year, said that it will comply with all GDPR rules on its hospitality website.
“Amadeus will comply with the contractual obligations it has with Customers and with direct responsibilities it may have as a Data Processor under the GDPR, this will include ensuring the appropriate organizational and technical measures in place to protect the Personal Data,” its website reads, though it says that it cannot confirm that any of its products or services are compliant.
Amadeus released an enhancement to its e-ticket and itinerary documents earlier this year that will enable its customers to be compliant with the IATA GDPR mandate (http://insights.sca.amadeus.com/Amadeus_Scandinavia_Product_news/iata-gdpr-compliance-in-eticket-and-itinerary-documents/).
Broad advice for travel agents
Sabre's McKinney said that the new rules are “a concern for North American travel agents who target customers who are EU residents,” though Sabre is “not in a position to provide legal advice or to advise what actions are required by our customers.”
He provided Travel Market Report with a brief overview of what the GDPR requires, which includes that “data considered ‘personal’ must be protected and processed only as permitted; access to this date is controlled and restricted contracts with third-party processors must contain certain specific terms,” and more.
He also pointed out that some larger agencies that have a lot of European clients, may need to look to outside help or add a member to their team, McKinney said.
“Because the GDPR is complex, some companies will require the appointment of a data protection officer … we recommend that companies review the requirements of the GDPR and decide if they need to speak with their legal counsel to determine its applicability to their business,” he said.
For agencies that do not have the ability to look to counsel or outside help, there is a one-hour presentation on the new rules available here that Sabre also recommends.
Amadeus told Travel Market Report that, “it is of crucial importance for travel agents to understand their role under GDRP, as it might have repercussions in the way they work or operate.
“The role that travel agencies have under GDPR will need to be determined by each of them depending on the services they provide. It is likely that travel agencies and other travel suppliers such as airlines, hotels and car rental companies (travel providers) will be considered as data controllers for the majority of processing activities.”
A data controller is the party that determines the means and purpose of the processing of the personal data.
According to Amadeus, agents “need to consider how they want that personal data to be processed, especially when working with third-party providers.
“The travel agency should ensure there are written agreements – data processing agreements – with these data processors, to make sure their standards and security measures to protect the personal data and other requirements under the GDPR are met,” the spokesperson said.