GDPR for Travel Companies + FREE GDPR Framework

by | May 11, 2018

GDPR for Travel Companies + FREE GDPR Framework
21 min read

When Paul Hewett, Commercial Director of In Marketing We Trust met Tim Bell, Managing Director of DPR Group (Data Protection Representatives Group) at SXSW earlier this year, IMWT partnered with DPR to bring you this webinar on GDPR for Travel Companies + a FREE GDPR framework to help you comply.

Skip the content. Download your FREE GDPR framework now.

download button

GDPR for Travel Companies + FREE GDPR Framework

What you need to know and do

Table of Contents

View our webinar slides on GDPR for Travel Companies below:

Disclaimer: The information below provides general comments on the obligations under GDPR and some actions which can be taken to move towards compliance. It is not intended to be a comprehensive description of GDPR, and is not a substitute for full legal advice, which should be sought before drawing any conclusions on your particular circumstances.

in marketing we trustGDPR for Travel Companies: Explained Simply

What we’ll cover:

  1. Why GDPR matters to non-EU companies
  2. Why GDPR matters for travel companies

Personal data

Personal data is growing. Each day we leave a trail of personal data across the web which is being collected by companies. And the volume of personal data just keeps growing. By 2020, the total amount of data is set to exceed 50 ZettaBytes, that’s equivalent to an audio recording of every word spoken by every human.
GDPR for Travel Companies: Personal Data is Growing
We are moving from storing and processing structured data to unstructured data, including images, audio and video. Much of this data is personal to us as consumers, including videos, photographs and other personal metadata, including IP and behavioural data. All of our digital interactions leave a trail of personally identifying metadata. There is growing concern about how this data is collected, processed and used, resulting in the GDPR.
Alibaba is at the forefront of this technology and the commercial applications and opportunities are incredible. For instance, as a hotel or a cruise liner, you could track your guests around a property or a ship to gain intelligence of preferences. You could discover which restaurants and bars they occupy the most and whether they make use of the spa, gym or smoking area.
GDPR for Travel Companies: When Personal Data Goes Bad

When Personal Data Goes Bad

While the use of personal data can be positive, there are some emerging downsides to sharing personal data so publically.
In China, Police are using mass facial recognition surveillance to monitor citizens. In a number of cities in China, jaywalkers are under surveillance. Their face is scanned and 15 seconds of their error is recorded. The images and video are then posted on social media and large screens to publically shame them. The personal data is stored in a police database.

When Personal Data Goes Bad: A Timeline

FacebookGDPR for Travel Companies: Facebook
  • 2011: Max Schrems brings action against Facebook in Ireland for breach of privacy laws – Facebook disables facial recognition software
  • 2013: Following Snowden revelations, Schrems brings further action, resulting in collapse of US-EU ‘Safe Harbour’ for data transfers
  • 2018: Belgian data protection authority requires Facebook to stop tracking non-Facebook users and delete data collected unlawfully using cookies (fined $311,000 per day for non-compliance)


GDPR for Travel Companies: WhatsAppWhatsApp
  • 2016: WhatsApp lose case in Holland for not appointing a local Data Protection Representative – €1m fine
  • 2017: French data protection authority demands WhatsApp stop sharing data with (owner) Facebook


UberGDPR for Travel Companies: Uber
  • 2016: UBER suffers massive data breach, losing the personal data of around 57,000,000 drivers and passengers
  • 2017: UBER admit to data breach and paying off the hackers


in marketing we trustIntroducing Global GDPR

What is the GDPR and why you NEED to know about it.

What is the GDPR

  • EU law on data protection and privacy
  • For all individuals within the EU
  • Gives individuals within the EU control of their personal data
  • Replaces the 1995 Data Protection Directive
  • Adopted into law 27 April 2016
  • Becomes enforceable 25 May 2018


Why GDPR Matters to You

GDPR is directly enforceable against Australia, Asian, American and all non-EU companies.

GDPR is Global

  • GDPR brings increased ‘Territorial Scope’
  • Any organisation which collects and/or processes the data of EU data subjects is required to meet the obligations of the GDPR



The risk for your organisation is significant

  • Large non-compliance fines
  • Globally enforceable
  • From 25 May 2018

GDPR for Travel Companies: Penalties

Penalty Potential

GDPR for Travel Companies: Penalty Potential

Global Enforceability

Authorities intend to enforce globally. It’s not in the EU’s interest to allow non-EU organisations breach data protection laws.

GDPR is an Opportunity

Consumers are becoming more data savvy by the day. Getting data privacy is a good business decision.

  • Tell your customers why you need their data
  • Tell them what you’re doing with their data

Be transparent. Tell your customers what you’re doing and why.

  1. Ask your customers for consent to use their data.
  2. Tell your customers what you’ll do with the data.
  3. Tell your customers how you’ll protect their data.


in marketing we trustTravel Companies Need to Pay Close Attention

Most travel businesses are global, whether they like it or not.

Travel is a Global Market

GDPR for Travel Companies: Hidden EU CustomersTravel websites are more at risk than most other ccTDL websites because they attract non-domestic customers.
If you take a hotel, car rental or theme park in Singapore for example, this product is of interest to global customers. Therefore, they are likely to attract EU users to their website. If the website is not setup for GDPR compliance, there is a risk of fines.
If you’re like other online travel companies, it’s likely you’re capturing data from EU users already. Even if you have country code top-level domains.
Travel is a unique category when it comes to GDPR. If you have a travel product based outside the EU, travellers from within the EU may be looking for your .au or .sg website.

How it Works

GDPR for Travel Companies: Capturing Personalised DataYou may be capturing personalised data the minute your web tags start firing. Some of this is personal data. If you take a look at your standard website through an EU lens, cookies have the potential to capture personal data which is covered under the GDPR. IP addresses are also classed as personal data.
When a visitor uses your website, 4 types of cookies are typically served:

  1. Analytics: web analytics such as Google or Adobe
  2. Anonymous: other anonymous cookies
  3. Personalisation: storing useful information that will make your experience better
  4. Advertising: DoubleClick, remarketing and IP forensics

Beyond this, we move to more transparent forms of data capture, including forms, progressive profiling and transaction data.
Consent is required from UK website users to activate cookies which track user behaviour.

PII Data

You may even be capturing high-risk PII data in your web analytics. Most of the web analytics accounts we see have PII info in them. This is bad news for 2 reasons:

  1. It’s a breach of the GDPR
  2. It’s a breach of Google’s Terms of Use

If Google catches you, your account will be terminated without warning and your data destroyed forever.
GDPR for Travel Companies: PII Data

in marketing we trustGDPR Compliance Obligations for Travel Companies

What you need to know about GDPR as a non-EU company

GDPR Concepts

There are three parties:

  1. Data subject – the person who could be identified by the personal data
  2. Data controller – the organisation which determines how the personal data is processed
  3. Data processor – an organisation which processes personal data on behalf of the data controller

GDPR for Travel Companies: GDPR Concepts

Key concept

GDPR for Travel Companies: Key ConceptThe data subject owns their personal data.
As a data controller or processor, you may collect and use the data with the strict permission of the data subject (some exclusions within Article 6).
In most cases, the data subject has the right to access and restrict use of their personal data.
The controller can collect and process the data only with a lawful basis, which is assumed as consent.
The data subject can access their data free of charge.
As the controller you’re responsible for the proper processing of the data.

What is a Data Subject?

The “data subject” is a human. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject Rights

  1. The right of access
  2. The right to rectification
  3. The right to erasure
  4. The right to restrict processing
  5. The right to be informed
  6. The right to data portability
  7. The right to object
  8. Automated decision making



  • Lawfulness, fairness and transparency
  • Purpose Limitation: specified, explicit and legitimate purpose
  • Data Minimisation: adequate, relevant and limited to purpose
  • Accuracy: accurate and up-to-date
  • Storage Limitation: no longer than is necessary for the purpose
  • Integrity and Confidentiality: appropriate security
  • Accountability: be responsible and demonstrate compliance


Your Obligations

Privacy by design and default

  • More ‘state of mind’ than law
  • Requires organisations to have data protection ingrained in their culture

You must have a lawful basis for collecting and processing data.

  • Typically, assumed to be consent
  • Freely given, specific, informed and unambiguous
  • Clear affirmative action (pre-ticked box not adequate)

But there are other justifications for processing personal data, including:

  • Contractual obligation
  • Legal obligation
  • Vital interest to individual
  • Public interest
  • Legitimate interest


Data Protection Officer

Organisations that must appoint a Data Protection Officer:

  • Public authorities
  • Core activities involve ‘regular and systematic monitoring of data subjects on a large scale’
  • Core activities involve processing of ‘sensitive data’ on a large scale

The Data Protection Officer is required to manage and oversee the data protection program. They can be outsourced – with care, though we recommend appointing someone internally.

EU Data Protection Representative

An organisation must appoint an EU Data Protection Representative where:

  • It processes the data of individuals in the EU
  • It is not established in the EU
  • (Exclusions apply for public sector, “occasional” processing)

The purpose of the EU Data Protection Representative is to allow EU-based persons and authorities to contact the processor. This obligation does not apply to EU-based organisations.
Although this obligation is hidden, failure to comply is clear – the Representative should be clearly identified to allow contact.

Processing Agreements

Where the data controller appoints a data processor, there must be a contract which sets out:

  • Subject matter, duration, nature and purpose of the processing
  • That the processor will only process on the instructions of the controller
  • Any non-EU countries where the personal data will be processed
  • And more …

Where the data processor appoints a sub-processor, an equivalent contract must be put in place between the processor and sub-processor.

International Transfer

When transferring data across international borders there must be adequate protections in place. Some countries have been granted ‘equivalent’ status, confirming a level of legal protection of personal data equivalent to that in the EU. Equivalent countries include, Argentina, Israel, New Zealand and Canada (commercial organisations only).
For US-EU transfers, the privacy Shield has replaced the Safe Harbour agreement, post-Snowden. The Privacy Shield is open to criticism under GDPR if the US can’t give sufficient reassurances about government interception of data. Organisations who wish to benefit from Privacy Shield must self-certify to the Department of Commerce.

Privacy Notice

Where personal data is collected, the data subject should be informed:

  • The identity of the Data Controller and Data Protection Officer (if applicable) and how to contact them
  • Why and where their data processing is being undertaken (including safeguards if being sent outside the EEA)
  • How long the data will be kept
  • The data subject’s right to object to the processing


Subject Access Request

A data subject (the individual) can issue a request to an organisation which is a data controller of their personal data to request (among other things):

  • Details of the personal data they hold
  • Correction of the personal data
  • Erasure of the personal data (the “right to be forgotten”)

Your obligations regarding subject access requests:

  1. Must respond within one month (30 days)
  2. Cannot charge for response
  3. Can refuse excessive requests


Data Breach Notifications

Where there has been a breach of personal data which could impact the rights and freedoms of the individual, the data controller must inform the relevant EU national data protection authorities within 72 hours of becoming aware. If a high risk to the data subject, they must also be informed directly. The processor is obliged to inform the data controller “without undue delay”.

Data Processing Record

An organisation must keep records of its processing activities for inspection. This should include:

  • What processing is undertaken
  • On what data
  • For what purpose
  • How the rights and freedoms of individuals are protected

An organisation must undertake an assessment of the impact on individuals’ rights when undertaking new processing activities, particularly when using new technology. This should also include the above information.

in marketing we trustGDPR: How to Comply

We’ve created a GDPR (& Data Protection) Compliance Framework to help Data Controllers and Data Processors become compliant. Get your Free GDPR Framework now.
Here’s a summary of what to do …

GDPR for Travel Companies: Understand Your RiskUnderstand Your Risk

Evaluate your user, customer and employee data. Is there any data from within the EU? If the answer is yes (even 1 person), you are required to comply with the regulation.

Appoint Your Data Team

  1. Appoint a Data Protection Officer
  2. Appoint an EU Representative
  3. Appoint Data Protection Champions


Compliance Gap Analysis

GDPR for Travel Companies: Understand GapsConduct a compliance gap analysis against 4 criteria:

  1. Transparency & Lawfulness
  2. Individual Rights
  3. Accountability & Governance
  4. Security, international transfers and breaches


Know Your Data

  • Know every data flow within your business
  • Identify where the data is
  • Identify where the data goes
  • Identify who has access
  • How long you need it for
  • If it is a risk
  • If it is being transferred outside the EU


Document Processors

  • Identify all your processors and sub-processors
  • Ensure they are compliant
  • As a controller it’s your responsibility


Process for Data Events (Requests)

  • Ensure your staff and customers have a method to make a subject access request
  • Make sure you have a process to handle the request


Assets & Process

  • Get your assets together
  • Get your processes together
  • Communicate them
  • Add a privacy notice to your website


Train Your Team

  • Training is not a tick box exercise
  • Train your staff on personal data protection
  • Train your leaders on personal data protection
  • Personal data protection as a concept
  • Personal data protection as a culture


Contact us for more information

Many thanks to Paul Hewett and Tim Bell for putting together this presentation. If you would like to request more information, you can contact them below.

 GDPR for Travel Companies: Paul Hewett  GDPR for Travel Companies: Tim Bell


Commercial Director

In Marketing We Trust


[email protected]


Managing Director

DPR Group


[email protected]


in marketing we trustFREE GDPR Framework


  1. Download your FREE GDPR Framework below
  2. Click the “copy base” button on the top left
  3. Sign Up for an Airtable account to save

Kirsten Tanner

Recommended for you

Get Our Newsletter

Sign up for our newsletter and receive monthly updates on what we’ve been up to, digital marketing news and more.

Your personal information will not be shared, and we don’t like mail spam or pushy salesmen either!