Knowledge Platform

Protection of Personal data: The Current Regime

The current EU data protection regime is enshrined in Directive 95/46/EC, which sets out the minimum standards for ensuring the protection of personal data when it is obtained or otherwise processed.

The aim of the Directive is to provide a consistent protection of personal data across Member States. In practice, however, as the Directive has been implemented into the national law of each member state through secondary legislation, this has created an inconsistent, fragmented and varying approach at a number of levels including for example for the compensation of personal data breaches.

Travel service providers (or any platform developed to provide for the ticketing of multi-modal travel) under the current regime will be subject to the EU data protection regime if customer data is processed or collected either on site, or online via a website or web platform (i.e. where cookies have been placed on the computer of a user within the EU [25]) in any EU member state.

In order to ensure compliance with the regulatory regime therefore, travel service providers must have processes in place to ensure that data is:

1.  processed fairly and lawfully;

2.  for limited purposes (i.e. for the purpose of the customer travel bookings);

3.  adequate, accurate and not excessive;

4.  accurate and where necessary, up to date;

5.  not kept for longer than is necessary;

6.  processed in line with the data subject's rights; 

7.  secure; and

8.  not transferred to countries outside the EEA without adequate protection.

Sensitive personal data such as information relating to a person’s health or medical condition – for example if a passenger is disabled and requires special assistance – is subject to data protection law. This usually means that a data controller/processor is likely to require the passenger’s explicit consent before it can share such sensitive data with any third parties. Obtaining and capturing this ‘consent’ process is something that will need to be considered when developing either the online platform of agent interface.

In addition to the above, it should be noted that there are further specific requirements where data is transferred outside of the EEA.

In order to ensure compliance with the above, the data controller must ensure that it has the administrative capacity to notify relevant national regulators that they are processing personal data and to respond to subject access requests.

Data Controller is defined in the Directive as:

“…the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law”

It should be noted that more than one data controller may be involved in respect of the same data.

Data Processor is defined in the Directive as: 

“…a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”.

Transport service providers, and agents involved with multi-modal ticketing may well at various times be considered data controllers and data processors and should be aware of their obligations under the Directive.

Legal liability under the Directive rests with the data controller regardless of whether any personal data is processed by a third party.

The use of third party processors is not new and all public and private transport service providers should already have a series of contractual arrangements in place with such third parties to ensure compliance with the regime and to ensure that they are adequately protected by way of an indemnity in the event of any data breach. 

[25] See

[26] Whether or not a party acts as a data controller in respect of customer data will depend on the extent to which the party has control over the manner and purpose for which it processes the customer data. For example, a travel agent who takes the booking and then processes the data in order to make the necessary travel arrangement for the booking will normally be acting as data controller in respect of that data and will therefore be required to comply with the data protection law in the relevant member state in respect of its processing of that data.

In terms of the travel service providers, it will depend on the extent to which they have any control over how they process the passenger data. If they are only using the data in order to provide the necessary travel arrangement as they are instructed by the travel agent (e.g. on the date and time and specific service determined by the travel agent), then they may be acting as the travel agent’s data processor. However, if the travel service providers have some control over the manner and purpose for which they process the passenger data then they may be acting as a data controller in their own right. This might be the case, for example, if the travel service provider will need (or wants to be able) to contact the customer direct itself in order to obtain further details or confirm details relating to the travel arrangements or to take payment, or if they want to use the data otherwise for the travel service provider’s own marketing purposes.

If there is a centralised computer system, the IT contractor(s) which design/host the platform will normally be acting as data processor, but it will be a question of fact depending on how much control they have the manner and purposes for which they process personal data.

See further ICP guidance on this point: