Knowledge Platform

Protection of Personal Data: The new Regime

The existing Data Protection regime is currently under review and is set to be replaced by a new Data Protection Regulation. The Regulation is currently in draft form and is in the process of going through the European legislative procedure, and it is expected that the final version of the draft Regulation will be agreed in early 2016 and will be brought into force in 2018.

As the new legislation will be a Regulation (rather than a Directive) it will be binding on all data controllers in all member states immediately upon coming into force without the need for implementation by the member states. The intention behind this is to harmonise data protection procedures and enforcement across all member states in the EU – which will enable the development of a multi-modal transport ecosystem by streamlining the data protection policies of all travel service providers, across modes and across member states.

One of the key changes proposed under the new Regulation is that obligations will be placed directly on data processors and not just on data controllers. In future, under the new Regulation, data controllers and data processors will be jointly liable for any breach of the data protection laws, until it is proven which party is responsible for the breach.

This is significant and means that once the new Regulations come into force, the travel service providers will be required to comply with the data protection regime (and will be liable for data breaches) whether or not they are acting as data controllers or data processors.

Under the draft Regulation, data controllers will also be required to enter into a contract with their data processor which must contain specific provisions including for example an obligation on the data processor to act only on the instructions of the controller and to comply with appropriate security obligations.

Whether or not it is expected that the travel service providers will be acting as data processors or data controllers in their own right, parties should consider entering into a contractual arrangement, under which the parties agree who will take what responsibilities in respect of the customer data, for example, who is responsible for updating / deleting data (along with agreed retention periods), the agreed format for any data submitted into the system, any agreed security procedures which the parties are going to be obliged to comply with, agreement as to who will be responsible for data subject to access requests, who is responsible for data breaches and appropriate indemnities, etc.

Whilst not an exhaustive list, other potentially significant changes which have been proposed under the draft Regulations are:

 Individual data subjects are likely to have significantly expanded rights, including a new ‘right to be forgotten’ (i.e. a right to request that a data controller delete any personal data held about them). Any platform or interface will need to enable this functionality.

 New obligations on data controllers, including an obligation to carry out a formal privacy impact assessment in relation to new projects and an obligation to appoint a data protection officer.

 Both data controllers and data processor will be required to maintain documentation relating to all processing operations under their responsibility (excluding organisation employing fewer than 250 persons).

 New very detailed requirements for privacy notices which mean that data controllers will have to give detailed information to data subjects about how they will be processing personal data, including specifically how long they are going to keep the personal data. This