This document explains:
- What is GDPR?
- How does GDPR affect Internova and its Customers in the processing of Traveller Personal Data?
- What actions is Internova taking to address GDPR readiness?
This document is intended to inform Internova’s Customers about our compliance readiness activities related to the processing of Personal Data (defined below) under the General Data Protection Regulation (“GDPR”), and not necessarily those of our independent reservation agents or travel consultants. Our hope is that this document will address questions you may have about Internova’s GDPR readiness activities as it relates to using Internova as a travel booking services partner. In it, we describe how Internova services operate, and explain Internova’s role in providing marketplace services. This document may also be used by Internova Account teams and independent reservation agents and unaffiliated travel consultants when answering questions from Internova Customers about Internova’s GDPR readiness. This document is not intended to constitute legal advice.
The EU General Data Protection Regulation went into full effect on 25 May 2018. GDPR represents an overhaul of existing European Union (“EU”) data protection law, building on existing Privacy Principles, and introducing particular focus on documentary evidence and Privacy by Design and by Default. These are the GDPR requirements of Transparency and Accountability. GDPR applies to companies with physical operations and employees in the EU. It also applies to companies that are not established in the EU, but either offer goods and services to individuals in the EU or monitor the behavior of individuals in the EU.
GDPR applies to certain Personal Data that Internova may process about EU data subjects. “Personal Data” under GDPR is a broad term that includes any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For booking and travel-related services, this would include processing of traveller data, such as data received by Internova in the context of bookings and other travel-related services (Traveller Personal Data) and, to a limited extent, Personal Data of employees and independent contractors of Internova Customers (Customer Personal Data) – e.g. information that Internova may collect about Internova Customer employees required by Internova to provide booking and travel-related services.
Internova has put in place a program to address the requirements that GDPR imposes on Internova, both as a Data Controller (the entity that determines the purposes and means of processing of Personal Data), and as a Data Processor (where Internova is processing Personal Data on behalf of a Data Controller).
ROLES AND OBLIGATIONS UNDER GDPR
Under GDPR, legal entities established in the EU either as a Data Controller or a Data Processor are in scope of the regulation. A Data Controller is a legal entity that determines the “purposes and means” for which Personal Data is collected, used, or otherwise processed. In this capacity, Internova would exercise overall control over the “why” and the “how” of a data processing activity for Personal Data. By contrast, a Data Processor is a legal entity that processes Personal Data on behalf of a Data Controller.
DATA PROTECTION POSITIONING UNDER THE GDPR
In relation to the booking or travel-related services it provides, Internova has determined that it is a Data Controller of the Traveller Personal Data processed for the purposes of making reservations or issuing tickets. This includes air, rail, cruise, or hotel bookings made through a Computer Reservation System. The factors that Internova relied on to reach this determination include that Internova exercises independent judgment about:
- whether to collect the Personal Data in the first place and the legal basis for doing so;
- which items of personal data to collect, i.e., the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, to whom;
- whether subject access and other individuals’ rights apply, i.e., the application of exemptions; and
- how long to retain the data or whether to make non-routine amendments to the data.
The positioning of Internova as a Data Controller, however, does not mean that other parties involved in the processing (carriers, hotel chains, or other travel service providers) take the role of Data Processors. Several independent Data Controllers may be involved in the same traveller reservation and ticketing transaction. Hotel chains, travel agencies, and corporations could also be Data Controllers of the traveller reservation and ticketing transaction. These Data Controllers each determine the purpose of the processing of the Personal Data in parallel.
Privacy inquiries – Appointment of a Data Privacy Officer (“DPO”)
Article 37 of GDPR requires the appointment of a DPO in certain cases. Internova has concluded, however, that Internova’s processing of Traveller Personal Data will not require Internova to appoint a DPO, for two main reasons. First, Internova does not regularly and systematically monitor data subjects on a large scale. Second, Internova does not process special categories of data on a large scale, nor does it process data related to criminal convictions and offenses. Even though we will not formally appoint a DPO, Internova has put a structure in place to address privacy matters. The point of contact for inquiries about data protection will be the Privacy Department.
Internova GDPR Program Readiness
Internova has initiated a formal GDPR program to oversee and coordinate GDPR related activities across all functions and business units, which is divided into several project streams. One project stream covers the processing of Traveller Personal Data.
For the processing of Traveller Personal Data through the Internova’s booking and computerized travel systems, we have identified the GDPR requirements that need to be met:
- Data Mapping
- Register of processing
- Privacy by design and by default
- Security measures
- External privacy statements
- Data subjects rights
- Data breach notifications
- Vendor management
Internova will comply with applicable requirements in its position as a Data Controller, including those related to Privacy Notices. A privacy notice is necessary to comply with requirements under Article 14 of GDPR – Information to be provided where personal data have not been obtained from the data subject. This notice is made available to Internova Customers, and can be found by here.
If you have questions about this GDPR Information Guide, please contact the Privacy Department at firstname.lastname@example.org. Thank you.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016) (“GDPR”).