Q: Our agency is targeting European Union residents with two programs we are developing for them: On the corporate side, we are offering incentives to encourage the EU employees of our U.S. clients to book through us; on the leisure side, we are going to organize incoming "Visit USA" packages for groups of client employees and others. So I understand that, in both cases, we must comply with the new EU General Data Protection Regulation (GDPR). Here's my problem: In your April 9 Legal Briefs column, "Marketing to Europeans? Take these steps on personal data," you wrote that we "must have an agreement with every data processor, including every travel supplier ... [but] I realize that the average travel agency has no way of forcing a large travel supplier to agree to anything." So how can we possibly get such agreements with every airline, hotel or car company?
A: It has taken me five months, but I finally have an answer for you, thanks to a U.K. colleague who is both a GDPR expert and travel-law expert: Farina Azam of the Travlaw law firm in Leeds, England.
GDPR certainly applies to you because you are specifically targeting EU residents; it reaches organizations outside the EU that offer goods or services to people in the Union. If you collect personal data from EU residents and decide the purposes for which it is used and how it is handled, you are deemed a "controller" under GDPR. If, on the other hand, a controller tells you exactly what to do with the personal data and you process it only on that controller's behalf, you are deemed a "processor."
Farina notes that a travel agency can be either a processor or a controller, depending on its exact role in a transaction. Likewise, a travel supplier can be either a controller or a processor.
Farina notes that it is certainly possible for you and each travel supplier to be controllers, and I concur, at least with respect to your corporate-travel scenario. This legal position is supported by an opinion of the so-called Article 29 Working Party, the EU advisory body made up of representatives of the member states' data protection authorities (it has since been replaced under GDPR by the European Data Protection Board).
Although the opinion dates from 2010, eight years before GDPR took effect, it remains relevant: the concepts of controller and processor were already defined in the predecessor Data Protection Directive (95/46/EC), and GDPR carried those definitions over largely unchanged.
The document is titled "Opinion 1/2010 on the concepts of controller and processor." It contains an Example No. 7, which states, "A travel agency sends personal data of its customers to the airlines and a chain of hotels, with a view to making reservations for a travel package. The airline and the hotel confirm the availability of the seats and rooms requested. The travel agency issues the travel documents and vouchers for its customers. In this case, the travel agency, the airline and the hotel will be three different data controllers, each subject to the data protection obligations relating to its own processing of personal data."
In other words, in the typical corporate-travel scenario, the suppliers are independent controllers, just as you are, and each is separately responsible for its own processing of the data it receives. Therefore, you probably don't need a data processing agreement (the contract GDPR requires between a controller and its processor) with each supplier.
On the other hand, in organized group travel, a supplier such as a hotel or transfer company that you book for an incoming group is probably a processor acting for you, because it uses (or should use) the group members' data only in accordance with your instructions.
So before you pass targeted EU residents' data to a hotel under a group hotel contract, for example, you should execute a data processing addendum to the group contract. If the hotel does not have such a form, you need to provide one.
In a future column, I will cover what an ideal data processing addendum should cover.