Q: A new corporate client of our agency has a small number of employees in various EU countries. The client's attorney has presented us with a Data Processing Addendum, or DPA, to our corporate account contract. The DPA states that we are subject to the EU's General Data Protection Regulations (GDPR). It further states that our GDS is our "subprocessor" and that we must obtain confidentiality agreements from all our subprocessors. First, are we really subject to GDPR? Second, is our GDS really our subprocessor? Third, do the standard GDS contracts state that the vendors will treat client data confidentially? Fourth, if not, what should we do?
A: If your agency has no European location, you are subject to the GDPR only if you specifically target EU residents with marketing offers or you track the online behavior of EU individuals for marketing purposes. Like the vast majority of U.S. agencies, you do not do these things, so you are not subject to GDPR.
Nevertheless, corporations with employees in Europe typically want their U.S. agencies to comply with GDPR, either out of an abundance of caution or because they want their vendors to follow the same data-protection rules worldwide. Therefore, they send DPAs to their vendors. By signing a DPA, you make yourself subject to GDPR voluntarily.
GDPR defines "processor" as an entity that processes personal data on behalf of a "controller," which is an entity that decides what to do with personal data. It is now generally accepted that a travel management company is a processor that processes data on behalf of the corporate client, which is the controller.
If a processor sends personal data to another processor, the latter is usually called a "subprocessor." The latter must agree to the same confidentiality clauses that the former has already agreed to under the DPA.
Since your agency enters personal data into the GDS, that system could indeed be called your subprocessor. The trouble is that the GDS vendors' standard contracts do not contractually commit to keeping personal data confidential.
For example, the standard Sabre contract states, "Each party agrees to comply with its published privacy policies with regard to confidentiality of traveler data and will comply with all applicable laws and regulations concerning the confidentiality of traveler data."
Worse, the GDS vendors are not even clear about whether they themselves are controllers or subprocessors. For example, Amadeus' website states that Amadeus is a "co-controller," and the EU regulation in effect before GDPR did deem GDSs to be controllers.
I see three options for you at this point: First, try to get a DPA from your GDS. Second, try to change the client's DPA to provide that you are not responsible for a GDS' acts or omissions. Third, decline to handle data from any employees in Europe.