Q: Data protection is a hot topic in corporate travel these days, so I have several questions related to the data that we maintain. In the past, you have written that corporate and individual traveler profiles in the GDS belong to the agency and not to the corporate client. Nowadays, we actually keep our profiles in our own computer system, so does that make any difference in your advice? If the corporation demands that we transfer the profiles to its new agency, do we have to do so? What if the corporation demands that we delete its data right after the corporation changes agencies? What if the corporation wants to change agencies and demands that we transfer pending airline and hotel reservations to the new agency? If we agree to these transfers, do the individual travelers have to consent?
A: Under U.S. law, data about a company or an individual, including personal information, belongs to the entity that has the data in its computer system. Just because the data is about someone doesn't mean that the person owns it.
So data in your computer system clearly belongs to you and no one else, and that legal status is even clearer than was the case when the profiles resided in the GDS. Since the data is your property, you can do what you want with it: Refuse to transfer it, agree to do so for free or for a fee, delete it when the client leaves or keep it as long as you want.
The exception to this general rule is that you could have an agreement that states otherwise. For example, with large corporate clients that use a so-called Master Service Agreement (MSA) with lots of verbose legal language, such an agreement often states something such as this: "Upon expiration or any termination of the agreement or any statement of work, or completion of supplier's obligations under the agreement or any statement of work, supplier shall (a) return in the format specified by company in the request, but in any case in a usable format or (b) destroy, each as company may direct, all material in any medium that contains, refers to or relates to company confidential information and retain no copies or reproductions."
On the supplier side, the American Airlines "Addendum" to the ARC agreement states, "Agent understands and agrees that as between American and agent ... any information or data that ... identifies American ... or relates to a transaction between a customer and American, including booking and payment data ... is and will be owned by American." While this seems more of a wish than a reality, agencies need to take note of it.
Of course, you may also do as the corporation wishes. In that case, you do not need the consent of the company's travelers because, as you know, the travelers do not own the data and have no right to prohibit its transfer under U.S. law.
Transferring pending airline or hotel bookings may be prohibited or restricted under your contracts with suppliers. For example, the standard ARC agreement prohibits Agency A from accepting a ticket in exchange for one issued by Agency B without the consent of the carrier.
Finally, keep in mind that transferred bookings could result in liability for your agency. For example, if the other agency doesn't follow the supplier's ticketing rules, your agency could end up with a debit memo. To avoid such losses, it's a good idea to get the corporation and the new agency to indemnify you against supplier and traveler claims related to acts or omissions of the new agency.