
General Data Protection Regulation (GDPR) Policy

Purpose

The purpose of this document is to supply information to Ian Allan Travel Customers about the EU GDPR Regulation, the impact on the processing of Personally Identifiable Information (PII) by Ian Allan Travel and the actions being taken by Ian Allan Travel to comply with the new regulations.

Ian Allan Travel have historically taken data protection very seriously and have for several years held accreditation for PCI compliance as well as certification in the information security governance of ISO 27001:2013. This has been fundamental in our review and preparations for GDPR, as many aspects are common across both.

Introduction

The EU General Data Protection Regulation (GDPR) applies from 25th May 2018. The GDPR represents an overhaul of existing EU data protection law, building on existing Privacy Principles and introducing particular focus on documentary evidence and Privacy by Design and by Default. These are the GDPR requirements of Transparency and Accountability.

All companies which are offering goods and services to individuals in the EU are in scope of the GDPR, even if the company has its seat outside of the EU. The GDPR applies to all types of Personal Data. For services supplied by Travel Agencies this would include processing of Personally Identifiable Information (PII). This policy addresses the processing of Personally Identifiable Information (PII).

Ian Allan Travel has put in place a program to address the requirements that the GDPR imposes on Ian Allan Travel.

Data Protection Definitions and Positioning under the GDPR

Legal entities established in the EU are in scope of the GDPR. In addition, those offering goods and services to individuals in the EU are in scope of the GDPR, even though the legal entity may not be established in the EU.

• A Data Controller is a legal entity that determines the purposes and means of processing of Personal Data.
• A Data Processor is a legal entity that processes Personal Data on behalf of a Data Controller.

The data protection positioning is the role of a legal entity as a Data Controller or a Data Processor for a specific data processing activity. The role is defined per processing activity so any legal entity may hold different roles (data controller or data processor) for different processing activities. Such positioning is relevant as the legal obligations under the GDPR of a Data Controller and Data Processor are different.

Roles, Responsibilities and Obligations under GDPR

Everyone who works for or with Ian Allan Travel has some responsibility for ensuring data is collected, stored and handled appropriately. Each team or person that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. The Board of Directors is ultimately responsible for ensuring that IAT meets its legal obligations.

The Data Protection Officer – Pamela Forbes is responsible for:

• Keeping the board updated about data protection responsibilities
• Reviewing all data protection procedures and related policies in line with an agreed schedule
• Arranging data protection training and advice for the people covered by this policy
• Handling data protection questions from staff and anyone else covered by this policy.
• Dealing with requests from individuals to see the data IAT holds about them
• Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

The IT provider is responsible for:

• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.
• Evaluating any third-party services that IAT use to store or process data – for instance cloud computing services.

The Operations Director is responsible for:

• Approving any data protection statements attached to communications such as emails and letters.
• Where necessary, working with staff to ensure marketing initiatives abide by data protection principles.

Personally Identifiable Information (PII) processed through Ian Allan Travel

Ian Allan Travel can act as a Data Controller, a Data Processor, or both for the processing of Customers’ Personally Identifiable Information (PII), which is required for the purposes of making reservations on behalf of a Customer with third-party suppliers, e.g. airlines, hotels, car hire companies, rail companies, etc.

The positioning of Ian Allan Travel as a Data Controller does not mean that the other parties involved in the processing all take the role of Data Processors. There are several independent Data Controllers involved in the same traveller reservation and ticketing information. Airlines and other third-party suppliers could also be Data Controllers of the traveller reservation and ticketing information.

These Data Controllers each determine the purpose of the processing of the Personal Data and are not joint Data Controllers. Ian Allan Travel have engaged an external consultant in this process who is supporting the business and ensuring that Ian Allan Travel will meet the deadlines for compliance under the GDPR.

Commercial contracts are being reviewed to meet the legal requirements and where amendments are required these will be communicated to the Customers.

The most complicated part of the GDPR is bringing user data protection to the fore of all our business processes. Whether within the company, in the use of any of the solutions we offer, or when exchanging data with customers or partners, it will be essential moving forward to collect, share or process only the data relevant for the use of the service.

No sensitive data can be collected without the explicit consent of the user, and any such data must be stored with the same level of criticality as bank data. This applies to Customer data as well as to our Employees’ data. While we will apply any necessary changes to internal processes, we will also support our Industry Partners, where applicable, to ensure that they too are compliant.

Ian Allan Travel may share personal data with service providers and partners who act on behalf of Ian Allan Travel. As a general principle information about the traveler is shared with the parties involved in the transaction (and service providers and partners who act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform the contracts that Ian Allan Travel have with Customers.

Ian Allan Travel may share personal data with its Affiliates, agents and third-party service providers such as suppliers of information technology services, security services and legal, financial/accounting and other similar professional advisers. Where such disclosure takes place the appropriate technical and organizational security measures are put in place to protect personal data against loss or unlawful processing.

Ian Allan Travel may also disclose personal data as required by law, subpoena, or regulation; when requested by government or law enforcement authorities or as otherwise required or permitted by law.

This document is not intended to constitute legal advice, rather it is intended to provide information to Ian Allan Travel Customers about how Ian Allan Travel services their Customers and explain the role of Ian Allan Travel and Industry Partners in respect of services provided by Ian Allan Travel.

Ian Allan Travel’s GDPR Program

Ian Allan Travel has initiated a formal GDPR program to oversee and coordinate GDPR-related activities across all functions and business units. The program is divided into several project streams. One project stream covers the processing of Personally Identifiable Information (PII).

For the processing of Personally Identifiable Information (PII) Ian Allan Travel has translated the GDPR requirements that need to be met. Ian Allan Travel has taken into account that some of these requirements will only need to be met when Ian Allan Travel is a Data Controller of Personally Identifiable Information (PII):

1. Data Mapping
2. Register of processing
3. Privacy by design and by default
4. Security measures
5. External privacy statements
6. Data subjects’ rights
7. Data breach notifications
8. Vendor management

The legal basis for processing personal data is that the processing is necessary for the performance of a contract to which the traveler is a party.

Ian Allan Travel may also use personal data for research, analytical and statistical purposes, to identify preferences, interests and trends and other activities in the travel industry and to identify products and services that may be of interest to individuals.

The legal basis for processing the personal data for research, analytical and statistical purposes, and to identify products and services that may be of interest to individuals, is the legitimate business interests of Ian Allan Travel. Where personal data is processed for these purposes, the privacy impact on the individual whose data is being processed will be considered.

Ian Allan Travel may share aggregated data, which cannot identify individuals, publicly and with other third parties.

Who is the Personal data shared with?

Ian Allan Travel may share personal data with Ian Allan Travel service providers and partners who act on behalf of Ian Allan Travel. Ian Allan Travel can decide who any personal data can be shared with. As a general principle information about the traveler is shared with the parties involved in the transaction (and service providers and partners who act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform the contracts that Ian Allan Travel GDS Users have with travelers.

Ian Allan Travel may share personal data with its Affiliates, agents and third-party service providers such as suppliers of information technology services, security services and legal, financial/accounting and other similar professional advisers. Where such disclosure takes place the appropriate technical and organizational security measures are put in place to protect personal data against loss or unlawful processing.

Ian Allan Travel may also disclose personal data as required by law, subpoena, or regulation; when requested by government or law enforcement authorities or as otherwise required or permitted by law.

International Transfer of Traveler Personal Data

Due to the global nature of the travel industry, personal data may be processed in different locations around the world. When personal data is transferred to another country it will continue to receive adequate protection through contractual or other arrangements put in place with Affiliates and third-party service providers.

Data Security and Integrity

Ian Allan Travel has taken the appropriate technical and organizational security measures to protect personal data from loss or unlawful processing. Ian Allan Travel also takes steps to keep personal data reliable for its intended use, accurate, current and complete.

Data Retention

Ian Allan Travel retains personal data no longer than is required or permitted by applicable law.

Data Access, correction requests and other questions

Ian Allan Travel collects personal information from the traveler and inputs this information into the systems being used by Ian Allan Travel. We recommend that travelers contact Ian Allan Travel, to whom they provided the information, directly with any issues or requests they may have relating to personal data stored by Ian Allan Travel. Travelers can also direct requests relating to their own personal data, or any other data protection related questions, to Ian Allan Travel at helpdesk@ianallan.co.uk.

Ian Allan Travel will require authentication of the identity of the traveler and may require additional information to confirm that the correct personal data is being accessed.

Your rights

Ian Allan Travel intends to carefully address any request and/or claim from you, as well as carefully process personal data. You are entitled to file any claim or complaint before the relevant data protection authorities, if the answer provided by Ian Allan Travel does not meet your expectations.

Policy Prepared by: DPO – Pamela Forbes
Policy approved by Board/ Senior Management: 3rd May 2018
Policy Operational: 4th May 2018
Policy review: 4th May 2019