GDPR and you

By | Category: Travel tips & opinions

What information might your holiday company have about you? © Dan Sperrin

GDPR stands for the General Data Protection Regulation and it came into law on 25th of May this year.

Why, then, a month later is Just about Travel, mentioning it now?

Because there is so much confusion on what it means and what companies and organisations must do that it was only after its implementation that the some of the interpretations became clear.

GDPR will affect how your travel agent, tour operator, airlines, excursions booking company and just about every organisation with whom you have contacts, communicates with you.

You will have more control over the information they hold about you than ever before. Or so we are told.

It will know how you paid for it if you bought it direct otherwise your travel agent will know

As an example of what data is held and why, take the case of a family of four booking a holiday in Spain this summer. At present the tour operator or travel agent with whom you book will have your address, the age of any children under 18 and possibly your age particularly if you are over 65. If you paid by credit card they will know that you possess a credit card, its number and the expiry date. If you paid by American Express or a gold card, for example, then they can deduce that you might have above average income. That may not necessarily be true but, in many cases, it is a reasonable assumption and they might think that that is worth trying to sell you a more expensive holiday in the future.

If you booked months ahead of your holiday that might suggest that you plan things in advance as opposed to someone booking at the last minute. Booking at the last minute might make them think that you will respond to a late booking if the deal is appealing enough.

If you are flying they know if you are a vegetarian if you have requested an in-flight vegetarian meal.  If they have booked a car hire for you then they know you can drive and the sort of car you hire gives a clue as to personal traits. Hiring the cheapest car may tell as much as hiring the most expensive!

If you have bought excursions the fact that you picked a heritage one and not one related to night life suggests you might prefer a quieter holiday and away from the main bustle in a destination.

All of the information that I have mentioned may be used in the future to try and sell  a holiday to you unless you decide to opt out of receiving that information.

It will know if you rented a hire-car but only provided it was via them.

I am not so sure now that we are a month into this new GDPR era. Suppliers might still use all this information because they could claim “legitimate interest.” This interpretation says that a holiday company would have a legitimate interest in using this information and contacting you because they are a holiday seller and this makes it easier to tailor a holiday that might suit you. If they used it to sell you a used-car that would certainly not be “legitimate interest!”

As it stands under GDPR, holiday suppliers need only keep the information for as long as they need to supply the items you have bought. But if you think that information is destroyed when your holiday ends you are mistaken, Under EU261 for example, you can still claim for a delayed flight for up to six years after the flight so most, if not all holiday suppliers, will keep data for six years to comply with the law.

But they should only use that information if you agree to it and if, every time they contact you, they give you the opportunity to opt-out.

it will know what sort of holiday you chose

What they cannot do is infill tick boxes leaving you to untick them. And they can’t bundle methods of contact with you such as by mail, mobile, landline and e-mail together so that one tick means you agree to being contacted by any means. What they must do is offer you separate options for mail, telephone and e-mail.

Those holding information about you must also make sure that they store it carefully and penalties for not doing so have risen substantially.

There is some confusion over what will be allowed after GDPR. Some organisations believe that any information they currently hold on you requires your permission for that to be held after GDPR or it cannot be used by them. Others say that provided you have been given the opportunity of opting out at previous points of contact that is sufficient.  But all those companies that contacted you before May 25th pleading with you to reply saying you wanted to stay in contact have probably shot themselves in the foot. They did not need to do so because of “legitimate interest” and now all those that did not reply should be removed from their files and not be used. As a result some subscription based websites have lost up to 80% of their readership. Those companies that didn’t follow this route can probably still use the information they had.

Probably only court cases will determine which attitude is correct.

It might have survey information that you have completed whilst on holiday or afterwards

What information does Just about Travel hold about you? The short answer is, very little. If you have subscribed then we know your e-mail address and your name but nothing else. If you just look at us online then, like other websites, we use cookies to track what you see. You can disable cookies but some sites don’t let you stay on their website if you won’t accept them. Some argue that this goes against the principle behind GDPR and you should be able to stay on the website if you reject cookies.

The interpretation of privacy is heavily geared towards electronic data. You, in the majority of cases, will have to give permission to be contacted by e-mail. The same may not apply to a letter unless you have indicated that you don’t want to receive something. But, unless you have registered with the Mailing Preference Scheme (MPS) organisations can contact you by using the electoral register  (unless you have opted out) or from an organisation that you have had dealings with and to whom you have given permission to be contacted for third-party mailings.

It could know your dietary preferences

Because so much of this law will be interpreted by the courts, some are writing vast screeds of privacy rules. In the case of PayPal for example, their privacy rules run to fourteen pages! But how many of us will read fourteen pages? How many of us will be aware of what we are – by default – committing ourselves to? Should companies be able to write such long documents which, by their very length, will deter us from finding out what information is being used?

After the UK leaves the EU, it seems that GDPR will remain incorporated in British law and therefore, the protections will continue to exist.

Our interpretation of GDPR may not agree with some. But that is what the law – any law – often throws up. We’ll know what the law really means only when the courts, as I mentioned earlier, have tested it.

Tags: , ,