24 October 2018
On 25 May 2018, the General Data Protection Regulation (‘GDPR’) will come into force.
For the aviation industry, this means that data protection obligations will significantly expand under the regulation and companies operating in the industry must ensure they are compliant with their legal obligations by the May 2018 deadline.
The GDPR applies directly to companies in Ireland and to those with a presence in Ireland. The regulation has an expansive reach with the GDPR crucially expanding to cover non-EU companies.
This 'extra-territorial reach' is likely to have a far-reaching effect on airlines and aviation finance companies that conduct their business in Ireland where they process or handle personal data from stakeholders. For example, companies operating in the airline industry may process personal data in relation to customer data. This includes payment, passport and contact details of customers. With airline bookings being taken up to a year in advance of travel, the collection of personal data arising from this may mean a heightened GDPR impact for airlines. Airline booking websites, when taking payment and travel information from EU customers are bound by the GDPR even where they are based outside the EU, in, for example, the USA. Similarly, price comparison websites not based in Ireland will be subject to the GDPR when processing EU resident data.
Apart from this personal data that is unique to the airline industry, data is also processed by airlines and aviation finance companies in relation to employees and company officers, for example the following:
A key focus of the GDPR is the principle of transparency, and the regulation explicitly requires those companies processing data to notify data subjects about how they plan to process such data. Airline websites should for example, provide a data protection notice in a simplified and non-legalese way.
Companies operating in the aviation industry should be aware that the GDPR has strong punitive measures, and fines for failure to comply with the regulation are to be '’effective, proportionate and dissuasive’'. Infringements, depending on their classification, may attract fines of up to €20m or 4% of annual worldwide turnover of a company, whichever is greater. Therefore, penalties for failure to comply with the GDPR will be significant under the regulation, in addition to any reputational damage that will inevitably occur.
The Court of Justice of the European Union (CJEU), has indicated that it intends to pursue an expanded protection approach to data protection in recent cases preceding the GDPR.
Therefore, companies operating in the aviation industry which handle data must take steps to ensure compliance with the GDPR.