Working Party on the Protection of Individuals with regard to the Processing of Personal Data

INTRODUCTION

Article 6, paragraph 1 (b) of Directive 95/46 requires Member States to provide that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"; according to paragraph 1 (e) of the same provision, data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed".

Article 8 of the Directive requires Member States to prohibit the processing of personal data revealing, inter alia, racial or ethnic origin, religious beliefs and health. Derogations to this principle are admissible on the grounds set out in Article 8, paragraphs 2 and 3, and one of these grounds is the explicit consent of the data subject.

Pursuant to the Directive, the data subject enjoys specific rights including the right to be informed on the processing of his personal data (Articles 10 and 11) as well as the rights of access, rectification and erasure (Article 12).

Considering the specific aspects of airline reservations, and the Commission's recent initiatives in this field 2) the Working Party decided the creation of a Subgroup on Computerised Reservation Systems (CRS). This Subgroup met twice and decided to submit the results of its discussions to the Working Party with a view to the adoption of the present Recommendation.

1)OJ no. L 281 of 23 November 1995, p. 31.
2) Proposal for a Council regulation amending Council regulation (EEC) No 2299/89 on a Code of conduct for Computerised Reservation Systems (CRSs) : COM (97) 246 final of 9 July 1997.

EXPLANATORY MEMORANDUM

The air transport sector is characterised by a very advanced use of information systems. Databases with individual data exist in many contexts: in particular at airlines, travel agents and Computerised Reservation Systems. A number of the data bases (in particular, but not exclusively, CRSs) are located outside the Community.

Considering the international nature of aviation, general solutions are in principle the most appropriate solution.

In the opinion of the Working Party, the following issues deserve prior consideration:

1. Information and Right of access:

- The large majority of personal data are collected by travel agents and air carriers. For practical reasons, and without prejudice to the definition of "controller" under Directive 95/46/EC, the question of the data subject's right of access should therefore be directed primarily at these parties.

- However, certain aspects related to access can also be regulated directly with the CRSs, and this could be done in the draft Regulation proposed by the Commission on the CRSs code of conduct.

- The Code of Conduct for Computerised Reservation Systems confirms the right of passengers to be informed about data processing details. This should be strengthened by involving subscribers (e.g. travel agents) and air carriers.

2. Data erasure:

- It is desirable to ensure that personal data are taken off-line from the CRS as soon as they are no longer used for the travel.

- While such data may be needed for dispute settlement and may therefore need to be archived for a certain time, they should be used only for such purposes and thereafter destroyed.

- This does not affect the possibility for subscribers and air carriers to obtain consent from frequent flyers for the processing of their data in accordance with Directive 95/46/EC.

CONCLUSIONS

Considering the above, the Working Party recommends that :

ò The proposed Regulation amending Council Regulation 2299/89 on a ½ Code of Conduct for Computerised Reservation Systems", be completed by:

- A clear obligation to provide information to the consumer about the processing of individual data in the CRS. This information, which, for example, can be provided by way of standard leaflets, should include the name and address of the system vendor, the purposes of the processing, the duration of retention and the ways and means of exercising the data subject's right of access.

- An obligation on subscribers (e.g. travel agents) and air carriers to obtain the explicit consent of data subjects to the collection of sensitive data (i.e. disabled status, muslim meals etc.). If the CRS includes direct ticketing facilities, this obligation should apply to the system vendor 3).

- An obligation on the above parties to respond promptly to an access request received from a passenger wishing to see her/his own data.

- A requirement on CRSs to ensure that all identified personal data are archived off-line within no more than 72 hours after the journey in question has been completed 4) and destroyed within no more than 3 years. Access to such data shall be allowed only for billing dispute reasons. Notwithstanding the obligation to destroy data within 3 years, personal data may be retained for a longer time if and as long as needed in a specific case in order to settle a claim for damages, or as long as necessary for compliance with a legal obligation (e.g.: accounting and taxation rules).

- A requirement that appropriate changes are made in order to extend the scope of the audit required in article 21 a.

• Furthermore, consideration be given as a matter of priority to the specific problems raised:

The present recommendation, adopted by the Working Party on 28 April 1998, is addressed to the European Commission, the European Parliament, the Council of the European Union and the Economic and Social Committee.

3) According to the definition of the above mentioned Code of conduct, ½ system vendor ╗ means ½ any entity and its affiliates which is or are responsible for the operation or marketing of a CRS ╗.
4) As mentioned in the Explanatory Memorandum, the subscribers and air carriers' right to process sensitive data on frequent flyers in their own computer system, on the basis of the explicit consent of the data subject, remains unaffected.
5) Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (OJ L 24 of 30 January 1998, p. 1).

Done at Brussels, 28 April 1998

For the Working Party

P.J. HUSTINX