Duties of tour operators towards their clients in transfers of personal data abroad

The General Data Protection Regulation (GDPR) imposes specific obligations on everyone who transfers personal data abroad. Given that transfers of clients’ personal data to foreign partners with a view to performing a travel contract are an inherent part of operations of a majority of tour operators, or at least all outgoing agencies, the tour operators need to deal with this subject in due time and modify their processes and general terms and conditions by May 2018, when GDPR will enter into effect.

When transferring personal data abroad, it is necessary, in particular, to comply with two general principles of GDPR in practice: the principle of transparency and the principle of proportionality.

The principle of transparency, as defined in Art. 5 (1) GDPR, requires a tour operator to be as open (transparent) towards its clients as possible and advise them what kind of information it intends to transfer abroad and to whom.

The principle of proportionality imposes on tour operators the duty to minimise the quantity of data, and thus transfer abroad only information that is necessary. If a tour operator reserves a hotel for its clients in Greece, it will probably be sufficient if it notifies the hotel of the name, surname and date of birth of each client. Disclosure of the client’s account number would certainly be at variance with the principle of minimising personal data.

When transferring personal data, the travel agencies should determine whether they transfer only classical personal data or also data that are sensitive, i.e. special categories of personal data. Greater prudence is generally required in respect of the latter category.

Furthermore, travel agencies should ascertain whether the data are being transferred solely within the EU or also to third countries where personal data protection might not correspond to the GDPR standards. It holds in general that if a tour operator transfers personal data, it is always obliged to inform the client of the identity of the recipient, and if the agency intends to transfer personal data to a third country, the client must be advised of this intention and it must be specified by the agency whether or not there exists a decision of the European Commission on corresponding protection of personal data in the relevant destination. Nonetheless, non-existence of such a decision does not mean, in itself, that a travel agency is not authorised to transfer the given information.

Tour operators frequently transfer their clients’ personal data to hotels and airlines. In the case of hotels, the situation is relatively straightforward because details on the relevant hotel are provided in a catalogue which usually forms a part of the travel contract. The client thus knows before entering into the contract that his/her personal data will be provided to a hotel located in a certain country. If the hotel is in the EU, it will be more than sufficient for complying with the principle of transparency if general information is provided in the terms and conditions to the effect that personal data will be provided within the defined scope to the hotel specified in the travel contract. If the hotel is located in a third country, the client should be advised of this fact and should receive information on the existence or non-existence of a decision of the European Commission on corresponding protection.

The situation is more complex in respect of transfers of personal data to airlines because the travel agency is often unaware when entering into the contract which airline will eventually transport the clients. Nonetheless, under the principle of transparency, it would be advisable to notify the clients that personal data will be provided within the defined scope to an airline which might be established outside the EU. In order to be 100% sure about its compliance with the requirements of GDPR, the tour operator should advise the client which airline will provide for his/her transport once such information is available, and also provide information on the existence or non-existence of the relevant decision of the European Commission. However, we can understand that sending such detailed communications would be an unreasonable administrative burden for a majority of tour operators.

If travel agencies want to comply with the rules on transferring personal data abroad under GDPR, while not becoming overburdened by specifying in each case to whom, when and which personal data will be transferred, they should consider making a suitable modification of their terms and conditions, where the issue of transfers of personal data for the purposes of performing a travel contract could be regulated in sufficient detail. Adjusting the terms and conditions to GDPR belongs among legal services we provide.


(30.10.2017)