Tour operators frequently transfer their clients’ personal data to hotels and airlines. In the case of hotels, the situation is relatively straightforward because details on the relevant hotel are provided in a catalogue which usually forms a part of the travel contract. The client thus knows before entering into the contract that his/her personal data will be provided to a hotel located in a certain country. If the hotel is in the EU, it will be more than sufficient for complying with the principle of transparency if general information is provided in the terms and conditions to the effect that personal data will be provided within the defined scope to the hotel specified in the travel contract. If the hotel is located in a third country, the client should be advised of this fact and should receive information on the existence or non-existence of a decision of the European Commission on corresponding protection.
The situation is more complex in respect of transfers of personal data to airlines because the travel agency is often unaware when entering into the contract which airline will eventually transport the clients. Nonetheless, under the principle of transparency, it would be advisable to notify the clients that personal data will be provided within the defined scope to an airline which might be established outside the EU. In order to be 100% sure about its compliance with the requirements of GDPR, the tour operator should advise the client which airline will provide for his/her transport once such information is available, and also provide information on the existence or non-existence of the relevant decision of the European Commission. However, we can understand that sending such detailed communications would be an unreasonable administrative burden for a majority of tour operators.
If travel agencies want to comply with the rules on transferring personal data abroad under GDPR, while not becoming overburdened by specifying in each case to whom, when and which personal data will be transferred, they should consider making a suitable modification of their terms and conditions, where the issue of transfers of personal data for the purposes of performing a travel contract could be regulated in sufficient detail. Adjusting the terms and conditions to GDPR belongs among legal services we provide.