The General Data Protection Regulation (GDPR) is a new set of rules designed to give EU citizens control over how their personal data can be used by companies across the globe. At its core, it aims to protect the data of EU citizens. In theory, this means organizations need to be well aware of the impact it will have on individuals and businesses that deal with EU citizens’ personal data. They also need to be well prepared to follow consistent data protection compliance requirements.
Enoya-one LTD (AeroCRS) is ready to provide you with more information about the GDPR.
To get familiar with Controllers, Processors and Data Subjects, it is essential to understand and identify the difference in the roles of each.
- Data Controller – As the name implies, the data controller is the one who controls the purpose and means of processing the personal data. The controller defines how the data should be put to use and why it should be used. Often, data controllers use an external service or another organization to process the data. This is where Data Processors come in. In this case, control over the personal data collected is not passed on. It stays with the controller.
- Data Processor – An organization that processes personal data on behalf of the controller becomes the Data Processor. Processors do not have control over what needs to be done with the data, nor can they change the purpose of data collection. They get limited rights to process the data as per the instructions provided by the controller.
- Data Subject – The person whose personal information can be collected is a data subject. In a business, your customer is the data subject, as you collect information from them and use details such as name, address, phone number, email address, etc. to process and contact them for business.
In our case, Enoya-one LTD (AeroCRS) is your Data Processor.
A data processor must have a secure system, tool or method to collect and store personal data. Enoya-one LTD (AeroCRS) is compliant with the GDPR rules that come into effect on May 25, 2018. There are many options in the AeroCRS system that are designed to help you safeguard your customers’ data and meet the security and privacy standards set in GDPR.
We have worked together with a consultant in order to comply with the rules.
The following developments were added to your IBE in order to comply with the rules:
- The option for the user to “OPT-OUT” from marketing campaigns – read more in this link.
- The option for the user to export all their travel data – read more in this link.
Apart from these developments, the airline as a Data Controller already has the options to:
- Manage customer’s consent to be registered at the IBE of the airline (Website “policy pop-up”)
- Update customer data (using standard forms etc.)
- Manage access permissions to customers’ personal data (permission modules)
- Follow logs and information about access to data (PNR Logs)
- For more about our security practices and infrastructure, visit this link.
- Our GDPR certificate is provided in this link.
What do you need to do?
As GDPR will apply to companies located in the EU, as well as companies who do business with residents of the EU, irrespective of the company’s location, you also need to be compliant. To do so, you will need to consult with your attorney in order to establish the best practice according to your global location.
You will need to provide us with a Data Controller from your side for us to communicate with in case incidents are reported.
GDPR applies exclusively to personal data. Personal data is defined as “any information that relates to an identified or identifiable person, or data subject.” This includes the data subject’s (passenger’s) name, email address, location, and other online identifiers, such as IP address, social media profile, and types of website cookies.
AeroCRS stores the information as a processor. Airlines should make sure they don’t pass the information to third-party vendors, make sure customers have the ability to be forgotten, etc.
GDPR compliance is applicable only to the people-related information in the airline. In the AeroCRS system, GDPR applies to the passengers, customers, agencies and frequent flyer information.
Having AeroCRS GDPR compliant doesn’t make your airline GDPR compliant. You need to make sure that you have taken the correct steps in order to secure your passengers’ information.
Please note that we will be sending out a contract change notification in the next few days due to the above changes.
Should you or your GDPR compliance consultant like to discuss this in more detail, please feel free to contact us through our support portal / e-mail.
Meir Hadassi Turner