TravelClick GDS Privacy Notice
Last Updated- February 2020
This TravelClick Privacy Notice (“Privacy Notice”) describes how TravelClick, Inc. (“TravelClick”) processes personal data included in travel information processed in the TravelClick Global Distribution System (“TravelClick GDS”). This Privacy Notice applies to personal data TravelClick process through the TravelClick GDS, globally.
This Privacy Notice does not apply to personal data that may be collected or processed by TravelClick for other purposes, such as through TravelClick websites or where TravelClick provides services for TravelClick Customers that are not provided through the TravelClick GDS. Where personal data is collected for other purposes, the relevant privacy notice will be provided explaining the purpose the personal data is being processed for.
This Privacy Notice describes how TravelClick processes personal data on the TravelClick GDS, a travel technology platform used for the distribution of travel services. This Privacy Notice is independent of notices that TravelClick GDS Users (e.g. travel providers such as airlines, hotels, and other travel suppliers and subscribers to the TravelClick GDS such as travel agents) may give travelers.
What personal data is processed and how is this personal data collected?
TravelClick processes personal data when TravelClick GDS Users (e.g. the travel agent or airline) input the personal data of travelers on the TravelClick GDS that they, the TravelClick GDS Users, have collected. The TravelClick GDS User will be responsible for giving any relevant privacy notices and informing the traveler about how they will process that personal data. To understand more fully how personal data is processed and who it is shared within the processing of a travel reservation, you should refer to the privacy notices of TravelClick GDS Users involved in the travel reservation.
The personal data processed includes a name, travel itinerary, and form of payment, and may also include additional information as deemed necessary by the TravelClick GDS User (e.g. contact information, telephone, email, billing information, date of birth, credit card information, preferences or special requests). This personal data will normally be part of a travel itinerary record which is called a Passenger Name Record (“PNR”). The information included in the PNR is required to process travel reservations and issue the relevant tickets and provide other travel-related services.
What is the personal data used for and what is the legal basis for processing?
TravelClick uses personal data to process travel reservations, to provide TravelClick GDS Users with access to such information, to issue tickets and other travel-related documents, to perform internal business processes (such as testing and quality assurance) for credit card processing, authentication, fraud prevention, and to provide other travel-related services.
The legal basis for processing personal data is that the processing is necessary for the performance of a contract to which the traveler is a party.
TravelClick may also use personal data for research, analytical and statistical purposes, to identify preferences, interests, and trends, and other activities in the travel industry, and to identify products and services that may be of interest to individuals. Personal data used for analytical purposes is derived from personal data, but when it is used it is in anonymized and aggregated form.
The legal basis for processing the personal data for research, analytical and statistical purposes, and to identify products and services that may be of interest to individuals, is on the basis of the legitimate business interests of TravelClick. Where personal data is processed for these purposes, the privacy impact on the individual whose data is being processed will be considered.
Individuals cannot be identified from aggregated data, but if individuals do not want personal data included in aggregated data they can object to this by making this request using the contact details found in the “Legal rights” section of this Privacy Notice. When making this request there should be a reference made to not wanting personal data used for the purposes of analytics.
TravelClick may share aggregated data that cannot identify individuals with other third parties.
Who is the personal data shared with?
TravelClick shares personal data with TravelClick GDS Users, service providers, and partners who may act on TravelClick GDS Users’ behalf. TravelClick GDS Users can decide who any personal data can be shared with. As a general principle, information about the traveler is only shared with the parties involved in the transaction (and service providers and partners who act on their behalf) and with other industry stakeholders (e.g. IATA) as necessary to perform the contracts TravelClick GDS Users have with travelers.
TravelClick may share personal data with its affiliates, agents, and third-party service providers such as suppliers of information technology services, security services, and legal, financial/accounting service providers, and other similar professional advisers.
Where such disclosures take place, TravelClick requires the appropriate technical and organizational security measures to be in place to protect personal data, and for personal data to be processed lawfully.
TravelClick only allows affiliates and third-party service providers to use personal data for specified purposes and in accordance with TravelClick’s instructions.
Further information on the affiliates and third-party service providers that TravelClick uses to process personal data on their behalf can be requested through using the contact details found in the “Legal rights” section of this Privacy Notice. When requesting this information, please make a reference to information about affiliates and third-party service providers so that the relevant information can be provided.
TravelClick may also disclose personal data as required by law, subpoena, or regulation, or when requested by a government, law enforcement authority, or as otherwise required or permitted by law.
International transfers of traveler personal data
When TravelClick shares personal data with its affiliates and third-party service providers who process personal data on behalf of TravelClick, this will involve transferring personal data outside the European Economic Area (“EEA”). When personal data is transferred to another country it will continue to receive adequate protection through contractual or other arrangements put in place with affiliates and third-party service providers. For these transfers at least one of the following appropriate safeguards will be implemented:
- Personal data will be transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
- Standard data protection clauses approved by the European Commission which give personal data transferred the same protection it has in EEA; or
- With affiliates and third-party service providers based in the US, Privacy Shield gives personal data similar protection it has in EEA.
Further information on the appropriate safeguards used when transferring personal data outside the EEA can be requested by using the contact details found in the “Legal rights” section of this Privacy Notice. When requesting this information please make a reference to the transfer of personal data outside the EEA.
Due to the global nature of the travel industry, personal data may be transferred to and processed by TravelClick GDS Users in different locations around the world. These transfers will be necessary for the performance of a contract between the traveler and the TravelClick GDS User.
Data security and integrity
TravelClick has taken the appropriate technical and organizational security measures to protect personal data from loss or unlawful processing. When personal data is processed on behalf of TravelClick, access is limited to those who require access on a business need-to-know basis. Personal data will be processed in accordance with the instructions of TravelClick and those who have access are subject to a duty of confidentiality.
TravelClick has in place procedures to deal with any suspected personal data breach and will notify individuals and any applicable regulator of a breach where they are legally required to do so.
TravelClick retains personal data for as long as necessary to fulfill the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The default retention period for a PNR is 5 years from when it becomes inactive. PNRs are active as long as a segment in the PNR is active (the related service is still pending). After the completion of the last segment of the PNR, the PNR is archived, and access to the PNR is restricted. After a period of 5 years, the PNRs are deleted.
TravelClick GDS Users collect personal data from the traveler and input this information in the TravelClick GDS. We recommend travelers contact the TravelClick GDS Users to whom they provided the information directly, with any issues or requests they may have relating to personal data stored in the TravelClick GDS.
Under certain circumstances, individuals can exercise rights under data protection laws. Individuals may exercise these rights relating to their own personal data or contact TravelClick for other data protection-related questions by emailing firstname.lastname@example.org.
TravelClick will require authentication of the identity of the traveler and may require additional information to confirm that the rights that traveler(s) may have under data protection laws are being exercised correctly.
For the following rights please make a reference to the following:
- Right to access: “Request for access to personal data”
- Right to object: “Object to processing of personal data for the purpose of analytics”
- Right to information about:
- “TravelClick affiliates and third-party service providers who process personal data on behalf of TravelClick”
- “Transfers to third countries – information about data transfers outside EEA”
TravelClick intends to carefully address any request and/or claim from you, as well as carefully process personal data. You are entitled to file any claim or complaint before the relevant data protection authorities if the answer provided by TravelClick does not meet your expectations.
This Privacy Notice is published by TravelClick, Inc. This Privacy Notice may be changed at any time. The date it was last updated is shown here: 24th February 2020.
Additional Privacy Disclosures for the United States California and Nevada
If you are a California or Nevada (United States) resident, please see our Additional Privacy Disclosures for the United States California and Nevada here, which is incorporated by reference into this policy.