25 May 2020 marked the second anniversary of the EU General Data Protection Regulation (“GDPR”), the EU's cornerstone data protection law that changed the regulatory landscape in Europe and exerts a far-reaching global impact.
Last year limited GDPR enforcement actions were reported throughout its first year of application; this year, we have seen increasing activity from regulators in the field of data protection enforcement and the investigation of high-profile cases, some of which have been within the aviation sector.
The GDPR has extra-territorial effect which affects many organisations in the aviation industry. The GDPR applies to these organisations where personal data is processed either (i) in the context of the activities of their establishments within the European Economic Area (“EEA”) (e.g. an airline having a sales office or branch in the EEA), or (ii) in respect of non-EEA establishments, where they process personal data in relation to offering goods or services to individuals in the EEA or monitoring the behaviour of individuals within the EEA (e.g. a non-EEA airline operating a website targeting the EEA market). Read our article for more information on how the GDPR applies to your organisation.
Airlines, airport operators and their service providers, such as ground handling companies, routinely process large amounts of personal data: information about passengers, crew and other employees as well as personal data relating to suppliers and other business contacts. The highly regulated environment in which aviation players operate and the international character of their operations add another layer of complexity in respect of data protection compliance.
In this article, we examine how the GDPR affects the aviation industry and we focus in particular on:
I. Recent data breaches and enforcement action in the aviation sector;
II. Key aspects of data protection compliance for aviation organisations; and
III. The impact of Brexit on data protection compliance.