DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Travel Agencies and Tour Operators: Booking Data, Passports, and International Transfers

Travel agencies occupy a peculiar position under GDPR. No other sector routinely combines passport numbers, dates of birth, nationality, payment details, dietary requirements, medical conditions, travel insurance records, and itinerary data — and then transfers that entire package to a hotel in Bangkok, an airline in Dubai, or a tour operator in Peru.

If you run an independent travel agency or a tour operation and you haven't thought carefully about GDPR, this post is for you. We'll cover what data you actually collect, which lawful bases apply, where the international transfer rules bite hardest, and how to build a compliance checklist that doesn't require a law degree to implement.


What Data Do Travel Agencies Actually Collect?

Start by mapping your data. A typical booking for a ten-day group tour might collect:

  • Full name, date of birth, nationality — for airline bookings and visa applications
  • Passport number and expiry date — required by carriers and border agencies
  • Contact details — email, phone, home address
  • Payment information — card details, bank transfers, or instalment agreements
  • Dietary requirements — vegetarian, halal, kosher, severe allergies
  • Medical conditions or mobility needs — relevant for insurance, accessibility, or remote destinations
  • Travel insurance policy details — insurer, policy number, coverage level
  • Emergency contact information — third-party personal data
  • Children's details — names, ages, passport numbers, if family travel
  • Previous booking history — used for loyalty marketing and personalisation

That's a significant volume of sensitive data collected for a single transaction. And unlike a SaaS platform where data stays on your server, travel data moves: it goes to airlines via Global Distribution Systems (GDS), to hotels, to ground operators, to visa agencies, and often to government systems in the destination country.


Lawful Basis: Contract Is Your Primary Ground

For most of the data you collect, Article 6(1)(b) — performance of a contract — is your lawful basis. When a customer books a holiday, you need their passport data to make the booking. You need their dietary requirements to arrange meals on a tour. You need payment information to process the transaction. All of this is genuinely necessary to deliver the service they've paid for.

This is strong, clean ground. You don't need consent for data that's directly necessary for contract performance.

But there are limits:

  • Marketing is not covered by contract. If you want to send past customers newsletters, promotional offers, or travel inspiration emails, you need a separate legal basis — either consent or legitimate interest.
  • "Necessary" means actually necessary. Don't collect data under the contract basis that you want for convenience rather than necessity. If you collect customers' social media handles "for the booking," that won't hold up.
  • Legitimate interest can cover some operational uses — fraud prevention, internal analytics, improving service quality — but you must conduct a Legitimate Interest Assessment (LIA) and document it.

Passport and Travel Document Data: Handle With Care

Passport numbers are not "special category" data under Article 9 of GDPR — they don't fall into the eight categories (health, race, biometrics, religion, etc.). But they are high-risk personal data. A passport number combined with a date of birth and nationality is a powerful identity document package. Regulators treat it accordingly.

Practical obligations:

  • Encryption at rest and in transit — non-negotiable for passport data
  • Access controls — only staff who need passport data for bookings should see it
  • Retention limits — you don't need passport numbers after travel has concluded (and associated records have cleared). Build a deletion schedule.
  • Breach notification — a breach involving passport data almost certainly triggers the 72-hour reporting window to your supervisory authority under Article 33

Health and Dietary Information: Special Category Data?

This is where many travel agencies get it wrong.

Dietary requirements can be special category data. If someone requests a halal meal, that information reveals their religion. If they request a strictly gluten-free diet for medical reasons, that reveals a health condition. Both religion and health are Article 9 special categories, requiring explicit consent (Article 9(2)(a)) or another specific ground.

In practice:

  • Collect dietary requirements with a clear explanation of why you need them and who you'll share them with (airline catering, hotel kitchen, tour guide)
  • Use an explicit opt-in checkbox rather than a free-text field that records more than you need
  • Don't retain dietary preferences after the trip — they're not needed for any ongoing purpose
  • If a medical condition affects travel suitability (e.g., a customer declares a heart condition relevant to altitude trekking), treat that data as special category, document your ground (likely explicit consent), and share it only with parties who genuinely need it

Mobility and accessibility information falls into the same category when it relates to a disability or health condition.


International Data Transfers: The Core Problem for Travel

This is the most complex area for travel businesses, and the one most likely to create genuine GDPR exposure.

Every time you send a customer's data to a hotel in Thailand, a tour operator in India, or a cruise line with servers in the United States, you're making an international transfer under Chapter V of GDPR. And most of those destinations don't have an EU adequacy decision.

Adequacy Decisions (the Easy Route)

The European Commission has granted adequacy decisions to a handful of countries — including the UK (post-Brexit), Switzerland, Japan, South Korea, New Zealand, and a few others. Transfers to entities in these countries are straightforward.

The United States has the EU-US Data Privacy Framework (DPF), but only for US companies that have self-certified. Many US hotel chains, airlines, and booking platforms are certified — check the DPF list before assuming.

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions — Thailand, Indonesia, Mexico, Kenya, Vietnam, many others — you need a transfer mechanism. The most practical for small and medium travel agencies is Standard Contractual Clauses (SCCs), the model contracts approved by the European Commission.

You incorporate SCCs into your contracts with overseas suppliers. The challenge: many overseas hotels and ground operators have never heard of SCCs and won't engage with them. This is a real operational friction point for independent travel agents.

The Article 49 Derogations: "Necessary for Performance of Contract"

This is where travel agencies get significant relief.

Article 49(1)(b) provides that a transfer to a third country is lawful if it is "necessary for the performance of a contract between the data subject and the controller."

If your customer has booked a 14-night tour of Vietnam, and you need to send their name, passport number, and dietary requirements to the Vietnamese ground operator to deliver that tour — that transfer is likely covered by Article 49(1)(b). The customer contracted for the tour. The transfer is necessary to perform it.

Key conditions:

  • The derogation is for the specific transaction, not for general business operations
  • It must genuinely be necessary — not just convenient
  • You should document your reliance on Article 49(1)(b) in your Records of Processing Activities (RoPA)
  • You should inform customers in your privacy policy that their data will be transferred internationally for the purpose of delivering their booking

Article 49 is a legitimate tool for travel agencies. But it doesn't cover speculative or marketing-related transfers — only those directly necessary to fulfil the booking.


GDS Systems: Amadeus, Sabre, and Galileo as Data Processors

Most travel agencies don't book directly with airlines — they use a Global Distribution System: Amadeus, Sabre, or Galileo (now part of Travelport). These systems are data processors under GDPR Article 4(8).

That means you need a Data Processing Agreement (DPA) with your GDS provider.

In practice:

  • Amadeus, Sabre, and Travelport all publish DPAs and have GDPR compliance programmes
  • Review the DPA to understand what they do with the data, their subprocessors, and their international transfer mechanisms
  • Include GDS providers in your RoPA under the "processors" column

The same logic applies to booking software, CRM systems, and any other platform where customer data is stored or processed on your behalf.


Travel Insurance Data Sharing

When you arrange travel insurance as part of a package, or refer customers to an insurer, data flows in both directions: you provide customer information to the insurer, and the insurer may provide policy information back to you for the booking record.

These flows need:

  • A clear privacy notice disclosure explaining who you share data with and for what purpose
  • A DPA if the insurer is processing data on your behalf (unlikely — they're usually an independent controller)
  • A controller-to-controller data sharing agreement if you're jointly responsible for the data (more likely)

Health disclosures made to insurers — pre-existing conditions, declared medical history — are special category data. Ensure your privacy notice makes crystal clear that this information goes to the insurer, not to you.


Children's Travel Data and Parental Consent

Family holidays generate children's data: names, ages, passport details. GDPR's specific children's provisions (recitals 38 and 65, and Article 8 for online services) focus primarily on information society services, not travel bookings.

However:

  • Children's data collected under a booking contract is processed on the same Article 6(1)(b) basis as adults — no separate consent is needed for the booking itself
  • Marketing to families is different. If you want to market children's holiday clubs or school trip services to past customers, and you're identifying or targeting them based on having children, be conservative: get explicit parental consent
  • Keep children's data — especially passport details — under the same strict security controls as adult passport data
  • Delete children's data when it's no longer needed. A child's passport number from a 2019 family holiday should not still be in your CRM

Marketing to Past Customers: The Soft Opt-In

If you've run a travel agency for any length of time, you have a database of past customers. Can you email them about new holidays?

Under UK GDPR and PECR (and the equivalent ePrivacy rules across the EU), the soft opt-in allows you to market similar products to existing customers without fresh consent — provided:

  1. You collected their contact details in the course of a sale
  2. You're marketing similar products or services (other holidays, related travel services)
  3. You gave them a clear opportunity to opt out when you collected their data
  4. You offer an easy opt-out in every marketing message

If you can tick all four boxes, you can send past customers holiday promotions without needing explicit consent.

If you have contacts from enquiries that never converted to bookings, you need consent for marketing — the soft opt-in only applies to customers who actually made a purchase.

Document your marketing basis. If you rely on soft opt-in, record it in your RoPA and make sure your booking confirmation process includes the opt-out opportunity.


Retention: Booking Records vs. Data Minimisation

Travel agencies face a genuine tension between legal retention requirements and GDPR's data minimisation principle.

What you're required to keep:

  • Financial records for 6-7 years (VAT, corporation tax, HMRC requirements in the UK)
  • ATOL/ABTA records if you hold these licences
  • Records related to any insurance claims or disputes

What you don't need to keep:

  • Passport numbers after the booking has concluded and records have cleared
  • Health and dietary information after the trip
  • The full booking record in active systems — archive it in a restricted access system

A practical approach: after a booking concludes, redact or delete passport numbers and health data from your primary booking system, archive the financial record separately, and set an automated deletion schedule for archived records at 7 years.
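The retention approach above, together with the earlier points on passport data (high-risk but not Article 9) and dietary/health data (special category), can be encoded as a field-level policy rather than left to manual clean-up. The following is an added example, not code from the post or from Custodia: it assumes a hypothetical booking record with invented field names, constructed sample data, and the post's own rules (purge passport and health/dietary fields once the trip has concluded, move financial fields to a restricted archive, delete the archive 7 years after the trip ends). Unknown fields default to the strictest rule so a newly added form field cannot be kept forever by accident.

```python
"""Field-level retention for a concluded travel booking (added example, not the
article's own code). Field names, dates and the Booking shape are constructed for
illustration; the retention rules follow the post."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Sensitivity(Enum):
    ORDINARY = "ordinary"            # Art. 6(1)(b) contract data, no extra handling
    HIGH_RISK = "high_risk"          # passport data: not Art. 9, but an identity package
    SPECIAL_CATEGORY = "special"     # Art. 9: health, or dietary data revealing religion


class Retention(Enum):
    TRIP_END = "delete_when_trip_concludes"
    ARCHIVE_7Y = "archive_then_delete_after_7_years"
    ACTIVE = "keep_in_active_record"


# Assumed field names -> (sensitivity, retention rule). Constructed for the example.
FIELD_POLICY = {
    "full_name":       (Sensitivity.ORDINARY,         Retention.ARCHIVE_7Y),
    "email":           (Sensitivity.ORDINARY,         Retention.ACTIVE),
    "date_of_birth":   (Sensitivity.HIGH_RISK,        Retention.TRIP_END),
    "passport_number": (Sensitivity.HIGH_RISK,        Retention.TRIP_END),
    "passport_expiry": (Sensitivity.HIGH_RISK,        Retention.TRIP_END),
    "dietary":         (Sensitivity.SPECIAL_CATEGORY, Retention.TRIP_END),
    "medical":         (Sensitivity.SPECIAL_CATEGORY, Retention.TRIP_END),
    "invoice_total":   (Sensitivity.ORDINARY,         Retention.ARCHIVE_7Y),
    "payment_ref":     (Sensitivity.ORDINARY,         Retention.ARCHIVE_7Y),
}
# Safe default for any field not in the policy: treat as high-risk, purge at trip end.
DEFAULT_POLICY = (Sensitivity.HIGH_RISK, Retention.TRIP_END)
ARCHIVE_YEARS = 7   # archive period stated in the post


def classify(field_name: str) -> Sensitivity:
    return FIELD_POLICY.get(field_name, DEFAULT_POLICY)[0]


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; a 29 Feb anniversary falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Booking:
    booking_id: str
    trip_end: date
    fields: Dict[str, str]
    archive: Dict[str, str] = field(default_factory=dict)
    archive_delete_after: Optional[date] = None


def apply_retention(booking: Booking, today: date) -> Booking:
    """Once the trip is over: drop TRIP_END fields, move ARCHIVE_7Y fields to the
    restricted archive and stamp its deletion date; keep ACTIVE fields only."""
    if today <= booking.trip_end:
        return booking                      # trip still running, nothing to purge yet
    kept: Dict[str, str] = {}
    for name, value in booking.fields.items():
        _, rule = FIELD_POLICY.get(name, DEFAULT_POLICY)
        if rule is Retention.TRIP_END:
            continue                        # passport / health / dietary data deleted
        if rule is Retention.ARCHIVE_7Y:
            booking.archive[name] = value   # financial record, restricted access
        else:
            kept[name] = value
    booking.fields = kept
    booking.archive_delete_after = add_years(booking.trip_end, ARCHIVE_YEARS)
    return booking


def archives_due_for_deletion(bookings: List[Booking], today: date) -> List[str]:
    return [b.booking_id for b in bookings
            if b.archive_delete_after is not None and today >= b.archive_delete_after]


def sample_booking() -> Booking:
    """Constructed sample record, not real customer data."""
    return Booking(
        booking_id="BK-EXAMPLE-001", trip_end=date(2023, 5, 20),
        fields={"full_name": "A. Traveller", "email": "a.traveller@example.com",
                "date_of_birth": "1985-03-02", "passport_number": "X00000000",
                "passport_expiry": "2030-01-01", "dietary": "halal",
                "medical": "asthma", "invoice_total": "2450.00",
                "payment_ref": "PAY-0001", "loyalty_tier": "gold"},
    )


def run_example() -> dict:
    """Drive the sample through both states so the outcome can be inspected."""
    running = apply_retention(sample_booking(), today=date(2023, 5, 1))
    done = apply_retention(sample_booking(), today=date(2023, 6, 1))
    return {
        "active_before": sorted(running.fields), "archive_before": sorted(running.archive),
        "active_after": sorted(done.fields), "archive_after": sorted(done.archive),
        "archive_delete_after": done.archive_delete_after.isoformat(),
        "due_2025": archives_due_for_deletion([done], date(2025, 1, 1)),
        "due_2030": archives_due_for_deletion([done], date(2030, 6, 1)),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run it as a nightly job against bookings whose `trip_end` has passed; the archive copy should live in a separate, access-restricted store, and `archives_due_for_deletion` feeds the 7-year purge. The `loyalty_tier` field in the sample is deliberately absent from the policy to show the default rule removing it.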


Compliance Checklist for Independent Travel Agents

Use this as a starting point for your own assessment:

  • [ ] Privacy policy published and up to date — covers booking data, GDS transfers, international transfers, insurance sharing, and marketing
  • [ ] Lawful basis documented for each category of data in your RoPA
  • [ ] Special category data (dietary/health) collected with explicit consent and clearly labelled
  • [ ] GDS provider DPA signed and on file
  • [ ] DPAs in place with all UK/EU-based software providers (CRM, booking software, email platform)
  • [ ] International transfer basis documented — adequacy, SCCs, or Article 49(1)(b)
  • [ ] Passport and sensitive data encrypted at rest and in transit
  • [ ] Staff access controls — only those who need to see passport data can access it
  • [ ] Data retention schedule with automatic deletion dates for passport and health data
  • [ ] Marketing list reviewed — soft opt-in basis documented or fresh consent collected
  • [ ] Children's data handled under same security standards as adult data
  • [ ] Breach response procedure in place — know who to notify and when
  • [ ] Data subject rights process — know how to handle access requests, deletion requests, and objections

Scan Your Website Before You Build Your Policy

Your privacy policy should describe what your website actually does — not what you think it does. If you're using a booking widget, a live chat tool, a Google Analytics tag, or a Facebook Pixel without realising it, your policy may already be inaccurate.

Run a free scan at app.custodia-privacy.com/scan to see exactly which trackers are loading on your site, whether your cookie consent is compliant, and what your actual risk exposure looks like. It takes 60 seconds and requires no signup.


The Bottom Line

Travel agencies collect some of the most sensitive combinations of personal data of any business category. But compliance isn't as complex as the data suggests — the framework is actually reasonably well-suited to travel if you understand which provisions apply.

Contract is your primary lawful basis for bookings. Article 49(1)(b) covers most of your international transfers. GDS providers have GDPR infrastructure you can plug into. The hard work is in the documentation: mapping your data flows, signing the right agreements, setting retention schedules, and maintaining a privacy notice that's actually accurate.

Independent travel agents who get this right gain a genuine competitive advantage: customers increasingly choose businesses they trust with their data. A professional privacy posture isn't just compliance — it's a trust signal.


This post provides general information about GDPR compliance for travel agencies. It does not constitute legal advice. Data protection law varies by jurisdiction and individual circumstances differ. Consult a qualified data protection professional for advice specific to your business.
