Personal Data in Tourism: Regulator’s Guidance and Key Requirements for Businesses

The tourism industry (in particular, the organisation of tours and related services) involves handling large volumes of personal data, including their cross-border transfer. As a result, companies in the tourism sector are under increased scrutiny from regulators and are more frequently subject to compliance inspections.

In order to clarify the legal requirements, the National Centre for Personal Data Protection (the “Centre”) has published guidance entitled “On the application of personal data legislation in the provision of tourism services”. The purpose of this guidance is to help organisations bring their personal data processing activities into line with legal requirements and update internal processes.

The document covers a wide range of issues: determining the roles of the operator and the authorised person, the legal grounds for processing data, obtaining data subjects’ consent, as well as certain practical situations typical of tourism activities.

Key aspects of data processing

1. Roles of the operator and the authorised person

According to the Centre’s position, in tourism activities tour operators act as personal data operators, while travel agents act as authorised persons.

When entering into agreements between tour operators and travel agents, it is necessary to expressly set out the procedure for processing personal data. The fact that a tour operator has a large number of travel agents does not relieve the tour operator of this obligation.

In addition to travel agents, other organisations engaged to process personal data on behalf of a tour operator or travel agent may also be authorised persons, including:

  • providers of advertising mailshots;
  • companies providing “cloud storage” and website hosting;
  • courier services;
  • contractors producing advertising and informational materials and business cards;
  • organisations providing legal, accounting and marketing services.

Since primary responsibility for compliance with the legislation rests with the operator, the operator should ensure oversight to confirm that authorised persons comply with mandatory measures for the protection of personal data.

2. Processing based on consent

Where personal data are processed for purposes not directly related to the performance of a contract for the provision of tourism services, the data subject’s prior consent is required. Under the legislation, consent must be freely given, unambiguous and informed.

The Centre notes that wording which does not enable the data subject to understand the scope and purposes of processing is unacceptable.

In particular, without the data subject’s consent, the following are unlawful:

  • posting the personal data of tour operators’ or travel agents’ employees on official websites and on social media;
  • publishing clients’ reviews and their photographs on official websites and on social media.

For example, as the Centre notes, the following wording is unacceptable:

“By accepting this User Agreement, the user unconditionally expresses consent to the sending to the specified telephone number (by means of SMS) of service and system messages necessary for the use of the Service, as well as any information required for the proper provision of services.”

3. Use of messengers and social media

The Centre pays particular attention to working through messengers and social networks (Viber, Telegram, WhatsApp, Instagram, etc.). In this context:

  • the use of such services may involve cross-border transfer of data to countries that do not ensure an adequate level of protection of the rights of personal data subjects, which requires a separate legal basis;
  • operators and authorised persons must take into account the existing risks of using foreign messengers;
  • sensitive information, including information protected by law, must not be transmitted via such services;
  • if the initiative to use a messenger comes from the tourism company, it is necessary to obtain the data subject’s consent to process the data;
  • the operator is not entitled to require the provision, via messengers, of photos or copies of documents containing personal data;
  • if a citizen sends data via a messenger on their own initiative, the operator must ensure their protection during processing.

4. Copies of identity documents

The Centre emphasises that making and storing copies of identity documents may be regarded as excessive processing of personal data and a breach of the data minimisation principle, if it is not justified by a specific lawful purpose.

Additional aspects of the procedure for processing data in tourism activities can be found in the Centre’s official guidance.

Authors: Liudmila Yepikhava, Aliaksandra Mahlysh.


REVERA lawyers advise tourism businesses on compliance with personal data legislation and interaction with regulators — from auditing processes and preparing documents to supporting inspections.

We are ready to discuss your objectives and propose solutions to reduce regulatory risks.

 
