Travel agents urged to review data practices

The recent €14,4 million (R270 million) fine imposed on Amadeus by Spain’s data protection authority has refocused attention on how passenger information is handled across the travel sector.

According to the Spanish regulator, Amadeus used booking information from airline and hotel partners to create traveller profiles and track travel behaviour, including passenger information dating back to 2019. The case identified two infringements: a lack of sufficient legal basis for processing passenger data, and a lack of information and transparency towards travellers.

South African legal experts say South African travel agents remain responsible for ensuring traveller data is processed lawfully under POPIA, even when it passes through global booking systems, airlines and third-party platforms.

“Travel agents handle personal information every day, including passport details, contact details, payment information and more. When this information is entered into a GDS, airline system, hotel platform or other booking tool, agents remain responsible for processing it lawfully,” said ASATA’s Legal Counsel at Bold Law, Sarah Buerger.

Responsible parties

POPIA draws a distinction between two categories: responsible parties and operators.

As a responsible party, an agent or travel company has a direct relationship with the customer and bears primary responsibility for ensuring information is handled in compliance with POPIA. 

“This includes adhering to eight conditions set out in POPIA, such as being specific about the purpose of processing, not retaining personal information longer than necessary, respecting data access rights, implementing appropriate security safeguards, and ensuring cross-border transfers of personal information are properly authorised,” said Wendy Tembedza, legal partner at Webber Wentzel.

As an operator, they may process personal information on behalf of the responsible party. “The primary obligation sits with the responsible party, for example, when a corporate customer engages a travel agent as a service provider. The agent should ensure that its contractual arrangements with the responsible party appropriately manage any liability that could arise from the responsible party’s failure to comply with POPIA,” said Tembedza. 

Clients should be told, before the booking is made, that their information may be shared with other systems.

“This should be explained in a plain-language privacy notice that covers what information is collected, why it is needed, who it may be shared with, whether it may be sent outside South Africa, and what rights the client has,” said Buerger.

Cross-border sharing

Client information often moves through global systems, foreign airlines, international hotels, cruise lines and more.

“The biggest risk is not knowing where the information goes, who can access it, and whether it is protected. Agents can use international systems, but they should understand the data flow and make sure clients know their information may be processed outside South Africa,” said Buerger.

According to Tembedza, POPIA contains a prohibition on cross-border transfers of personal information unless certain conditions are satisfied. 

“Transfer of personal information outside of South Africa must fall within justifications set out in POPIA. These include obtaining consent to the transfer, ensuring the receiving party is subject to data protection laws similar to POPIA, or establishing that the transfer is necessary for the performance of a contract with the client,” said Tembedza.

Using a foreign service provider to process or store personal information (using cloud-based systems hosted abroad) does not remove an agency’s responsibilities under POPIA, even if the information is handled outside South Africa.

Data retention

Another key consideration is how long data can be retained for.

“The general rule under POPIA is that personal information must not be retained for longer than is necessary for the purpose it was originally collected for,” said Tembedza.

However, there are exceptions. “Retention beyond that period may be justified under several grounds, including if a client has consented to a longer retention period, where a law requires records be kept for a specified period, or where the record is required for the responsible party’s legitimate business activities,” she added.

Transparency

Section 18 of the Act establishes a transparency obligation, setting out categories of information agents must disclose to a client. 

“These include the identity of the responsible party, details of information being collected, reason for collection, how the information will be used, and with whom it may be shared,” said Tembedza.

ASATA has run free POPIA awareness workshops for agents and has provided guidance on responsible processing, privacy notices and the legal documents agencies should have in place.

The use of AI does not exempt agencies from their responsibilities under POPIA. “Whether AI is being used to derive market insights, build customer profiles or support back-office functions, POPIA governs how information is processed through these systems. Data security, processing of personal information, and cross-border data flows are all considerations that should form part of any due diligence exercise into AI technology,” said Tembedza.

© Now Media. This content is protected by copyright and may not be adapted or republished. If you would like to discuss cooperation opportunities, please contact: editor@travelnews.co.za.