Welcome IITA Inbound Insider Webinar: An Introduction to GDPR

Presentation transcript:

Welcome
IITA Inbound Insider Webinar: An Introduction to GDPR
October 31, 2018
Thank you for joining us! The Webinar will begin in a few minutes.
A few reminders…
Please place your phone on MUTE.
Do not place the call on hold.
If you need to leave the presentation please hang up and dial back in.
Please save your questions until the end of the session.

Farina Azam Partner, Travlaw LLP

International Inbound Travel Association Webinar: An introduction to GDPR
31st October 2018
Farina Azam – Partner, Travlaw LLP

Territorial Scope
Applies directly in all EU member states;
Applies to any controller or processor established in the EU (regardless of whether processing is in the EU); OR
If not established in the EU BUT related to the offering of goods/services to data subjects in the EU (irrespective of payment);
Monitoring of the behaviour of data subjects so far as their behaviour takes place in the EU.

Key Definitions (1 of 3)
Personal Data: “any information relating to a data subject”.
Data Subject: identified or identifiable person to whom the personal data relates.
Identifiable: if he/she "can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity" of that person.

Key Definitions (2 of 3)
Data Controller: “determines the purposes and means of the processing of personal data”.
Data Processor: a "natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller".
Most obligations fall on the controller; however, GDPR also imposes specific and separate duties and obligations on processors.

Key Definitions (3 of 3)
What is Processing?
Processing means “…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

Data Processing Principles (1 of 5)
Lawfulness, fairness and transparency;
Purpose limitation;
Data minimisation;
Accuracy;
Storage limitation;
Integrity & confidentiality;
Accountability.

Data Processing Principles (2 of 5)
1. Lawfulness, fairness and transparency:
Personal data must be processed “lawfully, fairly and in a transparent manner”;
For processing to be lawful under the GDPR, you need to identify a legal basis, known as “conditions for processing” (Article 6).
2. Purpose limitation:
Personal data shall be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.

Data Processing Principles (3 of 5)
3. Data minimisation:
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c), GDPR).
4. Accuracy:
Personal data shall be accurate and, where necessary, kept up to date.

Data Processing Principles (4 of 5)
5. Storage limitation:
Retention periods.
Article 5 of the GDPR requires that personal data shall be: “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
6 years but may be able to justify a longer period.
Also consider which data you’re storing and why – only store the data that is required (data minimisation).

Data Processing Principles (5 of 5)
6. Integrity & confidentiality:
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. Accountability:
Under the GDPR, controllers are not only responsible for compliance with the general principles of the GDPR, but must also be able to demonstrate that compliance.

Legal Conditions for Processing Data
For processing to be lawful under the GDPR, you need to identify a legal basis, known as “conditions for processing”:
Consent;
Contract;
Compliance with a legal obligation;
Protect vital interest;
Public interest;
Legitimate interest.

Consent
Processing will be legal where the data subject has given his or her consent to processing of their personal data for one or more specific purpose(s).
Consent vs. Explicit Consent.
Freely given, specific, informed, unambiguous.
Some form of clear, affirmative action.
Silence, pre-ticked boxes or inactivity do not constitute consent.
Unbundled.
Verifiable.
Right to withdraw consent.

Contract
Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
E.g. tour operator passing information on to a supplier for fulfilment of a travel booking (or travel agent to tour op).

Legitimate Interest
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Controllers will need to be able to demonstrate how they balanced the legitimate interests against the fundamental rights and freedoms of the individual.
Recital 47 provides some examples of a controller's legitimate interest, for example:
Where there is a relevant and appropriate relationship between the individual and the controller in situations such as where the individual is a client or in the service of the controller.
The processing is strictly necessary for fraud prevention.
Preamble specifically mentions direct marketing as a possible legitimate interest which companies can rely on to contact customers.

Other legal conditions
Compliance with a legal obligation - processing is undertaken in order to comply with a legal obligation, e.g. legal obligations as an employer.
Protect vital interest - This legal basis should, in principle, take place only where the processing cannot be manifestly based on another legal basis. It is usually relied on in cases where the processing is essential to protect the life of the data subject or another person.
Public interest - necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Additional Q&A
Thank you!
Farina Azam, Travlaw LLP
E: farina@travlaw.co.uk
W: www.travlaw.co.uk
T: @Farina_Travlaw