
Passenger Data and GDPR: A Practical Guide for Airlines and Airports

The ICO's £20 million penalty against British Airways in 2020, reduced from the £183 million announced in its 2019 notice of intent, set the benchmark for GDPR enforcement in aviation. The 2018 breach exposed payment card data, travel details and personal information of roughly 500,000 customers. The ICO's finding, however, was not about the breach as such but about the absence of appropriate technical and organisational security measures (Article 32): the weaknesses that allowed it were ones the ICO considered BA could and should have addressed beforehand. Aviation operators holding passenger data (booking details, passport information, payment cards, biometrics, health and disability information, and PNR travel histories) therefore have significant GDPR obligations that require active, documented management. This guide sets out what you must have in place.

British Airways was fined £20M by the ICO for a 2018 breach — the ICO found that BA failed to implement appropriate security measures for 500,000 customers' data.

What Passenger Data Aviation Operators Hold

Airlines, airports, and aviation service providers typically hold:

  • Booking and reservation data: Name, contact details, travel dates, itinerary, booking reference, payment method
  • Identity documents: Passport number, nationality, date of birth — collected at booking and check-in
  • Payment data: Credit/debit card numbers (subject to PCI DSS as well as GDPR)
  • Special categories: Meal preferences (which may reveal religious beliefs or health conditions), disability and assistance requirements (health data), medical clearance information
  • Biometric data: Facial images and templates used at biometric boarding gates to identify passengers. Biometric data used for unique identification is special category data under Article 9, so an Article 9 condition is needed on top of the Article 6 basis
  • PNR data: Passenger Name Records transmitted to government authorities under counter-terrorism legislation. The receiving authority holds this detailed travel history for 5 years, with identifying fields depersonalised after 6 months
  • Frequent flyer data: Travel history, spending patterns, loyalty tier, preferences — a rich dataset with significant commercial value

Legal Bases for Passenger Data Processing

Aviation operators must identify and document the legal basis for each category of passenger data processing under UK GDPR Article 6:

  • Contract performance (Article 6(1)(b)): Booking data and identity verification necessary to provide the flight service
  • Legal obligation (Article 6(1)(c)): PNR data collection required by law; passport data for immigration purposes
  • Legitimate interests (Article 6(1)(f)): Fraud prevention, security screening, operational communications — must be balanced against passenger rights
  • Consent (Article 6(1)(a)): Marketing communications, non-essential cookies, optional loyalty programme enrolment
  • Special category data: Health data, biometric data used for identification, and dietary indicators of religion require an Article 9 condition in addition to the Article 6 basis; in aviation this is typically explicit consent, or vital interests where a passenger's life or health is at immediate risk. Record both bases against each processing activity in the record of processing

Technical Security Measures for Passenger Data

Following the British Airways enforcement, aviation operators should ensure passenger data is protected by:

  • Encryption at rest and in transit for all passenger personal data and payment information
  • Multi-factor authentication on all systems with access to passenger data, including the departure control system (DCS), reservation systems, loyalty platforms, and every remote or third-party access path into them
  • Network segmentation isolating reservation and passenger data systems from other IT and OT networks
  • Access control: Role-based access ensuring staff can access only the passenger data their role requires
  • Monitoring and alerting on passenger data systems: Detection of bulk data extraction, unusual access patterns, or unauthorised queries
  • Penetration testing of customer-facing booking portals and apps, at least annually and after any significant change, covering the third-party JavaScript those pages load as well as the server side
  • Vendor due diligence for all data processors handling passenger personal data (global distribution system (GDS) providers, check-in system vendors, etc.), with Article 28 processor terms in place and security obligations that you actually verify
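As an added illustration of the monitoring bullet above (this is example code written for this guide, not code from the original page or from any reservation-system vendor), the following Python runs two detections over a reservation-system audit log: a field-level entitlement check per role, which surfaces unauthorised queries, and a sliding-window count of distinct PNRs per user, which surfaces bulk extraction. The log format, the role-to-field policy, the user names and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""Added example (not from the original page or any vendor): two detections run
over a reservation-system audit log.  The log format, the role-to-field policy
and the thresholds below are assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed field-level entitlements per role: the policy RBAC should enforce;
# monitoring catches the cases where it has not.
ROLE_FIELDS = {
    "checkin":  {"name", "itinerary", "passport", "assistance"},
    "catering": {"name", "itinerary", "meal"},
    "payments": {"name", "card_last4"},
    "loyalty":  {"name", "itinerary", "tier"},
}

BULK_THRESHOLD = 5               # more than this many distinct PNRs ...
WINDOW = timedelta(minutes=10)   # ... by one user in this window is suspicious

# Constructed sample log, one record read per line:
#   <timestamp> <user> <role> <action> <pnr> <comma-separated fields returned>
SAMPLE_LOG = """\
2024-03-12T09:01:10Z agent07 checkin read_pnr ABC123 name,itinerary,passport
2024-03-12T09:03:42Z cat02 catering read_pnr ABC123 name,meal
2024-03-12T09:04:05Z cat02 catering read_pnr DEF456 name,meal,card_last4
2024-03-12T09:10:00Z agent07 checkin read_pnr GHI789 name,itinerary
2024-03-12T02:15:00Z svc_bi loyalty read_pnr AAA001 name,itinerary,tier
2024-03-12T02:15:01Z svc_bi loyalty read_pnr AAA002 name,itinerary,tier
2024-03-12T02:15:02Z svc_bi loyalty read_pnr AAA003 name,itinerary,tier
2024-03-12T02:15:03Z svc_bi loyalty read_pnr AAA004 name,itinerary,tier
2024-03-12T02:15:04Z svc_bi loyalty read_pnr AAA005 name,itinerary,tier
2024-03-12T02:15:05Z svc_bi loyalty read_pnr AAA006 name,itinerary,tier
"""


def parse_line(line):
    ts, user, role, action, pnr, fields = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "role": role, "action": action, "pnr": pnr,
        "fields": set(fields.split(",")),
    }


def detect(log_text):
    """Return alerts in time order.  Events are sorted first because log
    shippers frequently deliver lines out of order."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, pnr) pairs inside WINDOW
    bulk_flagged = set()          # one bulk alert per user, not one per record

    for e in events:
        # Rule 1: fields outside the role's entitlement (unauthorised query).
        extra = e["fields"] - ROLE_FIELDS.get(e["role"], set())
        if extra:
            alerts.append({"rule": "out_of_role", "user": e["user"],
                           "pnr": e["pnr"], "detail": sorted(extra)})

        # Rule 2: bulk extraction, counted as distinct PNRs in a sliding window
        # so that re-reading the same booking does not inflate the count.
        q = recent[e["user"]]
        q.append((e["ts"], e["pnr"]))
        while e["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > BULK_THRESHOLD and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            alerts.append({"rule": "bulk_read", "user": e["user"],
                           "pnr": None, "detail": len(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample data the script raises one bulk-read alert for the service account `svc_bi` (six distinct PNRs in five seconds, at 02:15) and one out-of-role alert for `cat02`, whose catering role returned a `card_last4` field it is not entitled to. In production the same logic would run in the SIEM against the audit feed, with thresholds set per role (a check-in agent and a reporting service account have very different baselines); an out-of-role hit is also the kind of event that belongs in the breach register even when it turns out to be a misconfiguration rather than an attack.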

Data Breach Response for Passenger Data Incidents

When a passenger data breach occurs, aviation operators must act promptly:

  • 72-hour ICO notification: Notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals (Article 33), even if the investigation is incomplete; the information can be supplied in phases. Record the time you became aware, since that starts the clock. Failure to notify on time is itself an infringement.
  • Passenger notification: Where the breach is likely to result in a high risk to affected individuals (exposed card data, identity documents, biometrics), inform them without undue delay (Article 34), in plain language and with the steps they can take to protect themselves
  • Breach register: All data breaches — even those not requiring ICO notification — must be logged in your internal breach register
  • Forensic evidence preservation: Do not destroy systems or logs until forensic investigation is complete
  • Legal privilege: Consider engaging lawyers to commission breach investigation, potentially attracting legal privilege protection
  • Regulatory cooperation: Full cooperation with the ICO investigation is expected — obstruction will aggravate any enforcement outcome

Frequently Asked Questions

Does biometric boarding require passenger consent?

Biometric data used to uniquely identify a person (facial templates, fingerprints) is special category data under UK GDPR Article 9, so airlines and airports using biometric boarding need an Article 9 condition as well as an Article 6 basis. In practice that is usually explicit consent, which must be freely given, specific, informed, unambiguous and given by a clear affirmative statement. Consent is only valid if passengers have a genuine alternative (a non-biometric boarding lane) and are not penalised or delayed for declining. A data protection impact assessment is mandatory before deployment, since biometric processing is on the ICO's list of processing that requires one. The ICO's guidance on biometric data and its Opinion on live facial recognition in public places are directly relevant to airport programmes.

How long can airlines retain passenger booking data?

Retention must be proportionate to a documented purpose. For standard booking data, the life of the booking plus a reasonable administrative period (typically 6 to 12 months after travel) is defensible; longer retention is justifiable only where a specific purpose requires it, such as fraud prevention under legitimate interests or defending passenger claims within the applicable limitation period. PNR data follows the statutory regime: 5 years in the UK, with identifying fields depersonalised (masked) after 6 months. Masking is not anonymisation, because the full record can be restored under controlled conditions, so the data remains personal data throughout. Special category data (health, biometrics) should be deleted at the earliest reasonable opportunity; a facial template captured for boarding serves no purpose once the flight has departed. A documented retention schedule, with deletion actually carried out and evidenced, is a basic GDPR requirement.
