Personal data is any information relating to an identifiable person, the data subject. Here, the “second degree user” (the passenger) is a data subject of your system. They have all the data subject rights, including the right to erasure.
It doesn't make sense to talk about anonymization here. In the GDPR, anonymization means removing identifying data so that the remaining data can no longer be connected to a specific person. For example, if you remove any passenger information from a booking, the remaining flight data is no longer personal data and can be used freely.
When a data subject exercises their right to erasure, you will have to analyse whether you have to fulfil their request – this isn't always the case. The details are in GDPR Art 17. Relevant aspects:
- You are allowed to keep data if you need it for some legal obligation (such as for keeping accounting records), or for defence against legal claims. Otherwise:
- You must delete personal data if it is no longer necessary for the purposes for which the data was originally collected.
- If the processing was based on “legitimate interest”, you must delete the data unless there are overriding legitimate grounds.
Presumably, you would process the passenger's data because this “is necessary for the performance of a contract to which the data subject is party” (Art 6(1)(b)). (This flight ticket contract likely has four parties: airline, passenger, payer, you as the retailer.) Then, you would only be required to delete the passenger data once the contract has been completed or is terminated, and you no longer need the records as evidence for possible lawsuits.
If you decide that you need to keep the data for some period, your privacy policy should outline for how long, or under which events the data will be deleted automatically. Compare your information obligations from Art 13 and Art 14.
What if the passenger's data was entered as a joke?
That person is still a data subject so the above analysis still applies. It is unlikely that a flight ticket would be booked as a joke, but very feasible that a ticket would be booked against the passenger's interest. I am not sure what your obligations are in this case, e.g. whether a passenger should be able to cancel the ticket. From the GDPR perspective:
- When you process a person's data, you must take reasonable steps to inform them about this processing – within one month or at the latest when you first contact them or when you share the data with a third party (such as the airline). See Art 14(3).
- If you send updates to the passenger, they may be able to object to these notifications.