Retail & sales

Customer rights

The main customer rights issues related to retail and sales activities are data privacy and the provision of correct information on products and services offered.

Data privacy

In travel and tourism, large amounts of customer data are shared, stored, and processed. Retail and sales offices need data about customers’ travel schedules, locations of stay, personal details, financial data including credit card details and sometimes health information, as well as other data. Privacy and security of stored data are therefore important issues for tour operators’ retail and sales offices. The new EU General Data Protection Regulation, which came into force in May 2018, regulates data protection and privacy issues in the EU and the European Economic Area. As the law protects all EU citizens, it also concerns companies and institutions processing personal data in countries outside the EU. Personal data are an important source of information for tourism companies, such as when developing personal customer profiles. These companies therefore have a particular responsibility to protect customers’ data. The new regulation also includes an obligation to report data breaches.

Correct information

Retail and sales offices should make sure they provide customers with correct information about pricing, the content of the offers, standards of lodging and transport, available facilities at destination, etc. From a human rights perspective, this is particularly relevant for people with disabilities or specific needs. However, other customers should also be able to rely on information on the products they purchase. 

Data Protection Regulation

The German Travel Association developed an information sheet on the new EU Data Protection Regulation (GDPR) and aspects of particular relevance for tourism companies.

The British Travel Association ABTA provides information on the GDPR and how tour operators can deal with it on its website.

Data breach: Thomas Cook

A digital security researcher managed to hack travel firm Thomas Cook’s data portal, exposing the names, email addresses and flight details of customers.

The researcher blogged about their access to the data and shared the system’s vulnerabilities with the company, which afterwards fixed the loopholes.

Thomas Cook has, however, not informed affected customers, which has raised concerns with the UK's data watchdog, the Information Commissioner's Office (ICO).

Data breach: Orbitz

The management of the travel fare aggregator website Orbitz announced that customers’ full names, payment card information, dates of birth, phone numbers, email addresses, physical and billing addresses, and genders may have been leaked as part of the data breach, which occurred between October and December 2017. Approximately 880,000 payment cards were impacted as part of the incident.

Take action

Policy and process

  • Integrate data privacy provisions in the company policy and in the Supplier Code of Conduct to be signed by business partners.

Training and capacity building

  • Train sales staff on data privacy issues.

Communication and reporting

  • Provide communication material and/or information on accessibility of products and services to customers.

Find more information on potential measures to take on the "take action" site. 

Learn more

Find more information in the Resource Centre.