The main customer rights issues related to retail and sales activities are data privacy and the provision of correct information on products and services offered. Data privacy In travel and tourism, large amounts of customer data are shared, stored, and processed. Retail and sales offices need data about customers’ travel schedules, locations of stay, personal details, financial data including credit card details and sometimes health information, as well as other data. Privacy and security of stored data is therefore an important issue for tour operators’ retail and sales offices. The new EU General Data Protection Regulation, which came into force in May 2018, regulates data protection and privacy issues in the EU and the European Economic Area. As the law protects all EU citizens, it also concerns companies and institutions processing personal data in countries outside the EU. Personal data are an important source of information for tourism companies, such as when developing personal customer profiles. They therefore have a particular responsibility to protect customers’ data. The new regulation also includes an obligation to report data breaches. Correct information Retail and sales offices should make sure they provide customers with correct information about pricing, the content of the offers, standards of lodging and transport, available facilities at destination, etc. From a human rights perspective, this is particularly relevant for people with disabilities or specific needs. However, other customers should also be able to rely on information on the products they purchase. Data Protection Regulation Data breach: Thomas CookData breach: OrbitzPreviousNext PreviousData Protection Regulation Data breach: Thomas CookData breach: OrbitzNext Data Protection Regulation The German Travel Association developed an information sheet on the new EU Data Protection Regulation (GDPR) and aspects of particular relevance for tourism companies.The British Travel Association ABTA provides information on the GDPR and how tour operators can deal with it on its website.LinksDeutscher Tourismusverband e.V. (2018): Datenschutzgrundverodnung (in German on…ABTA (2018): Data protection – does technology provide all the answers? Data breach: Thomas CookA digital security researcher managed to hack travel firm Thomas Cook’s data portal, exposing the names, email addresses and flight details of customers.The researcher blogged about its access to the data and shared the system’s vulnerabilities with the company, who afterwards fixed the loopholes.Thomas Cook has however not informed affected customers, which has raised concerns with the UK's data watchdog, the Information Commissioner's Office (ICO).LinksSky News (2018): Names and flight details exposed in Thomas Cook customer data …Data breach: OrbitzThe management of the travel fare aggregator website Orbitz informed that customers’ full names, payment card information, dates of birth, phone numbers, email addresses, physical and billing addresses, and genders may have been leaked as part of the data breach, which occurred between October and December 2017. Approximately 880,000 payment cards were impacted as part of the incident.LinksDigital Guardian (2018): Orbitz breach exposes customer data, 880’000 payment c…PreviousNext Take actionPolicy and process Integrate data privacy provisions in in the company policy and in the Supplier Code of Conduct to be signed by business partners. Training and capacity building Train sales staff on data privacy issues. Communication and reporting Provide communication material and / or information on accessibility of products and services to customers. Find more information on potential measures to take on the "take action" site. Analyse country-specific risksLearn more about potential human rights risks when operating in a specific country.Analyse country-specific risks Learn moreFind more information in the Resource Centre. Learn more
Take actionPolicy and process Integrate data privacy provisions in in the company policy and in the Supplier Code of Conduct to be signed by business partners. Training and capacity building Train sales staff on data privacy issues. Communication and reporting Provide communication material and / or information on accessibility of products and services to customers. Find more information on potential measures to take on the "take action" site.
Analyse country-specific risksLearn more about potential human rights risks when operating in a specific country.Analyse country-specific risks