This document provides information relating to the compliance of CorpTrav in advance of 25 May 2018, when the EU General Data Protection Regulation (GDPR) becomes law. Under this regulation:
- Under Article 3 of the GDPR, a Controller is defined as one who “determines the purposes and means of processing personal data.” Client is identified as the Data Controller: the employer of the individual whose data is processed and used to deliver the services contracted in the Travel Service Agreement (TSA) between Client and CorpTrav. Under the GDPR, the Data Controller is the company that has determined the purpose of the processing of personal data (for example, by requiring its employees, guests or contractors to travel for business purposes) and the means by which that processing takes place (by appointing CorpTrav as its travel management company to process that data). Client, as the Controller, is responsible for demonstrating compliance with Article 6(1) of the GDPR.
- Client’s travelers, guests and contractors are identified as the Data Subject: the individual described by the personal data.
- Under Article 3 of the GDPR, the Data Processor “processes personal data on behalf of the Controller.” With this definition in mind, CorpTrav is identified as the Data Processor, under contract with the Controller to perform travel-related services and activities.
CorpTrav is currently working with all clients to revise and update Travel Service Agreements to include language that addresses the relationship of CorpTrav and the Client to the data, specifying who is the Controller and who is the Processor.
Data Retention: CorpTrav retains personal data for as long as is necessary to fulfill travel services to the client (Data Controller) and their employees (Data Subjects). The retention period can vary depending on the nature of the service and whether that service is regulated by additional laws. (For example, in the US, the Airlines Reporting Corporation requires ticket data to be retained for two years.) Additionally, if local or federal taxing authorities require data to be retained for tax or legal purposes, CorpTrav complies with those laws.
Data used for the specific purpose of reporting data and travel management information to the Client is retained for a rolling, historical 27 months. Data older than 27 months is purged from CorpTrav systems. If a client exercises their termination clause as per the stipulations in the Travel Service Agreement, CorpTrav will purge data within 60 days of final trading.
Data Transfer: CorpTrav does not transfer data into or out of the US. Any data transfer to clients within the US complies with PCI guidelines and standards and the laws of the United States.
Data Security: Personal data (traveler profiles) is stored in Sabre’s secure facility in the US, which is certified to ISO standards. A copy of Sabre’s ISO 27001 certificate must be obtained from Sabre. Access to data for reporting purposes is limited to staff who need to process it for travel-related purposes. CorpTrav does not store profile information on CorpTrav servers or systems.
Data Handling: All CorpTrav employees are trained annually on procedures for the safe handling of personal data that comply with the Illinois Personal Information Protection Act and with PCI guidelines and protocols.
NOTE: At this time, the GDPR does not provide specific guidance or a certification for compliance with the regulation. Language in the GDPR is ambiguous and defers to each EU member state to quantify and publish compliance standards. No member state has published the protocols or requirements for certification of GDPR compliance. Absent these certification protocols from the EU member states, CorpTrav complies with all laws of the United States and follows PCI guidelines to protect personal information.