Data Protection and Privacy Notice Implementation, with effectiveness from 1 April 2018

Airline Distribution Standards Airline Brief 2018-03-v4 Data Protection and Privacy Notice Implementation, with effectiveness from 1 April 2018 Changes (translations) highlighted in blue Date Issued 27 March 2018 Issued by IATA Airline Distribution Standards Distributed to registered participants of standard setting groups Schedules Information (SISC) Reservations (RESCom) Tariffs (COMP/RADWG) Ticketing (TKTCom) DCS (DCSMWG) Messaging Passenger and Airport Data Interchange (PADIS) BSP Data Interchange (BDISG) Revenue Accounting (IBSOPS) Prorate (GPM) Passenger (PSC) Services Background The General Data Protection Regulation (GDPR) makes significant changes to privacy law in the European Union and will be enforced from 25 May 2018. In addition to the GDPR, there are more than 70 pieces of legislation that govern data protection or privacy matters around the world. As a result, it was considered appropriate to add a data protection notice to the e-ticket and itinerary receipt documentation issued to passengers and amend Resolutions 722f, 722g, 722h, 724, 725f, 725g and 725h accordingly. Key Points and Explanatory Memorandum The GDPR will capture the activities of most major carriers, including all carriers that market their services to EU residents. In addition to the 70 other data protection and privacy laws in force worldwide, it is expected that legislative activity in the area will only increase. One critical aspect of compliance with these laws is a comprehensive privacy policy. 1 of 8

Carriers are able to link to their own privacy policy in a direct sales scenario. However, when a ticket is issued through a travel agent or interline partner this is not typically possible. A generic notice addresses this problem by linking to a central index of carrier privacy policies. A new data protection notice for agency and interline channels The IATA Legal Committee established the GDPR Task Force in 2017. The Task Force has been asked to consider whether changes should be made to IATA s common systems and standards in light of developments in data protection law. The Task Force recommended that a standard notice, to be inserted on the e-ticket/itinerary receipt and similar to that given in respect of the liability treaties and hazardous materials (affecting Resolution 724, 722f/g/h 725f/g/h), was appropriate. The notice would be applicable for agency and interline ticketing channels. This recommendation was subsequently endorsed by the Ticketing Committee and the Passenger Services Conference. The notice draws the passenger s attention to the fact that processing is occurring under a privacy policy (or policies) and refers the passenger to an IATA web page where the applicable privacy policy can be located. Text of notice The following notice has been added to Resolution 724, 722f/g/h 725f/g/h: Data Protection Notice: Your personal data will be processed in accordance with the applicable carrier s privacy policy and, if your booking is made via a reservation system provider ( GDS ), with its privacy policy. These are available at http://www.iatatravelcenter.com/privacy or from the carrier or GDS directly. You should read this documentation, which applies to your booking and specifies, for example, how your personal data is collected, stored, used, disclosed and transferred. (applicable for interline carriage) * * Note that applicability for 722f and 725f is for interline carriage. * Translations for Spanish, Chinese Simplified (Mandarin), Arabic, French, Portuguese, Russian, German, Italian, Korean, Japanese, Chinese Mandarin Traditional are available from page 4 2 of 8

Members should take the necessary action to ensure that the notices above appear in the relevant parts of their e-ticket and e-ticket itinerary receipts. For online e-tickets (i.e. direct sales), there is no requirement to include this notice and the carrier s own notice should be substituted. More Information For more information on this topic, please contact the Airline Distribution Team at standards@iata.org. You may wish to consult your own legal department. 3 of 8

Arabic ال م عمول ال خ صو ص ية ل س يا سة و فقا ب ك ال خا صة ال شخ ص ية ال ب يان ات جمعال ة س ت كون :ال ب يان ات حماي ة إ ش عار ح زك إت مام اء إذا ("GDS") ال ح ز ن ظام مو ر ل دى ب ها ال م عمول ال خ صو ص ية س يا سة عن الف ال ناق ل ل دى ب ها ال تال ي ال راب ط ع لى م تو رة ال خ صو ص ية س يا سات ت كون.ال مو ر هذا ع بر ال وث ي قة هذه ق راءة ع ل يك ت ب GDS. أو ال ناق ل من م با شرة أو http://www.iatatravelcenter.com/privacy ال شخ ص ية ب يان ات ك ت م يع ي ال جمت بعة ال طري قة ال م ثال س ب يل ع لى ت حدد وال تي ح زك ع لى ت نط بق ال تي ع نها واإل صاح ون ق لها وا س تخدامها وت خزي نها Spanish [see separate file] Comunicación sobre protección de datos: sus datos personales se procesarán de acuerdo con la política de privacidad aplicable del operador y, si su reserva se realiza mediante un proveedor de sistema de reserva ( GDS ), conforme a su política de privacidad, que estará disponible en http://www.iatatravelcenter.com/privacy, o en el operador o GDS directamente. Debe leer esta documentación, que se aplica a su reserva y especifica, por ejemplo, cómo se recopilan, almacenan, utilizan, revelan y transfieren sus datos personales. Chinese Simplified (Mandarin) 数据保护声明 : 您的个人数据将按适用的运营商隐私政策进行处理, 这是指如果您的预订是通过 预订系统提供商 ( GDS ) 根据其隐私政策进行预订 这可在 http://www.iatatravelcenter.com/privacy 或直接从运营商或 GDS 处获取 您必须阅读这份文件, 它适用于您的预订, 并且说明一些事项, 例如您的个人资料如何被收集 储存 使用 披露和转 移. French Avis relatif à la protection des données : vos données personnelles sont traitées conformément à la politique de confidentialité applicable du transporteur et, si votre réservation a été effectuée via un fournisseur de système de réservation («GDS»), à la politique de confidentialité de celui-ci. Celles-ci sont disponibles sous http://www.iatatravelcenter.com/privacy ou directement sur le site du fournisseur / GDS. Veuillez prendre connaissance de cette documentation s'appliquant à votre réservation et 4 of 8

précisant notamment la façon dont vos données personnelles sont collectées, stockées, utilisées, divulguées et transférées. Portuguese Aviso de Proteção de Dados: Os seus dados pessoais serão processados em conformidade com a política de privacidade aplicável da transportadora e, se a sua reserva tiver sido feita através de um provedor de sistema de reservas ("GDS"), em conformidade com a política de privacidade do provedor. Estas estão disponíveis em http://www.iatatravelcenter.com/privacy ou diretamente na transportadora ou GDS. Deverá ler esta documentação que se aplica à sua reserva e especifica, por exemplo, a forma como os seus dados pessoais são recolhidos, armazenados, utilizados, divulgados e transferidos. Russian Уведомление о защите данных: ваши персональные данные будут обрабатываться в соответствии с применимой политикой конфиденциальности перевозчика, а если ваше бронирование осуществляется через поставщика системы бронирования (GDS) в соответствии с его политикой конфиденциальности. Эти политики доступны по адресу http://www.iatatravelcenter.com/privacy, непосредственно у перевозчика или GDS. Вам следуют прочитать данные документы, которые касаются вашего бронирования и, например, определяют то, как ваши личные данные собираются, хранятся, используются, раскрываются и передаются. German Datenschutzhinweis: Ihre persönlichen Daten werden in Übereinstimmung mit den Datenschutzbestimmungen des jeweiligen Verkehrsträgers und, falls Ihre Buchung über einen Anbieter von Reservierungssystemen erfolgt, mit dessen Datenschutzbestimmungen verarbeitet. Diese sind unter http://www.iatatravelcenter.com/privacy oder direkt beim Verkehrsträger, bzw. Anbieter des Reservierungssystems erhältlich. Lesen Sie diese Unterlagen, die sich auf Ihre Buchung beziehen und z. B. beschreiben, wie Ihre persönlichen Daten erhoben, gespeichert, genutzt, weitergegeben und übermittelt werden. Italian Avviso sulla protezione dei dati: i dati personali saranno trattati in conformità con l'informativa sulla privacy vigente del vettore e, se la prenotazione è stata effettuata tramite un fornitore di sistemi di prenotazione ("GDS"), con l'informativa sulla privacy di detto fornitore. Tali informative sono consultabili all'indirizzo http://www.iatatravelcenter.com/privacy o 5 of 8

direttamente dal vettore o dal GDS. È necessario leggere la documentazione suddetta, relativa alla prenotazione effettuata, la quale specifica, ad esempio, come i dati personali vengono raccolti, archiviati, utilizzati, divulgati e trasferiti. Korean 데이터보호에관한고지사항 : 귀하의개인데이터는해당항공사의개인정보처리방침에따라 처리되며, 귀하의예약이예약시스템제공자 ("GDS") 를통해이루어진경우, 해당개인정보 처리방침에따라처리됩니다. 이러한사항은 http://www.iatatravelcenter.com/privacy 또는 항공사나 GDS 를통해직접확인가능합니다. 귀하는귀하의예약에적용되고예를들어, 귀하의개인데이터를수집, 저장, 사용, 공개, 이전하는방법을명시한본문서를읽어보셔야 합니다. Japanese データ保護に関する通知 : お客様の個人データは 該当する航空会社のプライバシーポリシー ならびに 予約が予約システムプロバイダー ( 以下 GDS という ) を通じて行われた場 合はそのプライバシーポリシーに従って処理されます これらのポリシーは http://www.iatatravelcenter.com/privacy のページか 航空会社または GDS から直接入手するこ とができます これらの文書はお客様の予約に適用され 例えば個人データがどのように収集 保管 開示 送信されるかが明記されていますので 必ずお読みください Chinese Mandarin Traditional 數據保護聲明 : 您的個人數據將根據適用運營商的隱私政策進行處理, 而如果您通過預訂系統提 供商 (GDS) 進行預訂, 則需遵守其隱私政策 您可從 http://www.iatatravelcenter.com/privacy 或直接從運營商或 GDS 處獲取這些信息 您必須閱讀此文檔, 它適用於您的預訂, 並説明您的 個人數據將如何被收集 存儲 使用 披露和傳送 6 of 8

Frequently Asked Questions Why is this notice required? The notice allows customers to locate the privacy policy (or policies) applicable to their itinerary, where the booking is interline ticketed or ticketed by a travel agency. This puts customers on a comparable footing to those that have booked directly with the carrier and would receive the carrier s own e-ticket or itinerary receipt, which usually include a data protection or privacy notice. When should the notice be added to tickets and itinerary receipts? The effectiveness date declared by the Passenger Services Conference is 1 April 2018. Is this notice required for the GDPR? The notice has been developed at the request of the GDPR Task Force to ensure greater transparency for customers. The notice draws their attention to the privacy policy (or policies) applicable to their booking. The notice is generic in nature and should also assist with data protection and privacy requirements in other jurisdictions. Should the notice be used on my online tickets and itinerary receipts? This is not required. Most carriers already have their own data protection and privacy notices and refer to these in existing online booking documentation. When will the central IATA web page go live? Very shortly. Before a full index of carrier privacy policies is available, a holding page with some limited information is available. See further http://www.iatatravelcentre.com/privacy. Why are reservation system providers mentioned? 7 of 8

Reservation system providers (GDS operators) will likely have their own privacy policy and customers may wish to refer to these documents as well. They will also be referred to on the central web page. 8 of 8