Farina Azam, a partner at TravLaw, presented a seminar at The Travel Network Group (TTNG) conference in Budapest in which she updated agents on the main points of the updated package tour regulations and GDPR compliance.
The Package Travel and Linked Travel Regulations 2018 replaced the regulations from 1992 which Ms Azam described as "out of date" largely because of the changes to the way travel is sold which have happened in the past 27 years. She told agents that the 2018 regulations "widen the definition of a package holiday" to close a loophole whereby regulations could be avoided if separate elements of a holiday were booked by the same agent but not sold or marketed as a package.
Under the new regulations, a package is a combination of at least two different travel services - or what Ms Azam described as "the classic definition of a package holiday" - with added clauses to broaden the definition, such as services combined by one trader at the request of the selection of the traveller with a single contract of services, with the services purchased as a single point of sale; or services offered, sold or charged as a total price; or advertised or sold under the term "package" or a similar term; or services combined after the conclusion of a contract whereby a traveller chooses a range of different additional services; or travel services are purchased from different traders and linked in an online booking process in which the traveller's name, payment details and email address are transmitted from one trader to another trader or traders.
To further complicate matters, airport transfers which are not part of the hotel booking but are instead provided by another provider are not considered part of a package under the regulations. Additionally, if a package is purchased with a provider such as Jet2 and the a new element is added but not included in the original price, the agent should still have public liability insurance to cover the extra element. Ms Azam said this especially important if the agent adds a separate transfer to a booking as the agent could be liable in the event of a road accident en route from the airport to the hotel, for example. Additionally, Ms Azam said a sale is not a package if only one component is booked by the travel agent, such as a room-only or flight-only sale, an element makes up a "significant proportion", i.e 25% of the value of the sale or is an essential part of the sale such as a spa treatment in a spa hotel.
For the second part of her presentation, Ms Azam outlined the requirements GDPR and Data Protection 2018, which she described as a means of "Brexit-proofing" the law in this area. Under the legislation, personal data is data from which someone can be identified, the data controller is the party responsible for the data, and the data processor is the party that processes the data on behalf of the controller. The data controller can be the data processor and if the data is shared between two parties, both parties can be data controllers, such as a travel agent and a tour operator.
Ms Azam told agents that the guiding principles for the legislation were lawfulness/fairness/transparency; purpose limitation (only using data for specific, legitimate purposes and only using the data for other purposes with consent); data minimisation (only taking data that is necessary for the purposes of the transaction); accuracy (data must be kept up to date or deleted if it has changed); retention periods (only keeping data for as long as it is needed); integrity and confidentiality (protecting the privacy of people whose data has been collected and ensuring it is stored safely); and accountability (data controllers are not only responsible for GDPR compliance but must also be able to demonstrate this).
The importance of getting consent before obtaining and using data was emphasised by Ms Azam. She told agents that "explicit consent" is essential, as defined by a "clear, affirmative action" that is unbundled and verifiable, and includes the right to withdraw consent at any time, adding that silence or pre-ticked boxes are not consent.
In regard to using data for marketing purposes without falling foul of GDPR requirements, Ms Azam said that while the bar for consent has been raised under the legislation, the principle of a "soft opt-in" provides a "limited exception to explicit consent" with electronic communications. For example, a marketing email can be sent if there is "an existing commercial relationship ... and the email must come from you". Such communications must give the customer the chance to opt out and an unsubscribe option must be included on every email. Ms Azam cautioned that future regulation changes could result in the loss of the soft opt-in principle.
"Legitimate interest" is another principle under which customers could be contacted by email if there is an existing commercial relationship, such as asking for feedback after a holiday.
Again, Ms Azam reiterated the importance of consent, saying that "the customer's right to say no always overrides legitimate interest".