The business itself will decide how to protect the privacy of its customers in connection with the adoption of the new GDPR European directive. Tour operators, hoteliers, and agents will be able to choose the best way to not disclose sub-bans to their customers that would lead to their identification. There is no specific regime to be followed, but companies are given the freedom to decide how to do so, as long as they can then prove that they have taken all the necessary measures within the meaning of the new EU regulation that enters into force from 26th of May.
This was made clear by the words of the Chief Secretary of the Bulgarian Commission for Personal Data Protection (DPS) Desislava Toshkova and the Head of the Directorate at the Ministry Plamen Angelov at 5th Annual Conference of Travel Academy, which took place from 29 to 30 March in Pravets. Companies can agree with their customers by signing a declaration, online consent or other technological solution, Angelov explained. The Directive also gives freedom to deal with partners and suppliers.
At the same time, the regime does not aim to create more bureaucracy, but to respond to the modern technology and internet environment, Toshkova explained. She gave an example of a situation where a client signs up his wife, relatives or friends for a holiday. In this case, in order to comply with the new EU directive, it is enough for the tour operator to enter into a contract with the main customer, who provides him with the data for the rest. Where the customer has the other data is a question of personal relationships between the passengers, it was clear from Toshkova’s words.
The committee also explained which data is considered personal and accordingly fall under the scope of the directive. To be considered as such, the data must lead to the personal identification of the individuals concerned. In this sense, the name Ivan Petrov Ivanov, as a common one, could not be considered as protected information, but a name like Violetka Kantardjieva Tzipova would be such as it could lead to the identification of the particular woman.
During the discussion, it was clear that the CPDP and the Ministry of Tourism are ready to draft a code of good practice and examples to help the tourism industry implement the directive because companies worry that the freedom they can then be interpreted as the possibility of being sanctioned. Fines for non-compliance with the directive or leakage of customer data are cruel.
A company can be sanctioned up to 4 percent of its global annual turnover or up to 20 million euros, with the highest possible sanction being valid. This would lead to the Bankrupt of any Bulgarian tourist company, which would be fined, worried about the sector. However, the commission has assured the native business that they are ready to clarify the regulation and answer any questions in order not to impose fines.
The committee stressed that there are no companies to certify data protection specialists, who can only perform physical work according to the directive, but they do not need special education but perform certain posts. Certification of winning companies with a distinctive sign will take years because the criteria are currently being discussed at European level, it became clear during the conference. Although according to the EU regulation personal data must be kept for as long as the service or the interest of the clients persist, they should not be destroyed if, according to other Bulgarian laws, they should be kept for a longer period, the CPDP explained. They gave an example of the accounting law, according to which the documents should be kept for 3 years.