Data Privacy
Privacy regulations, PII handling, and data protection requirements.
Scope
Regulations
- GDPR (EU General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- Other regional regulations (LGPD, PDPA)
Data Categories
- Personally Identifiable Information (PII)
- Sensitive personal data
- Travel data
- Payment information
Privacy Operations
- Consent management
- Data subject requests
- Breach notification
- Privacy by design
Research Topics
GDPR Compliance
Lawful Bases (Article 6)
| Basis | Airline Use Case |
|---|---|
| Contract | Booking, ticket fulfillment |
| Legal obligation | APIS, tax records |
| Legitimate interest | Fraud prevention, analytics |
| Consent | Marketing, profiling |
Data Subject Rights
| Right | Implementation |
|---|---|
| Access (Art. 15) | Data export portal |
| Rectification (Art. 16) | Profile edit |
| Erasure (Art. 17) | Deletion request flow |
| Restriction (Art. 18) | Processing flags |
| Portability (Art. 20) | Machine-readable export |
| Object (Art. 21) | Opt-out mechanisms |
Implementation
Data Subject Request Flow:
1. Receive request (web form, email)
2. Verify identity
3. Acknowledge receipt (within 72 hours)
4. Process request
5. Respond (within 30 days)
6. Document and audit
CCPA Compliance
Consumer Rights
- Right to know (disclosure)
- Right to delete
- Right to opt-out (sale of data)
- Right to non-discrimination
Required Disclosures
- Categories of data collected
- Purposes of collection
- Third parties shared with
- Sale of personal information
PII Classification
Data Categories
High Sensitivity:
├── Passport/ID numbers
├── Payment card data (PCI scope)
├── Date of birth
├── Biometric data
└── Health information (SSR codes)
Medium Sensitivity:
├── Full name
├── Email address
├── Phone number
├── Physical address
└── Booking history
Low Sensitivity:
├── Booking reference
├── Flight preferences
├── Seat preferences
└── Meal preferences
Handling Requirements
| Category | Storage | Access | Retention |
|---|---|---|---|
| High | Encrypted, restricted | Need-to-know | Minimal |
| Medium | Encrypted | Role-based | Business need |
| Low | Standard | General | Extended |
Data Retention
Retention Schedule
| Data Type | Retention Period | Basis |
|---|---|---|
| Booking data | 7 years | Tax, legal |
| Payment data | 7 years | Financial regulations |
| Marketing consent | Until withdrawn | GDPR |
| Web logs | 90 days | Operations |
| CCTV | 30 days | Security |
Deletion Process
Retention Period Expired
↓
Identify data locations
↓
Verify no legal holds
↓
Execute deletion
↓
Verify and document
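The retention schedule and deletion flow above, as an added example (not part of the original page): a Python retention sweep that finds expired records, blocks deletion where a legal hold exists, and writes an audit entry for each decision. The `Record` fields, the data-type keys, the 365-day year, and treating marketing consent as expired once withdrawn are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods from the schedule above, in days (assumption: 1 year = 365 days).
# None means no fixed period: the record is kept until consent is withdrawn.
RETENTION_DAYS = {"booking": 7 * 365, "payment": 7 * 365,
                  "marketing_consent": None, "web_log": 90, "cctv": 30}

@dataclass
class Record:  # hypothetical inventory entry, not a real schema
    record_id: str
    data_type: str
    created: date
    location: str  # where the data lives ("Identify data locations")
    legal_hold: bool = False
    consent_withdrawn: Optional[date] = None

def expired(rec: Record, today: date) -> bool:
    """True once the retention period for this record has run out."""
    if rec.data_type not in RETENTION_DAYS:
        # Fail closed: an unclassified data type must be reviewed, not guessed at.
        raise ValueError(f"no retention rule for {rec.data_type!r}")
    days = RETENTION_DAYS[rec.data_type]
    if days is None:
        return rec.consent_withdrawn is not None and rec.consent_withdrawn <= today
    return today > rec.created + timedelta(days=days)

def plan_deletions(records, today):
    """Return (to_delete, audit). Legal holds block deletion but are still logged."""
    to_delete, audit = [], []
    for rec in records:
        if not expired(rec, today):
            continue
        action = "held" if rec.legal_hold else "delete"  # "Verify no legal holds"
        if action == "delete":
            to_delete.append(rec)
        audit.append({"id": rec.record_id, "type": rec.data_type,
                      "location": rec.location, "action": action,
                      "date": today.isoformat()})  # "Verify and document"
    return to_delete, audit

# Constructed sample inventory (not real data)
SAMPLE = [
    Record("r1", "web_log", date(2024, 1, 1), "log-archive"),
    Record("r2", "cctv", date(2024, 5, 20), "nvr-01"),
    Record("r3", "booking", date(2015, 3, 1), "bookings-db", legal_hold=True),
    Record("r4", "marketing_consent", date(2020, 1, 1), "crm"),
    Record("r5", "marketing_consent", date(2020, 1, 1), "crm",
           consent_withdrawn=date(2024, 4, 2)),
]
```

The returned `to_delete` list is what each data store's own deletion job would act on; the audit list also records expired items that were kept because of a hold.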
Privacy by Design
Principles
- Proactive not reactive
- Privacy as default
- Privacy embedded in design
- Full functionality
- End-to-end security
- Visibility and transparency
- Respect for user privacy
Implementation Checklist
Consent Management
Consent Types
| Type | Use | Withdrawal |
|---|---|---|
| Marketing | Email, SMS offers | Unsubscribe link |
| Profiling | Personalization | Preference center |
| Analytics | Tracking | Cookie banner |
| Third-party | Partner sharing | Preference center |
Cookie Categories
Essential:
├── Session management
├── Security tokens
└── Load balancing
Functional:
├── Language preference
├── Currency selection
└── Recent searches
Analytics:
├── Page views
├── User journeys
└── A/B testing
Marketing:
├── Advertising
├── Retargeting
└── Social media
Cross-Border Transfers
Transfer Mechanisms
| Mechanism | Use Case |
|---|---|
| Adequacy decision | EU-approved countries |
| Standard Contractual Clauses | Most third countries |
| Binding Corporate Rules | Intra-group transfers |
| Explicit consent | Last resort |
APIS Data
Special handling for government data sharing:
- Legal basis: Legal obligation
- Minimize data to required fields
- Secure transmission
- No secondary use
Breach Response
Notification Timeline
| Authority | Timeline |
|---|---|
| DPA (GDPR) | 72 hours |
| Affected individuals | Without undue delay |
| CCPA | Most expedient time possible |
Response Process
1. Detect and contain
2. Assess scope and impact
3. Notify authorities (if required)
4. Notify affected individuals
5. Remediate
6. Document and learn