GDPR and Business Aviation – What you need to know.

PT 3 M minute read
GDPR and Business Aviation – What you need to know.

Please note that this article and its contents are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain legal advice regarding GDPR compliance.

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. This complex and far reaching regulation governs how an EU citizen’s personal data can be used and processed by businesses both inside and outside of the EU. It’s impacting industries and companies around the globe—including Business Aviation.

In this article, we’re going to cover some areas you need to think about in regards to how GDPR may impact your operation.

1. Your passengers today

If you are transporting EU citizens, then you are undoubtedly using their personal data—such as passport information, contact information, and so much more—to facilitate these missions. GDPR strictly governs how this data can be used and processed.

2. Your passengers tomorrow

Even if you aren’t transporting EU citizens today, if you think you ever will in the future, GDPR will apply.

3. Don’t forget your crew

Same goes for your crew—consider the crew you have today and the crew you may hire tomorrow. Contract flight attendants as well.

4. Watch out for the dual-citizenship

People with dual citizenship often claim only one when asked. You may want to consider specifically asking passengers and crew if they have EU citizenship.

5. EU citizens in another country on a work visa are still covered

This is another one that can be easily overlooked.

6. Non-EU citizens working in the EU

If you have any U.S. or other citizens on an ex-pat assignment in the EU, they may also be covered under the terms of GDPR.

7. Your service providers

Think about the service providers you work with—trip support providers, FBOs, caterers, ground transportation providers, etc. If you have EU citizens onboard your flight, you are going to have to transmit their personal data to these providers to conduct the operation.

Because of the complexity of GDPR, different companies are going to approach it differently. It’s important that you work with your service providers one-on-one to find out their individual approach to GDPR.

8. What is Universal doing?

We hear this question lot. At Universal, we take regulatory compliance very seriously, as well as the security of the information our customers share with us. With this in mind, we’ve been very focused on GDPR, and here’s some of things we’ve done:

  • We’ve updated our privacy policy so our customers know exactly how their data is being used.
  • We are Privacy Shield Certified by the U.S. Department of Commerce. This is certification deems Universal’s processes and procedures adequate to enable personal data transfer between the U.S. and EU and U.S. and Switzerland. This is a vital component of ensuring GDPR compliance.
  • We’ve updated our Terms and Conditions that we set with our ground handlers and ground transportation partners so that they will know their obligations with respect to your data.
  • We’ve asked our clients to sign a Data Processing Addendum (DPA). The DPA is meant to ensure that we have consent from our clients to process personal data and to give clients information about the protection of their personal data.
  • We’ve appointed a Data Protection Officer to oversee our privacy program. This is a required role as stated by GDPR.
  • We’ve implemented GDPR training for our 1,700+ employees worldwide so they understand the importance of protecting your data.
  • We’ve implemented cybersecurity measures and continue to enhance our cybersecurity program to minimize the risk of data breach.

Closing Thoughts

GDPR is still a new regulation with regulators, companies and operators still early in the process of understanding its full impact on business aviation. We can expect to see a greater understanding of how GDPR impacts our industry as European courts and administrative bodies issue opinions on cases presented before them.

If you haven’t already, we encourage you to consult with your attorney to understand GDPR’s impact on your specific operation.

Got a question for Kathy about this article?