The GDPR, which canceled previous European data protection regulations, represents the biggest change in those regulations in 20 years. Naturally, this amendment affects the methods of obtaining and processing personal data regardless of the size and structure of the companies doing so. All institutions in the transportation sector, including land, sea, air, and rail operators, agencies, airlines, and municipalities are also subject to the GDPR’s requirements.
Why is personal data being used in the transportation sector?
With the development of the Internet and especially the Internet of Things, the transportation sector has become modernized and “smarter” – and thus increasingly dependent on the personal data of its customers. Smart ticketing systems, marketing strategies, efforts to increase the profitability of companies by making faster and effective workflow planning, and new alternative transportation methods such as Uber and Lyft have significantly increased the use and sharing of personal data among companies, with names, surnames, contact information, addresses, travel habits, destination information, ranges that customers can afford to pay, travel hours, and even medical history being only some of the information which is processed within these “smart” systems.
In the transport sector, personal data is actively used: (i) in the establishment of smart ticketing and check-in systems in areas such as airports to increase efficient passenger flow; (ii) to improve efficiency in city planning systems and to allow for the development of autonomous traffic and transport systems and investment strategies in the field; and (iii) to improve the service sector by sharing data with 3rd party companies and organizations such as agencies and advertising companies.
In this context, the results of the processing of personal data in the transportation sector should be examined in two ways. Greater data allows companies to become more sophisticated, more efficient, and more profitable, while at the same time allowing those who use the transportation system to benefit from the sector in a faster, cheaper, and more personalized way. Companies can track customer transportation habits and locations with the personal data they process and offer them a smarter and more personalized service by highlighting useful content in online ticketing sites and applications.
GDPR compliance process of companies
Companies should act on the following issues to make their framework of compliance compatible with the GDPR: (i) review all contracts which the company has prepared and is a party to, including employee contracts, dealer contracts, and supplier contracts, and evenly distribute the risk within the scope of data security; (ii) prepare or update data and privacy policies and prepare clear consent texts specifying what personal data is being obtained for what purposes and from where, how it will be used, and whom it will be shared with; (iii) establish a data inventory system and determine how to store personal data, including geo-location information; (iv) take appropriate measures to ensure that personal data is stored in an encrypted and anonymous manner in all possible ways; (v) establish a process for use in personal data breaches; and (vi) provide in-house awareness trainings on data security.
Sanctions for non-compliance
Failing to comply with the GDPR will result in direct sanctions in Europe. Companies that do not comply with the law will face a penalty of EUR 20 million or 4% of their global turnover, whichever is higher.
As a demonstration of the seriousness of that threat, British Airways and its parent were fined GBP 183.39 million in 2018 for a data breach of 500,000 passengers. Also in 2018, Uber was fined EUR 400,000 by France due to a data breach that occurred in 2016 and affected 57 million users in total, and 1.6 million French citizens in particular.
Conclusion
With the Internet network covering the whole world and the transportation sector becoming “smarter,” the protection of personal data used in the sector has become a necessity. In order to avoid any sanctions, companies need to obtain and process personal data within a legal framework by enlightening people as transparently as possible about their compliance with the GDPR and taking the measures described above.
Since the successful completion of these compliance processes will increase the confidence and prestige of the company in the eyes of customers and increase their willingness to share their personal data, compliance with the GDPR will result in a much more profitable investment for companies in the long term.
By Nazli Sezer, Executive Partner, and Kaya Kayaoglu, Senior Attorney, Sezer & Utkaner
This Article was originally published in Issue 6.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.