European Data Protection Supervisor
European Data Protection Supervisor

Computerised reservation systems

Computerised reservation systems

Friday, 11 April, 2008

Computerised reservation systems

Opinion on the proposal for a Regulation on a code of conduct for computerised reservation systems, OJ C 233, 11.09.2008, p. 1.

The EDPS issued an opinion on the proposal for a Regulation on a Code of conduct for computerised reservation systems (CRSs).

The objective of the proposal is to update the provisions of the Code of Conduct for Computerized Reservation Systems that was established in 1989 by Regulation 2299/89. The Code would need simplification in order to reinforce competition - while maintaining basic safeguards, and ensuring the provision of neutral information to consumers.
A specific article on data protection has been developed in the proposal with a view to complementing the provisions of Directive 95/46/EC which continues to apply as a lex generalis.

The EDPS welcomes the inclusion of such principles in the proposal. He stresses that these provisions could nevertheless be usefully complemented by additional safeguards on three points:

  • ensuring the fully informed consent of data subjects for the processing of sensitive data;
  • providing for security measures taking into account the different services offered by CRSs;
  • protecting marketing information relating to individuals from access by third parties.

With regard to the scope of application of the proposal, the criteria that make the proposal applicable to CRSs established in third countries raise the question of its practical enforcement, taking into account the complexity of the CRS network.

It is deemed as essential to put the CRS question in this global context and to be aware of the implications of having a large amount of personal data, some of them sensitive, processed in a global network practically accessible to third state authorities.

The EDPS considers it as decisive that effective compliance is ensured by competent authorities for enforcement (i.e. the Commission), as foreseen in the proposal, as well as data protection authorities.

COM(2007) 709 final of 15.11.2007PDF icon