Processing personal data as part of a collaboration with members and other clients
TravelpoolEurope f.m.b.a. (hereinafter called ”TPE”) is a member association which performs services related to the booking of travel, follow-up on travel and travel expense management for employees and other persons related to TPE’s member companies, and to a limited extent also other companies (hereinafter called ”The Companies).
In connection with performing these services TPE will in many cases act as data controller to the individual in relation to processing personal data for employees and other persons affiliated with The Companies (hereinafter called “Data Subjects”).
The following is a description of how TPE process this personal data, and this description also includes the duty of disclosure which TPE in compliance with the EU General Data Protection Regulation (GDPR) and Danish data protection legislation is required to inform the data subjects about.
Data processed by TPE and disclosed to collaborators/business partners
The type of data most commonly processed by TPE and - depending on the character of the individual service in question – disclosed to The Companies and TPE’s business partners, is name, address, civil registration number, passport number, gender, year of birth, email address and phone number.
Also collected, processed and disclosed is data on credit cards, payments, travel routes, travel days as well as data on special requests regarding seating in flights, meals, requests for transportation and lodging etc.
The data collected, processed and disclosed may also include so-called sensitive personal data such as religious affiliation, information about health related issues and in rare cases questions concerning criminal matters, to the extent that this is required by authorities, airlines and travel agencies, or to the extent that this is relevant for processing special requests for the travel.
Objective of processing and disclosing personal data
The objective of processing and disclosing the personal data is to plan and book travel as well as perform a number of services related to travelling, including booking hotel stays, transportation, meals in hotels and restaurants, etc.
The objective is furthermore to carry out the travels, including making changes to already booked travels, to continually keep The Companies updated on itineraries and the location of the travellers as well as expenses.
Finally, the personal data will be processed and disclosed for analysis for the purpose of follow-up on The Companies’ travel policies as well as for statistical purposes related to The Company’s general bookings and use of travel services.
TPE’s disclosure of data
In addition to The Companies, the personal data may also be disclosed to and processed by a number of other companies which all - either as independent data controllers parallel with TPE or as data processor for TPE – assist the data subject and TPE in supplying services or data within the framework of the objective as stated above.
Depending on which service the company has at TPE, these independent data controllers and data processors include companies with activities in the following areas:
Disclosure outside of the EU
- Airlines Reporting Corporation (ARC) and Bank Settlement Plan (BSP).
- Airlines, trains, car rental companies, hotels, shipping companies, companies in charge of destination management and other similar suppliers of travel booking and ticket issuing for travel.
- AirRefund S.A., AirHelp Limited and other similar service suppliers which assist travellers in acquiring compensation in case of delay, cancellation or overbooking of flights.
- CIBT Inc. And other service suppliers which issue visas, passports, etc.
- Credit card companies.
- Credit report companies and other companies which perform credit ratings and payment collection.
- Companies in charge of data consolidation for the purpose of establishing reports and similar statistics within the travel business (to the extent that such data is disclosed without directly identifying the traveller or The Company).
- Data storage companies.
- Sellers of IT equipment and IT technologies which include for example suppliers of internet booking tools, software for registration of meetings and travel expense management, and audio visual services.
- Global Distribution Systems (GDS).
- iJet International, Inc., International SOS, Inc., The Anvil Group and other security and tracking services.
- International Airlines Travel Agent Network (IATAN) and International Air Transport Association (IATA).
- North Star Travel Media, LLC and other service suppliers which provide information regarding warnings about special conditions related to travel, travel destinations, etc.
- PRISM Group, Inc. and other companies which collect travel data on behalf of airlines for the purpose of optimising offers for companies and travellers.
- Companies which offer services for quality assessment of completed travels.
- Transportation Security Administration (TSA) and other public authorities.
- Other third parties involved in the planning and carrying out of travel and meetings that the traveller participates in.
TPE endeavours to ensure that data is only disclosed to and processed by companies which are either based in EU, or are based in a country approved by the EU for transfer of data, or are registered with the American scheme ”Privacy Shield”, or companies outside of the EU that have entered into an EU standard data processor agreement with The Company as data controller or with TPE or another data processor used by TPE.
In a few cases disclosure and processing of data may be done by companies outside of the EU which are not included in the above-mentioned. By agreement with TPE the Companies have obtained the consent of the data subjects.
Rights of the data subjects
In accordance with the GDPR the data subjects whose data we are processing have a number of rights.
As a person who has registered personal data with TPE you have the following rights:
- The right to know which of your personal data we are processing.
- The right to rectify and update the personal data we are processing.
- The right to have your personal data deleted, since we delete such data upon request, unless we are required by law or other impartial purposes to save them.
- The right to revoke consent regarding processing of sensitive personal data you may have provided, which means that processing will be terminated, unless we are required by law to process this personal data.
Access to personal data may however be restricted for the sake of other persons’ protection of privacy or for the sake of trade secrets and intellectual property law.
By writing us via email email@example.com or at the address Vermundsgade 38 A, 2100 København Ø, att.: Søren Schødt you may request a transcript of your personal data, request that your personal data is updated, object to the processing of your personal data, or request that your personal data be deleted.
The request must be signed by you and must include your name, address, phone number and email address.
You may also retrieve the data in available electronic form (dataportability).
You may also contact managing director Søren Schødt by phone 33 36 96 01, via email firstname.lastname@example.org or via letter to the address Vermundsgade 38A, 2100 København Ø, if you believe that we are processing your personal data in violation of the GDPR or other legislation.
If your objection is legitimate we will stop processing and delete your data, unless we are required by law to store them, or required by the character of the counselling and processing we have been carrying out until then.
Finally, you have a right to file a complaint with the Danish Data Protection Agency regarding our processing of your personal data. Such a complaint may be sent to Datatilsynet, www.datatilsynet.dk, Borgergade 28, 5., 1300 København K, phone number 33 19 32 00.