What is the GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) is a data privacy law that applies to any company, such as Sabre, that processes data of EU residents, regardless of the company’s business location. Broadly, the GDPR requires that:
- Data of EU residents considered “personal” must be protected and processed only as permitted;
- Access to this data is controlled and restricted;
- Contracts with third party processors must contain certain specific terms regarding their processing of the data;
- EU residents have numerous rights with respect to their personal data, including the right to restrict processing and to know the personal data a company holds on them; and
- Specific rules on notifying personal data breaches, including deadlines, are followed.
What is “personal data” as defined by the GDPR?
Personal data includes any information relating to an identified or identifiable natural person (an individual, or “data subject”). A data subject may be identified, directly or indirectly, by a variety of pieces of information, alone or in combination. Examples of information that may be considered personal data include a name, ID number, photo, email address, bank details, posts on social networking websites, medical information, or an IP address. The definition of personal data is very broad.
Who is affected by the GDPR?
The GDPR applies to any company, including Sabre, that processes the personal data of EU residents in the context of its business activities, regardless of the company’s location.
What actions must I take in order to be GDPR compliant?
As you can appreciate, we are not in a position to provide legal advice or to advise what actions are required on your part. Because the GDPR is complex, companies should review the requirements of GDPR for themselves and decide if they need to speak with their legal counsel to determine the applicability of the GDPR to their business.
What is the general overview of your GDPR compliance activities?
Sabre takes privacy and data protection very seriously. As a global company and trusted partner to the travel and hospitality industries, we regularly monitor developments in the locations where our services are offered to ensure we meet our legal, regulatory and contractual obligations. In anticipation of the GDPR, with executive support and oversight, Sabre formed a cross-functional project team responsible for driving compliance with its requirements.
What support can I expect from Sabre with respect to my Sabre solutions?
Sabre evaluates its solutions against applicable privacy laws. Where a solution that processes personal data is changed, you may be prompted to take action. For example, for any Sabre systems that you operate from your own data center, you will need to install any updates made to the system code and ensure your local computing environment meets GDPR requirements. Your account team will communicate any actions needed on your part whenever Sabre changes a solution you are using.
How will customer data be anonymized?
Sabre addresses the technical aspects of data anonymization in accordance with industry practices and applicable privacy laws.
How will you be able to identify data that belongs to EU residents?
Sabre systems do not segregate data based on the data subject’s location, so we evaluate our entire suite of solutions against applicable privacy laws.
As it relates to the GDPR, is Sabre considered a processor or a controller?
Sabre is considered a processor for the majority of its services. Sabre’s customers and travel suppliers are considered controllers, and thus have responsibility for the requirements imposed on controllers under the GDPR, including having a lawful basis to process personal data and obtaining appropriate consent as may be required.
Is it better to communicate with the Sabre GDPR team directly through email or through our account manager?
The GDPR@sabre.com email address is monitored by the Sabre GDPR Readiness Team who will gladly respond to inquiries, or you can continue to work directly with your Sabre account manager.
What is being done to support data subject requests such as the right to be forgotten?
We have evaluated our policies and refined our system capabilities where necessary to accommodate data subject requests, which may be submitted here. Because Sabre is a processor across much of our business, we will also work with our customers and suppliers who act as controllers in responding to data subject requests.
What is your policy around destroying data?
We destroy data in accordance with the terms of our contracts, our retention policies, and applicable legal requirements.
Is Sabre prepared to meet the GDPR requirement that supervisory authorities are informed within 72 hours of becoming aware of a personal data breach?
Sabre has a holistic security program with systems in place to monitor our environments and alert us of suspicious activity. Sabre intends to inform any affected parties as required by law.
How can I transfer my data outside the EU?
Sabre has contractual provisions and processes in place that address applicable laws related to the transfer of data outside of the EU.
Is there any data residency requirement to locate Sabre’s servers within the EU?
There is no requirement in the GDPR to localize servers.
Are there limitations to the kind of data I can collect, and what are my notification obligations regarding collection?
There must be a lawful basis to process personal data, and the GDPR contains certain notification obligations. Because we are not in a position to provide legal advice or to advise what actions are required on your part, you should review the requirements of GDPR for yourself and decide if you need to speak with your legal counsel to determine the applicability of the GDPR to your business.
Along with GDPR, I’ve also heard a lot about Payment Card Industry Data Security Standard (PCI DSS) compliance – is there any connection between the two?
The GDPR relates to the personal data of EU residents, whereas PCI DSS governs cardholder data (such as the primary account number) wherever it is stored, processed or transmitted, regardless of the cardholder’s residence. Cardholder data that relates to an identifiable individual is also personal data under the GDPR, so the two regimes overlap for EU residents, but compliance with one does not establish compliance with the other.