Subject Access Request Attn: Data Controller
Subject: Request for access to the personal data processed by or on behalf of your company Dear , The undersigned, , a citizen of residing at
, files this request with your company pursuant to Section 7 of the U.K. Data Protection Act 1998, implemented pursuant to article 12 of the European Data Protection Directive 95/46/EC. I request that you provide me with all of the information to which I am entitled pursuant to that Act and that Directive. I note in particular that clause (1)(d) of Section 7 of the Data Protection Act 1998 applies to information used for evaluating matters relating to me, such as whether an airline or government agency conducts more intrusive or intensive questioning or search of my person or luggage, whether they identify me as a "selectee" or for "secondary screening", whether they permit me to check in for or board any flight, and whether they permit me to depart from any country or enter any other. Accordingly, I specifically request that you inform me of the logic to be involved in taking those decisions, to the extent that any data processed by your company is used to evaluate these matters. In accordance with the European Data Protection Directive, I also specifically request that you inform me whether any of my personal data have been transferred outside of the national territory of the U.K., in whatever form or by whatever means, whether to governmental or commercial or other entities, and if so exactly which data, when, to whom, for what purposes or programs such as the USA's "Automated Targeting System" (ATS) or "Advance Passenger Information System" (APIS), and subject to what enforceable contractual commitments from the recipient, including to which agency or agencies of the government of the United States of America and to which commercial entity or entities in the USA or other countries, including but not limited to PNR and transaction processing services (such as the Airlines Reporting Corporation (ARC), IATA’s Bank Settlement Plan (BSP) and its area banks, and the Amadeus division formerly known as Airline Automation, Inc.), and travel transaction and customer data aggregation and analysis services (such as the Vistrio joint venture of Sabre and the Equitec subsidiary of Acxiom). I also request that you inform me of your policies for use, access, retention, and destruction of this data, and those of any recipients of this data, particularly those outside the U.K. And in accordance with Article 11, Section 6 of the EU Code of Conduct for CRS's (Regulation (EC) No 80/2009 of the European Parliament and of the Council of 14 January 2009), I request that you provide me with with “the purposes of the processing, the duration of the retention of personal data and the means available to the data subject of exercising his or her access rights.” This request includes any data collected or processed by your company as well as any data collected or processed on your behalf by your agents, sub-agents, contractors, and subcontractors. I note that there should be no fee for this request, pursuant to Article 11, Section 7 of the EU Code of Conduct for CRS's (Regulation (EC) No 80/2009 of the European Parliament and of the Council of 14 January 2009): "A person shall be entitled to have effective access free of charge to his own data regardless of whether the data is stored by the system vendor or by the subscriber." This request includes all personal data processed by you of which I am the data subject, including but not limited to: 1.Airline hosting and/or travel agency Passenger Name Records (PNR's) 2.PNR histories 3.Cancelled PNR's and their histories 4.Archived or "purged" PNR's and their histories 5.System logs of access to these PNR's and PNR histories, including all records of retrieval or other access access to my PNR or other data by airline or CRS offices or travel agencies, and including records of what data was accessed, by whom, when, and from where (including whether such access was made from outside the EU) 6.Departure control system records and access logs 7.Advance Passenger Information (API) records and logs 8.AIRIMP, EDIFACT, or other message records 9.Ticketing records including complete virtual coupon records or ticket images 10.Bank Settlement Plan (BSP), interline, or other settlement records 11.Credit card processing, financial, billing, or payment records 12.Customer, Web user, or traveller profiles or records 13.Web site visitor, usage, and query records and logs, including all records of which of my PNR, profile, or other personal data was accessed via airline, CRS, or travel agency Web sites (including via online reservation management, check-in, or PNR-viewing sites, and including but not limited to VirtuallyThere.com, ViewTrip.com, MyTripAndMore.com, and/or CheckMyTrip.com), including by whom, when, and from where (including whether such access was made from outside the EU) I note that some of these records, particularly CRS or hosting system logs showing the terminal addresses, user sines, and exact queries which were used to access my data from those systems, may not routinely be retained for more than a few days, at most. Accordingly, I specifically request that you take immediate steps to ensure the retention of this data while this request is pending, including notification of this request to the relevant departments within your organization and to each of your agents, sub-agents, contractors, or subcontractors who might have had access to my data. Time is of the essence to ensure the retention of this data. This request includes, but is not limited to, personal data pertaining to my journeys as follows: I have attached copies of my tickets, itineraries, or reservation confirmation printouts for these flights. My frequent flyer number account number is . This request also includes all records related to any others of my journeys, to the extent that they are identifiable from this information or any other information in the records related to these journeys. Please note that, should you not answer this request within the legally required maximum of 40 days, or should your answer fail to fully answer my request, I reserve the right to bring the case before the competent judicial authorities, and/or to inform the Information Commissioner's Office of your failure to answer. Should you have any questions or require further information from me to expedite your response to this request, please contact me . Sincerely,