Subject Access Request Attn: Data Controller
Subject: Request for access to the personal data processed by or on behalf of your company Dear , The undersigned, , a citizen of residing at
, files this request with your company pursuant to Section 7 of the U.K. Data Protection Act 1998, implemented pursuant to article 12 of the European Data Protection Directive 95/46/EC. I request that you provide me with all of the information to which I am entitled pursuant to that Act and that Directive. I note in particular that clause (1)(d) of Section 7 of the Data Protection Act 1998 applies to information used for evaluating matters relating to me, such as whether an airline or government agency conducts more intrusive or intensive questioning or search of my person or luggage, whether they identify me as a "selectee" or for "secondary screening", whether they permit me to check in for or board any flight, and whether they permit me to depart from any country or enter any other. I also note that it is the responsibility of the data controller to provide such an explanation of the processing logic, regardless of whether the processing itself is carried out by the data controller, their agent or contractor, or a third-party or fourth-party recipient of data obtained from or on behalf of the data controller. Accordingly, I request that you inform me of the logic to be involved in taking those decisions, to the extent that any data held by or obtained from your company is used to evaluate these matters. In accordance with the European Data Protection Directive, I also specifically request that you inform me whether any of my personal data have been transferred outside of the national territory of the U.K., in whatever form or by whatever means, whether to governmental or commercial or other entities, and if so exactly which data, when, to whom, for what purposes or programs such as the USA's "Automated Targeting System" (ATS) or "Advance Passenger Information System" (APIS), and subject to what enforceable contractual commitments from the recipient, including to which agency or agencies of the government of the United States of America and to which commercial entity or entities in the USA or other countries, including but not limited to PNR hosting services (such as computerized reservation systems or global distribution systems), PNR and transaction processing services (such as the Airlines Reporting Corporation (ARC), IATA’s Bank Settlement Plan (BSP) and its area banks, and the Amadeus division formerly known as Airline Automation, Inc.), and travel transaction and customer data aggregation and analysis services (such as the Vistrio joint venture of Sabre and the Equitec subsidiary of Acxiom). I also request that you inform me of your policies for use, access, retention, and destruction of this data, and those of any recipients of this data, particularly those outside the U.K. This request includes any data collected or processed by your company as well as any data collected or processed on your behalf by your agents, sub-agents, contractors, and subcontractors. If you subscribe to a computerized reservations system (CRS), I request in accordance with Article 11, Section 6 of the EU Code of Conduct for CRS's (Regulation (EC) No 80/2009 of the European Parliament and of the Council of 14 January 2009), that you inform me of the name and address of the CRS system vendor, the purposes of the processing, the duration of the retention of individual data and the means available to the data subject of exercising her or his access rights. With respect to any PNR data, I specifically request that you provide copies of all my PNR’s (including “history” and ticket records) from all CRS’s or hosting systems, including both the PNR’s from your system and PNR’s created by airlines (including codeshare airlines) or other codeshare operators (such as train or bus operators) in their “host” systems or CRS’s. I also note that if you subscribe to a computerized reservation system, there should be no fee for this request, pursuant to Article 11, section 7 of the Code of Conduct for CRS's: "A person shall be entitled to have effective access free of charge to his own data regardless of whether the data is stored by the system vendor or by the subscriber." If you do not subscribe to a CRS, I agree to pay your fee of not more than the maximum of 10 pounds, as prescribed by the Data Protection Act. This request includes all personal data processed by you of which I am the data subject, including but not limited to: 1.Airline hosting and/or travel agency Passenger Name Records (PNR's) 2.PNR histories 3.Cancelled PNR's and their histories 4.Archived or "purged" PNR's and their histories 5.System logs of access to these PNR's and PNR histories, including any records of retrieval or other access access to my PNR or other data by airline or CRS offices or travel agencies, and including records of what data was accessed, by whom, when, and from where (including whether such access was made from outside the EU) 6.Departure control system records and access logs 7.Ticketing records including complete virtual coupon records or ticket images 8.Bank Settlement Plan (BSP), Airline Reporting Corp. (ARC), airline, or other settlement records 9.Credit card processing, financial, billing, or payment records 10.Customer or traveller profiles or records, including CRS/GDS and Web site profiles 11.Web site visitor, usage, and query records and logs, including all records of which of my PNR, profile, or other personal data was accessed via airline, CRS, or travel agency Web sites (including via online reservation management, check-in, or PNR-viewing sites, and including but not limited to VirtuallyThere.com, ViewTrip.com, MyTripAndMore.com, and/or CheckMyTrip.com), including by whom, when, and from where (including whether such access was made from outside the EU) This request includes any records collected, maintained, accesses, processed, or disclosed to third parties by any of your agents, sub-agents, contractors, or subcontractors, including but not limited to any alliance, codeshare, marketing, operational, or other "partners". I note that some of these records, particularly CRS or hosting system logs showing the terminal addresses, user sines, and exact queries which were used to access my data from those systems, may not routinely be retained for more than a few days, at most. Accordingly, I specifically request that you take immediate steps to ensure the retention of this data while this request is pending, including notification of this request to the relevant departments within your organization and to each of your agents, sub-agents, contractors, or subcontractors who might have had access to my data. Time is of the essence to ensure the retention of this data. This request includes, but is not limited to, personal data pertaining to my journeys as follows: I have attached copies of my tickets, itineraries, or reservation confirmation printouts for these flights. My frequent flyer number account number(s) is (are) as follows: This request also includes all records related to any others of my journeys, to the extent that they are identifiable from this information or any other information in the records related to these journeys. Please note that, should you not answer this request within the legally required maximum of 40 days, or should your answer fail to fully answer my request, I reserve the right to bring the case before the competent judicial authorities, and/or to inform the Information Commissioner's Office of your failure to answer. Should you have any questions or require further information from me to expedite your response to this request, please contact me . Sincerely,