Subject Access Request

Attn: Data Controller

Subject: Request for access to the personal data processed by or on behalf of your company

Dear ,

The undersigned, , a citizen of residing at
, files this request with your company pursuant to Section 7 of the U.K. Data Protection Act 1998, implemented pursuant to article 12 of the European Data Protection Directive 95/46/EC. I request that you provide me with all of the information to which I am entitled pursuant to that Act and that Directive. I note in particular that clause (1)(d) of Section 7 of the Data Protection Act 1998 applies to information used for evaluating matters relating to me, such as whether to conduct more intrusive or intensive questioning or search of my person or luggage, whether to identify me as a "selectee" or for "secondary screening", whether to permit me to check in for or board any flight, and whether to permit me to depart from any country or enter any other. I also note that it is the responsibility of the data controller to provide such an explanation of the processing logic, regardless of whether the processing itself is carried out by the data controller, their agent or contractor, or a third-party or fourth-party recipient of data obtained from or on behalf of the data controller. Accordingly, I request that you inform me of the logic to be involved in taking those decisions, to the extent that any data held by or obtained from your company is used to evaluate these matters. 
In accordance with the European Data Protection Directive, I also specifically request that you inform me whether any of my personal data have been transferred outside of the national territory of the U.K., in whatever form or by whatever means, whether to governmental or commercial or other entities, and if so exactly which data, when, to whom, for what purposes or programs such as the USA's "Automated Targeting System" (ATS) or "Advance Passenger Information System" (APIS), and subject to what enforceable contractual commitments from the recipient, including to which agency or agencies of the government of the United States of America and to which commercial entity or entities in the USA or other countries, including but not limited to PNR hosting services (such as computerized reservation systems or global distribution systems), PNR and transaction processing services (such as the Airlines Reporting Corporation (ARC), IATA’s Bank Settlement Plan (BSP) and its area banks, and the Amadeus division formerly known as Airline Automation, Inc.), and travel transaction and customer data aggregation and analysis services (such as the Vistrio joint venture of Sabre and the Equitec subsidiary of Acxiom). I also request that you inform me of your policies for use, access, retention, and destruction of this data, and those of any recipients of this data, particularly those outside the U.K. This request includes any data collected, maintained, accessed, processed, or disclosed to third parties by your company or by any of your agents, sub-agents, contractors, and subcontractors, including computerized reservation systems (CRS’s), PNR hosting companies, codesharing, alliance, other "partner" airlines and operators of trains or buses (such as trains and buses with airline “flight” numbers), or other parties.
If you, your agent(s), and/or your contractor(s) subscribe to any computerized reservations system (CRS), I request in accordance with Article 11, Section 6 of the EU Code of Conduct for CRS's (Regulation (EC) No 80/2009 of the European Parliament and of the Council of 14 January 2009), that you inform me of the name and address of the CRS system vendor(s), the purposes of the processing, the duration of the retention of individual data and the means available to the data subject of exercising her or his access rights. With respect to any PNR data, I specifically request that you provide copies of all my PNR’s (including “history” and ticket records) from all CRS’s or hosting systems, including both the PNR’s from your “host” system and PNR’s created by your agent(s), other airlines (including codeshare airlines), or other codeshare operators (such as train or bus operators) in other CRS’s or reservation systems. I agree to pay your fee of not more than the maximum of 10 pounds, as prescribed by the Data Protection Act. 
This request includes all personal data processed by you of which I am the data subject, including but not limited to:

1. Airline hosting and/or travel agency Passenger Name Records (PNR's)
2. PNR histories
3. Cancelled PNR's and their histories
4. Archived or "purged" PNR's and their histories
5. System logs of access to these PNR's and PNR histories, including any records of retrieval or other access to my PNR or other data by airline or CRS offices or travel agencies, and including records of what data was accessed, by whom, when, and from where (including whether such access was made from outside the EU)
6. Departure control system records and access logs
7. Advance Passenger Information (API) records and logs
8. AIRIMP, EDIFACT, or other message records
9. including complete virtual coupon records or ticket images
10. Bank Settlement Plan (BSP), interline, or other settlement records
11. Credit card processing, financial, billing, or payment records
12. Frequent flyer account records
13. Customer, Web user, or traveller records or profiles
14. Web site visitor, usage, and query records and logs, including all records of which of my PNR, profile, or other personal data was accessed via airline, CRS, or travel agency Web sites (including via online reservation management, check-in, or PNR-viewing sites, and including but not limited to VirtuallyThere.com, ViewTrip.com, MyTripAndMore.com, and/or CheckMyTrip.com), including by whom, when, and from where (including whether such access was made from outside the EU)

This request includes any records collected, maintained, accessed, processed, or disclosed to third parties by any of your agents, sub-agents, contractors, or subcontractors, including but not limited to any alliance, codeshare, marketing, operational, or other "partners".
I note that some of these records, particularly CRS or hosting system logs showing the terminal addresses, user sines, and exact queries which were used to access my data from those systems, may not routinely be retained for more than a few days, at most. Accordingly, I specifically request that you take immediate steps to ensure the retention of this data while this request is pending, including notification of this request to the relevant departments within your organization and to each of your agents, sub-agents, contractors, or subcontractors who might have had access to my data. Time is of the essence to ensure the retention of this data.

This request includes, but is not limited to, personal data pertaining to my journeys as follows:

I have attached copies of my tickets, itineraries, or reservation confirmation printouts for these flights. My frequent flyer account number is .

Please note that, should you not answer this request within the legally required maximum of 40 days, or should your answer fail to fully answer my request, I reserve the right to bring the case before the competent judicial authorities, and/or to inform the Information Commissioner's Office of your failure to answer.

Should you have any questions or require further information from me to expedite your response to this request, please contact me .

Sincerely,