To:
Subject: Re: Your access request: new status
Cc: ,
Date: Mon, 14 Jun 2010 18:52:59 -0700

Dear Dr. Kirchberg-Lennartz:

Thank you for your e-mail message of 10 June 2010. This is the first response I have received to my letter and e-mail to you of 5 May 2010.

Unfortunately, your message appears to indicate that Lufthansa is unwilling to accept your responsibilities under the German Federal Data Protection Act, particularly with respect to (a) your responsibility for the actions of your agents and contractors (including ticketing agents and Computerized Reservation Systems (CRS's) used by you and your agents) and (b) your responsibility to provide an accounting of the logic used in making automated decisions on the basis, in whole or in part, of personal data obtained from you, regardless of whether those decisions were made by you or by third parties who obtained personal data from you.

Your message also appears to misstate several material facts. I discuss these issues in detail below.

On 10 Jun 2010 at 12:07, "barbara.kirchberg-lennartz@dl" < > wrote:

> parts of your request, dated May 5th,2010, should not be handled by us,
> because we are not the controller of PNR data,

I question the truth of this claim, since I believe that in fact your contracts with Amadeus probably provide that you retain control of personal data, such as mine, which you and/or your agents or other contractors (including other CRS's) provide to Amadeus.

Is it your claim that Lufthansa exercises no control over personal data, once it is provided by you or your agents or other contractors (including other CRS's) to Amadeus? If so, your transfer of my personal data to Amadeus -- without retaining control over its subsequent use, onward transfer, retention, destruction, etc., so that you were no longer a controller of this data -- would be a serious violation of the German Federal Data Protection Act, the EU Data Protection Directive, and the Code of Conduct for Computerized Reservation Systems.

> which is collected in the course of activities of the AMADEUS computer
> reservation system for the purpose of making reservations or issuing
> flight tickets on Lufthansa flights.

To the best of my knowledge and belief, this claim is factually false. I had no dealing whatsoever, at any time in the course of the transaction and travel to which this request pertains, with Amadeus or any other CRS. I did not provide any data to Amadeus, only to Lufthansa. Any data pertaining to me obtained by Amadeus (or any other CRS) related to my journey on Lufthansa was obtained from you and/or your agents or contractors (including, potentially, other CRS's), not from me.

If you have some evidence to support a claim that I provided personal data to Amadeus, and that they obtained such data other than through you, your agents, or others of your contractors, that evidence would itself constitute personal data pertaining to me, and would be part of the personal data which you are required to provide to me in response to this request for all of your data about me.

In the absence of such evidence (which I do not believe exists), I reiterate my demand for all personal data pertaining to me controlled by you, your agents, or your contractors, including Amadeus and any other CRS's as well as codeshare or other airlines, to which you, your agents, or your contractors have disclosed it or allowed it to be accessed.

> According to Article 11 of the Code of Conduct for computerised
> reservation systems of 14th January 2009, the system vendor - in our case
> AMADEUS - is with regard to the processing of that data to be considered as
> a data controller in accordance with Article 2 (d) of Directive 95/46/EC.

At least in the English-language version of the Code of Conduct for CRS's, the section quoted uses the pronoun "a", not "the". While Amadeus may also be "a" data controller, the use of "a" rather than "the" makes clear that the designation of the CRS as a data controller was intended to supplement, not replace, the responsibility of any other data controller, which in most such cases would of course be an airline.

The legislative history of the Code supports this interpretation. It was clear from the discussion by the European Commission preceding the adoption of the amendment to the Code containing this clause (which was, in part, a response to comments which I had submitted to the Commission during its public consultation) that it was intended to avoid a situation in which a data subject was unable to obtain redress because neither the CRS, the airline, nor the airline's agent admitted to being a data controller. It was intended to provide additional responsibility for the CRS, not to eliminate any existing responsibility of any other party.

Moreover, the Code of Conduct for CRS's could not, and did not, override the existing provisions of either the Data Protection Directive or the German Federal Data Protection Act, or alter Lufthansa's responsibilities under that Directive and Act.

Paragraph 21 of the preamble to the regulation adopting the amended Code of Conduct for CRS's provides that:

"The protection of individuals with regard to the processing of personal data is governed by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The provisions of this Regulation particularise and complement Directive 95/46/EC with regard to the activities of a CRS."

Since the Code of Conduct for CRS's (a) is "complementary" to the Data Protection Directive, and (b) relates solely to "the activities of a CRS", it has no effect on the responsibilities of Lufthansa or your agents.

Amadeus may be a data controller for some of the data about me which they obtained from you and/or your agents or other contractors, as may other CRS's. But Lufthansa is also a data controller for all of this data obtained from you and/or your agents or other contractors.

> This includes the handling of data by the sales agent Airtrade
> International (Vayama.com), who acts as subscriber of the AMADEUS GDS.

I have, as yet, no information as to whether Airtrade International (Vayama.com) subscribes to Amadeus and/or to other CRS's. But that is simply irrelevant to your responsibility for their actions as your agent.

Please clarify: Is it your claim that you are not responsible for the actions of your agents? If so, this would be a profound breach of your duties under the German Federal Data Protection Act and, I believe, under the applicable German contract law, under both of which the principal is liable for the actions of its agents. When you appoint an agent to act on your behalf, and they do so, you are liable for their actions, regardless of whether that agent is an individual Lufthansa employee or a corporation appointed as your agent.

Neither the Data Protection Directive nor the German Federal Data Protection Act were intended to alter the existing general legal responsibility of the principal for the actions of its agents. Neither the Directive nor the Act were intended to require an individual dealing with a large corporation such as Lufthansa, in order to exercise their rights with respect to their personal data, to interrogate each of the individual employees and other agents of the airline with whom they deal in the course of their journey -- ticket agents, ground handling agents, and so forth -- as to their individual identity, status, and contact details, or to make separate access requests to each of those agents.

Lufthansa itself does not disclose the identity or status of these agents. You represent them, and they represent themselves, simply as agents of Lufthansa. Your customers are entitled to regard them as your agents, and to hold you responsible for their actions as your agents.

For example, I travelled on a "Lufthansa highway bus" with a Lufthansa flight number. Your Web site does not say whether this bus is driven by a Lufthansa employee, or by an employee of a contractor. The driver wears a uniform with a Lufthansa logo, and identifies himself as operating the bus "for Lufthansa", i.e. as your agent. Whether he is a Lufthansa employee or an employee of a contractor is irrelevant to your legal obligations.

Similarly, I have no way to know whether the ground staff who checked me in at San Francisco International Airport were employees of Lufthansa, employees of a codeshare airline acting as your ground handling agent, or employees of another third-party ground handling agent. The flight carried three flight numbers of other airlines in addition to the Lufthansa flight number, and the same staff were checking in passengers for all four flight numbers, so clearly at least some of the airlines were being represented by agents who were not their own employees, but were employees of other codeshare airlines acting as their agents.

As a practical matter, it is impossible -- and unnecessary -- for customers to determine whether your agents are actually employed by you or by individuals or corporations acting as your agents and contractors.

Airtrade International (Vayama.com) represented itself to me as an agent of Lufthansa. According to their terms of service, when they issue tickets for a scheduled airline, they act *solely* as an agent of the carrier. I dealt with them *solely* on that basis. My contract of carriage, executed by them solely in their capacity as your agent, was with Lufthansa. My credit card statement shows that the charge for my tickets was made by Lufthansa. My tickets were issued by Lufthansa. By charging my credit card, and by accepting these tickets, you ratified the authority of Airtrade International (Vayama.com) to act as your agent, and to bind you to contracts of carriage to which you are the principal.

> You may request access to such data, of which you are the data subject at
> the following address:
>
> AMADEUS Data Processing GmbH
> Mr. Oboama Addy
> Senior Corporate Counsel & Group Data Protection Officer
> Berghamer Strasse 6
> D-85435 Erding
>
> Email: oaddy@amadeus.com

Thank you for informing me of my additional rights to obtain some of this information (I still do not know what information about me you and/or your agents or other contractors including other CRS's provided to Amadeus, and look forward to receiving this) from Amadeus, as well as from you.

However, I am not obliged to withdraw my request for this information from you, and I do not wish to withdraw my request. I reiterate my demand for a complete accounting of all my personal data for which you are a controller, including data obtained via, held by, processed by, or disclosed to any of your agents (including Airtrade International / Vayama.com) or contractors, including Amadeus and any other CRS's as well as any codeshare or other airlines who had access to my data.

> According to section 34, paragraph 1, sentence 1, we will inform you
> about the personal data
> * we collected concerning your flights LH 455, 05 April 2010, LH 4576, 06
>   April 2010, LH 6911, 23 April 2010, LH 418, 23 April 2010, LH 9368, 23
>   April 2010
> * the recipients or categories of recipients to which the data
>   has been transferred in order to fulfill the carriage contract
> * the purpose of storage of that data.

I trust that when you refer to "the personal data we collected", you include in that "we" all Lufthansa employees, agents, and contractors, for whose actions you are responsible as the principal.

> An extended right of access according to section 6a FDPA is not given, as
> the processing of passenger data by Lufthansa does not involve automated
> individual decision making in the sense of that law.

You refer to processing "by Lufthansa". At least in the English-language translation of the German Federal Data Protection Act, and in the English-language version of the Data Protection Directive, the obligation to provide such an explanation of the logic used in making decisions is determined by whether the decision is made *on the basis of* data obtained from you, regardless of whether the decisions are made *by* you.

So the fact that Lufthansa itself may have carried out no such processing is irrelevant. Such processing was carried out by someone on the basis of data obtained from you.

According to statements made both by Lufthansa and by United States Customs and Border Protection, personal data about Lufthansa passengers, obtained from you (or on your behalf from your agents or contractors, possibly including Amadeus and/or other CRS's), is used by United States Customs and Border Protection for making automated decisions.

It would be a violation of the German Data Protection Act and the EU Data Protection Directive for you to provide personal data to any third party, to be used for such automated decision-making, without being able to provide, on request, a complete explanation of the decision-making logic.

Accordingly, I reiterate my demand for a complete explanation of the logic used in making such decisions, regardless of whether they are made by you, by your agents or contractors, or by US or other government agencies or other third parties on the basis of data obtained from you.

> If it is acceptable for you and if we could use encrypted mailing via
> PGP, we would like to send our material via email. Please give us your
> consent to this. Otherwise we send a letter via DHL. Thank you.

I consent to your sending a copy by e-mail, unencrypted. I understand that this is not secure, but I intend to publish these documents anyway.

E-mail is never entirely reliable. Since you say that you did not receive my message of 5 May 2010 until 27 May 2010, I assume that you received only the copy sent by the US Postal Service, and not the copy sent by e-mail. And I did not receive the earlier e-mail message which you say you sent on 27 May 2010, and which you copied with your latest e-mail. For these reasons, I respectfully request that you send a hardcopy as well as an e-mail copy of the information I have requested.

Thank you for your message. I look forward to receiving my data.

I apologize for writing to you in English, but I know no German, and my contract with Lufthansa was entered into entirely in English. If you have any questions, or if anything in this message is not clear, please feel free to call me in San Francisco at +1-415-824-0214.

Sincerely,

Edward Hasbrouck