Everyone who flies with Lufthansa and its Austrian subsidiary AUA must assume that their personal information will be kept for five years, no matter where they fly. Lufthansa and AUA both confirmed that passenger name records (PNR) are kept for five years in the Amadeus booking system. Amadeus is used by Lufthansa, AUA, and a large number of other airlines and travel agencies.
"The Amadeus system has a uniform PNR retention period of five years. The statute of limitations for damage and other claims is three years, so we have to keep the records for that long so we can validate any passenger claims. The five-year retention period is used because the laws in some countries, such as Spain, require this, above all for the PNR that are generated by travel agencies. We have to meet all of these different requirements. So Amadeus stores all PNR for five years," the AUA press department confirmed to futurezone.
What is saved?
The PNR include more than a record of when a passenger flew, where to, and for how long. In addition to the passenger's name, they also include an address, telephone number, seat number, credit card number, meal wishes, and information about their state of health (for example if they need a wheelchair), plus information about who the person traveled with. Any available hotel and rental car booking information is also included. In total, a PNR contains roughly 60 items of information from 19 different categories.
But is it permissible to keep the PNR for so long? In Germany, the alliance Freiheit statt Angst was the first to voice doubts. "Such a five-year retention period is probably illegal, because there is no legal basis for keeping the information for this long. The business purpose usually ceases to exist after the trip is completed and the payment settled," it said in a blog entry.
Is there a "clear purpose"?
In Austria, the data protection laws require that there be a "clear purpose" when saving information, explained Hans Zeger from ARGE Daten in a statement to futurezone. AUA justifies the first three years of this period on the basis of the "statute of limitations for damage claims," but the period for the remaining two years is not entirely clear. "When the purpose is not justified sufficiently, the law actually requires that the data be deleted," said Zeger. But there is no general obligation to delete customer data in Austria. Zeger said that customer data can be saved indefinitely, for example for marketing purposes.
In its statement to futurezone, AUA stressed that the PNR that are more than three years old are "logically separated and no longer accessible with the standard user permissions and retrieval transactions" and that "they can only be called up manually in Amadeus." This means that the PNR are effectively locked, and that the airlines cannot access them anymore. In Zeger's opinion, "locking the data" is not enough if there is in fact no "clear purpose."
The PNR include all of the following:
- Flight date(s) and route(s)
- Flight number(s)
- Flight times
- Flight duration
- Booking class
- First and last name of the passenger(s)
- Home address and telephone number
- Address and telephone number at the destination
- Method of payment
- Billing address
- Frequent flyer entry
- Name of the booking agency and agent completing the booking
- E-mail address
- General comments
- Information about ticket issue
- Information about the air fare
- Seat information, luggage tag numbers
- History of flights not taken
- Special service requirements, for example for meals (kosher, vegetarian)
- Information about the commissioning agent
- All changes to the PNR with date, time, and action
- Any APIS information, in other words all information about a rental car or hotel booking