AUA Retains Passenger Data for Five Years

Everyone who flies with Lufthansa and its Austrian subsidiary AUA must assume that their personal information will be kept for five years – no matter where they fly. Because and AUA both confirmed that the passenger name records (PNR) are kept for five years in the Amadeus booking system. Amadeus is used by Lufthansa, AUA, and a large number of other airlines and travel agencies.

"The Amadeus system has a uniform PNR retention period of five years. The statute of limitations for damage and other claims is three years, so we have to keep the records for that long so we can validate any passenger claims. The five-year retention period is used because the laws in some countries, such as Spain, require this, above all for the PNR that are generated by travel agencies. We have to meet all of these different requirements. So Amadeus stores all PNR for five years," confirmed the AUA press department for futurezone.

What is saved?
The PNR include not only information about when a passenger flew to where and for how long. In addition to the passenger`s name, they also include an address, telephone number, seat number, credit card number, meal wishes, and information about their state of health (for example if they need a wheelchair), plus information about who the person traveled with. Any available hotel and rental car booking information is also included. In total, a PNR contains roughly 60 items of information from 19 different categories.

But is it permissible to keep the PNR for so long? In Germany, the alliance Freiheit statt Angst was the first to voice doubts. "Such a five-year retention period is probably illegal, because there is no legal basis for keeping the information for this long. The business purpose usually ceases to exist after the trip is completed and the payment settled," it said in a blog entry .

Is there a "clear purpose"?
In Austria, the data protection laws require that there be a "clear purpose" when saving information, explained Hans Zeger from ARGE Daten in a statement to futurezone. AUA justifies the first three years of this period on the basis of the "statute of limitations for damage claims," but the period for the remaining two years is not entirely clear. "When the purpose is not justified sufficiently, the law actually requires that the data be deleted," said Zeger. But there is no general obligation to delete customer data in Austria. Zeger said that customer data can be saved indefinitely, for example for marketing purposes.

In its statement to futurezone, AUA stressed that the PNR thatare more than three years old are "logically separated and no longer accessible with the standard user permissions and retrieval transactions" and that "they can only be called up manually in Amadeus." This means that the PNR are effectively locked, and that the airlines cannot access them anymore. In Zeger`s opinion, "locking the data" is not enough if there is in fact no "clear purpose."

The privacy policy on the AUA web site states that personal information are processed in accordance with the currently valid Austrian legal regulations. AUA also provides a notice to the right to information: "Upon request we will inform you whether or not your personal data have been stored with us, respectively what kind of data those are. Should the information stored be false despite our efforts to maintain accuracy and currentness of data, we will correct the data upon your request. You have the right to information on and the correction or deletion of stored personal data under the provisions of the Austrian Data Protection Act (in particular §§ 26 – 28 DSG 2000) at any time." The web site also provides the contact options.