Data Protection Commission launches inquiry into Ryanair’s Customer Verification Process
04th October 2024
The Data Protection Commission (DPC) has today announced that it has opened an inquiry into Ryanair’s processing of personal data as part of the Customer Verification Processes for customers who book Ryanair flights from third party websites or Online Travel Agents.
The DPC has received a number of complaints regarding Ryanair’s practice of requesting additional ID verification from customers who book travel tickets via third party websites, as opposed to booking directly on Ryanair’s website. Those verification methods may include biometric data [1].
Graham Doyle, Deputy Commissioner with the DPC commented: “The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process. The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.”
The decision to conduct the inquiry under Section 110 of the Data Protection Act 2018[2], taken by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, was notified to Ryanair earlier this week. The inquiry is cross-border[3] in nature and will consider whether Ryanair has complied with its various obligations under the GDPR, including the lawfulness and transparency of the data processing.
NOTES TO EDITOR:
[1] Article 4(14) of the GDPR
‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
[2] Section 110 of the Data Protection Act 2018:
The Commission may conduct inquiry into suspected infringement of relevant enactment
(1) The Commission, whether for the purpose of section 109 (5)(e), section 113 (2), or of its own volition, may, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted for that purpose.
(2) The Commission may, for the purposes of subsection (1), where it considers it appropriate to do so, in particular do either or both of the following:
(a) cause any of its powers under Chapter 4 (other than section 135) to be exercised;
(b) cause an investigation under Chapter 5 to be carried out.
[3] Article 4(23) of the GDPR
Cross-Border processing means either:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Additional Information:
The DPC is the Lead Supervisory Authority under the GDPR where cross-border processing of EU/ EEA data subjects occurs and where a company has its main establishment based in Ireland.
The European Data Protection Board, in a recent Opinion 11/2024 , has recalled how the use of biometric data, and in particular facial recognition technology, entails heightened risks to data subjects’ rights and freedoms. Accordingly, the impact on these fundamental rights and freedoms must, in the view of the Board, be carefully considered in the context of any use of such technologies.