358 LEGAL IMPACTS OF COVID-19 IN THE TOURISM INDUSTRY

intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision”19. These measures have to be interpreted in a broader way in order to protect the data subject. They must include the right to be informed and safeguards, such as the right to obtain human intervention or the right to challenge the decision20.

It is clear that tourism service providers and intermediaries in general are adapting their services in order to meet tourists’ personal expectations, and these kinds of activities fall within this notion of profiling; this is the so-called tourism-related data. These activities can significantly affect the data subjects. The STD can extract some important insights from tourism data that could improve the way they interact with customers, and profiling is an important feature in any tourism destination.

For STD, the private or public organisations that decide how and for what purpose personal data has to be processed are the so-called “data controllers”21. This subject falls within the “accountability principle” provided in art. 24 of the GDPR, according to which: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”22. This means that STD organisations must process personal data in compliance with Article 5 GDPR (“Principles relating to processing of personal data”): fairly, lawfully and in a transparent manner in relation to the data subject23.
Furthermore, we need to consider the principle of purpose limitation, which means ensuring that the purpose for which the data is collected is specified and lawful, while data minimisation means that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”24.

19 At the same time, the GDPR excludes automated individual decision-making that significantly affects individuals, Art. 22(1). Notably, in the opinion n. 8/2014, Art. 29 WP stated: “(…) analytics based on information caught in an IoT environment might enable the detection of an individual’s even more detailed and complete life and behavior patterns”.

20 As stated in Article 22(3).

21 On the role of the data controller and of the other subjects involved, see L. Greco, L’organigramma privacy: i soggetti del trattamento, in G. Finocchiaro (edited by), La protezione dei dati personali in Italia, Regolamento UE n. 2016/679 e d.lgs. n. 101, Zanichelli, 2019.

22 First part of Article 24 GDPR.

23 Art. 5(1)(a) GDPR. On the basic principles contained in Article 5 and related rights of the data subject, see A. Ricci, op. cit.

24 Art. 5(1)(c) GDPR.