Personal data collected in the course of the activities of a CRS for the purpose of making reservations or issuing tickets for transport products shall only be processed in a way compatible with these purposes. With regard to the processing of such data, a system vendor shall be considered as a F1controller in accordance with Article 4(7) of Regulation (EU) 2016/679.

Personal data shall only be processed in so far as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Where special categories of data referred to under Article F29 of F3Regulation (EU) 2016/679 are involved, such data shall only be processed where the data subject has given his or her explicit consent to the processing of those data on an informed basis.

Information under the control of the system vendor concerning identifiable individual bookings shall be stored offline within seventy-two hours of the completion of the last element in the individual booking and destroyed within three years. Access to such data shall be allowed only for billing-dispute reasons.

Marketing, booking and sales data made available by a system vendor shall include no identification, either directly or indirectly, of natural persons or, where applicable, of the organisations or companies on whose behalf they are acting.

Upon request, a subscriber shall inform the consumer of the name and address of the system vendor, the purposes of the processing, the duration of the retention of personal data and the means available to the data subject of exercising his or her access rights.

A data subject shall be entitled to have access free of charge to data relating to him or her regardless of whether the data are stored by the system vendor or by the subscriber.

The rights recognised in this Article are complementary to and shall exist in addition to the data subject rights laid down by F4Regulation (EU) 2016/679, by the national provisions adopted pursuant thereto and by the provisions of international agreements to which the F5United Kingdom is party.

The provisions of this Regulation particularise and complement F6Regulation (EU) 2016/679 for the purposes mentioned in Article 1. Save as otherwise provided, the definitions in F7that Regulation shall apply. Where the specific provisions with regard to the processing of personal data in the context of the activities of a CRS laid down in this Article do not apply, this Regulation shall be without prejudice to the provisions of F7that Regulation, the national provisions adopted pursuant thereto and the provisions of international agreements to which the F8United Kingdom is party.

Where a system vendor operates databases in different capacities such as, as a CRS, or as a host for airlines, technical and organisational measures shall be taken to prevent the circumvention of data protection rules through the interconnection between the databases, and to ensure that personal data are only accessible for the specific purpose for which they were collected.