
What is GDPR and why is everyone talking about it?

The European Union General Data Protection Regulation, or GDPR, is a set of new data protection requirements coming into effect on 25 May 2018. The new laws aim to harmonise data protection laws across the EU and replace existing national data protection rules. But is it relevant to Australian travel businesses?

New regulations that might apply to your travel business

This article discusses how you can determine whether you fall under the scope of the new regulations and need to take action.

Do I need to comply?

An Australian business of any size needs to comply if:

  1. It has an establishment in the EU;
  2. It offers goods and services in the EU; or
  3. It monitors the behaviour of individuals in the EU.

Some examples of Australian businesses covered include:

  • An Australian business with an office in the EU;
  • An Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language or enabling payment in euros;
  • An Australian business whose website mentions customers or users in the EU; or
  • An Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

The good thing for Australian businesses is that the GDPR and the Australian Privacy Act 1988 share many common requirements, so if you have effectively implemented these principles in your business you will already be ahead.

What’s the same?

  • The requirement to implement a privacy by design approach to compliance;
  • The requirement to be able to demonstrate compliance with privacy principles and obligations; and
  • The requirement to adopt transparent information handling practices.

There are some notable differences, however, including certain rights of individuals, such as the ‘right to be forgotten’, which do not have an equivalent under the Australian Privacy Act.

Think it might apply to you?

If you think you might be captured or need to understand further, the Australian Privacy Commissioner has created Privacy business resource 21 to assist Australian businesses. You can access this here.

Want to know more?

Contact Naomi Menon – Head of Compliance and Operations, AFTA at