Handle passenger PII correctly and GDPR-compliantly in an agent booking pipeline

Verified steps

1. Identify all PII collected in the booking flow: full name, date of birth, passport number, nationality, contact email and phone, payment card details, and loyalty numbers — each has a different sensitivity level and retention requirement.
2. Establish a lawful basis for processing under GDPR (Article 6): for a booking, the primary basis is 'performance of a contract'; for marketing communications, you need explicit consent — do not conflate the two.
3. Transmit PII to third-party APIs (Amadeus, Duffel, Stripe) over TLS only; never log raw passport numbers, card numbers, or CVVs in application logs — use structured logging with field-level redaction for PII fields.
4. Define retention periods: booking PII must be retained for the duration of travel plus a reasonable dispute window (typically 13 months for payment disputes); after that, pseudonymize or delete — do not retain indefinitely.
5. Implement a data subject access request (DSAR) flow: if a passenger requests their data, you must be able to retrieve all PII stored across your system and any third-party processors within 30 days.
6. For data transfers outside the EEA (e.g. to a US-based API), ensure an appropriate transfer mechanism is in place (Standard Contractual Clauses with the API provider, or rely on the provider's EU Data Processing Agreement).