Journera and the GDPR

We have built our platform with privacy in mind since day one.

On Friday, May 25th Europe’s much talked about General Data Protection Regulation (GDPR) became effective, and in the past weeks you have undoubtedly seen many headlines on the subject and had your inbox filled by emails related to updated privacy policies. The new regulation has also triggered many questions for travel companies — what does this mean for my data and my customers? Do I need to change my business processes? Are my vendors, suppliers and partners compliant? How does this affect the security of my data?

At Journera we have been building our platform to address these questions since the founding of the company, and we wanted to take a moment to answer some of these questions and discuss how we address these concerns.

What is the GDPR?

The objectives of the GDPR are simple, even if the detailed provisions are complex: consumers, referred to as “data subjects”, should be able to know and control who receives their data, how it is used and stored and be confident that it is being well protected from unauthorized use, access, modification or destruction. It outlines specific rights for data subjects (e.g., the “right to be forgotten”) and defines roles that companies play in the use of data, in particular those of a “Controller” and a “Processor”. Although the GDPR was passed by the European Parliament nearly two years ago, its countdown to implementation has generated confusion around its scope and meaning, and it has caused a lot of last-minute scrambling to comply.

How Journera addresses privacy and the GDPR

At Journera, we were founded to serve the mission of improving traveler experiences. The modern travel experience involves data — lots of it — and how a traveler’s data is collected, used, managed and controlled is a necessary part of building better traveler experiences.

The modern travel experience involves data — and lots of it

Because of that, we take both privacy and data security very seriously, regardless of what regulations require of us. We have also had the advantage of building our platform after the GDPR was passed but before it came into effect, so for us there was no need to alter or modify legacy systems to comply. As a result, Journera is already designed for the GDPR world that lies ahead of us.

We are fully GDPR compliant. To use the terminology of these regulations, Journera is capable of fully complying with the GDPR as both as a Controller and a Processor. That means, as examples, we are fully equipped to respond to data subject requests regarding their rights under the GDPR, and our Privacy Policy reflects data subjects’ rights consistent with GDPR principles. Our commercial agreements operate in conjunction with the GDPR, and we work with our partners to address all data subject rights and requests.

We are Privacy Shield certified. In addition to being GDPR-ready, we are certified under the EU-U.S. and Swiss-U.S. Privacy Shield Framework. The Privacy Shield provides companies on each side of the Atlantic with a lawful mechanism to transfer personal data from the EU or Switzerland to the U.S. by creating a means to enforce compliance under US laws. This allows a company to use Journera as it relates to data governed by the GDPR. Additionally, if we are working with a company in the U.S. that is not Privacy Shield certified or that is located in a country that is also not deemed to have adequate data protection safeguards in place, we will assist with the additional compliance steps required for such transfers such as the use of standard contractual clauses approved by the European Commission.

We use extensive cryptographic techniques to secure data. While the GDPR is about privacy and not data security, the two go hand-in-hand — what use is it to give a traveler control over their data if any hacker can access it? As a company we do a number of things to secure our platform such as operating under “zero trust” principles. In addition, we have a patent pending technique for operating a platform while taking the extra step of cryptographically hashing personal information that identifies the data subject, such as email address, so that it can’t be read in its raw form by anyone — not even Journera employees. The beauty of our platform is that we can still operate it to improve traveler experiences and respond to data subject requests under the GDPR even while taking these extra steps to secure traveler data.


Although the GDPR went into effect on May 25th, it is in many ways just the beginning. It is a sweeping regulation and will require time, experience and perhaps regulatory interpretation before its terms are fully understood. Regardless, at Journera we are keeping privacy at the forefront and are committed to following developments closely as they unfold.

Like what you read? Give Chris Bruce a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.