FlyerTalk Forums - View Single Post - 9.4 million passengers’ data stolen from CX
Nov 1, 18, 8:53 pm
According to EU GDPR (if CX is seen as a HK company, then it would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then GDPR would apply to EVERYONE)

From the communications with someone on the BA Forum, this is a brief summary of what GDPR/UK Data Protection Act 2018 wrt personal data. (This was taken from private comms so I would keep the name out. It's pretty much taken out of the website so I figure it's OK to share with like minds without rewriting it.)

Under the Data Protection Act (latest UK version is 2018, which includes GDPR) you can make a "Subject Access Request". Under Data Processing law any living individual is a "data subject" and can apply to any data processor (any person, company or legal entity) that has information about them.

What is a data subject entitled to?

Individuals have the right to obtain the following from you:
  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that you should provide in a privacy notice
Other information

In addition to a copy of their personal data, you also have to provide data subjects with the following information:
  • the purposes of your processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient you disclose the personal data to;
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  • the existence of their right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and
  • the safeguards you provide if you transfer personal data to a third country or international organisation.
The law would therefore practically permit you to apply to get all data that BA holds about you, why it retains the data that it does, what data is shared with any third party, which data was shared with unknown third parties as a result of the data breach (there are other reasons).

BA have to respond within a month of your request, and there is no charge payable (the previous version of the Data Protection Act allowed a charge of up to £10 but this no longer applies since GDPR).

You may find this page useful:
and below is CX's point of contact regarding personal data usage.
Originally Posted by peasant
Customers requesting more information or clarification on specific Personal Data usage are welcome to contact us at [email protected] or write to us at the below mailing addresses:

The Data Protection Officer
Cathay Pacific Airways Limited
6th Floor Cathay Pacific City
8 Scenic Road
Hong Kong International Airport
Hong Kong

Hong Kong Dragon Airlines Limited
5th Floor Cathay Dragon House
11 Tung Fai Road
Hong Kong International Airport
Hong Kong

A brief summary of what to write to DPO in very short...
  • asking for data that CX hold on you
  • highlight specifically which data was lost
  • (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

Last edited by kaka; Nov 1, 18 at 9:24 pm