Ryanair faces GDPR turbulence over customer ID checks

Ireland’s Data Protection Commission (DPC) has launched an inquiry into Ryanair’s Customer Verification Process for travelers booking flights through third-party websites or online travel agents (OTA).

The concerns center around Ryanair’s practice of demanding extra ID verification from customers who don’t book directly through its website and what happens to that personal data, which may include biometrics.

Graham Doyle, Deputy Commissioner with the DPC, said: “The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process. The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.”

Ryanair’s antipathy toward OTAs and third-party websites that sell tickets on its aircraft without the company’s permission is well documented. In July 2024, a US court ruled against Booking.com in a screen-scraping case that involved sourcing and reselling tickets.

The airline’s response to its tickets appearing in unauthorized places was to insist on a Customer Verification Process in which passengers are asked to upload information such as passport details and complete an ID check. This led to some customers with flights booked through OTAs losing entire holidays after failing the process.

However, the issue is not the inconvenience of the process or Ryanair’s dispute with third parties, but rather whether the process complies with GDPR. Ryanair is at pains to insist it does.

A Ryanair spokesperson said: “We welcome this DPC inquiry into our Booking Verification process, which protects customers from those few remaining non-approved OTAs, who provide fake customer contact and payment details to cover up the fact that they are overcharging and scamming consumers.

“Customers who book through these unauthorized OTAs are required to complete a simple verification process (either biometric or a digital verification form) both of which fully comply with GDPR. This verification ensures that these passengers make the necessary security declarations and receive directly all safety and regulatory protocols required when travelling, as legally required.”

According to the DPC, the inquiry will be cross-border in nature – more than one member state is involved – and will consider whether Ryanair has indeed complied with its GDPR obligations, including lawfulness and transparency of data processing. ®

READ MORE HERE