Coach companies: destroying passenger data
A coach company processes the data of everyone who travels along: names on attendee lists, booking and contact data, payment data, the driver's ride data and sometimes dietary needs or a mobility limitation in care transport. Part falls under the tax retention obligation, part has its own statutory period, and part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: keep passenger and booking data no longer than necessary for the ride and its settlement. Invoicing falls under the seven-year tax retention obligation; tachograph and driving-time data have their own period. What may go is destroyed confidentially and with a certificate.
Two frameworks: operations and GDPR
At a coach company two things run together. You need data to plan a trip, drive it and settle it, and part of that you must keep by law. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The retention obligation sets the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.
So treat the data per type. An attendee list for a day trip has a different status than an invoice or a tachograph file. If you make that distinction, you keep exactly what you must and clear out the rest on time.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the ride.
| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Tachograph and driving-time data | Own statutory period | own period |
| Booking and attendee lists | Until settlement of the ride | purpose-bound |
| Payment data | Until settlement and tax | purpose-bound + 7 years |
| Dietary needs and care transport | Sensitive, storage limitation | as briefly as possible |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for the statutory rules. When in doubt, consult your trade organisation or privacy adviser. A broader explanation by document type is in how long you should keep documents.
Passenger and booking data
For every ride you record who travels along and how to reach that person. On group trips an attendee list is added, sometimes with particulars per person. That list has a purpose while the trip runs and during settlement, but afterwards the ground to keep it lapses. So clear out attendee lists as soon as the trip has been driven and no complaint or dispute is in play.
Do you keep the booking because the customer travels more often? Then record only what you truly need for that and separate it from the operational lists. That way you avoid old attendee lists lingering around for years. The approach resembles that of a travel organisation, as described in travel agency: destroying customer data.
Driver and ride data
Alongside passenger data you process data about your drivers and the rides themselves. Tachograph and driving-time data have their own statutory retention period and should be kept within it. Planning, ride sheets and telematics are personal data of your drivers and you keep them no longer than necessary for operations and any claims. How to handle these per item is set out in driver data and the GDPR in the fleet.
Location and ride data can be sensitive, because they show where someone has been. So treat them with the same care a taxi company applies to ride data, as explained in taxi companies: destroying ride data.
Dietary needs, care transport and sensitive data
On group trips and certainly in care transport you sometimes record particulars. A dietary need for medical reasons, an allergy or a mobility limitation can touch on health data, which is special-category personal data. Keep that information recognisably separate, use it only for the ride in question and clear it out afterwards. Keeping it to come in handy one day is not a valid ground.
How to handle it in 6 steps
- Split the data into administration, ride data, bookings and attendee lists.
- Limit the attendee list to what you truly need for the ride.
- Treat dietary and care data separately and clear it out after the ride.
- Keep tachograph and driving-time data for the statutory period.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Passenger data is destroyed confidentially, because it contains contact, payment and sometimes health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old booking computer, a navigation device or a backup with passenger data belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; collection is by appointment only.
Passenger data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping attendee lists forever. After the ride and its settlement the purpose lapses.
- Treating dietary and care data as ordinary paper. Those need extra care.
- Keeping ride data indefinitely. Keep it no longer than necessary for operations.
- Throwing documents away unshredded. An attendee list on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long may a coach company keep passenger data?
No longer than necessary for the ride and its settlement. The invoicing falls under the seven-year tax retention obligation. Clear out attendee lists and booking data that have no further ground as soon as the trip has been driven and no complaint or dispute is in play.
Do dietary needs and care transport count as special-category data?
Often they do. A dietary need for medical reasons or a mobility limitation in care transport can touch on health data, which is special-category personal data. Keep it separate, use it only for the ride and clear it out afterwards.
How long do I keep driver and ride data?
Tachograph and driving-time data have their own statutory period. Keep other ride and planning data no longer than necessary for operations and any claims. Payment data falls under the seven-year tax retention period.
How do I destroy passenger data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A coach company works with contact, payment and sometimes health data of every passenger, between a retention obligation and the GDPR. Keep tachograph and driving-time data for the statutory period, keep the administration seven years and clear out attendee lists after the ride. Dietary needs and care data deserve extra care. Have what may go destroyed confidentially, with a certificate as proof. That way you meet both frameworks and protect your passengers' data.
Read also: courier services: destroying delivery data, car body repair: destroying customer data, petrol stations: destroying customer data and the GDPR retention periods cheatsheet.
Have passenger data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.