You are here


Travel agency goes the extra mile to protect personal data

For Chan Brothers Travel, ensuring correct use of customers’ personal data extends beyond the management of its 120,000 strong customer database

PDPC_ChanBrothers 2.jpg
Adequately respecting and protecting personal data complete the user-experience and ensure great holidays for customers, says Ms Janet Chan of Chan Brothers Travel


Juggling the data protection preferences of thousands of individuals and maintaining satisfactory user experience in the face of PDPA compliance proved challenging for Chan Brothers Travel.

Steps Taken

. Formation of data protection team to monitor PDPA obligations and to assist colleagues with compliance

Market voices on:

· Enhanced IT security and frontline notifications to offer customers the option to opt out of marketing and publicity promotions

· Dedicated email account to handle access and correction requests


· Increased customer confidence and trust in Chan Brothers

· Better online user experience resulting in higher number of online transactions

· More effective internal handling of customers’ personal data

It is common for travel groups to take a picture together as a keepsake, and this is one of the bigger selling points marketed by tour agencies to entice travelers to take up celebrity packages.

Chan Brothers Travel (Chan Brothers) is one of those that offers such opportunities – travelers can take pictures with their favourite celebrity and even appear on television in “My Star Guide”, a local reality travelogue where selected local artistes play the role of a tour guide and “lead” tour groups overseas.

In its 11th season this year, the successful programme is one area of concern for Chan Brothers when implementing data protection policies for the tours, as the entire trip is captured on camera and presented on television.

“Not everyone in the tour wants to be on television or in photos that we use for marketing communication purposes,” says Ms Janet Chan, Chan Brothers’ Senior Business Development Manager for E-Commerce Marketing and Data Protection Officer (DPO).

“Even if they join the celebrity tour, it doesn’t automatically mean that they want to be photographed or filmed.”

To ensure compliance with the Personal Data Protection Act (PDPA) which allows individuals to decide how they want their personal data to be collected, used and disclosed, Chan Brothers makes it a point to notify customers of the nature of the tour. Customers may state their preference in relation to video or photo exposure when they purchase a tour package, especially for celebrity packages where the entire tour process is documented and presented on TV.

During pre-travel briefings, Chan Brothers’ travel advisors will once again verbally remind travelers to inform their tour leaders of their preferences during the trip.


Managing Chan Brothers’ customer preferences extends beyond the duration of the tours; it starts from the day the customer contacts Chan Brothers and ends long after the fulfilment of the tour package.

The company’s standard operating procedure (SOP) is to first notify customers of the purpose of the collection of their personal data once they express interest in signing up for a package. This is done by frontline staff. The information is generally mandatory for the company to see through the delivery of its services, such as to help customers with their hotel or airline reservations.

With regard to marketing, customers are given a choice to opt out. “One of the first changes we made to our processes was for our in-house information technology (IT) team to include an opt-out selection for customers. This seemingly small change made a huge difference to the overall customer experience,” says Ms Chan.

The IT team is also in charge of regularly reviewing the agency’s IT security polices and keeping up with the latest trends in cybersecurity, so that sufficient measures are in place to secure the company’s online transactions. Existing measures such as secured login, automated logout mechanisms and systematic updates of firewalls, to name a few, are constantly updated with the latest patches to ensure there are no loopholes in safeguarding customers’ data.

Ms Chan adds, “With enhanced IT security, customers are also more comfortable making online transactions, which has a positive impact on our revenue streams and user experience.”

Since the company has an estimated 120,000 customers and followers in its SMS and eDM (electronic direct mail) databases, and providing access as well as keeping personal data accurate are requirements of the PDPA, Chan Brothers has created a dedicated email account to handle all access and correction requests.


Aside from ensuring compliance in customer-facing practices, the company also enhanced its internal data protection policies to help employees handle personal data better. For example, all hardcopy registration forms must now be shredded before disposal. Retention periods for personal data, such as those found in obsolete tour bookings, have also been introduced. Third party vendors, too, are required to adhere to Chan Brothers’ data protection policies.

Ms Chan further shares that Chan Brothers’ data protection policies are made available on the company’s intranet for employees’ easy reference. As the DPO, she conducts regular training to keep employees up-to-date on data protection policies and practices.

She is supported by a team comprising  designated personnel from each major department, namely e-Commerce, Marketing Communications, Customer Service, IT, Human Resource and Finance. The team reviews existing procedures in their relevant departments every quarter to ensure that there are no loopholes in safeguarding customer’s personal data.


Although it took some getting used to, Ms Chan says that targeted marketing has proven to be both efficient and effective.

She explains, “We now only send marketing SMSes to customers who are willing to receive information by SMS, and this improves the effectiveness of our promotions. Checking our telemarketing list against the DNC Registry is also relatively quick. We usually set aside just one day for the checks to be completed.”

Aside from the purchase of credits to check their telemarketing list against the DNC Registry, Ms Chan attributes the bulk of the cost of complying with the PDPA to time and resources spent in implementing the company’s data protection policies and practices.

Ms Chan says, “Our efforts have been worthwhile because customers are now more aware of our personal data protection practices. Our policies have made our processes more transparent and increased customer trust in us.”