Answer given by Mrs Reding on behalf of the Commission
An Internet Protocol (IP) address is a unique numeric identifier that is needed by every device that connects to the Internet. It is attributed by Internet access providers and managers of local area networks. They can, using reasonable means, identify Internet users, as they systematically ‘log’ in a file the date, time, duration and dynamic IP address of their connection.
Such IP addresses can be considered personal data in the sense of Article 2 a) of the Data Protection Directive 95/46/EC (‘Directive’)(1)(2): Whether they constitute personal data depends on whether they leave traces, which combined with other information received by the servers can be used to create profiles and thereby directly or indirectly identify these individuals. This principle stems from the definition of personal data in the directive and is further developed in the General Data Protection Regulation proposed by the Commission(3).
Any processing of client data such as IP addresses must be in line with the national laws implementing the requirements of Directive 95/46/EC; inter alia personal data must be processed on legitimate grounds, for a specific purpose and must be proportionate to the aim pursued. The clients of the travel companies must be informed about the processing.
Without prejudice to the powers of the Commission as guardian of the Treaty, national data protection supervisory authorities are the competent bodies to monitor the application of the national measures implementing Directive 95/46/EC.
Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23.11.1995, p. 31.
Court of Justice of the European Union, Case C-70/10, Judgment of 24 November 2011. Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), ECR  Page 00000, point 51. . Text; see also Opinion 4 of the article 29 Working Party on the concept of personal data adopted on 20.6.2007, p. 16.
Recital 24 of the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)11, 25.1.2012.