Still have questions about GDPR? Consult our Best practises and Frequently Asked Questions below for some answers.
Also make sure to check out our:
There are three things that you might need to do depending on your situation and jurisdiction:
The legal requirement to inform the guests of the processing activities is an obligation for the Hotelier as the data controller.
Sign the Data Processing Agreement (DPA)
The data controller is obliged to sign a DPA with all of its processors. We have prepared a DPA together with our legal counsel to be in compliance with the GDPR.
We will send a version of our DPA for you to review and digitally sign a copy of it. If you have any questions about its contents, please email email@example.com.
DPAs will be published on your WebHotelier dashboard as soon as they are ready. Please check our live blog for the announcement.
Ensure you have proof of consent for all European Union residents or citizens
We recommend that you obtain explicit consent with a double opt-in approach. With double opt-in, upon signing up for email promotions, an individual receives an email with a verification link. When they click this link, it confirms both their consent and the accuracy of their email address. It also keeps a record of that consent, which is required by the GDPR.
Q: What is GDPR?
Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), is European privacy legislation that takes effect May 25, 2018. It will replace the existing EU member state laws that implement the EU Data Protection Directive, which has been in existence since 1995.
Q: Does GDPR apply to me?
GDPR applies to all EU data subjects so will apply to all companies and organizations who have EU citizens as part of their business or organization. GDPR will apply to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location.
Q: What is personal data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of personal data:
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone); an Internet Protocol (IP) address; a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Examples of data not considered personal data:
- a company registration number;
- an email address such as email@example.com;
- anonymised data.
Q: What does the General Data Protection Regulation (GDPR) govern?
Regulation (EU) 2016/6791, the European Union’s ('EU') new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.
It doesn’t apply to the processing of personal data of deceased persons or of legal entities.
The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.
When the regulation applies
A company with an establishment in the EU provides travel services to customers based in the Baltic countries and in that context processes personal data of natural persons.
When the regulation doesn’t apply
An individual uses their own private address book to invite friends via email to a party that they are organising (household exception).
Q: What constitutes data processing?
Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.
Examples of processing
- staff management and payroll administration;
- access to/consultation of a contacts database containing personal data;
sending promotional emails*;
- shredding documents containing personal data;
- posting/putting a photo of a person on a website;
- storing IP addresses or MAC addresses;
- video recording (CCTV).
Q: What are Data Protection Authorities (DPAs)?
DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws. There is one in each EU Member State.
Generally speaking, the main contact point for questions on data protection is the DPA in the EU Member State where your company/organisation is based. However, if your company/organisation processes data in different EU Member States or is part of a group of companies established in different EU Member States, that main contact point may be a DPA in another EU Member State.
(UPDATE: Download an up-to-date DPA list from: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080)
Q: Is the GDPR applicable to WebHotelier?
Yes, WebHotelier is covered by the GDPR in situations where WebHotelier processes personal data of hotelier customers, including but not limited to customer end users, if those individuals are located in the EU.
Q: Is the GDPR applicable to me as WebHotelier’s customer?
Almost certainly yes, but you should consult with your company’s legal counsel to determine if the GDPR applies to you.
Q: Is WebHotelier a Data Controller or a Data Processor?
WebHotelier may operate as either a Data Controller or Data Processor depending on the circumstances.
With respect to the personal data of its customers, WebHotelier generally is a Data Processor and WebHotelier’s customer is the Data Controller. The WebHotelier customer, the Data Controller, determines the purposes and means of the processing of personal data.
WebHotelier also operates as a Data Controller with respect to certain of its services and/or databases. For example with respect to hotelier user data accessing our backoffice applications, WebHotelier is the Data Controller.
Q: Does WebHotelier have a Data Protection Officer?
Yes, WebHotelier has a Data Protection Officer. You can contact our Data Protection Officer at:
Data Protection Officer firstname.lastname@example.org WebHotelier Technologies Ltd Mnasiadou 9, Demokritos Building, Office 16 1065, Nicosia Cyprus
Q: What are the legal bases under the GDPR for WebHotelier’s processing of personal data?
With respect to the booking engine and other services that WebHotelier provides to its customers (where WebHotelier acts as either a Data Processor), WebHotelier has a legitimate interest in processing the data.
The GDPR specifically references the “processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned” – among other cases, WebHotelier’s customer using WebHotelier’s services for publishing a website for direct bookings.
WebHotelier also provides services to its customers that include the processing of personal data (where WebHotelier acts as either a Data Processor or Data Controller) based on the consent obtained from its customers and its customer’s end users.
Q: How does WebHotelier handle data subject requests to exercise their rights under the GDPR?
Where WebHotelier operates as a Data Processor, WebHotelier will notify its customer if WebHotelier receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to processing, or right not to be subject to automated individual decision making (“Data Subject Request”). WebHotelier will also assist its customer in responding to a Data Subject Request, where legally required and permissible. WebHotelier’s customer is responsible for any costs arising from WebHotelier’s assistance with Data Subject Requests.
Q: Does WebHotelier have an incident response plan?
Yes, WebHotelier has a Written Information Security Program that includes an incident response plan.
Q: Does WebHotelier conduct Data Protection Impact Assessments (DPIAs)?
WebHotelier may conduct DPIAs with respect to the personal data of its customers where its processing operations are likely to result in a high risk to the rights and freedoms of natural persons. Where WebHotelier operates as a Data Processor on behalf of its customers, WebHotelier will assist its customers, the Data Controllers, where necessary and upon written request, in ensuring compliance with the customer’s obligations, if any, deriving from the carrying out of DPIAs. For further information, please contact our DPO.
Q: When is a Data Protection Impact Assessment (DPIA) required?
A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:
- a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
- processing of sensitive data on a large scale;
- systematic monitoring of public areas on a large scale.
Q: Can WebHotelier deny a DPIA request?
Yes, if the request is not a subject of the above criteria.
In all cases WebHotelier will evaluate the severity of the request and may contact the Data Protection Authority before conducting the DPIA.
Q: Is WebHotelier infrastructure Privacy Shield certified?
Yes, WebHotelier uses exclusively Amazon Web Services for its infrastructure, therefore all servers and IT infrastructure are certified under the EU-US Privacy Shield. View the certification here.
You can read more about Amazon's Privacy Shield Framework here
Q: What are the main things I should do to ensure GDPR compliance?
First, be sure your data processing vendors offer easy-to-use, comprehensive solutions designed to help you reach GDPR compliance as it relates to the four main pillars: Proof of Consent, Right to Data Portability, Right to Erasure, and Right to Refuse Profiling.
Second, conduct a Privacy Impact Assessment so you understand the flow of your data, who has access to it, where it is stored, and what it is being used for.
Third, ensure that you have Proof of Consent from every European Union (EU) resident or citizen within your database. This may need to be done retroactively in order to communicate with them after May 25, 2018. You will need to be able to prove that they consented to receiving your email marketing communications.
Q: What do I have to do to remove EU contacts with whom I shouldn't communicate?
It’s important to get as much of your database to opt-in to your marketing campaigns as possible. Target known profiles in EU member states with a double opt-in campaign prior to March 25, 2018 to capture their proof of consent.
Q: Does the GDPR mean I need Double Opt-In?
Double opt-in is not required, but proof of consent is. The best way to establish proof of consent is through double opt-in.
Even without the GDPR, a double opt-in approach is still highly encouraged. It will help you create a healthier list by preventing bad email addresses from being added to your database. In addition, double opt-in is better for your sender reputation and email deliverability.
Q: Can I transfer personal data related to persons from the EU outside of the EU?
Organizations are only allowed to transfer personal data outside of the European Economic Area if they have in place appropriate safeguards to protect data abroad. Accepted transfer mechanisms include self-certifying to the Privacy Shield Framework (if a US organization), using the EU Commission’s Standard Contractual Clauses, transferring the data to a country that has been recognized by the European Commission as providing an “adequate” level of data protection, obtaining Binding Corporate Rules approval, as well as other less established mechanisms such as certifications and codes of conduct.