This is for current and future customers of GuestTraction products. It covers everything you need to remain GDPR-compliant while using GuestTraction products.
The General Data Protection Regulation (the “GDPR”) goes into effect on May 25, 2018. The regulation harmonizes the patchwork of privacy regulations currently in effect around Europe. The regulations help people stay in control of their information, and GuestTraction agrees with this principle.
We are not in the business of making money from selling customer data or using it for anything other than helping accommodation providers engage with their guests. GDPR requires that companies take security and privacy seriously. It also requires transparency about how data is stored, moved, and processed.
Companies must allow data subjects to control their data, and EU residents can ask for their data to be corrected, deleted, or exported. Companies need to document how they bulk process their customers’ information. They must enforce policies to protect that data, and for larger data processing operations, they need to have a Data Protection Officer with the power to control how data is processed and protected. Like the laws currently in effect, the GDPR defines when it is okay for companies to move data out of the EU.
GuestTraction has used hospitality industry group recommendations and standards for GDPR compliance. In accordance with the regulation, we have balanced the need for security and data privacy protection with the legal, contractual, and commercial requirements of accommodation providers.
The GDPR requires that data controllers define how data processors use the data they get from controllers. These requirements belong in our contracts with accommodation providers. GuestTraction stores data in secure data centers based outside of the EU, and the GDPR allows this as long as we agree to and follow standard contractual clauses that guarantee the security and privacy of that data. GuestTraction has prepared a compliant SaaS agreement, which provides the necessary information and includes the required contractual clauses. It is available to all current and future accommodation provider customers.
What is the Compliance Status of our products?
What data do accommodation providers collect with GuestTraction products?
GuestTraction can collect the following kinds of information:
- Phone number
- Email address
- Reservation details
- Customer requests
- Application usage data
The GDPR gives additional protection to extremely personal information like ethnicity, health status, sexuality, and religious affiliation. GuestTraction products are not designed for accommodation providers to collect and store this kind of information.
How is this data protected?
The data collected is kept in a secure data centre that has up-to-date physical and technical measures for protection, including locked doors, ID passes for security, CCTV, and controlled access.
More importantly, the data we collect must be protected by your staff. Human error is the greatest threat to data security. Training around privacy and security can help your staff prevent data leakage. For example, staff should use strong passwords, and they should not allow guests to see screens showing other guests' information.
Is my property a Data Processor or Data Controller?
Since accommodation providers decide what data they collect and they have the direct relationship with the guest, under the GDPR, accommodation providers are data controllers. GuestTraction is a data processor, so we are restricted in how we use the data we collect, and you control that. When you use GuestTraction, your guests’ data is processed in a GDPR-compliant and secure way.
As a controller you have the right to know anyone GuestTraction shares guest data with. We can only share data at the direction of you, the data controller.
As a data controller, you have the right to know exactly when GuestTraction processes your customers’ subject data and what we do with it.
What happens if GuestTraction Data is breached?
GuestTraction will notify you within 72 hours of discovering a breach of our secure storage systems, and we will assist you in determining your notification obligations.
How should our business handle data access requests?
The GDPR gives people certain rights to correct, erase or export their data, and these requests must be fulfilled within thirty days. When you receive a request, it is critical that you communicate it to all of your data partners, including GuestTraction, as soon as possible. GuestTraction is committed to complying with data requests within 25 days, in order to give you time to include our response within the thirty-day period.
Do we need guest consent to use GuestTraction?
You should be transparent about any data processors you are working with, but explicit consent to use GuestTraction is not legally required by the GDPR. Any time you collect subject data you must have a legal basis to do so. One such legal basis is performance of a contract. Since you have a contract with your guest, you can collect and process data to perform that contract. GuestTraction provides the means for you to follow through on these contractual commitments, and this is fully compliant with the GDPR without separate consent.
We cannot give you legal advice, and ultimately you are responsible for your compliance with all laws. This document represents a dedicated effort, working with industry consultants, to understand GDPR and its impact on hospitality.