General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) is a European Union (EU) data privacy law which came into effect on May 25, 2018, and affects any company that processes data for EU residents, regardless of the business location. GDPR will apply to your hotel if you have guests (and therefore hold data about them) from any of the EU countries.

To ensure HotelREZ is compliant with GDPR, we:

  • Trained employees about GDPR and the impact on the way we handle data
  • Documented all of our data processing activities
  • Changed our systems, contracts and processes to comply with the GDPR
  • Created a way to communicate continual updates with regards to GDPR

We will continue to keep abreast of new legislation and best practice to identify ongoing privacy compliance requirements. We will also continue to train staff about data protection and security.

How does GDPR affect hotels?

The rules introduced in May 2018 will impact any organisation that processes personal data. The hotel industry is particularly affected for the following reasons:

  • Hotels obtain high volumes of personal data for guests, and process a large number of payment-card transactions daily.
  • Hotels receive personal data from many sources, such as third-party booking systems and corporate websites.
  • Some hotels may operate CCTV systems.
  • Some hotels conduct profiling activities of customers.
  • Hotels have a high turnover of employees and independent contractors.

All of these activities involve the handling of personal and sensitive data on a large scale.

Under the GDPR, a misuse or breach of personal data not only carries the risk of administrative fines, but could also hurt reputations and result in damage claims. The GDPR will affect owners and operators alike. Please watch this space for updates as they become available, or visit any of the following resources for additional information:

For information specific to your business, please send an email to [email protected]


GDPR Frequently Asked Questions

What is the GDPR?

GDPR establishes rules for how companies, governments, and other entities can process the personal data of data subjects who are in the EU. Many of these rules already existed under previous EU law, but some rules are now stricter, some are less burdensome, and some are brand new.
The rules reach beyond the physical borders of the EU and apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behaviour of those people (including through the use of cookies).


Key Principles of GDPR:
  • Organizations must always process personal data lawfully, fairly, and in a transparent manner.
  • Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.
  • Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
  • Personal data must be accurate and, where necessary, kept up to date.
  • Personal data must be kept only for as long as it’s needed to fulfil the original purpose of collection.
  • Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.

The GDPR grants data subjects a number of rights regarding how controllers handle their data. These rights require controllers to have systems in place to respond to and effectively address data subjects’ requests.

  • Data Access: Data subjects have the right to confirm with a data controller whether the organization is processing their personal data. If it is, the controller must provide the data subject with information about such processing, including the specific data processed, the purposes of the processing, and the other parties with whom such data has been shared.
  • Right to Object: Data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes.
  • Data Rectification: Data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete.
  • Restriction of Processing: Data subjects can request that a controller stop access to and modification of their personal data. For example, the controller can mark or use technological means to ensure that such data will not be further processed by any party.
  • Data Portability: In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (for example, a .csv file) so that they can transmit their own personal data to another company.
  • Right to Erasure: Also known as “the right to be forgotten,” this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing.


What data is “personal data” as defined by the GDPR?

Any information related to an identified or identifiable natural person (an individual, or ‘data subject’). A data subject can be identified or identifiable, directly or indirectly, by a variety of pieces of information (e.g. name, ID number, location data, etc.). Some examples of potential personal data include a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address. The definition of “personal data” is very broad.


What actions must I take in order to be GDPR compliant?

We are not in a position to provide legal advice or to advise what actions are required on your part. The GDPR is complex and may require hotels to make changes to their processes and policies. Your path to GDPR compliance will need an evaluation of areas such as (but not limited to):

  • What data do you currently hold?
  • Have you identified any shortcomings and weaknesses in your data processing operations?
  • What procedures do you have in place to deal with subject access requests and deletion requests?
  • Are your privacy notices up to date?
  • Are your consents up to date?
  • What processes do you have in place to report and investigate data breaches?
  • Does management understand the main issues and risks involved?
  • Have you reviewed and updated your data-processing contracts with third parties?


How does the GDPR affect my relationship with HotelREZ?

We have issued contract modifications for our customers and suppliers. These contract modifications address data privacy protection concerns only – they do not address any commercial terms.

We modified our customer contracts by making changes to our standard terms on our website. These terms apply to most customer contracts, but please check your contract with us if you are unsure whether this applies to you. We modified our customer contracts to ensure your compliance with the GDPR in your dealings with us, but it remains your responsibility to satisfy yourself as to your own compliance.


What changes has HotelREZ made to its systems?

HotelREZ has updated the way hoteliers log in to our customer portal to introduce further security measures. We have analysed all our other system code to support GDPR compliance across all systems that process personal data. We are also continuously monitoring and working with all of our suppliers to ensure that they are processing data in a way that supports GDPR compliance.


As it relates to the GDPR, is HotelREZ defined as a processor or a controller?

HotelREZ generally serves as a processor for most of its services, whereas HotelREZ’s hotel members are usually controllers. In most circumstances it is the hotel that is responsible for the requirements imposed on a controller under GDPR, including but not limited to having a lawful basis to process the personal data and obtaining the appropriate consent (when consent is required). Please note that the actions described under “How does the GDPR affect my relationship with HotelREZ?” are only intended to cover your obligation to have a written agreement in place with HotelREZ in its capacity as data processor; they are not intended to deal with any of your other obligations under the GDPR, for which you are fully responsible.


How do we receive the latest updates on your GDPR compliance?

The content at www.hotelrez.com/GDPR will be updated with our latest details with regards to compliance.


Are there additional technical requirements related to HotelREZ’s connectivity partners?

As part of our GDPR readiness efforts, HotelREZ is working with all technology partners, including connectivity partners, to assess requirements.