General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) is a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens anywhere in the world.

At Hotelogix, we are not just hard at work ensuring that our own practices are GDPR-compliant, but it is equally important to us to help our partners and customers (like you) to understand what GDPR means for their businesses and build compliant processes of their own.

A big piece of that is ensuring that the Hotelogix platform sets you up for GDPR compliance. In full transparency, while the existing product can be used in a way that helps to comply with the GDPR, doing so can be difficult and involve complex workarounds.

With the regulations coming into force by May 2018, it hands EU customers the power to control their personal information that businesses store and handle. We are fully committed to enhancing the Hotelogix PMS to enable easier compliance with the GDPR.

We have created this page to serve as your one-stop shop for GDPR-related product updates.

Here is a quick case to understand legalese associated with the GDPR.

Let’s say that John, who is an EU citizen, is a guest of yours Hotel/Property named C Hotel. Here John is called the "data subject" and your organization C HOTEL is called the "controller" of that data. If you are a Hotelogix customer, then Hotelogix acts as the "processor" of John’s data on behalf of C HOTEL. With the introduction of the GDPR, data subjects like John are given an enhanced set of rights, and controllers and processors (C HOTEL and Hotelogix, respectively), an enhanced set of regulations.

Hotelogix as a Data Processor

Hotelogix recognizes its responsibilities as a data processor towards its customers. We have listed out all the steps that we are taking towards fulfilling all legal obligations under GDPR.

How is Hotelogix preparing for GDPR ?

Hotelogix is gearing up to become GDPR compliant across all its applications. As a data processor, Hotelogix understands its obligation to help customers get ready for the big day. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them. Some of our ongoing initiatives are:

• Identifying personal data
• Providing visibility and transparency
• Enhancing data integrity and security
• Portability and transferability of data

Our GDPR Compliance Roadmap

1. Create and sustain awareness within the company regarding the “Privacy by Default” and “Privacy by Design” principles that need to be kept in mind for ongoing development.
2. Bring together the product, marketing, compliance, and security team heads to oversee Hotelogix GDPR compliance initiatives.
3. Analyze all the areas of the product that GDPR would influence.
4. Create a data retention policy and have an automated process in place to adhere to the same Release features that would enable our customers to become GDPR compliant.
5. Update the privacy policy in accordance with GDPR and communicate the changes made to our customers.
6. Reach out to all our third-party vendors to make sure they are GDPR-ready.

Some actions we've been undertaking to become compliant with the GDPR Guidelines:

• We have chalked out a plan that will help hotels handle their guests’/customers’ PII (Personally Identifiable Information) data, when a guest/customer cancels/checks-out their booking with the hotels. This allows hotels to clear PII data while still ensuring that numbers are not affected in the aggregate reporting of data. This will be available in the app and as an API.
• Hotelogix will enable Hotels to give their end-users the option to view, update, edit or clear any personal information they have shared with them.
• We are also exploring other features in the context of GDPR and data security and will provide updates soon.

Hotelogix has designated a Data Protection Officer (DPO) who will be responsible for monitoring performance and providing advice on the impact of data protection efforts.

Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be shared with clients on request.

The DPO will always be reachable to answer all your queries regarding how the personal data is being used, the rights to have personal data erased, and what measures the company has put in place to protect all personal information.

He will also act as a point of contact between the company and the supervisory authority.
You can get in touch with our DPO for any of your query related to data protection and privacy at gdpr@hotelogix.com

FAQ's

You can refer the few of the FAQ’s related to GDPR here.

1. What is GDPR ?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). In other words, it is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

2. Does the GDPR apply to me?

The territorial scope of the GDPR will also apply to non-EU businesses which does any one of the following:
a) Market their own products to people in the EU
b) Monitor the behavior of people in the EU. Even if you’re based outside of the EU, but you control or process the data of EU citizens.

3. Does the GDPR require personal data to be stored in the EU ? What does Hotelogix do to ensure lawful data transfers from the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU-U.S. Privacy Shield continues to be one valid way to ensure adequate safeguards to be in place for personal data transfer from the EU to the U.S. The EU model clauses also remain a valid mechanism to lawfully transfer personal data. Hotelogix offers a GDPR compliant system with Data Processing Agreement that incorporates the model clauses to our EU/EEA customers.

4. Will Hotelogix be able to comply with the right to erasure (right to be forgotten) ?

Yes. When one of your hotel guests (i.e. data subjects) asks you to erase their details from your records, you will have the ability to do so quickly and easily. You will be able to execute a GDPR-compliant delete, which will remove every trace of the contact if that guest from your system, permanently.

5. What is Hotelogix? Data processor or Controller?

Hotelogix acts as a data processor for your hotel guests and you as a hotelier would have complete control over your guest’s personal data wherein you have the rights to update or remove their personal information as per their request.

6. Who is a data processor?

“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

7. Who is data controller?

“Data Controller” is the one who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

8. What else is Hotelogix doing to prepare customers and partners for the GDPR?

In the past few months, we have created a slew of resources that go over the basics of the GDPR:

• The basics of the GDPR: Our primary resource page on the GDPR
• Created comprehensive documents: Documents mentioning the areas from where the information is entered/viewed/deleted and how to comply with GDPR
• GDPR checklist: For our customers and partners, a free compliance checklist to determine their next steps.
• GDPR research: How prepared are others for the GDPR? What do consumers think about the change ?

We will be putting out additional resources in the coming months with further product upgrade and will include GDPR content at any relevant Hotelogix event. In addition to our own resources, we have compiled a list of additional sites for more information around the new regulation.

9. How long can you keep personal data?

How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements, agreed practices and the rules/regulations of that country.

10. When will GDPR come into force?

European General Data Protection Regulation (GDPR) will come into force on May 25, 2018. It is expected to change how businesses and public-sector organizations can handle the information of their customers.

11. What is protection against data breach?

A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve accessing and/or disclosing any person’s Personal Health Information (PHI), Personally Identifiable Information (PII), trade secrets or intellectual property.

12. What are the eight main fundamental data subject rights of the Data Protection Act?

The eight main fundamental data subject rights are as follows:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision making and profiling

13. Who is a data protection officer?

A Data Protection Officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
You can reach our DPO at gdpr@hotelogix.com

14. Do we need to appoint a Data Protection Officer ?

Under the GDPR, you must appoint a DPO for any of the following cases:

• If you are a public authority (except for courts acting in their judicial capacity)
• If your core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking)
• If your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you are not required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements of the position and tasks will apply (had the appointment been mandatory).

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organization has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO plays a key role in your organization’s data protection governance structure and can help in improving accountability.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.