General Data Protection Regulation (GDPR) is a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens anywhere in the world.
At Hotelogix, we are hard at work ensuring that our own practices are GDPR-compliant, and it is equally important to us to help our partners and customers (like you) understand what GDPR means for their businesses and build compliant processes of their own.
A big piece of that is ensuring that the Hotelogix platform sets you up for GDPR compliance. In full transparency, while the existing product can be used in a way that helps to comply with the GDPR, doing so can be difficult and involve complex workarounds.
The regulation comes into force by May 2018 and hands EU customers the power to control the personal information that businesses store and handle. We are fully committed to enhancing the Hotelogix PMS to enable easier compliance with the GDPR.
We have created this page to serve as your one-stop shop for GDPR-related product updates.
Let’s say that John, who is an EU citizen, is a guest at your hotel/property, C Hotel. Here John is called the "data subject" and your organization, C HOTEL, is called the "controller" of that data. If you are a Hotelogix customer, then Hotelogix acts as the "processor" of John’s data on behalf of C HOTEL. With the introduction of the GDPR, data subjects like John are given an enhanced set of rights, while controllers and processors (C HOTEL and Hotelogix, respectively) face an enhanced set of regulations.
Hotelogix recognizes its responsibilities as a data processor towards its customers. We have listed below the steps that we are taking towards fulfilling all legal obligations under GDPR.
Hotelogix is gearing up to become GDPR compliant across all its applications. As a data processor, Hotelogix understands its obligation to help customers get ready for the big day. We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them. Some of our ongoing initiatives are:
• Hotelogix has designated a Data Protection Officer (DPO) who will be responsible for monitoring performance and providing advice on the impact of data protection efforts.
• Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be shared with clients on request.
The DPO will always be reachable to answer all your queries regarding how the personal data is being used, the rights to have personal data erased, and what measures the company has put in place to protect all personal information.
He will also act as a point of contact between the company and the supervisory authority.
You can get in touch with our DPO for any queries related to data protection and privacy at firstname.lastname@example.org
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). In other words, it is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
The territorial scope of the GDPR also extends to non-EU businesses that do any one of the following:
a) Market their own products to people in the EU
b) Monitor the behavior of people in the EU. In other words, the GDPR applies even if you are based outside of the EU but control or process the data of EU citizens.
No. There is no obligation under the GDPR for data to be stored in the EU, and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU-U.S. Privacy Shield continues to be one valid way to ensure that adequate safeguards are in place for personal data transfers from the EU to the U.S. The EU model clauses also remain a valid mechanism to lawfully transfer personal data. Hotelogix offers its EU/EEA customers a GDPR-compliant system together with a Data Processing Agreement that incorporates the model clauses.
Yes. When one of your hotel guests (i.e. data subjects) asks you to erase their details from your records, you will have the ability to do so quickly and easily. You will be able to execute a GDPR-compliant delete, which permanently removes every trace of that guest’s contact record from your system.
Hotelogix acts as a data processor for your hotel guests, and you, as the hotelier, have complete control over your guests’ personal data, including the right to update or remove their personal information at their request.
“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“Data controller” is the one who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In the past few months, we have created a slew of resources that go over the basics of the GDPR:
• The basics of the GDPR: Our primary resource page on the GDPR
• Comprehensive documents: Documents describing where information is entered, viewed and deleted in the product, and how to comply with the GDPR
• GDPR checklist: For our customers and partners, a free compliance checklist to determine their next steps.
• GDPR research: How prepared are others for the GDPR? What do consumers think about the change?
We will be putting out additional resources in the coming months with further product upgrades, and will include GDPR content at any relevant Hotelogix event. In addition to our own resources, we have compiled a list of additional sites for more information around the new regulation.
How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements, agreed practices and the rules/regulations of that country.
The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018. It is expected to change how businesses and public-sector organizations can handle the information of their customers.
A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve accessing and/or disclosing any person’s Personal Health Information (PHI), Personally Identifiable Information (PII), trade secrets or intellectual property.
The eight fundamental data subject rights are as follows:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision making and profiling
A Data Protection Officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
You can reach our DPO at email@example.com
Under the GDPR, you must appoint a DPO for any of the following cases:
• If you are a public authority (except for courts acting in their judicial capacity)
• If your core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking)
• If your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you are not required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements of the position and tasks will apply as if the appointment had been mandatory.
Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organization has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO plays a key role in your organization’s data protection governance structure and can help in improving accountability.
If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.