The GDPR: how to make sure your hotel complies with the new privacy law

The GDPR takes effect on May 25th, 2018. GDPR stands for General Data Protection Regulation (GDPR). Simply put, it’s new, advanced legislation that is part of European Data Protection Directive. Starting May 25th, any company collecting the personal data of EU citizens or providing EU citizens with products and services must be GDPR compliant. This new regulation also applies to hotels.

We have already updated TravelLine services to make them comply with the GDPR. However, if you work with EU citizens, you must make some changes on your side as well. In this article, we will tell you what makes TravelLine services compliant with the GDPR and how you can ensure your own compliance.

• What does the GDPR do?
• Does it apply to hotels?
• How do you comply with the GDPR?
• What happens if you do nothing?
• How does TravelLine help hotels comply?
• How was the TravelLine booking engine updated in order to comply?
• What’s new in the TravelLine account?
• Is a TravelLine Express website GDPR compliant?
• What if guest data is stored in TravelLine WebPMS?
• What if we use third-party services for personal data collection?

— What does the GDPR do?

The GDPR protects people in the EU against exploitation of their personal information and also addresses how data is exported outside the European Union. The main goal of the GDPR is to give people more control over their personal data. Also, the law standardizes the way the data of EU citizens is processed by companies collecting it.

— Does it apply to hotels?

No matter where your hotel is located or headquartered, you must comply with the GDPR if it falls under at least one of the following criteria:

• Offers products or services to those booking from the EU
• Asks for personal data from EU citizens: emails, mailing addresses, names, financial info, photos or videos, online identifiers like IP addresses, cookies, etc.

Regardless of which country a person is a citizen of, when they are booking a hotel from the EU, a hotel must comply with the GDPR.

— How do you comply with the GDPR?

Unfortunately, the law doesn’t provide a specific set of guidelines to be followed. Therefore, it is impossible to go into great detail in this article. But let’s go through the high-priority changes that must be made:

Update your privacy policy

We recommend that you take a careful look at your website privacy policy and make necessary changes to it.

The document should be in all languages that your website supports to make it clear for the  greatest number of people. Keep the text simple, drop legalese and and get rid of ambiguous phrases. A user should clearly understand what data they are being asked to provide, where and for how long it will be stored, etc.

The privacy policy must include:

1. Who the Controller is and who the Processor is

The Controller determines the goals and means of data collection and bears greater legal responsibility. The Processor is the acting agent that processes the data, including its collection, storage, classification, alteration, erasure, etc.

If you collect guests’ data via third-party services like a TravelLine booking engine, you are the controller, and TravelLine is the processor.

If you collect guests data by yourself via your own services or a contact form on your website, you’re both the controller and processor.

1. The contact details of the data Controller.
2. The contact details of the data protection officer (if you have one).
3. The 8 rights of users according to the GDPR.
4. Clear notification if providing data is mandatory.
5. Clear notification if data is transferred outside the EU. Provide information on how the data is protected and how it can be accessed.
6. The reason for data collection. While the Privacy Policy covers the legality of data collection, let users know what you need their information for.
7. A way to withdraw consent. Give clear indication as to what people should do to have their data deleted.

Seek consent to process personal data

According to the GDPR, you can email people only if they agree to receive emails from you. Otherwise, it’s illegal.

To ensure you may legally email new contacts, use a subscription form with an agreement checkbox. It’s important to leave the checkbox empty, since a user should deliberately show he/she agrees.

Users must have the choice not to provide personal data and know what happens if they don’t, e.g. “without providing your email address, you cannot create a user account.”

Reconfirm consent for existing contacts. To achieve this, ask existing users via email if they want to receive any further emails. You can’t send newsletters, special offers, and other info to those who don’t agree or never reply. It’s a good way to clear your database of uninterested contacts. It should increase your email campaigns efficiency since you’ll communicate with interested users only.

Provide notification on how you collect and process personal data

For example, let’s take a look at cookies. Most websites use cookies to remember users’ preferences and collect their personal information, such as session IDs, IP addresses, etc. We recommend that you add notifications that you are using cookies on your website and describe what cookies are.

The notification should contain a link to a document (e.g. your privacy policy) that explains what cookie files are used for and where they are stored. Also, let people know how to block cookies.

Please note that this is not an exhaustive guide on how to comply with the GDPR. We suggest that you thoroughly learn GDPR requirements.

— What happens if you do nothing?

— How does TravelLine help hotels comply?

— How was the TravelLine booking engine updated in order to comply?

We unchecked all checkboxes to let users knowingly agree to receive emails from hotels:

A guest can read the updated privacy policy by following the link in the booking engine. Here we also ask their permission:

Guests will be able to delete their personal data from their bookings by following the “MANAGE RESERVATION” link in a booking confirmation email...

... and clicking on “Delete personal data”:

If it’s a booking for a group of people, the personal data of all guests in the booking will be deleted.

— What’s new in the TravelLine account?

Hoteliers will be able to choose a storage period for guests’ data. When it expires, the data will be deleted automatically.

If you choose the option “infinitely” in the settings, the data will stay there unless you change a data storage period or unless a guest asks you to delete it:

— Is a TravelLine Express website GDPR compliant?

By May 25th, all TravelLine Express websites will be compliant with the GDPR requirements.

All TravelLine Express-based websites will include a pop-up window with a notification on Cookie files collection.

— What if guest data is stored in TravelLine WebPMS?

We’re adding an option to delete guest data should they make such a request. Remember to include in your privacy policy instructions on how guests can have their personal data deleted.

— What if we use third-party services for personal data collection?

Should you use any third party services other than TravelLine on your hotel website to collect personal data, make sure they are GDPR compliant. Make a list of such services and connect with their providers. If you have any doubts about services’ compliance with the GDPR, we recommend that you remove them from your hotel website.

We have put maximum effort into making TravelLine services fully compatible with the GDPR. However, we advise that you pay close attention to the new laws and regulations associated with the GDPR. Please note that there are many GDPR-related aspects a hotel should consider.

By taking the necessary steps to comply with these new policies, you will ensure that your establishment can still attract guests from the European market. We understand that there are many changes that must be implemented and we have every confidence that you will be able to do so successfully.