helpdesk: 365 days a year
from 8:00am to 8:00pm
GDPR: what changes for the HoReCa industry?
The General Data Protection Regulation (GDPR) applies from May 25th 2018 and replaces the Data Protection Directive of 1995. The fundamental principles of privacy and data protection have not changed, but the new regulation takes into account the changes brought by digitalization and applies directly in all EU countries. Its most important innovations are the following:
If a company transfers the data of people in the EU to a country outside the EU, for example the U.S., the organizations or companies that process such data must still comply with GDPR. The new rules protect the data of individuals in the EU and apply to every company that processes or manages such data, regardless of the country in which it has its registered office or where the data is processed.
Heavy fines are introduced for companies that do not comply with the regulation: sanctions can reach 4% of global annual turnover or 20 million euros, whichever is higher. When can companies be fined? For example, if they do not implement adequate procedures for requesting consent to data processing, or if they violate the principles behind "Privacy by Design".
Privacy by Design
According to GDPR, data protection must not be an add-on but part of the design of systems. Any project must take the confidentiality and protection of personal data into account from the start, and the most protective settings must apply by default.
Companies that collect or process personal data must explain explicitly to users all the conditions that govern the collection and processing of such data, and must state how the requested data will be processed.
Increased rights for data subjects
Individuals can exercise the right to have their data erased from the databases of institutions and companies, the right of access to such information, and the right to know who is collecting their personal data and for what purposes. Furthermore, upon request, the company must provide the data subject, within one month, with an electronic copy of the data it holds about them.
Mandatory notifications of violations
Companies that hold personal data must report a breach that could expose the personal data of data subjects to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals without undue delay when the breach is likely to put them at high risk. A data processor must notify the data controller without undue delay after becoming aware of the breach.
What does this mean for hoteliers and restaurateurs?
Before looking in detail at how hospitality businesses must comply with these rules, the two roles defined by the European regulation must be explained: Data Controller and Data Processor.
The data controller determines the purposes for which and the means by which personal data is processed.
The data processor processes personal data only on behalf of the controller.
In summary, under GDPR the Data Controller is the company or organization that decides why and how personal data is processed; personal data means any information relating to an identifiable person, including the names of your customers.
The Data Processor is instead the company or organization that processes and stores this personal data on behalf of the Data Controller.
Applied to a real case: the Data Controller is the hotelier or restaurateur who decides how customers' personal data is used, while the Data Processor is Ericsoft, the company that provides the PMS software with which the data is collected and processed.
Hotels and restaurants collect a lot of data from their customers, from stay preferences to food allergies. Below we analyze in detail how the legislation affects the data collected by accommodation facilities (the examples also apply to the catering sector).
Guests staying at the property provide different types of data to the hotel: in addition to personal details, they may share information about their consumption habits and preferences, which is collected by the CRM (if the hotel has one) for use in future marketing campaigns.
By regulating the collection, storage, processing and sharing of personal data, the new regulation aims to ensure that this data is managed correctly and with full respect for the data subjects. To comply with the principles of the new regulation:
- the guest, or data subject, must have given consent to the collection and processing of his or her personal data for one or more specific purposes clearly and explicitly stated by the hotel, or the hotel must be able to show that the processing rests on another legal basis, such as performing the contract with the guest or fulfilling a legal obligation. Check-in is such a case: the data needed to register the guest is processed to perform the booking contract and to meet the legal registration requirements, so no separate consent is needed;
- the hotel must be able to demonstrate that the guest gave consent explicitly and actively, and must keep a record of when and how consent was given. For example, a newsletter subscription must use a checkbox that is unchecked by default and that the user must tick to register the request; a pre-ticked box does not count as consent;
- special categories of personal data, namely racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data on sex life or sexual orientation, may not be processed unless an exception applies, for instance the guest's explicit consent. Food allergies are health data, so a hotel that records them must collect them with the guest's explicit consent;
- the guest has the right to obtain the erasure of his or her personal data, and the data controller must then delete it, unless it must be retained to fulfil a legal obligation (for example, accounting records);
- the guest has the right to receive a copy of the personal data collected by the data controller (the hotel) in a structured, commonly used and machine-readable format.
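The obligations in the list above can be enforced in the guest record itself rather than left to policy. The following is an added example written for this article; it is not Ericsoft code and not part of the original page. All class names, purpose labels and the sample guests are hypothetical. It records consent only on an affirmative act (a checkbox that was actually ticked, with a timestamp, the notice version shown and the source), lets check-in proceed without consent because it rests on a different legal basis, exports a machine-readable copy of the record, and on an erasure request deletes the record or, if a legal retention hold exists, pseudonymises it instead.

```python
"""Added example (not Ericsoft's code): a minimal guest-record store that
enforces the GDPR points listed in the article. Names are hypothetical."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Purposes whose legal basis is the contract or a legal obligation rather
# than consent, so no opt-in is required. Hypothetical labels.
NO_CONSENT_NEEDED = {"check_in", "invoicing"}


@dataclass
class Consent:
    purpose: str          # e.g. "newsletter"
    given_at: str         # ISO-8601 UTC timestamp: evidence of when
    notice_version: str   # which version of the privacy notice was shown
    source: str           # where the affirmative act happened


@dataclass
class Guest:
    guest_id: str
    name: str
    email: str
    consents: dict[str, Consent] = field(default_factory=dict)
    retention_holds: set[str] = field(default_factory=set)  # e.g. {"invoice"}


class GuestStore:
    def __init__(self) -> None:
        self._guests: dict[str, Guest] = {}

    def add(self, guest: Guest) -> None:
        self._guests[guest.guest_id] = guest

    def get(self, guest_id: str) -> Guest | None:
        return self._guests.get(guest_id)

    def record_consent(self, guest_id: str, purpose: str, checkbox_checked: bool,
                       notice_version: str, source: str,
                       now: datetime | None = None) -> None:
        # Consent must be an affirmative act: the default (unchecked) state,
        # or a pre-ticked box that was never touched, is not consent.
        if not checkbox_checked:
            raise ValueError("consent requires an affirmative act by the guest")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self._guests[guest_id].consents[purpose] = Consent(purpose, ts, notice_version, source)

    def withdraw_consent(self, guest_id: str, purpose: str) -> None:
        # Withdrawal must be as easy as giving consent; drop the record.
        self._guests[guest_id].consents.pop(purpose, None)

    def may_process(self, guest_id: str, purpose: str) -> bool:
        # Gate every use of the data on its legal basis.
        if purpose in NO_CONSENT_NEEDED:
            return True
        return purpose in self._guests[guest_id].consents

    def export_dict(self, guest_id: str) -> dict:
        # Right of access / portability: everything held, including the
        # consent evidence, in a structured form.
        g = self._guests[guest_id]
        return {"guest_id": g.guest_id, "name": g.name, "email": g.email,
                "consents": [asdict(c) for c in g.consents.values()]}

    def export_json(self, guest_id: str) -> str:
        return json.dumps(self.export_dict(guest_id), indent=2, sort_keys=True)

    def erase(self, guest_id: str) -> str:
        # Right to erasure. Where a legal retention duty exists (e.g. invoices)
        # the record is kept but stripped of identifying fields and consents.
        g = self._guests[guest_id]
        if g.retention_holds:
            g.name = "[erased]"
            g.email = "[erased]"
            g.consents.clear()
            return "pseudonymised"
        del self._guests[guest_id]
        return "deleted"


if __name__ == "__main__":
    store = GuestStore()
    store.add(Guest("g1", "Mario Rossi", "mario@example.com"))  # constructed sample
    store.record_consent("g1", "newsletter", True, "notice-v2", "booking form checkbox")
    print(store.export_json("g1"))
    print(store.erase("g1"))
```

In a real PMS the consent record would also be written to an append-only audit log, since the point of the timestamp, notice version and source is to prove later that the guest opted in.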
We have been creating complete and highly specialized technological solutions for the hospitality industry since 1995.
Because we focus exclusively on a single industry, our investments have always been entirely dedicated to developing our software and innovative applications for hotel and restaurant management.
The experience gained over the years, together with what we learn every day from being in contact with hospitality professionals, allows us to understand the real needs of the sector and to develop, following new market trends and regulations, flexible and scalable solutions that can be customized to the needs of each property, from independent ones to chains.
Ericsoft collects personal data for operational efficiency and to offer customers and end users the best possible experience with its services and software. The data collected includes the following and refers not only to customers' data but also to end users' data:
Name and contact data: Ericsoft collects your first and last name, email address, postal address, phone number and other similar contact information.
Credentials: Ericsoft collects passwords, password hints and similar security data used for authentication and account access.
Payment data: Ericsoft collects data necessary to process your payment, such as credit card number and the security code associated with the payment method.
Customers and end users have a choice about the data collected and may decline to provide such personal data; however, if data necessary to provide the service is not provided, some features or services may not be available.
Ericsoft uses the data it collects for two purposes: (1) to provide the services offered, (2) to send communications, including informational and promotional ones.
Services offered: this includes the functioning of the service, maintaining and improving its performance, developing new functionalities, research and customer support. Some examples:
Customer support: Ericsoft uses data to diagnose service problems and provide support services.
Service Improvement: Ericsoft uses data to continually improve the services offered, including the provision of new features or capabilities.
Security, Safety and Dispute Resolution: Ericsoft uses data to protect the security and safety of its services and customers, to detect and prevent fraud, to confirm software licenses validity, to resolve disputes, and to enforce its contracts.
Communications: Ericsoft uses the data collected to deliver and personalize its communications with customers. For example, Ericsoft may contact customers by email or other means to: inform them when a subscription is about to end, communicate that updates are available, request information relating to a service or repair request, invite a customer to take part in a survey or remind them to keep their account active.
Ericsoft shares customers' and end users' personal data with the customer's consent, or where necessary to complete a transaction or provide a service requested or authorized by the customer or end user. For example, when a customer or end user provides payment information to complete a purchase, Ericsoft shares the payment data with banks and other entities that process payment transactions or provide other financial services, for fraud prevention and credit risk reduction.
Ericsoft shares personal data with its affiliates and subsidiaries, and with vendors and agents working on its behalf, for the purposes specified in this policy. For example, companies hired to provide customer service support or to assist in protecting and securing systems and services may need access to personal data in order to provide these services. In such cases, these companies must abide by Ericsoft's data privacy and security requirements and are not allowed to use personal data received from Ericsoft for any other purpose. Ericsoft may also disclose personal data as part of a corporate transaction such as a merger or asset sale.
Finally, Ericsoft will access, disclose and preserve personal data, including customers' and end users' content, when it believes in good faith that doing so is necessary to:
comply with applicable law or respond to a valid legal process, including from law enforcement or other government agencies;
protect Ericsoft customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent loss of life or serious injury to anyone;
operate and maintain the security of Ericsoft services, including actions to prevent or stop an attack on Ericsoft's computer systems or networks;
protect the rights and property of Ericsoft, such as enforcing the terms that govern the use of the services.
Offices: from Monday to Friday
from 09:00am to 01:00pm and from 02:30pm to 06:30pm
Address: S.S. Adriatica 62, Misano Adriatico (RN)