What is the goal of GDPR?

It streamlines privacy laws across all EEA states and strengthens/creates additional enforcement power and significantly higher fines. It also ensures transparency and that individuals are in control of the data that is collected on them.

Does it apply to my business if I don’t have a physical presence in the EEA?

If you are monitoring or gathering personal data from individuals in the EEA, for example through a website or app, you will need to comply. This applies even if your business doesn’t have a physical presence within the EEA.

What is the difference between a data processor and a data controller?

A controller is an entity that determines the purposes, conditions, and means of the processing of personal data. The processor is an entity which processes personal data on behalf of the controller. HotelTechReport, for most purposes, is a data processor.

What is considered to be Personal Data (PD)?

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

How has HotelTechReport prepared for GDPR?

We undertook a number of activities to ensure GDPR-readiness. This includes:

A full data mapping exercise;

Updated our standard terms of service and privacy policy (including GDPR disclosure requirements);

Reviewed and revised our downstream terms with our vendors;

Implemented measures to obtain verifiable, GDPR-standard consents from data subjects (where required);

Reviewed, identified and implemented any needed product changes (including enabling the deletion of data).

These steps are just the beginning of an ongoing process to ensure privacy and security across our entire offering.

Are the third parties that HotelTechReport interacts with also GDPR-ready?

Yes. Whenever we are in the client (or data controller) role, we are responsible for conducting a vendor assessment and confirming GDPR-readiness prior to using their services.

Which data protection methods does HotelTechReport use?

We use a variety of methods. These include Data encryption at rest, Data encryption in transit, DLP and more.

What is your contingency plan for personal data leaks?

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors, like HotelTechReport, will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. HotelTechReport will comply with these data breach processes.

How does HotelTechReport address Data Subject’s rights under GDPR?

HotelTechReport has processes in place to address Data Subject’s rights and requests for information, data deletion, data correction and data portability.

Q. Now that GDPR is in place, what has changed about how I use your services?

A. HotelTechReport is GDPR ready which means you can continue to use our services as before assuming you have received consent from the data subject. In cases where the data controller will not identify themselves, some services will require a change in setup. In most cases, this means the anonymization of the data subject’s personal data. In either case, you can be sure we are properly managing all personal data that we receive according to GDPR regulations.

Q. What is the difference between the Data Controller and Data Processor?

A. While there are some grey areas the general definitions are as follows:

A Data Controller is the entity that determines the purposes, conditions, and means of the processing of personal data.

The Data Processor is an entity which processes personal data on behalf of the controller.

Please note that agencies are often seen as a data controller. HotelTechReport would be a Data Processor.

Q: What is considered PD?

A: PD is any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person or identifiable to a person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. In some cases, data by itself is not PD unless it is combined with another piece of data.

Q: Do GDPR regulations apply in any way to aggregate data and reports primarily presented in summary form (typically in percent’s or mean scores, etc.), coming from a research buyer who purchases research services from suppliers?

A: Only data that qualifies as PD would be subject to GDPR requirements.

Q: If data properly collected on EEA residents is stored in the United States, is it still GDPR-compliant?

A: Yes, if the party storing the data is has entered model clauses with the client (Data Controller), then the transfer of data to the U.S. is allowed.

Q: How does HotelTechReport view and consider personal data such as IP addresses, cookies, mobile identifiers, etc.?

A: HotelTechReport will identify all PD collected, apply necessary safeguards, and follow GDPR guidance as required.

Q: How does HotelTechReport address a Data Subject Access Request (DSARs or SARs) for access or erasure?

A: If HotelTechReport receives a SAR directly from a data subject it will be communicated to the client prior to taking action. In either case, we are prepared to comply with the requests, per GDPR guidelines. Requests should be sent to legal@hoteltechreport.com.

Q: If a document with data subject information uses only initials and no other PD details, but a separate password-protected page carries full data subject details, is that considered GDPR-compliant?

A: The document with anonymized PD only would not constitute a risk. However, the existence of the second document with “data subject details” would automatically make both documents subject to GDPR requirements since they could be used together at some point in the future.

Did this answer your question?