As you may be aware, GDPR regulation took effect in full on May 25, 2018. This law protects the privacy of European (EU Member) guests. It does not currently apply to guests from the United States and all other non-EU guests. Please note that Canadian guests also have email solicitation restrictions under Canadian Law.
Innkeeper’s Advantage and GDPR
Innkeeper’s Advantage and Book It Now products are GDPR compliant. Here are a few details about how our systems protect personal data.
- Our servers are and have always been secured and the personal data protected within our technology environment. Innkeeper’s Advantage is also a PCI and PPI certified provider.
- We do not share your guests’ personal data with outside entities, except as required to process a reservation, such as a merchant processor, or to perform approved marketing services, such as sending a newsletter, on your behalf.
Things to know About GDPR
As a business owner, you are responsible for complying with provisions of GDPR law. The following is supplied as a convenience to you but is not intended to be legal advice.
Innkeeper’s Advantage Disclaimer
The information contained herein has been obtained from sources believed to be reliable. Impactiv , Inc. makers of Innkeeper’s Advantage and Book It Now, disclaims all warranties as to the accuracy, completeness, or adequacy of such information. Impactiv, Inc. shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
Although the legislation originated in Europe, American business are subject to significant fines and penalties (up to 4% of your annual income) for violating the rules when dealing with guests of EU origin.
Under its provisions, an EU guest’s personal data cannot be stored, used, tracked in cookies or shared without the guest’s consent. Personal data is information related to a natural person that can be used to directly or indirectly identify the person. It can be a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Unless requested specifically by your guest, you are not required to delete or otherwise scrub any transaction that is required to process bookings or conduct business with guests. You may send email notices to guest to confirm reservations or interact with guests on a specific business activity.
We have created a check list here to help you navigate the requirements. Here are just some of the ways that innkeepers can avoid violating GDPR. It is not a comprehensive list. Please consult an attorney if you have additional questions.
Ways to Avoid Violating GDPR:
2. Separate your “I Agree” to terms and conditions from your “I Agree” for personal data consent. Booking and marketing are 2 separate activities and require 2 separate consent actions. You can use your email marketing program’s opt-in form to enable contacts to opt-in to marketing materials. You can also add an additional question at the end of your booking process to opt-in to marketing materials. You must respect the guests’ opt-in preferences.
3. Disclose any way in which you share personal data with 3rd parties such as re-targeting or sharing your email lists.
4. Do not share IA or BIN system login or visual access to the control panel screens with outside third parties not involved in your day to day operation. Only your authorized employees and IA support staff should have access to guest data.
5. Your employees must be trained regarding your GDPR policies.
6. Your employees should be granted access to personal data only on a need-to-know basis.
7. Delete or create a secure login to any personal data in downloads, reports or screen shots stored on your computer.
8. Get opt-in permission to send newsletters or offers to guests, former guests or other contacts.
9. Offer an unsubscribe link and functionality when sending marketing email.
10. Provide a way for individual guests to request access to their own data in an electronic format such as with an Excel Download.
11. Provide a way that guests can request to be forgotten. That means personal data must be deleted from all areas of your system and system backups. Innkeeper’s Advantage keeps 90 days of backups. Any data removed from your current database will cycle out within 90 days.
12. Have a contingency plan in the event that data is breached. That means notifying any guests whose data has been compromised.
Example Consent Notices:
You will be required to create your own newsletter opt-in and consent notices. Here are some examples, however, you should consult an attorney with any questions you may have about consent notices.
Thank you for booking with us. The personal data you enter below will be used for the sole purpose of managing your reservation(s) and to personalize our interactions with you. Your personal data will never be shared, transferred, or sold to third parties. Click the box below to grant consent for us to use your personal data as stated above.
You can withdraw consent to use your personal data at any time by contacting us here. (https://www.domain.com/contact-us).
Thank you for registering to receive email newsletters and promotions from us. Click the check box to grant your consent for us to use your personal data to send periodic emails. Your personal information will be used solely for the purposes of sending our promotional emails and it will never be shared, transferred, or sold to third parties.
You may elect to stop receiving promotional email by clicking the Unsubscribe link at the bottom of every email we send. You can withdraw consent to use your personal data at any time by contacting us at (https://www.domain.com/contact-us).
Sharing with third parties
Thank you for providing us with your personal information. By clicking the check box, you affirm your consent for us to use your personal data for promotions. At our discretion, your personal data will be shared with advertisers, market researchers, and other third parties for the purpose of targeting and tailoring promotional material to your specific likes and perceived needs.
You can withdraw consent to use your personal data at any time by contacting us at (https://www.domain.com/contact-us). You can also request details about your information and how it has been used, and we delete your personal data, if requested.