Politika e të Dhënave

When we are talking about managing the data of our customers, we could identify ourselves as Data Controllers, Data Processors or both.

Data Controller

In what concerns the identity of a Data Controller, we can define it as being the business or person, who decides what information are being collected, with what aim and in what way this information is being processed and/or used.

If we invoke the EU Law on Controller’s obligations, a Controller should take into account the following:

An organization/ business can have the role of both controller and processor.

Data Processor

The Processor is the business or person that processes personal data with the approval of data controller (For example: data analytic providers or storage services).

The obligations of a data processor are:

The definitions of the new GDPR might be laborious to translate into today’s diverse business relationships. What is crucial is that these regulations are valid for both controllers and processors, this means it concerns your business.

Your client’s data and 360 Tourist Management Pack

When it comes to your booking reservations, 360 Tourist Management Pack is a data processor because it collects and processes your clients/tourist’s data as part of the main service we offer to you and implicitly to your clients.

This doesn’t mean you are losing ownership of these data; you are still the only owner of it, but we store and process some parts of it. For example, your tourist’s email addresses, phone number, nationality – in order to provide you with reports and analysis, useful for your business.

Your venue and your tourists data are in good hands, because data safety is our top #1 priority. One thing that has been updated in the new regulations is that you must inform your clients that their information is being processed by 360 TMP platform (as a Data Processor).

We advise you to do the same for all your other services/third party businesses that process personal data you have ownership on, making sure you inform your customers properly about the purpose of their data usage and about the Data processor that is doing that.

Key changes

Even if the main principles of data privacy have the same features, still there are some new updates, some changes, as it follows:

a) Increased jurisdiction

The main change is the broaden jurisdiction of the GDPR. Starting with 25th of May 2018, the rules of data protection will be assign to all companies which are processing personal data of citizens from EU countries, no matter where the company is located.

b) Clear consent

The consent conditions have been increased as well. Now, companies are forbidden to use a very hard language for Terms and Conditions, that is difficult to understand or takes too long to read it. These terms and conditions should be presented in a very clear, plain and simple language, easy to be read and understood by the wide public.

c) The purpose of data processing must also be attached to this consent.

This compliance must have a clear form, be easy to distinguish from everything else and it must be as easy to withdraw as it is to give consent.

d) More power to the data subject

When it comes to the unfortunate case of data crack/breach, notifications will become compulsory, especially when this breach may put at risk the rights and freedoms of EU citizens.

Data subjects, in this case your tourists and customers, have the right to demand information from the data controller (the guest house owner / hotel manager) about their personal data, if this is being processed, where, by whom and for what purpose.

Moreover, data subjects can now receive the personal data they have already offered, in a commonly use and also in machine readable format. They can also send this data to another controller.

e) The Right to be Forgotten

Data subjects can also ask the data controller to erase their data, to halt further dissemination of the data and likely have third parties interrupt processing of that data.

Some of the possibilities leading to data erasure include the data no longer being relevant to its original purpose for processing, or data subjects withdrawing their consent.

For erasing data, as Data Processor, 360 TMP is entitled to act in accordance to data controller’s request. Thus, if the data controller or the data subject is asking us to erase, remove or transmit the specific personal data, we will enact accordingly to EU regulations. We commit to do it in the shortest time, but not later than 30 days.

All data that we process with your approval are stored on servers phisicaly located in Europe, owned by our company, thus making sure that we follow, apply and respect all EU procedures and legal injunctions for conducting this business and providing you with these services.

f) Privacy by Design

Data protection must be included from the system designing phase, not added subsequently.

To be more specific you must carry out relevant technical and organisational benchmarks to meet the requirements of the new EU regulations and thus protect you client’s personal data and rights.

Controllers are asked to hold and process only the data that is mandatory. Moreover, they are entitled to limit Data Processor’s access to personal data.

Penalties for non-compliance

If your business does not comply entirely to GDPR you will face a massive fine. The maximum can be up to 4% of your annual global turnover or 20 Million euro. These fines are applied for violations such as:

How to prepare

1. It’s vital to have a precise picture or your network, also about the data you control and especially about who has access to it. Access to that data must be deeply restricted and monitored at all times in order to avoid unaproved access.

2. Double check and properly assess the security measures you work with at the moment; this includes technology, your Data Processors and other people that have access to your data. When the case, make sure you take aditional measures to avoid data breach. You have to be able to trace an intruder in case he haked in your sistem, trace him and remove him/block any vulnerable spots.

3. The role of the Data Controller and the role of us, the Data Processor, is to create a better understading of these terms and legislastions that we obbey and integrate in our work as service providers.

Make sure you are also compliant with GDPR regulations, that you took all the neccessary measure to properly act under the new legislation.