When we are talking about managing the data of our customers, we could identify ourselves as Data Controllers, Data Processors or both.

Data Controller

In what concerns the identity of a Data Controller, we can define it as being the business or person, who decides what information are being collected, with what aim and in what way this information is being processed and/or used.

If we invoke the EU Law on Controller’s obligations, a Controller should take into account the following:

• offer valid, real and clear information to clients about the data they collect and especially about the reason for collecting it
• to guard personal data of its clients in case of accidents, hackers, illegitimate processing;
• to have written agreements with processors, that are allowing access to their customer’s data, this means that they are obliged to act according to their instructions and make sure they submit to all data protection demands.
• in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

An organization/ business can have the role of both controller and processor.

Data Processor

The Processor is the business or person that processes personal data with the approval of data controller (For example: data analytic providers or storage services).

The obligations of a data processor are:

• to process data in a fair way, according to EU laws and regulations and for legitimate purposes only;
• to apply all adequate security measures in order to properly protect the personal data;
• to inform the data controller promptly of any data cracks/breaches;
• to keep domestic records of all data processing actions

The definitions of the new GDPR might be laborious to translate into today’s diverse business relationships. What is crucial is that these regulations are valid for both controllers and processors, this means it concerns your business.

Your client’s data and 360 Tourist Management Pack

When it comes to your booking reservations, 360 Tourist Management Pack is a data processor because it collects and processes your clients/tourist’s data as part of the main service we offer to you and implicitly to your clients.

This doesn’t mean you are losing ownership of these data; you are still the only owner of it, but we store and process some parts of it. For example, your tourist’s email addresses, phone number, nationality – in order to provide you with reports and analysis, useful for your business.

Your venue and your tourists data are in good hands, because data safety is our top #1 priority. One thing that has been updated in the new regulations is that you must inform your clients that their information is being processed by 360 TMP platform (as a Data Processor).

We advise you to do the same for all your other services/third party businesses that process personal data you have ownership on, making sure you inform your customers properly about the purpose of their data usage and about the Data processor that is doing that.

Key changes

Even if the main principles of data privacy have the same features, still there are some new updates, some changes, as it follows:

a) Increased jurisdiction

The main change is the broaden jurisdiction of the GDPR. Starting with 25th of May 2018, the rules of data protection will be assign to all companies which are processing personal data of citizens from EU countries, no matter where the company is located.

b) Clear consent

The consent conditions have been increased as well. Now, companies are forbidden to use a very hard language for Terms and Conditions, that is difficult to understand or takes too long to read it. These terms and conditions should be presented in a very clear, plain and simple language, easy to be read and understood by the wide public.

c) The purpose of data processing must also be attached to this consent.

This compliance must have a clear form, be easy to distinguish from everything else and it must be as easy to withdraw as it is to give consent.

d) More power to the data subject

When it comes to the unfortunate case of data crack/breach, notifications will become compulsory, especially when this breach may put at risk the rights and freedoms of EU citizens.

Data subjects, in this case your tourists and customers, have the right to demand information from the data controller (the guest house owner / hotel manager) about their personal data, if this is being processed, where, by whom and for what purpose.

Moreover, data subjects can now receive the personal data they have already offered, in a commonly use and also in machine readable format. They can also send this data to another controller.

e) The Right to be Forgotten

Data subjects can also ask the data controller to erase their data, to halt further dissemination of the data and likely have third parties interrupt processing of that data.

Some of the possibilities leading to data erasure include the data no longer being relevant to its original purpose for processing, or data subjects withdrawing their consent.

For erasing data, as Data Processor, 360 TMP is entitled to act in accordance to data controller’s request. Thus, if the data controller or the data subject is asking us to erase, remove or transmit the specific personal data, we will enact accordingly to EU regulations. We commit to do it in the shortest time, but not later than 30 days.

All data that we process with your approval are stored on servers phisicaly located in Europe, owned by our company, thus making sure that we follow, apply and respect all EU procedures and legal injunctions for conducting this business and providing you with these services.

f) Privacy by Design

Data protection must be included from the system designing phase, not added subsequently.

To be more specific you must carry out relevant technical and organisational benchmarks to meet the requirements of the new EU regulations and thus protect you client’s personal data and rights.

Controllers are asked to hold and process only the data that is mandatory. Moreover, they are entitled to limit Data Processor’s access to personal data.

Penalties for non-compliance

If your business does not comply entirely to GDPR you will face a massive fine. The maximum can be up to 4% of your annual global turnover or 20 Million euro. These fines are applied for violations such as:

• faulty client’s consent to process their data;
• abuse of the Privacy by design concept
• not having your records up to date and organized
• not notifing in the shortest possible time (maximum 72 hours) the relevant authority or data subjects about a breach;

How to prepare

1. It’s vital to have a precise picture or your network, also about the data you control and especially about who has access to it. Access to that data must be deeply restricted and monitored at all times in order to avoid unaproved access.

2. Double check and properly assess the security measures you work with at the moment; this includes technology, your Data Processors and other people that have access to your data. When the case, make sure you take aditional measures to avoid data breach. You have to be able to trace an intruder in case he haked in your sistem, trace him and remove him/block any vulnerable spots.

3. The role of the Data Controller and the role of us, the Data Processor, is to create a better understading of these terms and legislastions that we obbey and integrate in our work as service providers.

Make sure you are also compliant with GDPR regulations, that you took all the neccessary measure to properly act under the new legislation.