The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 throughout the European Union. It replaces the existing EU regulations relating to data protection. It is important that we have a formal agreement (Contract) in place between us to ensure compliance with the new regulations and to ensure the security of our clients' data that is exchanged between us as data controller (Convenus) and you, our hotel partner, as data processor. This information relates to Convenus LLP together with any service, partner or client that we operate this service for.
Why are contracts between controllers and processors important?
Contracts between controllers and processors ensure that we both understand our obligations, responsibilities and liabilities. They help us to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.
What data will we pass to you to process?
To process personal data, we rely on the following legal basis:
Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
For example, if clients use our services to make an online reservation, we will use the information that they have provided to carry out our obligation to complete and administer that reservation under the contract that we have with them.
This includes transferring relevant reservation information to you, the hotel provider selected when making the booking enquiry. This can include name, contact details, payment details, the names of the guests travelling with the client and any preferences or other information the client specified on the booking form.
Unless payment is made during the booking process, we will forward credit card details (without the CVV number on the back of the card) to the selected hotel for further processing and to complete the booking.
In cases of any hotel reservation related disputes, we may provide the hotel with information about the reservation process as needed to handle the dispute. This may include a copy of the reservation confirmation as proof of booking together with confirmation numbers or any correspondence directly relating to the booking.
We will at all times use our best endeavours to assist in the resolution of reservation related disputes between guests and hotel providers. However, the ultimate responsibility for any booking rests with the hotel provider, as we have acted as an introducing agent and offered the hotel in good faith based upon the information being accurate and correct as supplied by the hotel provider.
In certain cases, we may need to use provided information to handle and resolve legal disputes, for regulatory investigations and compliance.
How long can this data be retained for?
We will retain the client's data until the booking has been completed and all relevant invoicing has been completed. After this time all guest information will be deleted from our system and will be irretrievable. Hotels are requested to reflect this policy.
What responsibilities and liabilities do data processors have in relation to this contract?
As a data processor you are required to:
• only act on the written instructions of the controller, using the data provided only for the specified intended use, i.e. to complete and manage a booking request and reservation. No other use, such as future direct marketing to guests, is permitted without their express permission to do so;
• ensure that people processing the data are subject to a duty of confidence;
• take appropriate measures to ensure the security of processing;
• only retain data provided for as long as it is required;
• only engage sub-processors with the prior consent of the controller and under a written contract;
• assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
• assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• delete or return all personal data to the controller as requested at the end of the contract; and
• submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
What responsibilities and liabilities do data processors have in their own right?
A processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller) then it will be considered to be a controller and will have the same liability as a controller.
In addition to its contractual obligations to the controller, under the GDPR a processor also has the following direct responsibilities:
• not to use a sub-processor without the prior written authorisation of the data controller;
• to co-operate with supervisory authorities (such as the ICO);
• to ensure the security of its processing;
• to keep records of processing activities;
• to notify any personal data breaches to the data controller;
• to employ a data protection officer; and
• to appoint (in writing) a representative within the European Union if needed.
If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
If a processor uses a sub-processor then it will, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations.
GDPR brings new opportunities for organisations, including:
• Be known as a trusted organisation
• Win new clients
• Retain current clients
• Increase market share
• Increase profitability
• Enhance reputation
Who is responsible for the processing of personal data by the data controller and how to contact us?
Data Controller: Convenus LLP is registered in England & Wales - OC 308621. Our registered office is: Avebury House, St Peters Street, Winchester, SO23 8BN
Contact telephone: 00 44 (01)722 742603 or Email: firstname.lastname@example.org
Thank you for your support and cooperation in keeping client data secure.
Please contact us immediately if you feel that we have used any data inappropriately.