What is GDPR?
On Friday, May 25, 2018, a new EU regulation, the GDPR (General Data Protection Regulation), came into force, with the aim of improving the level of protection of personal data.
Does it affect my business as well?
Yes if you accept reservations from Restu, or if you use any of the Restu reservation products (e.g. Electronic Booking Book). Once we forward the guest's personal data associated with a particular reservation to you and the guest arrives at the reserved time, your business becomes a separate personal data controller and is fully responsible for their further processing.
What has changed in Restu products
A lot of the background processes have been modified and new features have been added to ERB and pro.restu administration. The main changes made are:
We have created processes for anonymizing personal information in reservations
We have added the ability to delete a guest (right to be forgotten)
We have modified the process of getting the consent with personal data usage for marketing purposes (newsletters)
We have launched new user roles with different access rights
1) Anonymization of reservations
We have launched processes for automatic anonymization of personal data in the reservation. This means that after a certain period of time the guest's personal data will not be visible in the particular reservation. The time is determined by the following rules:
Realized reservations - 5 years from the date of booking (or until the guest has applied the "right to be forgotten" see point 2.)
No-shows or canceled reservations - 44 days from reservation date or reservation cancellation
Note: In case of reservation from guest you already have in the guestbook, a 5-year period applies even if the reservation is not realized or canceled, based on his / her prior consent to personal data processing.
2) Guest deletion
We have added a guest deletion function to the pro.restu administration (see "Guests" section on the detail of a particular guest). When a guest is deleted, all personal data associated with the email address is deleted. Reservations (as well as any reviews) remain anonymous.
Note: Only historical data is deleted. If a guest has scheduled future bookings, they must be cancelled first, otherwise the personal information will be retained for the purpose of reservation processing.
Additionally, we will notify you about all guests who’s recommended retention period (5 years) has expired. With these guests you have the option to delete them or keep them (extend their data storage period for another 5 years).
3) Getting consent for usage of personal data for marketing purposes
In order to process personal data for direct marketing purposes, you must have explicit consent from the guest. This can be obtained directly from the guest in the reservation form.
Another option is to enter the guest's consent manually on the guest card in your pro.restu administration.
All guests with consent can then be downloaded to the CSV file in the pro.restu administration ("Guests" section) and used for marketing campaigns.
Caution! If you add consent manually, in case of an inspection you must be able to prove retrospectively how the consent was obtained.
4) User roles with different access rights
With user roles, you can set what information individual users can access within the administration and which settings they can edit. The following roles are available:
Admin (access everywhere, can create additional users)
Manager (access everywhere except billing and tariff change)
Staff (limited access for reservation management)
You can set user roles in the pro.restu administration in the section "Settings > User Management" (available for users with the "Admin" role).
Have more questions?
If you have any questions, please contact your partner manager.