GDPR sets a high standard for obtaining valid consent, and consent is one of the
lawful bases for processing personal data, but it is not always required. The
other lawful bases, namely the necessity of processing for the performance of a
contract, compliance with a legal obligation, protection of vital interests,
performance of a task in the public interest, and legitimate interests, remove
the need to rely on consent.
Apart from obtaining the consent of data subjects, GDPR compliance also involves
various other obligations and principles, such as transparency, purpose
limitation, data minimization, accuracy, storage limitation, and security of
personal data, as well as respecting the data subject's rights to access,
rectification, erasure, and objection.
Consent is therefore not the sole contributor to GDPR compliance. The following
areas should be covered by any assessment of GDPR compliance.
Data Mapping and Inventory:
• Identify and document all personal data collected and processed by the hotel.
• Determine the sources of personal data and the purposes of processing.
• Maintain an inventory of personal data categories, including guest
information, employee data, marketing data, etc.
Lawful Basis for Processing:
• Establish a lawful basis (e.g., consent, contractual necessity, legal
obligation) for processing guest and employee data.
• Ensure that guests are informed of the specific purposes for collecting their
personal data.
Privacy Policies and Notices:
• Create a comprehensive and transparent privacy policy detailing how the hotel
collects, uses, and protects personal data.
• Ensure the privacy policy is easily accessible and written in clear and
understandable language.
Consent Management:
• Implement a consent management system to obtain and manage guest consent for
processing their personal data.
• Provide clear options for guests to give and withdraw consent, and keep
records of consent received.
Guest Rights:
• Enable guests to exercise their rights, such as the rights of access,
rectification, erasure, restriction of processing, objection, and data
portability.
• Establish procedures for handling guest requests and ensure timely responses.
Data Security:
• Implement appropriate technical and organizational measures to protect
personal data from unauthorized access, loss, or theft.
• Regularly assess and update security measures, including encryption, access
controls, and employee training on data security.
Data Retention:
• Define and adhere to specific retention periods for different categories of
personal data.
• Regularly review and securely dispose of data that is no longer necessary for
the identified purposes.
Third-Party Processors:
• Ensure that any third-party service providers or processors handling personal
data (e.g., cloud storage, reservation systems) comply with GDPR requirements.
• Establish data processing agreements with third parties to clarify their
responsibilities and ensure adequate protection of personal data.
Data Breach Response:
• Develop a data breach response plan outlining procedures for detecting,
reporting, and responding to data breaches.
• Notify the relevant supervisory authority within 72 hours of becoming aware of
a breach, unless the breach is unlikely to result in a risk to individuals, and
notify affected individuals without undue delay where the breach is likely to
result in a high risk to their rights and freedoms.
Staff Training and Awareness:
• Provide training to employees on data protection principles, GDPR
requirements, and their responsibilities regarding personal data handling.
• Foster a culture of privacy awareness and regularly update employees on
changes in data protection regulations.
Cross-Border Data Transfers:
• Ensure compliance with GDPR rules for transferring personal data outside the
European Economic Area (EEA), relying on an adequacy decision or on mechanisms
such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Data Protection Officer (DPO):
• Designate a Data Protection Officer if the hotel's processing activities meet
the criteria defined by GDPR, for example large-scale regular and systematic
monitoring of individuals or large-scale processing of special categories of
data.
• Ensure the DPO is knowledgeable about data protection laws and acts as a point
of contact for privacy-related matters.