Your GDPR readiness project is likely to spend some time considering the use of technology to process personal data.
It is a part of your business where you are likely to use third party processors (Data Processors) to help you get the job done.
Hotel people know all about running hotels. They don’t know much about how email servers, booking systems, website servers or integration APIs work. That’s why you employ third parties to provide those services for you. In effect you outsource your processing to a service provider.
There is an issue you need to be aware of. At the time of writing, this hasn’t had much profile. Whether it becomes a problem remains to be seen.
The GDPR specifies that you, as a Data Controller, issue instructions and create a contract to govern the processing of personal data as carried out by your chosen Data Processor. This contract clarifies the nature of the working relationship you have with your Data Processors and specifies what they do with the personal data you share with them.
The problem starts here. As the Data Controller you call the shots and carry huge responsibilities, yet you know nothing about how the processing will be done – so how can you specify what should be done?
It is generally accepted in the world of outsourcing that this is the case. The customer is reliant on the know-how provided by the supplier.
So you have an intriguing situation: you want your bookings handled by a booking engine on your website, which also shares inventory with OTA websites in such a way that you keep control over prices and availability, you don’t get overbooked, the reservation data is passed straight to your internal PMS, and payments are automatic.
In such a scenario, your Data Processors look like this:
Depending on how your processing is organised, some of these systems might be combined by one provider or they could all be separate. There might even be other operators involved.
To administer one, single, reservation you need to involve all of these.
The Payment Handler is actually a Data Controller. Your relationship to them is that of a Data Processor (they decide what you collect and how it is to be used, not you – you just do as you’re told).
The Online Travel Agent is a Joint Data Controller with you. You both make decisions regarding the processing of the personal data belonging to your customers. If your hotel effectively “borrows” customers from OTA websites, the OTA makes decisions regarding how that data subject finds your hotel, and you make decisions regarding how their stay is administered.
The GDPR gives you both responsibilities and these need to be clarified and set by a contract between you. Have you created your Joint Data Controller contracts for each of your OTA partners yet?
Or are you just going to sign the one they send to you?
Caution required. This is how hotels ended up paying unsustainable commission rates and giving away last room availability.
Developing the contractual relationship is a part of your Readiness Project with GDPR for Hotels. Given the level of complexity we are about to encounter, you may need to consider some proper legal advice.