In these guidelines we will explain the most important points on the subject of data protection, and also highlight what we have done at bookingkit to ensure that we comply 100% with GDPR and what steps you might have to take. Please note that this article does not represent or replace legal advice, but is simply for information.
1. What is the GDPR?
The new General Data Protection Regulation (GDPR for short) has been in force since 25.05.2018. This is a European Union regulation which aims to harmonise the processing and storage of personal data and strengthen the rights of EU citizens in data protection matters.
The GDPR applies to all legal entities and natural persons within the European Union who process or store personal data. The regulation also applies to organisations outside the European Union which process data on EU citizens.
In general, the purpose of the GDPR is to ensure that end consumers obtain better control of their personal data. Customers should be able to find out what is happening to their data or request that their data be deleted at any time.
But what exactly are personal data?
Article 4 of the GDPR defines what exactly personal data are: “All information which relates to an identified or identifiable natural person”
So all data which can be traced back or assigned to an individual. In specific terms, this could mean the following information, for instance:
- Email address
- Date of birth
- Telephone no.
2. Am I affected by it?
In general terms, all businesses which collect, store or process personal data on end customers, employees or even competitors are affected by the GDPR.
As a provider of Experiences who sells and markets your activities online, you collect and store the personal data of your customers. On the one hand, if you specifically receive a booking on your website. On the other also via cookies or newsletter messages. So in all cases you must take the necessary steps to comply with GDPR. Otherwise there is a risk of a substantial fine of up to 20 million Euros or 4% of worldwide annual turnover.
3. Steps we have taken at bookingkit:
It is of course a major and important concern for us that we comply 100% with the GDPR, and we took all the necessary precautions in advance:
- From now onwards, your end customers can call up a Data protection declaration at the Checkout where all the important information about use of personal data is explained.
- Completely new: within the framework of the GDPR, your end customers must confirm your terms and conditions and data protection declaration by ticking a box before they can complete the order process.
- Under Account > Company data you can also as of now upload your data protection declaration in addition to your T&Cs and legal notice. Your end customers can look at these at the Checkout, as well as bookingkit’s data protection declaration, and they have to confirm these together with the T&Cs.
- We have also published a Data protection declaration which is specifically aimed at our Suppliers.
- We have likewise revised our T&Cs and they are now fully compliant with the GDPR.
4. Steps which you should take:
Of course it’s not enough that we at bookingkit adjust our processes to comply with the GDPR. You may also need to make a few changes:
- Create your data protection declaration in accordance with the GDPR and place it on your website. You should add this to your bookingkit account under Account > company data.
- In your data protection declaration you should mention Mangopay as well as bookingkit, as we both process your customers’ personal data. If you also offer PayPal as a method of payment, please include this in your data protection declaration. It is advisable to list all the service-providers mentioned above under “Third party services” in your data protection declaration.
- At bookingkit we process your Customers’ data on your behalf. For this purpose we have already sent you a Contract Data Processing Agreement (CDPA) by email, with its attachment Technical and Organisational Measures (TOMS). If you have not already done so, please fill out the CDPA, check the TOMS and send the signed version back to us by email at firstname.lastname@example.org.
- At the request of your customers, you must delete customer information from your data sets. This may mean, for instance, email addresses from email marketing, or also data from an order. Invoices, or other documents related to bookings, may not be deleted for tax reasons. If you do have to delete data, feel free to contact us at email@example.com.
- If you still feel uncertain about any of this, have a quick look at our GDPR-checklist. And, of course, you can contact us at any time at firstname.lastname@example.org. Please be aware, however, that we do not offer legal advice on the subject of the GDPR and are not a substitute for this. If you need this sort of help, a lawyer specialising in IT matters will be able to advise you.