General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) went into effect in the European Union as of May 25, 2018. The following information explains how Inntopia complies with this regulation and how GDPR might impact you and your business.
If you have obligations under GDPR, you should take steps to understand your responsibilities and ensure you are compliant.
GDPR is the General Data Protection Regulation, a regulation of the European Union which has far-reaching implications for how companies handle personal data of citizens residing in specific E.U. countries. The regulation went into effect May 25, 2018 and applies to all companies who collect, store, process, or share personal data of those E.U. citizens, regardless of whether the company maintains a business presence in the E.U.
This extensive regulation comprises 99 articles which specify the steps companies must take to safeguard personal data and define how that data may be used and under what circumstances. For further details of the regulation, please visit this website.
In most instances, Inntopia’s relationship to you is that of a “data processor” under the GDPR framework. That is, Inntopia processes data on behalf of you, the “data controller”. As a data processor, Inntopia has many responsibilities around safeguarding and handling the data you and your guests entrust to us. These responsibilities include but are not limited to:
- Protecting and Safeguarding Data – Inntopia takes measures to protect the data we store and process. Through initiatives such as our PCI compliance, Inntopia has developed a mature information security program aimed at ensuring we know where your data is, who has access to it, and how it is handled, and at reducing the risk that it may fall into the wrong hands.
- Enabling Your Compliance – Inntopia is committed to helping you facilitate your own GDPR compliance and has internal processes in place to assist with any GDPR activities you may be called on to perform. Among these are:
  - Data Retention Activities – Our guest data-retention policies are in accordance with GDPR requirements and ensure that data is never kept beyond its legally allowable lifetime, and that the privacy obligations to your guests are met.
  - Processes to Manage Rights of the Data Subject – Inntopia has internal processes in place that support the rights of the data subject, such as data portability, data deletion (“right to be forgotten”), and data correction. These processes allow Inntopia to assist you in fulfilling valid requests your organization may receive from your GDPR guests to update, delete, and retrieve guest data.
For questions or assistance with any GDPR requests you receive from your guests, email: privacy@inntopia.com.
In addition to our already robust set of policies, procedures, and technical measures, Inntopia has adopted the ISO 27001 framework for Information Security Management. This internationally recognized information security standard expands and enhances our existing technical and procedural controls to ensure we are taking every possible action to protect your data.
Inntopia has contracted with a law firm specializing in data privacy and GDPR in particular. We actively work to verify our compliance with GDPR requirements with an attorney who is an expert in the field. This work includes keeping our privacy policy current and relevant, creating contract addenda for third-party processors with whom we share data, and ongoing representation as our Data Protection Officer (DPO) in the EU.
You can find the Inntopia privacy policy here: https://corp.inntopia.com/privacy-policy/.
First and foremost, if you don’t have in-house expertise, you should obtain qualified assistance with making sure you are compliant with GDPR. If you collect the personal data of E.U. citizens, you do have obligations under the regulation.
Some specific steps you may need to take, depending on your particular business situation, are listed below. This is not an exhaustive list, and in some cases you may have more or fewer obligations than what is included here.
- Update your Privacy Policy – Your privacy policy must comport with GDPR requirements. You, as the data controller, have an obligation to inform your customer of the lawful reasons for which you are processing their data and how you are processing it. This should include mention of Inntopia as a processor of their data.
- Obtain and Document Consent – You may have an obligation to obtain consent for the processing of data from your E.U. guests, particularly in the case of certain email marketing. You should keep a record of that consent should the need for it arise in the future. Be aware that consent requirements have changed from “opt-out” to “opt-in”.
- Maintain Agreements with Processors – Any entities who process data on your behalf (including Inntopia) must maintain a Data Processing Agreement with you. You may receive a Data Processing Agreement from Inntopia, in the form of an addendum to any existing contract in place, that spells out responsibilities of both Inntopia, as the data processor, and you, as the data controller.
- Respond to Requests from Data Subjects – You, as the data controller and the one who maintains the business relationship with the guest (data subject), must respond to inquiries and requests for correction, deletion, or retrieval of personal data. Make sure you have a process in place and that staff are educated on this requirement.
Inntopia is committed to your success. For questions or assistance with any GDPR requests you receive from your guests, email: privacy@inntopia.com.