Revinate’s commitment to GDPR
GDPR readiness: A hotelier’s guide
At Revinate, we are all about making the complicated less complicated. At the moment, one of the most complicated things out there is the European Union’s new privacy law, the General Data Protection Regulation (GDPR). To help you navigate this legislation, we are presenting the more complex nuances of it in a way that is simple and useful. This Guide will help your hotel and employees better prepare for compliance with the GDPR.
What is Revinate doing about the GDPR?
- Thoroughly researching the areas of our product and our business impacted by the GDPR
- Appointing a responsible person for privacy and data protection
- Developing a strategy and requirements for how to address the areas of our product impacted by the GDPR
- Rewriting our data protection agreement
- Performing the necessary changes/improvements to our product based on the requirements
- Implementing the changes to our internal processes and procedures required to achieve and maintain compliance with the GDPR
- Thoroughly testing all of our changes to verify and validate compliance with the GDPR (being done incrementally as changes are completed)
- Finalizing and communicating our full compliance (this will be done when all work is completed, which will occur prior to the effective date of the GDPR)
GDPR customer FAQ
What you need to know
What are the main things I should do to ensure GDPR compliance?
First, be sure your data processing vendors offer easy-to-use, comprehensive solutions designed to help you reach GDPR compliance as it relates to the 4 main pillars: proof of consent, right to data portability, right to erasure, and right to refuse profiling.
Second, conduct a privacy impact assessment so you understand the flow of your data, who has access to it, where it is stored, and what it is being used for.
Third, ensure that you have proof of consent from every European Union (EU) resident or citizen within your database. This may need to be done retroactively in order to communicate with them after May 25th, 2018. You will need to be able to prove that they consented to receiving your email marketing communications.
Revinate offers customers the opportunity to easily send a double opt-in campaign to all known profiles in EU member states and beyond who currently have implicit consent.
We recommend including an opt-in call-to-action in your transactional emails (including confirmations, pre-arrivals, and modifications) to encourage sign-ups at every stage of the booking process.
What do I have to do to remove EU contacts with whom I shouldn’t communicate?
It’s important to get as much of your database to opt in to your marketing campaigns as possible. Target known profiles in EU member states with a double opt-in campaign prior to March 25th, 2018 to capture their proof of consent.
Once the GDPR comes into effect, Revinate will add a checkbox to help users avoid sending any promotional campaign to those known EU residents/citizens from whom you do not have explicit consent.
Does the GDPR mean I need double opt-in?
Double opt-in is not required, but proof of consent is. The best way to establish proof of consent is through double opt-in.
Even without the GDPR, a double opt-in approach is still highly encouraged. It will help you create a healthier list by preventing bad email addresses from being added to your database. In addition, double opt-in is better for your sender reputation and email deliverability.
Can I transfer personal data related to persons from the EU outside of the EU?
Organizations are only allowed to transfer personal data outside of the European Economic Area if they have in place appropriate safeguards to protect data abroad. Using the EU Commission’s Standard Contractual Clauses allows for the transfer of data to a country that has been recognized by the European Commission as providing an adequate level of data protection. Revinate’s Data Processing Addendum refers to these Standard Contractual Clauses.
What you need to do
There are 3 things that you might need to do depending on your situation and jurisdiction:
Update your privacy policy
Informing guests of the processing activities is a legal obligation of the customer accommodation provider, as the data controller.
Please ensure your privacy policy properly communicates how you are using Revinate and similar services to process personal data and for which purposes the processing takes place. This requirement is also part of Revinate’s Terms of Service.
Sign the data processing agreement (DPA)
The data controller is obliged to sign a DPA with all of its processors. We have prepared a DPA together with our legal counsel to be in compliance with the GDPR.
We will send a version of our DPA to all Customer Accommodation Providers for you to review and digitally sign. If you have any questions about its contents, please email privacy@revinate.com.
Ensure you have proof of consent for all European Union residents or citizens
We recommend that you obtain explicit consent with a double opt-in approach. With double opt-in, upon signing up for email promotions, an individual receives an email with a verification link. When they click this link, it confirms both their consent and the accuracy of their email address. It also keeps a record of that consent, which is required by the GDPR.
Revinate’s appointed Data Protection Officer is Dean Holloway, dean.holloway@revinate.com
To learn about data and privacy laws in other areas, visit our Global data and privacy laws page.
Let’s chat
We hope these updates will further empower you and all of your hotel marketing efforts. Need further assistance? Please drop us a note — let’s chat!