HotSoft GDPR Compliance FAQ
This FAQ is for Hoist Group customers who use HotSoft 7, HotSoft 8, HotSoft Online and/or Serviator. It is meant to provide a basic overview of Hoist Group’s GDPR compliance efforts and preview the information you are entitled to know as a data controller.
On May 25th 2018 the General Data Protection Regulations (GDPR) came into force in the EU. They apply to Hoist Group and all of its customers. The idea behind the GDPR is that information about people (‘data subjects’) should be in the control of those people. Hoist Group agrees.
The GDPR requires that information about people (‘subject data’) be protected from physical and technical theft. It aims to put people (‘data subjects’) in charge of their own data. The GDPR requires that the movement of subject data between companies be transparent and explained in a contract and that companies only export subject data out of the EU in certain secure circumstances.
The GDPR requires that companies have the ability to:
- delete subject data at the request of the data subject;
- correct that data at their request, and;
- provide the data subject a copy of the information that they hold.
The GDPR requires that companies document their efforts to track subject data, institute policies to protect that data, and for some companies, the GDPR requires that they install a Data Protection Officer. The GDPR requires that it is easy to find out what data a company holds and who they share it with.
Throughout 2017, Hoist Group has used external legal consultants to audit its products and processes for GDPR compliance, and has carefully balanced, in accordance with the regulations, the need for protection of data with the commercial interests of its customers.
The GDPR requires that certain information be communicated between data processors and data controllers in their contracts. Hoist Group has prepared a compliant Contract Supplement which provides that information. It will be issued in February/ March. The Contracts have software instructions attached to them, which must be followed.
What is the Compliance Status of the HotSoft Products?
HotSoft 7: HotSoft 7 is an older product that does not have ideal logging and deletion capacity. In order to use HotSoft 7 in the most compliant manner possible, it is essential that all customers follow the software instructions that will be issued for HotSoft 7 in January, along with its contract update. Ultimately, there are plans to discontinue HotSoft 7.
What is the Issue with HotSoft 7?
Technology evolves rapidly, and so does the definition of appropriate technical and physical protection of data. HotSoft 7 does not have the state-of-the-art protections we think regulators would like to see, so we are phasing out the product.
The issues with HotSoft 7 are:
Log-in: The GDPR requires data to be protected, which includes having a reasonable way to control access to the data. In a perfectly compliant system, each user would have a password protected log-in and it would be possible to know which user of HotSoft had changed what data.
Fix: There are several steps you can take to patch this compliance gap. You can keep an Excel spreadsheet log of who worked when in order to have that information in case data is stolen. You can (and should) have your employees and contractors sign confidentiality agreements that obligate them to keep subject data confidential.
Deletion: HotSoft 7 doesn’t really delete data. The GDPR requires you to inform data subjects how long you will keep their data, to keep data only as long as necessary and to permanently delete data upon the request of a data subject or after a period of time. You are the data controller and that period of time is up to you. The software instructions that are App.1 to your Contract Supplement will explain how to delete subject data.
Note: Hoist Group will support your transition to HotSoft 8, as there are plan to discontinue HotSoft7. Please contact your local Hoist Group office for further information about upgrading to HotSoft 8.
What data do I Collect with HotSoft?
All HotSoft products collect the following subject data:
- ID information
- E-mail address
- Postal address
- Planned dates of travel
The kind of data collected is at your discretion, provided that you only take the data necessary to provide hospitality services. For instance, for marketing purposes, HotSoft allows you to collect:
- Trip Purpose
However that information should only be collected if necessary. Further, the GDPR gives additional protection to what it calls ‘sensitive information’ about things like ethnicity, health status and religious affiliation. The HotSoft products are not designed for you to collect sensitive information. In fact, it is a condition of HotSoft processing that you do not collect sensitive information.
How is the Data Collected by HotSoft protected?
First, HotSoft is a proprietary system, so data stolen from it would be unreadable without a copy of the program. However, subject data can be downloaded from HotSoft 7 and HotSoft 8.
Second, for HotSoft 8 cloud customers, the data collected is kept in a secure data centre in Sweden that has up-to-date physical and technical measures for protection, including locked doors, ID passes for security, CCTV and controlled access.
Most importantly, however, the data collected by HotSoft products must be protected by your staff. Human error is the single greatest cause of data breaches, but good data habits can limit human error. Ensure that screens bearing HotSoft information are not visible to hotel guests. You have the capacity to download or print reports of aggregate subject data. Once those reports are downloaded, they are subject data in your sole control. You are obligated to keep those reports confidential.
Is My Hotel a Data Processor or Data Controller?
Since you decide what data you collect and you have the relationship with the hotel guest whose data you are collecting, under the GDPR (unchanged from previous data protection laws), you are the Data Controller and Hoist Group is the Data Processor. That means that you direct and control what data is collected and how it is stored. It also means that you have the right to require Hoist Group to process data on your behalf securely with all reasonable industry technical and physical security.
When you use HotSoft 8, Serviator and HotSoft Online with our additional cloud service, your guests’ subject data is processed at our data centre in Sweden. The data centre is GDPR-compliant and secure. The data is backed up. If HotSoft 7, HotSoft 8 or Serviator is locally installed at your hotel site, or is otherwise outside of our cloud environment, Hoist Group has only sold you software, and therefore only actively holds and processes subject data when, for instance, providing maintenance.
What Are My Rights and Obligations as a Data Controller?
You have the right to know anyone Hoist Group shares the subject data with. Hoist Group only shares subject data at the direction of you, the data controller.
As a data controller, you have the right to know exactly when Hoist Group processes your customers’ subject data and what we do with it.
Hoist Group processes subject data:
- when providing maintenance or back-up assistance on the licensed software;
- when the data is hosted on our server in Sweden, and;
- when an end user makes a reservation using HotSoft Online.
Payment information: HotSoft does not take payment information from data subjects. HotSoft hosts third parties’ payment methods, and provides only the interface under which a third party of your choosing takes payment on your behalf. Hoist Group’s HotSoft interfaces are PCI-compliant.
For your information: In the hospitality sector, the biggest data protection issues to date have been with payment interfaces at points of sale (POS) in hotels.
Breach notification: In the event that your system is breached and data is stolen, you may have an obligation to inform a supervisory authority, or to inform the data subjects involved. Hoist Group will notify you within 72 hours in the unlikely event that there is a breach of the Cloud storage, and will assist you in determining your notification obligations.
Length of processing: You have the right to know how long a data processor will be processing your data. Hoist Group will continue to process the subject data until termination of its contract with you.
Subject access requests (SARs)
GDPR gives people certain rights to access, correct, move, erase or port their data. It is the responsibility of the data controller to comply with people’s requests regarding their data, and to provide them their own data in a common electronically readable format.
Hoist Group will assist you as far as possible, but as processor Hoist Group has no more data than you as controller, and data subjects are likely to make these requests to you. You must provide a data subject with a copy of the data that they request, after you have verified that data subject’s identity.
You must also delete a data subject’s subject data upon their request. The software instructions will provide further details.
Do I Need to Get Consent From Every Guest?
Any time you collect subject data you must have a legal basis to do so. One basis of consent is performance of a contract. You have a contract with your guest to provide hospitality services. You can collect the data you need to perform that contract and HotSoft provides the means for you to do so and this is all perfectly compliant with the GDPR without consent.
You can even use that guest’s email to send them news of offers and promotions your hotel is offering. If you do that, the guest must be able to easily unsubscribe, and the news must be only about the hotel that the guest stayed in and not any other sister hotel or company.
If you want to collect your guests’ subject data to sell to third parties, you will need your guests’ explicit consent. That is between you and your guest and is beyond the scope of HotSoft.
HotSoft 8 has a specific feature to track consent, this is not available in HotSoft 7 and has to be done manually.
What are Hoist Group´s Obligations to My Hotel?
- Hoist Group agrees that all of its personnel who access HotSoft subject data will be subject to appropriate confidentiality obligations and will only access the data either on your written instructions or for maintenance or back-up purposes.
- Hoist Group agrees that access to HotSoft is subject to GDPR-compliant security measures and encryption.
- Hoist Group will delete all HotSoft subject data associated with your contract upon termination of the contract, including back-up copies of that data.
- Hoist Group will demonstrate GDPR compliance as reasonably requested by you.
- Hoist Group will not delegate processing to any sub-processor without your written consent.
- Hoist Group is obliged to implement, and has implemented, appropriate technical and organisational measures in order to meet the requirements of the GDPR.
- Hoist Group protects all rights of data subjects.
- Hoist Group will, at the Client’s request, delete or return subject data to the hotel after the end of the provision of services relating to processing and will delete all additional copies of this data.
This represents Hoist Group’s considered and best legal and technical thinking on GDPR as it relates to HotSoft products. This FAQ is a predecessor document to the Contract Supplement Hoist Group will issue in January for HotSoft customers. To use HotSoft in a GDPR-compliant way it is vital that you follow the App. 1 software instructions for your product. In the spirit of transparency and communication between processors and controllers that underscores the GDPR, Hoist Group is sharing this information with you, our HotSoft customers. However, Hoist Group cannot give your hotel legal advice and ultimately your compliance is your responsibility.