The General Data Protection Regulation (GDPR) is an EU regulation on personal data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It affects properties around the world—if you collect personal data from someone in the EU (such as a European customer booking their stay from home), your property is subject to the requirements of the GDPR.

Three main roles in GDPR

In terms of personal data, GDPR defines three roles:

  • Data subject (human beings from whom or about whom information is collected in connection with your business and its operations)

  • Data controller (person or organization that determines the purposes for which and the means by which personal data is processed)

  • Data processor (processes personal data on behalf of the controller)


Is Mews data controller or data processor?

Mews can be either data controller or processor depending on the context of the data.

Mews is the data processor when it comes to data collected in the PMS. We process personal data on behalf of an accommodation provider acting as data controller. The processing of this personal data is governed by the privacy policy of the accommodation provider.

Mews is the data controller when it comes to the voluntary personal data collected necessary for Mews to provide a guest access to the Mews guest portal. The collection and processing of this data is governed by the Mews privacy policy.

Note: Data collected in the context of a particular reservation is only ever shared with the relevant property and chain. This data is never shared otherwise and Mews doesn't provide or sell this data to any third party nor use it for contacting guests with Mews marketing offers, etc.

Guest portal and data requests

Every guest invited to join the guest portal can decide whether to consent and create a profile or opt out.

After creating a profile, our guest portal gives guests full control over their data—they can view all personal information that has been shared with properties and request that it be either sent to them or deleted entirely. (Please note that these options are only available to customers after they have physically stayed at a property because their data is required for processing the reservation.)

Mews doesn’t delete a guest’s personal data collected by accommodation providers. When a guest uses the guest portal to request that their data be either sent to them or deleted, we’ll send you an email letting you know. Then you can clear their information from their customer profile.

Can properties disable the guest portal?

The Mews guest portal is voluntary for guests and delivers features which are proven to increase guest satisfaction and help properties speed up and automate processes. We don't recommend disabling it, but you can follow this guide to learn how to do so.

Our recommendations to you

Mews recommends that you appoint a data protection officer (DPO) per location or chain to monitor your property’s compliance. Although you are not legally required to submit any information to Data Protection Authorities (DPAs), we highly recommend that you become acquainted with your national DPA in case you need to report a data breach—which must be done within 72 hours of becoming aware of the breach.

It may also be beneficial to conduct an internal audit of all software used at your property, so you are fully aware of who is collecting and storing guests' data.

Mews appointed an external DPO to oversee our compliance with the GDPR. In the case of a data breach, the DPO would be responsible for informing our users. For all privacy-related claims, contact [email protected].

Did this answer your question?