The General Data Protection Regulation (GDPR) is an EU regulation on personal data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). If you are a property anywhere in the world that collects personal data from someone such as a European customer booking their stay from home, then your property is subject to the requirements of the GDPR.

In this article you can learn about:

• The three main roles in GDPR
• Mews: Data controller or data processor?
• Guest Portal: Data collection, handling data requests and disabling
• Mews recommendations
• Handling privacy-related claims

The three main roles in GDPR

In terms of personal data, GDPR defines three roles:

• Data subject: The persons from whom or about whom you collect information in connection with your business and its operations.
• Data controller: A person or organization that determines the purposes and the means of processing of personal data. 
• Data processor: An entity processing personal data on behalf of the controller.

Mews: Data controller or data processor

Mews can be the data controller or data processor depending on the context of the data collection.

Mews is the data processor when you collect data in the property management system. Mews processes personal data on behalf of an accommodation provider acting as the data controller. The privacy policy of the accommodation provider governs the processing of this personal data. 

Mews is the data controller when it comes to the collection of voluntary personal data necessary for Mews to provide a guest access to the Mews Guest Portal. The Mews privacy policy. governs the collection and processing of this data. 

Note: Data that you collect in the context of a particular reservation is only ever shared with the relevant property and chain.

Mews:

• never shares this data otherwise and
• doesn't provide or sell this data to any third party or
• use it for contacting guests for promotions such as Mews marketing offers.  

Guest Portal: Data collection, handling data requests and disabling

• The Mews Guest Portal gives guests full control over their data.
• They can view all their personal information shared with properties as well as request to either send it to them or delete it entirely.

• These options are only available to customers after they physically stay at a property as properties need their data for processing the reservation.
• Mews doesn’t delete a guest’s personal data collected by accommodation providers.
• When a guest uses the guest portal to request to either send it to them or delete it, Mews sends you an email to inform you. You can then clear their information from their customer profile.

Mews recommendations

Mews recommends that you appoint a Data Protection Officer (DPO) per location or chain to monitor your property’s compliance. Although you are not legally required to submit any information to Data Protection Authorities (DPAs), Mews highly recommend that you acquaint yourself with your national DPA in case you need to report a data breach; which you need to do within 72 hours of becoming aware of the breach.

It may also be beneficial to conduct an internal audit of all software that you use at your property, so you are fully aware of who is collecting and storing guest data..
 

Handling privacy-related claims

Mews has an external DPO to oversee Mews compliance with the GDPR. In the case of a data breach, the DPO is responsible for informing our users. For all privacy-related claims, contact [email protected].


You can learn about the Payment Card Industry (PCI) Data Security Standards (DSS) here.