General Data Protection Regulation (GDPR)
GDPR (General Data Protection Regulation) is a European law which affects all businesses and how they use personal data. The regulations are extensive but are essentially all about giving consumers (i.e. your guests) more control of their own data.
Full data mapping
We built an exhaustive map of all data handled by SuperControl, including connections with other Data Processors which ensures that we have the correct Data Processing Agreements with all partners.
GDPR introduced much tighter rules around subscriptions. Your guests need to opt-in to receive any marketing communication from you, including how you want to send this. For example, if you want to send them email marketing and a brochure this will now count as two subscription options.
The standard "opt-in" tick box on every form in SuperControl has a feature that lets you create your own subscription options. When guests tick subscription options we will correctly log this consent.
You will be able to filter by the different consent options and export data.
We also provide additional subscription links for channel or bookings that you add manually.
Guest data search
GDPR means that guests can contact you to find out what data you are holding about them. A guest can also request that data be removed if it is no longer required. SuperControl has the tools to help you find, remove and mask guest data.
Prior to GDPR the email invitations to guests to place a review came directly from UpFront Reviews. This changed and now they come directly from you, like other booking emails. We hope that this will also encourage more guests to place reviews.
Ongoing security projects
Behind the scenes we continue to carry out a range of other security projects. We have a very experienced security consultant in-house who is constantly testing and improving our application and hosting environment.
Our aim is to implement "privacy by design" across the whole company. Privacy and security will be at the core of all future system developments.
Is there some text I can add to our Terms and Conditions to explain our relationship with SuperControl?
Yes, our legal advisor suggests that you could tell your guests the following:
“We use SuperControl to manage our online booking process. We have a written contract with SuperControl to ensure that they will process your data on our behalf in compliance with all applicable Data Protection Laws.”
No. You just need to show it on your website. If you do not have a website, we recommend you seek legal advice.
Yes. Under Admin > Terms and conditions.
Do I need to ask permission in the booking confirmation letter to keep contact details?
No. You don't need specific permission to process a transaction.
Do I need to tell my guests about the booking websites I advertise my properties on?
Providing you don't input personal data on any of the sites yourself, then no.
Do I need to tell guests that their booking is added to my SuperControl account?
No. SuperControl is a Data Processor. Its system exists to process your data on your behalf.
If previous guests do not want me to keep their details, do I need to inform SuperControl?
At the moment, yes. You need to raise a support ticket requesting SuperControl to remove the data from your account on your behalf. We will then send you a form to complete to detail the exact criteria of data that you would like to be permanently deleted.
Do I have to ask all of my previous guests for their consent to keep them on my mailing list?
If previous guests subscribed to your newsletters in the past, those permissions have been transferred to the default consent option.
All existing guest records where guests have not subscribed to the new opt-in methods would need to re-subscribe - similar to all of the opt-in emails you probably received in the lead-up to May 2018 from websites you had used in the past. You could do this using a marketing email tool, e.g. MailChimp.
Do I need to ask PayPal to delete guest records as well?
No. The guest enters their data directly into PayPal.
If an iPhone is used to store images of payments or to send holiday business information to a third party, how does this comply with GDPR?
You need to ensure you are not capturing personal data unnecessarily.
If there is anything you are uncertain about, we strongly advise you to seek legal advice.