What is Nor1’s Relationship with GDPR?
– Nor1 is a data processor for hotel companies. Hotel companies are the data controllers; they control the transfer to Nor1 for processing. Nor1 processes guests’ and hotel employees’ personal data as broadly defined by GDPR. Nor1 must comply with GDPR because it has customers in the EU.
GDPR & Nor1’s Products
What is the GDPR impact on CheckIn Merchandising™?
– The hotel will be concerned with US data transfer, which is addressed by the Privacy Shield Frameworks. In Nor1’s view, the check-in process itself obtains guest consent for a room upgrade.
What is the GDPR impact on eStandby® (including eXpress™)?
– The Privacy Shield Frameworks address the international data transfer concern for eStandby and eXpress. A second risk is Nor1’s ability to send offer emails, which is discussed in the next section.
Can Nor1 send offer emails directly to guests without consent?
– Yes, because the hotel has the authority to contact the customer under ‘soft opt-in’ principles. Nor1 is clearly acting as an agent of the hotel by sending an email. Nor1 has the GDPR Data Processing Addendum in place with the hotel. Nor1 has an opt-out on the offer email that can be tracked by both the hotel and Nor1. A second argument is ‘legitimate interest’ as defined in GDPR Article 6(1).
What is soft opt-in on the offer emails?
– Nor1 offer emails are viewed as transactional and not marketing. Nor1 uses the ‘soft opt-in’ exception to consent: the guest email was obtained from the sale of a good or service (the reservation), the marketing relates to similar products and services, and the guest is an existing customer. The majority of EU customers support Nor1 on this matter.
Can EU Companies transfer data to Nor1 under GDPR?
– Yes, Nor1 is certified for the EU-US and Swiss-US Privacy Shield frameworks to process data from EU citizens in Nor1’s US-based, secure data centers. The frameworks were designed by the US Dept. of Commerce, European Commission, and the Swiss Administration to comply with data protection requirements on both sides of the Atlantic. Privacy Shield, along with the Safe Harbor provisions it superseded as of Q3 2016, is an agreement between the US and the EU to address current US data protection laws. The frameworks’ function is a legal basis for the transfer of EU citizens’ personal data to and from the US, to meet this requirement of the GDPR.
Can Nor1 transfer EU data to 3rd parties under GDPR?
– Yes. Under the principles of the GDPR, Nor1 has proactively evaluated all 3rd party services for compliance with GDPR and the EU-US and Swiss-US Privacy Shield Frameworks. These 3rd parties are necessary to complete the delivery of Nor1 services to Nor1’s customers. If a 3rd party vendor does not comply, Nor1 will switch to compliant vendors with equivalent services.
Does Nor1 sign new or additional agreements with EU customers?
– Yes, the hotel customer will enter into our GDPR Data Processing Addendum. Nor1 has a template for this addendum that can be easily customized per customer. While data protection is already regulated in the majority of our agreements, EU customers may proactively request this Data Processing Addendum in preparation for GDPR.
Does the UK still need to comply with the GDPR?
– Yes, until Brexit happens the UK will comply with GDPR. Brexit will likely not happen before May 25th (when GDPR is in effect), and UK hotels will likely stay with the GDPR after Brexit because there is little reason to implement a new framework.
What is legitimate interest?
– Legitimate interest is a legal basis under GDPR Article 6(1) for processing personal data. An example is a hotel sending an email to a guest to personalize their experience during their stay. The legitimate interest needs to be disclosed in a privacy notice. Legitimate interest allows the hotel or Nor1 to send offer emails without consent.