What is Nor1’s Relationship with GDPR?

– Nor1 is a data processor for hotel companies. Hotel companies are the data controllers; they control the transfer to Nor1 for processing. Nor1 processes guests’ and hotel employees’ personal data as broadly defined by GDPR. Nor1 must comply with GDPR because of customers in the EU.

Can EU Companies transfer data to Nor1 under GDPR?

– Yes, Nor1 is certified for the EU-US and Swiss-US Privacy Shield frameworks to process data from EU citizens in Nor1’s US-based, secure data centers. The frameworks were designed by the US Dept. of Commerce, European Commission, and the Swiss Administration to comply with data protection requirements on both sides of the Atlantic. Privacy Shield, along with the Safe Harbor provisions it superseded as of Q3 2016, is an agreement between the US and the EU to address current US data protection laws. The frameworks’ function is a legal basis for the transfer of EU citizens’ personal data to and from the US, to meet this requirement of the GDPR.

Can Nor1 transfer EU data to 3rd parties under GDPR?

– Yes, under the principles of the GDPR, Nor1 has proactively evaluated all 3rd party services for compliance with GDPR, EU-US and Swiss-US Privacy Shield Frameworks. These 3rd parties are necessary to complete the delivery of Nor1 services to Nor1’s customers. If a 3rd party vendor does not comply Nor1 will switch to compliant vendors with equivalent services.

Does Nor1 sign new or additional agreements with EU customers?

– Yes, the hotel customer will enter into our GDPR Data Processing Addendum. Nor1 has a template for this addendum that can be easily customized per customer. While data protection is already regulated in the majority of our agreements, EU customers may proactively request this Data Processing Addendum in prep for GDPR.

Does the UK still need to comply with the GDPR?

– Yes, until Brexit happens the UK will comply with GDPR. Brexit will likely not happen before May 25th (GDPR is in effect) and UK hotels will likely stay with the GDPR post Brexit because little reason to implement a new framework.

What is legitimate interest?

– Legitimate interest is a legal basis under GDPR Article 6(1) to process personal data. An example is a hotel sending an email to a guest to personalize their experience during their stay. The legitimate interest needs to be disclosed with a privacy notice. Legitimate interest allows the hotel or Nor1 to send offer emails without consent.