LAST UPDATED March 26, 2018
This FAQ is for current and future customers of ALICE products and ALICE GoConcierge. This covers everything you need to remain GDPR compliant while using ALICE products.
The General Data Protection Regulation (the “GDPR”) goes into effect on May 25, 2018. The regulation harmonizes the patchwork of privacy regulations currently in effect around Europe. The regulations help people stay in control of their information, and ALICE agrees with this principle. We are not in the business of making money from selling customer data or using it for anything other than helping hotels delight their guests. GDPR requires that companies take security and privacy seriously. It also requires transparency about how data is stored, moved, and processed. Companies must allow data subjects to control their data, and EU residents can ask for their data to be corrected, deleted, or exported. Companies need to document how they bulk process their customers’ information. They must enforce policies to protect that data, and for larger data processing operations, they need to have a Data Protection Officer with the power to control how data is processed and protected. Like the laws currently in effect, the GDPR defines when it is okay for companies to move data out of the EU.
For the past year, ALICE has worked with world-class legal, privacy, and cybersecurity consultants to audit its products and processes for GDPR compliance. In accordance with the regulation, we have balanced the need for security and data privacy protection with the legal, contractual, and commercial requirements of hoteliers.
The GDPR requires that data controllers define how data processors use the data they get from controllers. These requirements belong in our contracts with hoteliers. ALICE stores data in secure data centers based outside of the EU, and the GDPR allows this as long as we agree to and follow standard contractual clauses that guarantee the security and privacy of that data. ALICE has prepared a compliant SaaS agreement, which provides the necessary information and includes the required contractual clauses. It is available to all current and future hotel customers.
WHAT IS THE COMPLIANCE STATUS OF OUR PRODUCTS?
(ii) GoConcierge is secure but it is not legally GDPR-ready. GoConcierge continues to operate as a secure platform that is PCI-compliant, meaning it is audited for security purposes and allowed to hold credit card data. However, there are legal requirements about how customers can request their data be exported or deleted, and unfortunately the GoConcierge platform cannot comply with those requests in a timely manner. ALICE is focused on the future design and upkeep of ALICE Concierge and the ALICE Suite, rather than GoConcierge. We encourage GoConcierge customers who require GDPR compliance to switch over to ALICE Concierge, which has been designed with customer control of data and privacy as a principle and has been audited to confirm that.
WHAT DATA DO HOTELS COLLECT WITH ALICE PRODUCTS?
The ALICE systems can collect the following kinds of information:
- Name
- Phone number
- Email address
- Reservation details
- Customer requests
- Application usage data
The GDPR gives additional protection to extremely personal information like ethnicity, health status, sexuality, and religious affiliation. ALICE products are not designed for hoteliers to collect and store this kind of information.
HOW IS THIS DATA PROTECTED?
The data collected is kept in a secure data centre that has up-to-date physical and technical measures for protection, including locked doors, ID passes for security, CCTV, and controlled access.
More importantly, the data we collect must also be protected by your staff. Human error is the greatest threat to data security. Training around privacy and security can help your staff prevent data leakage. For example, staff should use strong passwords, and they should not allow guests to view screens that display other guests' information.
IS MY HOTEL A DATA PROCESSOR OR DATA CONTROLLER?
Since hoteliers decide what data they collect and they have the direct relationship with the guest, under the GDPR, hotels are data controllers. ALICE is a data processor, so we are restricted in how we use the data we collect, and you control that. When you use ALICE, your guests’ data is processed in a GDPR-compliant and secure way.
As a controller you have the right to know anyone ALICE shares guest data with. We can only share data at the direction of you, the data controller.
As a data controller, you have the right to know exactly when ALICE processes your customers' personal data and what we do with it.
WHAT HAPPENS IF ALICE DATA IS BREACHED?
ALICE will notify you within 72 hours in the unlikely event that there is a breach of our secure storage systems, and we will assist you in determining your notification obligations.
HOW SHOULD OUR HOTEL HANDLE DATA ACCESS REQUESTS?
The GDPR gives people certain rights to correct, erase or export their data, and these requests must be fulfilled within thirty days. When you receive a request, it is critical that you communicate it to all of your data partners, including ALICE, as soon as possible. ALICE is committed to complying with data requests within 25 days, in order to give you time to include our response within the thirty-day period.
DO HOTELS NEED GUEST CONSENT TO USE ALICE?
You should be transparent about any data processors you are working with, but explicit consent to use ALICE is not legally required by the GDPR. Any time you collect personal data you must have a legal basis to do so. One such legal basis is performance of a contract. Since you have a contract with your guest, you can collect and process data to perform that contract. ALICE provides the means for you to follow through on these contractual commitments, and this is fully compliant with the GDPR without separate consent.
We cannot give you legal advice, and ultimately you are responsible for your compliance with all laws. This FAQ represents a dedicated effort, working with world-class counsel and consultants, to understand the GDPR and its impact on hospitality.