ExperienceBank GDPR Compliance: Ensuring Data Protection and Privacy
What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It is designed to protect the personal data and privacy of EU citizens and residents, and it applies to all organizations, regardless of location, that process the personal data of individuals within the EU.
The GDPR aims to give individuals greater control over their personal data, ensuring that it is handled transparently, securely, and with their explicit consent. It imposes stringent requirements on organizations to safeguard data and provides significant penalties for non-compliance, including fines of up to €20 million or 4% of the organization’s global annual revenue, whichever is higher.
How Does the GDPR Work?
The GDPR outlines several key principles and requirements for data protection:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently. Organizations must provide clear information about how data will be used.
- Purpose Limitation: Data should be collected for specific, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
- Data Minimization: Only the data necessary for the intended purposes should be collected and processed.
- Accuracy: Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted promptly.
- Storage Limitation: Data should be stored only as long as necessary for the purposes for which it was collected.
- Integrity and Confidentiality: Data must be processed securely to protect against unauthorized access, loss, or damage.
- Accountability: Organizations must be able to demonstrate compliance with GDPR principles and obligations.
Additionally, the GDPR grants individuals several rights, including the right to access their data, the right to rectification, the right to erasure (the “right to be forgotten”), and the right to data portability.
Data Collection and Processing at ExperienceBank
As a channel manager, ExperienceBank plays a crucial role in the travel and tourism industry, connecting suppliers and distributors to enhance the booking experience. In this capacity, we collect and process various types of personal data. Ensuring GDPR compliance is a top priority for us, and we take several measures to protect the data of our end-users and suppliers. One of the important steps is anonymizing the personal data of the end-user (guest) on ExperienceBank.
What Data Does ExperienceBank Collect?
ExperienceBank collects several types of personal data, including:
- End-user contact details (names, email addresses and phone numbers)
- Booking Notes
- Guest Names
- Cancellation Notes
- Custom Fields
Anonymizing personal data within ExperienceBank
According to our GDPR requirements as a Data Processor under Art. 25: Data protection by design and by default, ExperienceBank applies an automatic data anonymization process affecting all personal guest data on our platform. This automation takes place 60 days after the service date, or 60 days after the cancellation date, whichever comes first.
Note: The service date is the date the customer is booked to participate, attend or start the experience. All data will remain intact from the booking date until 60 days after the service date, allowing ample time for suppliers to control invoices and payments coming from OTAs.
In accordance with Art. 17: Right to erasure (‘right to be forgotten’), individual anonymisation requests can be submitted and fulfilled at any time before the 60-day retention period ends, provided that the data is not still required in order to complete the contracted booking.
In the ExperienceBank database, the anonymisation process will replace the following personal data fields with asterisks (*****):
- Guest Names
- Booking Notes
- Cancellation Notes
- Custom Fields
- Contact details (name, email, phone number)
This ensures that the Data Subject’s protected information is not stored on our database beyond the minimum required period in order to complete the contracted service.
All other non-personal booking data, including booking reference number, dates, passenger numbers etc., remains visible on our platform beyond the 60-day retention period.
Note: Because the anonymization process only affects data in ExperienceBank, it does not impact any data visibility in the booking system TrekkSoft or marketplace. The Data Subject’s personal data will remain available on the OTA platform according to their own Data Privacy Policy, and on the booking software platform according to your Data Privacy Policy as a Data Processor, and that of the Merchant as a Joint Data Controller.
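The retention rule and field masking described in this section, as an added Python example (not ExperienceBank's own code). The field names, the in-memory sample rows and the test for when data is "still required" for a booking are assumptions made for illustration.

```python
from datetime import date, timedelta

RETENTION_DAYS = 60
MASK = "*****"
# Hypothetical column names for the personal fields the page lists.
PERSONAL_FIELDS = ("guest_names", "booking_notes", "cancellation_notes",
                   "custom_fields", "contact_name", "contact_email", "contact_phone")

def anonymization_due(service_date, cancellation_date=None):
    """60 days after the service date or the cancellation date, whichever comes first."""
    anchors = [service_date] + ([cancellation_date] if cancellation_date else [])
    return min(anchors) + timedelta(days=RETENTION_DAYS)

def anonymize(booking):
    """Return a copy with personal fields masked; reference, dates and counts stay."""
    masked = dict(booking)
    for field in PERSONAL_FIELDS:
        if masked.get(field) is not None:
            masked[field] = MASK
    masked["anonymized"] = True
    return masked

def run_retention(bookings, today):
    """Scheduled pass: mask every booking whose due date has arrived. Idempotent."""
    return [anonymize(b) if not b.get("anonymized")
            and today >= anonymization_due(b["service_date"], b.get("cancellation_date"))
            else b for b in bookings]

def erase_on_request(booking, today):
    """Art. 17 request inside the window. Assumption: data is still required
    until the service date has passed, unless the booking was cancelled."""
    required = booking.get("cancellation_date") is None and today <= booking["service_date"]
    return None if required else anonymize(booking)

# Constructed sample rows, not real bookings.
SAMPLE = [
    {"ref": "EB-1001", "service_date": date(2024, 3, 1), "pax": 2,
     "guest_names": "A. Example", "contact_email": "a@example.test"},
    {"ref": "EB-1002", "service_date": date(2024, 6, 1), "pax": 4,
     "cancellation_date": date(2024, 2, 10), "cancellation_notes": "guest ill",
     "contact_email": "b@example.test"},
    {"ref": "EB-1003", "service_date": date(2024, 5, 20), "pax": 1,
     "guest_names": "C. Example", "contact_email": "c@example.test"},
]

if __name__ == "__main__":
    for row in run_retention(SAMPLE, today=date(2024, 5, 1)):
        print(row["ref"], row.get("anonymized", False), row.get("contact_email"))
```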
Summary
- All personal data will be anonymised 60 days after service date.
- Historical data older than 60 days will be anonymised starting from 15/June/2024.
- The data on the OTA side is not affected.
- The data on TrekkSoft is not affected.
Conclusion
At ExperienceBank, protecting the personal data of our users and clients is of utmost importance. We are committed to complying with the GDPR and ensuring that data is handled with the highest standards of security and transparency. If you have any questions or concerns about our data protection practices, please do not hesitate to contact us.