How reenio helps with GDPR
The reenio reservation system is a software tool that, among other things, processes the personal data of customers of the companies that use it. To protect and handle this data, reenio offers a range of features that meet the requirements of GDPR. Although the system provides these functions, it is always necessary to address the processing and protection of personal data in general, taking into account the specific area of business and the rules defined by the personal data controller. The reservation system is therefore a tool of the personal data processor for companies that provide services to their customers and act as administrators. It is the administrator's responsibility to fulfill the formal requirements of GDPR (and not just within the reservation system).
Always remember that GDPR concerns not only the on-line reservation system, but the overall handling of personal data throughout your business.
Secure your data using Microsoft Azure cloud
Our system makes full use of modern cloud services. All internal server components, including databases, are operated on the Microsoft Azure platform, on servers that are geographically located in the EU. Utilizing Microsoft Azure infrastructure delivers guaranteed quality of service, including the appropriate level of security for operations and data. You can find more information about service security on the special Service Trust Portal page.
Secure transmission using the HTTPS protocol is also a common standard today. We offer it automatically and FREE of charge on all reservation sites that are operated on our main domain (reenio.com), as well as on other national or complementary domains. If a reservation page is operated on its own domain, secure operation with its own certificate is possible, but the certificate must be provided by the operator of that reservation page.
The processing of personal data
The GDPR defines a number of responsibilities and rights that apply to you (administrators) and your customers when processing and handling personal data. One of the main points is defining the purpose and the corresponding legal title for the processing of personal data. There may be several of these titles, and each assumes a different process of handling personal data. For the normal operation of the reservation page and the fulfillment of the purpose of providing the reserved services, the most frequent legal title will be legitimate interest or performance of the contract. If you wish to use personal data for other purposes, then such a purpose may be based on the legal title of consent.
Personal data processed in the system are divided into two basic groups - basic data and form data. Basic data are defined by the system and are the standard data needed to ensure normal functionality of customer registration or reservation, e.g. name, e-mail address, telephone number. These data are directly linked to the individual customer. Personal data from forms are data that each reservation site operator can define according to their needs (as part of setting up their own reservation forms). This information is not directly linked to the customer, but to his or her individual reservations - each reservation may even include a different set of personal information depending on the form used at a particular date.
If you use the reservation system, you will certainly process and handle personal information. The key point in ensuring that your business complies with GDPR is the fulfillment of the so-called information obligation. It is your responsibility as an administrator to inform your customers of all key moments in the processing of their personal data. In particular, this concerns information on the scope and purpose of the processing of personal data, who will process it and how, and to whom it can be transferred. Another part of the information obligation is a description of the way in which the rights of personal data subjects are fulfilled, in particular the right of erasure, the right of rectification and the right of access to personal data.
Settings - Reservation page - Terms and conditions
To fulfill your information obligation, a number of options are available to you when specifying the terms and conditions. You can find this setting in Settings - Reservation page - Terms and conditions. Include all relevant information for your customers in the relevant sections, not only with regard to the bookings themselves, but especially in relation to the entire business and the services offered. Specifying business conditions and other essentials is also important for trouble-free operation of the GoPay online payment gateway.
Keep in mind that the reenio reservation system is only a tool for processing booking information (including personal data) that helps you in your business. Regardless of the tools used, you should be able to resolve the issues related to the protection and processing of personal data, i.e. even if you process your reservations in a paper diary, for example. GDPR (or data protection) applies to the general treatment of data within your business, not specifically to the use of on-line tools.
From the point of view of on-line reservations, the legal title for the processing of personal data will most often be a legitimate interest or performance of the contract. Of course, it is always necessary to take into account the purpose and scope of specific personal data. Therefore, if you define the specific purposes of processing under this title, it is sufficient to fulfill the information obligation and there is no need to obtain specific consent from customers for the processing of personal data. However, if you use personal data outside these defined purposes, or if you process personal data beyond the need to fulfill these purposes, it is necessary to ask your customers for specific consent. Consent must be defined specifically, limited in time and its granting/non-granting must not affect the possibility of using the services offered. Consent may be withdrawn at any time, which is a fundamental right of the data subject. Typically, you can use such specific consent when synchronizing with SmartEmailing and then sending marketing messages.
Settings - GDPR
Working with consents is quite simple in the reservation system. In Settings - GDPR you will find the management of individual consents, as well as an overview of the consents granted or withdrawn by individual customers. When you create a consent, you have the option to enter its name, descriptive text, expiration date, and grouping. Consent groups allow individual consents to be offered to customers as part of the booking, registration or even specific dates. If you edit a consent that is already in use, this does not affect the consent previously given by individual customers, i.e. the customer still agrees with the original wording of the consent. The new version of the consent is used only for consents granted subsequently, or the customer can give his/her consent to the new wording when booking. There is also an overview of all granted consents, including information about the customer who granted or subsequently withdrew consent. Consent information is also available in each customer's detail. It is also important that the export of customers can be influenced by whether or not the individual customer has given consent.
Access to personal data
The fundamental rights of data subjects include the right to information and access to their data. Our reservation system can be very helpful here, as it offers features that automate the processing of these requests. Via the web form, or via his/her user profile after login (if registered), the customer can access an overview of the data that is generally processed about him/her, see which consents he/she has granted and modify those consents, see what data is processed for individual reservations, or download this data in machine .
A customer who identifies themselves with their e-mail address can use a personal information management page. It is accessible via a link in the footer of each reservation page. After you enter the e-mail address, an e-mail will be sent with information on the next steps. The result of the process is a page where the information related to the customer with the given e-mail address is presented. If the customer is registered and can log on to the reservation page, then a similar summary of information and features is available within their user profile.
Deleting personal information
One of the principles of personal data processing is that data should not be processed once there is no longer any reason to do so. For this case, there are two possible approaches in our reservation system - a request for customer data removal and automated personal information removal. If the customer requests the deletion of his/her personal data, this request is recorded and the booking site operator then evaluates it and decides whether and in what form the deletion will take place - this cannot be automated due to the possibly complex consequences of legal titles, purposes and consents for processing personal data (e.g. the need to claim the service provided). Automated removal of personal data is based on the setting of time limits, after which the system deletes personal data automatically - only personal data is deleted, i.e. an overview of reservations remains, even though some data and links to specific customers are no longer contained in the database in their original form. The next level of deletion is the de facto removal of complete data records on reservations or customers.
If the customer makes a manual request to remove personal information, the request will be registered and will be available in the administration (Settings - GDPR or notification in administration). The booking site operator then evaluates this request and processes it with respect to the rules set for the processing of the customer's personal data. When processing the request, the operator has the opportunity to send the customer an e-mail directly from the system.
Settings - GDPR - Settings
For the automated deletion of personal information, setting the individual time limits for deletion is crucial. The system distinguishes between three types of deletion - reservation forms, customers and accounting documents. In the case of individual reservations, personal data is deleted within a defined period after the date of the given reservation (only the form data marked as personal data are deleted). A customer's personal information is deleted after the date of the last future booking or registration date, whichever comes later. The deadline for removing accounting documents is affected by legislation.
Appropriate parameter settings for GDPR and automated deletion are recommended as one of the primary tasks when starting to use the reservation system.
Settings - Reservation page - Analytics
If no analytics are used on the reservation page, the info bar will not be displayed. If the setting is active and one of the tools is also activated, the info bar will always be displayed until the visitor has accepted it.