GDPR Handbook - Final
Table of Contents
1. Introduction
1.1. Purpose
Mac Hai Long – 10422046 Hotels and Resorts Alliance
1. Introduction
1.1. Purpose
The purpose of this Policy is to establish the common and general principles and guidelines for
conduct that are to govern Hotels and Resorts Alliance (later mentioned as the Group) as
regards personal data protection, ensuring compliance with applicable law under all
circumstances.
In particular, this policy guarantees the right to the protection of personal data for all natural
persons who establish relations with the companies belonging to the Group, ensuring respect
for the rights to reputation and to privacy in the processing of the various categories of personal
data from different sources and for various purposes based on their business activities, all in
compliance with the Company's Policy on Respect for Human Rights.
1.2. Overview of GDPR
This handbook is designed to provide a comprehensive guide for GDPR (General Data Protection
Regulation) compliance, essential for any business operating within the European Union or
handling the data of EU citizens. The GDPR, a landmark regulation, introduces stringent data
protection requirements, revolutionizing the way personal data is managed globally. It
emphasizes transparency, security, and accountability, ensuring that organizations prioritize the
privacy and protection of personal data.
The importance of GDPR compliance cannot be overstated. It is not merely a legal obligation but
a crucial aspect of business integrity and customer trust. Non-compliance can result in
significant penalties, including substantial fines, which could have a profound impact on your
business’s reputation and financial stability.
This handbook outlines the GDPR’s scope, including its key principles, the rights of data
subjects, and the obligations it imposes on data processors and controllers. It serves as a
practical resource for navigating the complexities of GDPR, ensuring your organization's
adherence to its stringent standards, and fostering a culture of data protection and privacy.
can be identified or who are identifiable, directly from the information in question; or
who can be indirectly identified from that information in combination with other
information.
Personal data may also comprise special categories of personal data or information about
criminal convictions and offenses. These are deemed more sensitive and may only be processed
in certain circumstances.
Pseudonymized data can help lessen privacy threats by making identifying individuals more
difficult, but it is still personal data.
If personal data can legitimately be anonymized, the anonymized data is exempt from the
GDPR. It is critical to understand what personal data is to determine whether the data has been
anonymized.
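The distinction drawn above, that pseudonymized data remains personal data while properly anonymized data falls outside the GDPR, is easiest to see in code. The following is an added example and not part of the handbook: it pseudonymizes constructed guest records with a keyed hash, shows that whoever holds the separately stored lookup table can reverse it, and contrasts that with an aggregate (per-country counts with small groups suppressed) from which no guest can be recovered. The record fields, the key and the group-size threshold are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample guest records for illustration; these are not real people.
GUEST_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "nights": 3},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR", "nights": 1},
    {"name": "Carol Example", "email": "carol@example.com", "country": "DE", "nights": 2},
]


def make_pseudonym(email: str, key: bytes) -> str:
    """Derive a stable pseudonym from an e-mail address with a keyed hash (HMAC-SHA256).

    A keyed hash rather than a plain SHA-256 means that someone who knows a guest's
    e-mail address but not the key cannot recompute the pseudonym and match it.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, key: bytes) -> tuple:
    """Replace direct identifiers with pseudonyms.

    Returns the pseudonymized records and the lookup table that maps each pseudonym
    back to the guest. The lookup table (and the key) is the additional information
    that must be held separately; as long as it exists, the output is still personal data.
    """
    pseudonymized = []
    lookup = {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        lookup[pid] = {"name": rec["name"], "email": rec["email"]}
        pseudonymized.append({"guest_id": pid, "country": rec["country"], "nights": rec["nights"]})
    return pseudonymized, lookup


def reidentify(pseudonymized_record: dict, lookup: dict) -> dict:
    """Whoever holds the lookup table can re-identify a pseudonymized record."""
    return lookup[pseudonymized_record["guest_id"]]


def anonymize_as_counts(records: list, min_group_size: int = 2) -> dict:
    """Aggregate records to per-country guest counts and suppress small groups.

    No identifier survives and groups below min_group_size are dropped, so no output
    value can be traced back to one guest; this is the kind of aggregate the handbook
    describes as exempt from the GDPR.
    """
    counts = Counter(rec["country"] for rec in records)
    return {country: n for country, n in counts.items() if n >= min_group_size}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a secret held apart from the data
    pseudo, lookup = pseudonymize(GUEST_RECORDS, key)
    print(pseudo[0])                      # no name or e-mail, but still linkable via the lookup
    print(reidentify(pseudo[0], lookup))  # the lookup table reverses it
    print(anonymize_as_counts(GUEST_RECORDS))
```

The point of the two functions side by side is that the pseudonymized output looks anonymous but is not: deleting the lookup table and the key, not merely hashing, is what would change its status, and only if no other data in the Group's possession allows re-linking.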
Because information about a deceased person does not constitute personal data, it is not
covered by the GDPR.
Personal data does not include information about businesses or government agencies.
However, information about individuals working as single traders, workers, partners, and
corporate directors, and information belonging to them as individuals, may constitute personal
data.
A name is the most popular way to identify someone. However, whether any prospective
identifier truly identifies an individual is context dependent.
To identify an individual, a combination of identifiers may be required.
The GDPR specifies a non-exhaustive set of identifiers, which includes a name, identification
number, geographical data, and an online identity. 'Online identifiers' include IP addresses and
cookie identifiers, which may contain personally identifiable information. Other factors can be
used to identify a person.
- your organization exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations; or
- a breach of the Human Rights Act 1998.
Although processing personal data in violation of copyright or industry regulations (for example)
will result in unlawful processing in violation of this principle, this does not mean that the ICO
can pursue allegations that are primarily about violations of copyright, financial regulations, or
other laws that fall outside the ICO's remit and expertise as a data protection regulator. In such
cases, there are alternative legal or regulatory avenues of recourse where the issues can be
addressed in a more appropriate setting.
Fairness: means that you should only use personal data in ways that individuals would expect,
and not in ways that have unjustifiable negative consequences for them. You must pause and
consider not only how you can utilize personal data, but also whether you should.
Personal data processing must always be both fair and legal. If any component of your
processing is unfair, you will be in violation of this principle, even if you can demonstrate that
the processing is legitimate.
Assessing whether you are processing information fairly depends partly on how you obtain it. If
anyone is deceived or misled when personal data is obtained, then this is unlikely to be fair.
To assess whether you are processing personal data fairly, you must consider more generally
how it affects the interests of the people concerned – as a group and individually. If you have
obtained and used the information fairly in relation to most of the people it relates to but
unfairly in relation to one individual, there will still be a breach of this principle.
Transparency: is fundamentally tied to fairness. Transparent processing entails being upfront,
transparent, and honest with people about who you are and how and why you utilize their
personal data from the outset.
Transparency is always vital, but it is especially important when people have a choice whether
to get into a relationship with you. Individuals will be able to make an informed decision about
whether to join into a relationship or to try to renegotiate the parameters of that connection if
they know what you will do with their information from the start.
Even if you have no direct interaction with the individual and receive their personal data from
another source, transparency is essential. In some circumstances, it is even more critical,
because individuals may be unaware that you are collecting and exploiting their personal data,
limiting their capacity to claim their data rights. This is sometimes known as ‘invisible
processing.’
Group companies shall not collect or process personal data relating to ethnic or racial origin,
political ideology, beliefs, religious or philosophical convictions, sexual orientation or practices,
trade union membership, health data, or genetic or biometric data for the purpose of uniquely
identifying a person, unless such collection is necessary, legitimate, required, or permitted by
applicable law, in which case they shall be co-collected.
3.2. Purpose limitation
The purpose limitation principle ensures that personal data may only be used for one or more
specific reasons. Personal data obtained for one reason cannot be freely utilized for another.
The notion of purpose restriction is likewise contained in EU Charter Article 8(2).
While the controller is allowed to specify any legitimate purpose, Article 5(1)(b) establishes the
principle of purpose limitation in personal data processing. It requires that personal data be
acquired for specific, explicit, and legitimate reasons, and it ensures that data are not used for
purposes that are incompatible with the original purpose(s) provided.
3.3. Data minimization
The data minimization concept derives indirectly from Article 8 of the EU Charter, which states
that any interference with the basic right to data protection must be reasonable. This data
reduction principle is thus strongly tied to the principle of purpose limitation, and it only leads
to accurate results if the controller defines the specific goal precisely. A controller must evaluate
the requirement of each step of a processing operation and each data element to achieve the
goal.
The three elements in Article 5(1)(c) GDPR are redundant and overlapping:
- Personal data is 'adequate' if it is appropriate to use such data for the purpose (for
  example, the address of a person is not appropriate information for credit ranking).
- Personal data is 'relevant' if it leads to a different outcome in relation to the purpose (for
  example, the address of a customer is relevant to deliver a product).
- Personal data is 'limited to what is necessary' when the purpose cannot be achieved
  without the processing of that personal data.
3.4. Accuracy
According to Article 5(1)(d), personal data must be accurate and, where required, kept up
to date, and all reasonable steps must be taken to erase or rectify inaccurate data as soon as
practicable. This requirement is intended to safeguard data subjects from damage, as erroneous
information might have catastrophic repercussions. One of the key elements of the right to
informational self-determination is data accuracy, which embodies a broader principle of
correct representation of the individual at all levels and in all circumstances.
When a controller employs systems that are a "black box" even to the controller, such as
"artificial intelligence," "self-learning," or "big data" analytics, the accuracy principle becomes
extremely difficult to apply. The GDPR discourages such practices, and Article 5(1)(d) is meant
to safeguard against computers reaching arbitrary and incorrect conclusions. Regardless of the
technology employed, controllers are accountable for the accuracy of the personal data they
process.
3.5. Storage limitation
Personal data shall not be maintained for any longer than is necessary for the purposes for
which they are processed, unless otherwise required by law.
3.7. Accountability
Group firms are responsible for adhering to the principles outlined in this Policy as well as those
required by applicable legislation and must be able to demonstrate compliance when required.
Group firms must conduct a risk assessment of their processing to identify the actions to be
implemented to ensure that personal data is processed in line with legal requirements. When
required by law, they must conduct a preliminary evaluation of the risks that new products,
services, or IT systems may pose to personal data protection and take the appropriate steps to
minimize or mitigate such risks.
Group companies must keep an activity log in which they describe the personal data processing
that they do during their business.
In the event of an incident, such as accidental or unlawful data destruction or alteration, or
unauthorized access to such data, the Group will have an internal protocol for documenting
and measuring the scope of affected data, as well as sufficient measures to mitigate and
resolve it.
Where the law requires it, a DPO will be designated to verify that the Group complies with
data protection laws.
- Prior to data acquisition: Individuals have the right to be notified prior to the gathering
  of their personal data. This includes information about the controller's (the organization
  collecting the data's) identity, the purposes of the processing, the legal basis for the
  processing, the categories of personal data collected, the recipients of the data, and the
  data subject's rights (e.g., rectification and erasure).
- Conciseness, transparency, and simplicity of access: The information presented should
  be succinct, transparent, and simple to understand.
- Additional information: In some cases, further information, such as the data retention
  duration, the existence of automated decision-making, and the possibility to file a
  complaint with a supervisory body, may be necessary.
Right to Access:
- Confirmation and access: Individuals have the right to obtain confirmation from the
  controller whether their personal data is being processed and, if so, to access their
  personal data.
- Specific information: The right to access encompasses a range of information, including
  the categories of personal data processed, the purposes of the processing, the recipients
  of the data, and the planned duration of storage.
- Copy of the data: Individuals have the right to obtain a copy of their personal data in a
  portable format, facilitating its transfer to another controller if desired.
Important note:
- The right to be informed lays the foundation for the right to access. Knowing what data is
  being collected and why empowers individuals to exercise their right to access effectively.
- Accessing their data allows individuals to verify the accuracy of the information held about
  them, identify potential misuse, and exercise other GDPR rights such as rectification or erasure.
- Both rights have certain limitations and exceptions, for example, where disclosure would
  prejudice the rights and freedoms of others or where it is impossible due to the anonymization
  of the data.
- Individuals can exercise their rights through various means, such as submitting a data subject
  access request to the controller.
- Supervisory authorities play a crucial role in ensuring compliance with GDPR and upholding
  individuals' data rights.
4.2. Right to rectification
The right to rectification is one of the crucial data subject rights granted by the General Data
Protection Regulation (GDPR). It empowers you to ensure the accuracy and completeness of
your personal data held by organizations.
The right to rectification allows customers to request that a controller:
- Correct any inaccurate personal data about you. This includes factual errors, outdated
  information, or incomplete data.
- Delete any personal data that is incomplete or no longer necessary for the purposes for
  which it was collected.
Anyone whose personal data is being processed by a controller within the scope of GDPR can
exercise the right to rectification. This applies regardless of nationality or residency.
You can submit a request to the controller in writing, clearly stating the inaccuracies or
incompleteness you identified in your personal data. You can also provide evidence to support
your request if available.
The controller must respond to your request within a reasonable timeframe, typically one
month. They should:
- Acknowledge your request: Confirm receipt and provide an estimated timeframe for
  response.
- Investigate your request: Analyze the accuracy and completeness of your data based on
  the information provided and any available evidence.
- Rectify the data: If the data is found inaccurate or incomplete, the controller must rectify
  it by correcting or adding the missing information.
- Inform you of the outcome: The controller must inform you of the decision, whether
  they have rectified the data or not, and their justification for any refusal.
While the right to rectification is powerful, there are some limitations and exceptions:
- Public interest: In rare cases, public interest may override the right to rectification, such
  as when data is necessary for historical, statistical, or scientific research purposes.
- Excessive burden: If rectifying the data would impose an excessive burden on the
  controller, we may be able to refuse. However, we must still provide customers with a
  justification and inform them of their right to complain.
If customers need help exercising their right to rectification, contacting the data protection
officer (DPO) of the controller is recommended.
4.3. Right to erasure
The right to erasure, also known as the "right to be forgotten," is a powerful tool granted by the
General Data Protection Regulation (GDPR) in Europe. It empowers individuals to request the
deletion of their personal data from an organization's systems under certain circumstances.
When customers can exercise this right:
- The data is no longer necessary for the purposes for which it was collected or
  processed. For example, if you've closed an account and the company doesn't need your
  data for any further legitimate purpose.
- You withdraw your consent to the processing of your data. This applies if your consent
  was the legal basis for the processing.
- The data processing is unlawful. This includes situations where the data was obtained
  without your consent or in violation of other GDPR principles.
- The data must be erased to comply with a legal obligation. This could be a national or EU
  law.
- The data is excessive, inappropriate, or no longer relevant. This applies to data collected
  for marketing purposes, for example.
The controller's responsibilities:
- Acknowledge the customer's request: we should confirm receipt and provide an estimated
  timeframe for response.
- Consider the customer's request: we must assess whether the conditions for erasure are met.
- Erase the data: if a customer's request is granted, we must delete their data from our
  systems and any third-party systems where it may have been shared.
- Inform the customer of the outcome: we must inform the customer whether we have
  erased the data or not, and our justification for any refusal.
- The customer objects to the processing of their data for legitimate reasons. If a customer
  objects to the processing for reasons other than direct marketing, they can request
  restriction while the controller considers the objection.
- The processing is unlawful, but the customer does not want the data deleted. In such
  cases, customers can request restriction instead of erasure.
- The controller no longer needs the data for the original purposes, but the customer
  needs it for legal claims. In that case, the customer can request restriction even if the
  controller no longer needs the data for its initial purposes.
4.6. Right to object
The right to object empowers customers to oppose the processing of their personal data in
certain situations, giving them a say in how their information is used.
Customers can object to the processing of their personal data in the following cases:
- Direct marketing: Customers have the absolute right to object to the processing of their
  data for direct marketing purposes, including profiling related to such marketing. This
  means customers can stop us from sending them unwanted emails, targeted ads, or
  personalized marketing messages.
- Processing based on legitimate interests: Customers can object to the processing of their
  data if it is based on the controller's legitimate interests, unless the controller demonstrates
  compelling legitimate grounds that override the customer's interests, rights, and freedoms.
  This applies to situations where their data is used for purposes such as fraud
  prevention, market research, or improving services.
- Automated decision-making: Customers have the right to object to decisions made solely
  by automated means (e.g., algorithms) that significantly affect them, such as credit
  scoring or insurance pricing. Customers can also request human intervention or contest
  the decision.
Once the objection is resolved, the controller must cease processing the customer's data unless
we have a compelling legal reason to do so. We must also tell customers about our internal
decisions and give them the option to file a complaint with a supervisory authority.
- The decision is based solely on automated means: there was no human intervention
  in the decision-making process.
- The decision has legal consequences for you or has a substantial impact on you: as
  already said.
- be collected only for specified, explicit and legitimate purposes, and not be further
  processed in any manner incompatible with those;
- be adequate, relevant, and limited to what is necessary in relation to the purposes for
  which it is processed;
- not be kept as identifiable data for longer than necessary for the purposes concerned;
  and
- be processed securely.
- Risk Assessment: Conduct a thorough risk assessment to identify potential data security
  vulnerabilities and threats. This assessment should consider data sensitivity, the possible
  consequences of a breach, existing security procedures, and industry best practices.
- Access Control: Implement strong access control systems to ensure that personal data is
  only accessed by authorized personnel. This includes creating unique user accounts,
  requiring strong passwords, adopting multi-factor authentication when applicable, and
  reviewing and changing access privileges on a regular basis.
- Encryption: Use encryption techniques to protect personal data in transit and at rest.
  This includes encrypting data during network transmission and storing sensitive data in
  an encrypted manner to prevent unauthorized access.
- Data Minimization: Apply the data minimization principle by collecting and retaining just
  the personal data required for the intended purpose. Avoid collecting too much data and
  frequently review and delete old or superfluous data.
- Data Backup and Recovery: Set up frequent data backup methods and test data
  recovery processes to ensure that personal data can be recovered in the case of a data
  loss disaster. Backups should be kept in a secure location, and restoration methods
  should be recorded and validated on a regular basis.
- Employee Training and Awareness: Employees should receive extensive training on data
  security best practices, such as data handling, secure communication, password
  management, and spotting and reporting any security events or breaches. Reinforce
  awareness on a regular basis through continued training and communication.
- Incident Response Plan: Create a solid incident response strategy that describes what to
  do in the event of a data breach or security incident. This plan should include protocols
  for reporting events, containing the breach, assessing the impact, alerting affected
  parties, and executing corrective actions.
- Vendor Management: When working with third-party service providers or vendors, be
  sure they follow relevant data security standards. Establish specific contractual
  responsibilities and evaluate their security policies on a regular basis to ensure the
  security of personal data shared with them.
- Regular Security Audits and Assessments: Conduct frequent security audits and
  assessments to examine the effectiveness of security measures in place and identify any
  vulnerabilities or areas for improvement. Penetration testing, vulnerability scanning, and
  security assessments by internal or external experts are examples of such audits.
- Compliance Monitoring: Continuously monitor compliance with data protection rules,
  such as the GDPR, to ensure continued legal compliance. Review and update policies,
  processes, and controls on a regular basis to keep up with growing security standards
  and regulatory changes.
- Provide customers with easily accessible and understandable information about how
  their data is collected, processed, and shared.
- Allow users to decide how their data is used and shared, such as opting out of
  targeted advertising or data sharing.
- Only data related to booking and staying on the premises should be collected. When the
  transaction is finished, any unnecessary data should be removed from the system.
- Data stored in the system should be encrypted and protected from unauthorized access.
  This data should only be accessed when requested by the customer, or under a lawful
  request regarding the user data.
- Sharing data with third parties: Sharing guest data with third-party service
  providers, marketing partners, or law enforcement requires careful consideration and
  might trigger a DPIA.
We should clearly describe the types of personal data collected, the purposes for
processing, and the technologies used, as well as identify and prevent the potential risks
to individuals' data privacy and fundamental rights, such as unauthorized
access, profiling, discrimination, or surveillance.
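The access control item above asks for regular review of access privileges, and the guest-data rule above says stored data should only be accessed on a customer request or a lawful request. One way to check both against an access log is shown below. This is an added example, not part of the handbook or the Group's systems: the log line format, the role names, the role-to-action entitlements and the ticket prefixes are all assumptions constructed for the illustration; a real review would read the access log of the property-management or CRM system in whatever format it produces.

```python
import re

# Constructed sample access-log lines (hypothetical format). Each line records who touched
# which guest record, what they did, and the request ticket that justified it ("-" = none).
SAMPLE_LOG = """\
2024-03-01T08:15:02Z user=jdoe role=front_desk action=read guest=G1001 ticket=SAR-2024-017
2024-03-01T08:20:45Z user=jdoe role=front_desk action=read guest=G1002 ticket=-
2024-03-01T09:02:11Z user=mlee role=housekeeping action=read guest=G1003 ticket=-
2024-03-01T09:30:00Z user=asmith role=dpo action=export guest=G1001 ticket=LEA-2024-003
2024-03-01T10:05:19Z user=mlee role=housekeeping action=export guest=G1004 ticket=SAR-2024-018
2024-03-01T10:10:00Z malformed entry that the parser must not choke on
"""

# Hypothetical entitlements: which actions on guest records each role may perform.
# Housekeeping needs room access, not guest-record access, so it gets no action here.
ROLE_PERMISSIONS = {
    "front_desk": {"read"},
    "dpo": {"read", "export"},
    "housekeeping": set(),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"guest=(?P<guest>\S+) ticket=(?P<ticket>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse well-formed lines into dicts; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def review_access(entries: list, permissions: dict) -> list:
    """Flag guest-record accesses that a reviewer should follow up.

    Two checks, matching the two rules in the handbook: the role must be entitled to the
    action, and every access must cite a customer request or lawful request ticket.
    """
    findings = []
    for entry in entries:
        reasons = []
        if entry["action"] not in permissions.get(entry["role"], set()):
            reasons.append("role not entitled to action")
        if entry["ticket"] == "-":
            reasons.append("no customer or lawful request reference")
        if reasons:
            findings.append(
                {"ts": entry["ts"], "user": entry["user"], "guest": entry["guest"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG), ROLE_PERMISSIONS):
        print(finding)
```

Run against the constructed lines, the review flags three of the five well-formed entries: a front-desk read with no request reference, a housekeeping read that fails both checks, and a housekeeping export that cites a ticket but comes from a role with no entitlement. The accesses backed by a subject access request or a law-enforcement request ticket from an entitled role pass. Keeping the entitlement table in data rather than in code is what lets the same review run after the periodic privilege changes the handbook calls for.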
6. Compliance Process
6.1. Risk assessment
Risk assessment should focus on several key areas of the compliance process:
- Data inventory and mapping: Identify and map the flow of all types of personal data
  gathered, processed, and stored by our systems and processes.
- GDPR Fundamentals: Explain crucial topics such as personal data, legal bases for
  processing, data subject rights, and accountability requirements.
- Train personnel on correct guest identification methods, data minimization principles,
  and gaining informed consent for data gathering.
- Data Security: Discuss data storage and encryption procedures, password security, and
  secure data disposal.
- Data Subject Rights: Explain how guests can access, rectify, remove, or limit the
  processing of personal data, as well as how these requests are handled.
- Incident Response: Train workers to recognize and report data breaches, adhering to
  established containment and notification protocols.
- Role-Specific Education: Training should be tailored to specific jobs, such as
  housekeeping (guest room access and data security) or marketing (targeted advertising
  and data subject rights).
- Agreements for third-party data sharing: Contracts with all third-party providers with
  whom you share guest data, defining their data protection duties.
- Data breach response plan: A step-by-step approach for detecting, mitigating, and
  reporting data breaches.
- Training documentation and materials: Employee training on data protection policies
  and best practices must be documented.
- Internal audit reports: Records of any internal audits performed to ensure that data
  protection requirements are being followed.
Best practices for the documentation are:
- Use clear and simple language: Make sure your documentation is understandable to both
  technical and non-technical readers.
- Keep a central repository: All documents should be kept in a safe, centralized area for
  easy access and retrieval.
- Version management: Implement a system for document tracking and updating to
  ensure you are always using the most recent version.
- Review and update on a regular basis: Review and update your paperwork on a regular
  basis to reflect changes in regulations, technology, or your hotel's data protection
  practices.
6.7. Retention of records
Retention Periods and Key Record Categories:
- Guest registration and identification: Retention terms vary by country but are commonly
  5 to 10 years following the guest's stay.
- Financial records: Tax regulations frequently demand financial records to be kept for 7 to
  10 years.
- Communication logs: Emails, phone conversations, and other communication logs from
  guests might be stored for various periods of time depending on their purpose. Consider
  storing operational messages for a shorter amount of time and complaint logs or legal
  issues for a longer period.
- CCTV footage: Security footage retention periods commonly range from 30 days to 3
  months.
- Employee records: Depending on local legislation, HR papers such as contracts,
  performance reports, and disciplinary records should be kept for the duration of
  employment and for a period after the employee leaves.
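Retention periods like the ones listed above only limit storage if something actually checks records against them. The example below is added here and is not part of the handbook: it encodes a retention schedule per record category, classifies constructed sample records as expired, still within period, held (past the period but under a legal hold, the "unless otherwise required by law" case of the storage limitation principle), or of unknown category, which is reported rather than silently kept. The category names and the concrete day counts are assumptions; where the handbook gives a range that varies by country, the lower end of the range is used, and the periods for operational messages and complaint logs are invented placeholders.

```python
from datetime import date, timedelta

# Retention period in days per record category. Assumed values for illustration: the
# handbook gives ranges that vary by country, and the lower end of each range is used;
# the two message categories are placeholders for "shorter" and "longer" periods.
RETENTION_DAYS = {
    "guest_registration": 5 * 365,
    "financial": 7 * 365,
    "operational_message": 90,     # assumed short period for routine guest messages
    "complaint_log": 3 * 365,      # assumed longer period for complaints and legal issues
    "cctv": 30,
}


def retention_deadline(category: str, created: date) -> date:
    """Last day a record of this category may be kept; KeyError for an unknown category."""
    return created + timedelta(days=RETENTION_DAYS[category])


def review_records(records: list, today: date) -> dict:
    """Sort records into expired / keep / held / unknown buckets by record id.

    'held' covers records past their period that carry a legal hold, which the storage
    limitation principle allows. Records of a category with no defined period land in
    'unknown' so that the schedule, not the code, decides what happens to them.
    """
    result = {"expired": [], "keep": [], "held": [], "unknown": []}
    for rec in records:
        if rec["category"] not in RETENTION_DAYS:
            result["unknown"].append(rec["id"])
            continue
        deadline = retention_deadline(rec["category"], rec["created"])
        if today <= deadline:
            result["keep"].append(rec["id"])
        elif rec.get("legal_hold", False):
            result["held"].append(rec["id"])
        else:
            result["expired"].append(rec["id"])
    return result


# Constructed sample records (not real data); 'created' is the date the record was made.
SAMPLE_RECORDS = [
    {"id": "R1", "category": "cctv", "created": date(2024, 4, 1)},
    {"id": "R2", "category": "cctv", "created": date(2024, 5, 15)},
    {"id": "R3", "category": "guest_registration", "created": date(2018, 1, 10)},
    {"id": "R4", "category": "financial", "created": date(2016, 1, 1), "legal_hold": True},
    {"id": "R5", "category": "loyalty_profile", "created": date(2023, 7, 1)},
]

if __name__ == "__main__":
    for bucket, ids in review_records(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(f"{bucket}: {ids}")
```

The expired bucket is the erasure work list; the held bucket is the list to revisit when the legal hold is lifted; and a non-empty unknown bucket means a record category exists in the systems that the retention schedule does not cover, which is itself a finding for the data inventory.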
7.2. Appropriate safeguards
Transfers to countries that do not have an adequacy determination must include adequate
measures to guarantee the data is protected to the same level as it would be within the EU.
These precautions may include the following:
- Standard contractual clauses: Contracts between the sender and the receiver that
  include specified data protection requirements.
- Binding corporate rules: Internal data protection rules within a multinational
  corporation that have been approved by the relevant data protection authorities.
- Derogations: Limited exceptions to the general transfer ban, such as contractual
  necessity or consent.
9. Enforcement of GDPR
9.1. Supervisory authorities
Each EU country has its own data protection authority in charge of enforcing the GDPR. These
authorities have the power to conduct data breach investigations, levy fines, and require
corporations to cease non-compliant data processing operations.
10. Appendices
10.1. Glossary of terms
- The term “user” here means an individual whose personal data is processed by a
  controller or processor (also known as the data subject).
- The term “controller” means any person or legal entity involved in determining the
  purpose and ways of processing personal data.
- The term “processor” means any person or legal entity involved in processing personal
  data on behalf of the controller.
- The term “the Group” means Hotels and Resorts Alliance.