The General Data Protection Regulation (GDPR) governs the processing of personal data in the European Union.
Data protection rules change to follow the evolution of the new digital world. This new European regulation reinforces and enhances people’s control over the use of their data. The GDPR harmonises the rules in Europe by providing a single legal framework for all EU countries.
The GDPR is applicable from 25 May 2018.
Warning! E-mail marketing is governed by the e-Privacy Directive, which is applicable across Europe and will soon be replaced by the new e-Privacy Regulation. The e-Privacy Regulation is expected by the end of 2018 / beginning of 2019. It will prevail over the GDPR as regards the specific rules applicable to e-marketing.
What is the difference between a regulation and a directive?
A regulation, unlike a directive, is directly applicable throughout the European Union without requiring local legislation in the different Member States. The same text will therefore apply throughout the EU, which offers a better level of harmonisation.
Any organisation, whatever its size, the country in which it is established or its activity, may be concerned.
Indeed, the GDPR applies to any organisation, public or private, which processes personal data on its own behalf (data controller) or on behalf of a third party (data processor) if:
- the organisation is established in the European Union, or
- the organisation’s activity directly targets European residents.
For example, a company established in France which exports all of its products to Morocco for its Middle Eastern customers shall comply with the GDPR.
Also, a company established in China, offering an e-commerce website in several European languages and delivering products in Europe, shall comply with the GDPR.
The GDPR also concerns data processors who process personal data on behalf of other organisations.
My hotel is based outside of the EU, am I affected by the GDPR?
YES, because you offer your services to people located in the EU through the group website www.accorhotels.com or brand sites (ibis.com, mercure.com, sofitel.com, ...), which are available in several European languages and on which it is possible to pay in euros.
What is personal data? What is the difference with “pseudonymised” data and “anonymised” data?
The concept of "personal data" must be understood very broadly.
"Personal data" is "any information relating to an identified or identifiable natural person". A person can be identified:
- directly (example: surname, first name), or
- indirectly (example: client number PMID, a phone number, several elements specific to her/his physical identity, etc.).
The identification of a natural person can be achieved:
- with a single piece of data (example: social security number, DNA)
- by cross-referencing a set of data (example: a woman living at such an address, born on such a day, subscribed to such a magazine)
Example: a marketing database containing a lot of precise information on customers’ age, tastes and purchasing behaviour is considered a processing of personal data, since it is possible to identify a specific natural person based on this information.
“Pseudonymisation” is a technique that consists of replacing an identifier (or more generally personal data) with a pseudonym, so that it is no longer possible to attribute the data to a specific person without recourse to additional information. This technique therefore allows re-identification, or the study of correlations, in case of particular need. “Pseudonymised” data remains personal data subject to the GDPR (since it can be attributed to a natural person), but pseudonymisation improves the security of this data.
Example: by referring to a customer using his or her PMID (Accor’s internal customer number) rather than first and last names, the security of the data is improved. For someone outside the organisation, it will be more difficult to link a PMID to a specific person.
“Anonymisation”, unlike “pseudonymisation”, is an irreversible mechanism that consists of removing any identifying characteristic from a set of data. This means that all directly or indirectly identifying information is deleted or modified, so that any re-identification of a natural person is impossible.
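To make the distinction concrete, here is an added Python illustration (not part of the original FAQ and not Accor code) of the two techniques applied to a constructed customer record. Pseudonymisation replaces the direct identifiers with a keyed-hash pseudonym and keeps the mapping separately, so the controller can still re-identify and the same customer can still be correlated across records; anonymisation drops the direct identifiers, generalises the indirect ones and keeps no mapping. The field names, the HMAC-SHA-256 pseudonym, the generalisation rules and the secret key are assumptions of the example.

```python
"""Pseudonymisation versus anonymisation of a customer record.

Added illustration for this FAQ, not Accor code. The record layout, the
HMAC-SHA-256 pseudonym, the generalisation rules and the secret key are all
assumptions made for the example.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Fields that identify a person directly (surname, first name, etc.).
DIRECT_IDENTIFIERS = ("surname", "first_name", "email", "phone")

# Constructed sample record; not a real customer.
SAMPLE_RECORD = {
    "surname": "Durand",
    "first_name": "Alice",
    "email": "alice.durand@example.com",
    "phone": "+33 6 12 34 56 78",
    "birth_date": "1984-07-19",
    "address": "12 rue Exemple, 75015 Paris, FR",
    "stays_last_year": 4,
    "preferred_room": "twin",
}


def make_pseudonym(record: Dict[str, object], secret_key: bytes) -> str:
    """Derive a stable pseudonym from the direct identifiers with a keyed hash.

    The key is the "additional information": without it, nobody can recompute
    the pseudonym from a name, but the same person always receives the same
    pseudonym, so correlations across records can still be studied.
    """
    material = "|".join(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)
    digest = hmac.new(secret_key, material.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSEUDO-" + digest[:16]


def pseudonymise(record: Dict[str, object], secret_key: bytes) -> Tuple[Dict, Dict]:
    """Replace direct identifiers with a pseudonym; return the record plus the
    mapping, which must be stored separately and access-controlled."""
    pseudonym = make_pseudonym(record, secret_key)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["pseudonym"] = pseudonym
    mapping = {pseudonym: {k: record[k] for k in DIRECT_IDENTIFIERS}}
    return working, mapping


def reidentify(pseudo_record: Dict[str, object], mapping: Dict) -> Dict:
    """Reverse pseudonymisation; only possible for whoever holds the mapping."""
    restored = dict(mapping[pseudo_record["pseudonym"]])
    restored.update({k: v for k, v in pseudo_record.items() if k != "pseudonym"})
    return restored


def anonymise(record: Dict[str, object]) -> Dict:
    """Irreversible: drop direct identifiers, generalise the indirect ones and
    keep no mapping, so nobody (not even the controller) can re-identify."""
    year = int(str(record["birth_date"])[:4])
    stays = int(record["stays_last_year"])
    return {
        "birth_decade": f"{year - year % 10}s",                      # 1984 -> "1980s"
        "country": str(record["address"]).rsplit(",", 1)[-1].strip(),  # keep country only
        "stays_band": "0" if stays == 0 else "1-3" if stays <= 3 else "4+",
        "preferred_room": record["preferred_room"],
    }


if __name__ == "__main__":
    key = b"example-secret-key-kept-outside-the-database"
    pseudo, mapping = pseudonymise(SAMPLE_RECORD, key)
    print("pseudonymised:", pseudo)
    print("re-identified OK:", reidentify(pseudo, mapping) == SAMPLE_RECORD)
    print("anonymised:", anonymise(SAMPLE_RECORD))
```

Note that the pseudonymised record still carries the birth date and full address, which are indirect identifiers; this is exactly why pseudonymised data remains personal data under the GDPR, and why the mapping and the key must be kept apart from the database they protect. The anonymised record keeps only generalised attributes and no link back, which is what makes the operation irreversible.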
What is a processing of personal data?
The concept of processing of personal data is very broad.
"Personal data processing" is an operation, or set of operations, automated or not, relating to personal data, whatever the process used (collection, recording, organisation, retention, adaptation, modification, extraction, consultation, use, communication by broadcast transmission or any other form of provision, reconciliation).
Example: maintaining a customer file, collecting prospect details via a questionnaire/form, updating a supplier file, etc.
However, a file containing only company details (for example, company "Company A" with its postal address, the telephone number of its reception and a generic contact email "compagnieA@email.fr") is not a processing of personal data.
A processing of personal data is not necessarily automated: paper files are also concerned and must be protected under the same conditions.
A processing of personal data must have a purpose, i.e. you cannot collect or process personal data just in case it would be useful to you one day.
Each processing of personal data must be assigned a purpose, which must be legal and legitimate with regard to the professional activity.
What are the main principles I have to respect if I am affected by the GDPR?
When I am concerned by the GDPR, I have to respect the 10 golden rules (flyer):
1. I can only use personal data if:
   - I obtained the consent of the person, OR
   - this is necessary for the performance of a contract to which the person is party, OR
   - this is necessary to comply with a legal obligation, OR
   - this is necessary in order to protect the vital interests of the person, OR
   - I have a legitimate interest in using personal data and I do not affect persons’ rights.
2. I can explain why I need such personal data.
3. I only use personal data that I really need. If I can achieve the same result with less personal data, I have to do it.
4. I inform the persons about the way I use their personal data.
5. I allow people to exercise their rights: access to their personal data, rectification, deletion and opposition to the use of their personal data.
6. I keep personal data for a limited time.
7. I ensure the security of personal data, i.e. their integrity and confidentiality.
8. If a third party uses personal data, I have to enter into a written contract with this third party and ensure its ability to protect the personal data.
9. If personal data is transferred outside Europe (even via a simple consultation from a country outside Europe), I have to frame this transfer with specific legal tools.
10. If personal data is compromised (lost, stolen, damaged, unavailable…), I have to notify the breach to the authority, and to the person if the breach is likely to generate a high risk for these individuals.
Under the GDPR, is the consent of individuals always required to process their data?
NO.
According to the GDPR, the consent of the person whose data is being processed is not necessary when these data are collected:
- for the execution of a contract (e.g. contract of sale, rental, employment, etc.) or pre-contractual measures (e.g. a quote, talks, etc.) to which the data subject is a party;
- because a legal text makes the use of data mandatory;
- for the performance of a mission of public interest or of public authority;
- to safeguard the vital interests of a person;
- to pursue a legitimate interest (e.g. prospecting, fraud prevention, transfers within a group, network security, etc.), unless the interests or fundamental freedoms of the data subject prevail.
What is a data controller?
It is the person, the department or the company that determines the purposes and the means of the processing of personal data. The data controller decides to implement the processing of personal data and defines its conditions.
The data controller is legally responsible for the compliance of the processing of personal data and ensures compliance with the obligations.
A processing of personal data can be jointly implemented by several data controllers.
For example, Accor S.A is the data controller of customers’ personal data contained in its central database, the data being either collected directly from customers via websites or call centres, or indirectly via hotels, agencies, etc. and interconnected with the Group’s central reservation system.
What is a data processor? What are its obligations?
The data processor is the person, the department, the management team or the company that processes personal data on behalf of the data controller. It can be a service provider (e.g. digital platform publisher, electronic communications provider, ...).
For example: Company B is a data processor of Company A when it processes personal data on behalf of, on the instructions of and under the authority of Company A. Company A is the data controller.
The following are data processors:
- IT service providers (hosting, maintenance, etc.)
- software integrators
- IT security companies
- digital service companies when they have access to data
- marketing or communication agencies that process personal data on behalf of clients.
Warning! Equipment manufacturers (software, badge readers, biometric equipment, etc.) are not data processors because they do not have access to or process personal data.
A data processor is a data controller for the processing of its own files, for example its employee file.
The data processor has specific obligations under the GDPR regarding security, confidentiality and accountability.
The data processor must advise the data controller on compliance with certain obligations of the GDPR (privacy impact assessment, data breaches, security, deletion of data, contribution to audits).
How does the GDPR affect the relationship with service providers?
When an entity, as data controller, contracts with a service provider acting as data processor, the GDPR requires the conclusion of a written agreement whose mandatory provisions are listed in Article 28 of the GDPR.
This contract shall specify:
- the subject-matter and duration of the processing
- the nature and purpose of the processing
- the type of personal data and categories of data subjects
- the obligations and rights of the data controller
- the obligations of the data processor:
  - The data processor processes the personal data only on documented instructions from the data controller.
  - The data processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  - The data processor takes all measures required to ensure the security of personal data.
  - The data processor shall not engage a subsequent processor without obtaining prior specific or general written authorisation from the data controller.
  - Where the data processor engages another processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the contract between the data controller and the data processor shall be imposed on that other processor by way of a contract.
  - The data processor assists the data controller in fulfilling the data controller’s obligation to respond to requests for exercising the data subject’s rights.
  - The data processor assists the data controller in ensuring compliance with the obligations concerning data privacy impact assessment, data breaches, security, deletion of data and contribution to audits.
  - At the choice of the data controller, the data processor deletes or returns all personal data to the data controller after the end of the provision of services relating to processing, and deletes existing copies.
  - The data processor makes available to the data controller all information necessary to demonstrate compliance with its obligations, and allows for and contributes to audits, including inspections, conducted by the data controller or another auditor mandated by the controller.
What is Privacy by Design and Privacy by Default?
"Privacy by Design" aims at ensuring that the protection of personal data is taken into account from the design stage of a project and throughout its execution.
For each new application, product or service that processes personal data, companies must offer their users or customers the highest possible level of protection of their data.
"Privacy by Default" consists in taking appropriate technical and organisational measures to ensure that, by default, the greatest protection of personal data is guaranteed.
Examples of measures:
- minimise the amount of personal data processed
- ensure transparency of the processing
- “pseudonymise” personal data as soon as possible
- implement security measures and improve them continuously
What data security measures to implement?
The data controller and the data processor shall implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
(a) “pseudonymisation” and encryption of personal data;
(b) measures ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) measures to restore the availability of and access to personal data in good time in the event of a physical or technical incident;
(d) a procedure to test, analyse and regularly evaluate the effectiveness of technical and organisational measures to ensure the security of the processing.
For example:
- physical security measures: security of access to the premises;
- IT security measures: antivirus, password security, etc.
The data controller and data processor must also ensure that only authorised recipients can access the data.
To be noted: contracting with a data processor does not relieve the data controller of its obligation of security and confidentiality.
Warning: the communication of information to unauthorised persons, or even the imprudent disclosure of personal data, can be punished.
What does accountability mean?
The GDPR introduces a new concept: the principle of accountability.
The primary goal of this principle is to make the data controller actively responsible for data processing compliance.
Accountability refers to the obligation for companies to implement appropriate internal mechanisms and procedures (technical and organisational measures) to ensure that the processing of personal data is carried out in accordance with the GDPR, and to be able to demonstrate such compliance.
Companies have to implement effective and appropriate measures to comply with the GDPR, but also identify and document the measures taken in order to report the evidence to a supervisory authority.
What is a DPIA (Data Privacy Impact Assessment)?
When processing data which is likely to result in a high risk, the data controller has to conduct a full data privacy impact assessment, showing the characteristics of the processing, the risks and the measures adopted.
It concerns the processing of sensitive data (data that reveals racial or ethnic origin, political, philosophical or religious opinions, trade union membership, health or sexual orientation, genetic or biometric data), and the processing of data based on the “systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing”, i.e. profiling.
What is a personal data breach?
It is a security breach resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data transmitted, stored or otherwise processed, or unauthorised access to such data.
What is a DPO, when is it necessary to have one and what should it do?
DPO means Data Protection Officer, a new position specifically created by the GDPR. Data controllers and data processors must appoint a DPO if:
- they belong to the public sector,
- their main activities lead to regular and systematic monitoring of people on a large scale,
- their main activities lead them to process (always on a large scale) sensitive data or data relating to criminal convictions and offences.
Apart from these cases, the designation of a Data Protection Officer is still possible. The DPO has to:
- inform and advise the data controller or data processor and its employees
- monitor compliance with the GDPR and national data protection law
- advise the organisation on the implementation of a privacy impact assessment (PIA) and verify its execution
- cooperate with and be the point of contact of the supervisory authority.
Accor has appointed a DPO and each Business Unit has a Regional Data Protection Coordinator (RDPC).
If you have any questions, you can contact your RDPC (please see the RDPC’s list).
For corporate headquarters (DPO): accorhotels.data.protection.officer@accor.com
What are the risks for non-compliance with the GDPR?
Data controllers and data processors may be subject to significant administrative penalties for failure to comply with the provisions of the GDPR.
Administrative fines may reach, depending on the category of the offence, EUR 10 million to EUR 20 million or, in the case of companies, 2% up to 4% of the annual global turnover, whichever amount is higher.
Other risks for data controllers and data processors: an image and reputational risk that could lead to a loss of customers.
What are the consequences of Brexit on the application of the GDPR in the United Kingdom?
The exit procedure is scheduled to end on 29 March 2019. Until that date, the United Kingdom remains a Member State of the European Union.
The Information Commissioner's Office (ICO, the UK supervisory authority) has indicated that the GDPR will enter into force in the United Kingdom on 25 May 2018, as in all the Member States of the European Union.
Does the GDPR impact e-marketing?
NO!
Surprising as it may seem, there are no specific provisions applicable to e-marketing in the GDPR. The GDPR does not affect the rules already applicable to e-marketing, whether in B2C or B2B.
E-marketing is governed by the e-Privacy Directive, which is applicable across Europe and will soon be replaced by the new e-Privacy Regulation.
The e-Privacy Regulation is expected by the end of 2018 or the beginning of 2019 and will prevail over the GDPR in relation to the specific rules applicable to e-mail marketing.
Reminder: What are the specific rules applicable to e-marketing (Opt-in / Opt-out)?
According to the e-Privacy Directive, soon to be replaced by the new e-Privacy Regulation expected by the end of 2018 or the beginning of 2019, which will prevail over the GDPR:
I) E-marketing requires the prior consent of the recipient (Opt-in).
II) By exception, such consent is not necessary (Opt-out) if:
- the contact details of the recipient were collected directly from him or her on the occasion of a sale or a service provision;
- the communication concerns products or services similar to those already provided by the company;
- when the contact details were collected, the customer was informed of the use of these contact details for e-marketing;
- the customer is given, clearly and expressly, the opportunity to object to such use, at no cost and in a simple way:
  - when the contact details were collected, and
  - during each subsequent e-marketing communication.
III) In all cases, each e-mail must:
- specify the identity of the advertiser, and
- propose a simple way to object to receiving further messages (for example via the unsubscribe link at the end of the message).
Warning! If you do a mailing yourself, always put the recipients of your e-mails in blind copy (Bcc)!
What steps to take to protect employees’ data?
A lot of personal data relating to employees is needed to manage their career. For example, you need a lot of information to ensure:
- compensation and the mandatory social declarations
- the administrative management of the staff
- the organisation of work.
Ask your employees only for the information useful to do their jobs, and avoid processing sensitive data (union activity, political opinions, religion, ethnic origin, health).
If you have to deal with sensitive data, special obligations apply. Contact the DPO (for corporate headquarters) or the RDPC in your region (for BUs).
Make sure to ensure the confidentiality and security of your employees' personal data. Only authorised persons must have access to this personal data.
What compliance obligations apply to Accor headquarters and the Group’s hotels?
Compliance of the “central” tools (i.e. Tars, ResaWeb, the loyalty programme, HotelLink, etc.) is handled by the central teams.
Compliance of the use of personal data by the hotels is their responsibility (i.e. HR data, PMS data, etc.).
To help you, the Group will issue guidelines about the measures to be put in place to process personal data in compliance with the GDPR.
In case one or a group of a corporate client’s employees makes a reservation at a preferential rate as per the contract with this corporate client, Accor S.A and the hotel act as data controllers towards the personal data of these employees.
The corporate client remains data controller for the processing of its employees’ personal data for the purposes of travel and trip management.
Therefore, the contract between a sales office or a hotel and a corporate client must specify that each party undertakes, as data controller, to collect, process and store personal data for its own purposes, in compliance with the data protection regulation.
It is therefore not necessary to adopt any specific contractual measures (as stated in Article 28 of the GDPR), as neither Accor S.A, the BU nor the hotel processes personal data on behalf of the corporate client.
Warning! If a corporate client sends you a document providing for sub-processing of personal data between a data controller and a data processor, this document is not applicable to your situation.
- Contact the Corporate Legal Department if Accor S.A is party to the contract: a clause template will be sent to you.
- Contact the RDPC if a local sales office manages the relationship with the corporate client: a clause template will be sent to you.
We are currently working on updating contract templates!
According to e-marketing rules, the recipient must have been informed, at the time of collection, of the use that will be made of his or her e-mail address and of the right to object to it, except where special local provisions apply.
In all cases, each e-mail must:
- specify the identity of the advertiser, and
- propose a simple way to object to receiving further messages (for example via the unsubscribe link at the end of the message).
Warning! If you do a mailing yourself, always put the recipients of your e-mails in blind copy (Bcc)!
Where can I find the Group data protection policies and procedures?
We are currently setting up a dedicated intranet page, where you will find all the necessary information.
You can already find the customer personal data charter on the website www.accorhotels.com through this link: https://www.accorhotels.com/security-certificate/index.en.shtml
Who can I contact for questions about data protection?
For corporate headquarters: accorhotels.data.protection.officer@accor.com
For BUs: the RDPC (see the RDPC’s list)