GDPR: What You Need to Know

Commitment: How We're Adapting & Changes to Our Product

INTRODUCTION

At SevenRooms, we are fully committed to enhancing our platform to help customers like you easily comply with every applicable General Data Protection Regulation (GDPR) requirement. We are proactively working towards compliance for the May 25, 2018 enforcement deadline.

As a data processor under the law, we will support our customers with compliant data protection, data access, data portability, and governance.

Below are the basics that you need to know:  

(Disclaimer: This content is for informational purposes only. It is intended to inform SevenRooms’ customers of how GDPR compliance relates to us as a processor and to them as a controller of data within our platform. You should work closely with your legal counsel to know how this regulation affects your business as an individual entity.)

The 10-Second Version

What GDPR stands for: General Data Protection Regulation

Who it affects: Any company that collects or processes, as part of its business operations, personal data about individuals who reside in the European Economic Area (EEA) — this includes the EU, Iceland, Liechtenstein, and Norway.

How it works: This regulation distinguishes companies that collect information for their own use (controllers) from those that collect information as a vendor for another company’s use (processors).

In the context of using SevenRooms, we are the processor; you are the controller. We’ve taken proactive measures to ensure you’re in compliance as a controller.

What you need to do:

  1. Know what constitutes personal data. (Keep reading.)
  2. Make sure that your company has a clear plan of action in place to give any EU requester access to the data you’ve collected on them and to delete any data, if requested. (We give you this ability.) 
  3. Have a policy in place for customer-facing employees to know how to respond to requests from the public.

By when: This regulation becomes officially enforceable on May 25, 2018. While it is hard to predict how strongly enforced it will be, we strongly encourage you to be prepared.

How much noncompliance costs: Penalties for violating GDPR requirements can be as high as 20 million Euros or 4% of a controller’s global annual turnover, whichever is higher.

The 10-Minute Version

What is the GDPR?

The General Data Protection Regulation is a European law on information privacy that was approved in 2016 by the European Commission. It was established to strengthen, make consistent, and modernize EU data protection, especially as it applies to individual rights. It gives anyone in the EU the right to obtain, and to have erased, the personal data any business around the world captures about that person.

Because of this, companies outside of the EU must comply if they have even one type of personal data about one person in the EU. It’s called “extraterritoriality.” It doesn’t matter where your business is or where the data processing happens, as long as it involves an EU citizen.  

Even though the law was officially adopted in April of 2016, the months leading up to May 2018 have served as a grace period to allow businesses to develop and implement the right policies to ensure compliance.  

What does the GDPR require?

Below are the rights that individuals have with regard to the information you collect on them via the SevenRooms platform. If you receive a request from an EU citizen regarding one of the rights below, you have 1 month to take action.

Right to be forgotten: An EU citizen may request that a business delete all information about him or her, and this must happen without undue delay (one month maximum).

Right to object: An EU citizen may prohibit certain data uses.

Right to restrict processing: An EU citizen must give explicit consent in order for a controller to collect and process his or her data and/or opt him or her into marketing programs.

Right to rectification: An EU citizen can request that incomplete or incorrect data about him or her be completed or corrected by a controller.

Right of access: An EU citizen has the right to know what personal data is being processed and how. This means providing the person with a copy of their data free of charge.

Data portability: An EU citizen has the right to request that his or her personal data be transported from one organization to another.  

Right to be informed: As a business, you must be transparent about how you gather personal information, and you must have policy & clear communication in place before you collect data.

What is “personal data,” technically speaking?

Personal data is any information that is able to — either on its own or in conjunction with other data — identify an individual. That’s a broad-reaching definition. Let’s go through examples:  

  • Name
  • Social security number
  • Physical address
  • Phone number
  • Email address
  • IP address
  • Behavioral data
  • Health information
  • Biometric data (e.g. a picture, signature, etc.)
  • Financial information

How am I capturing personal data through SevenRooms?

Here are the types of personal data that you might be collecting:

  • First and last name
  • Phone number
  • Profile picture
  • Email address
  • Preferences or Allergies
  • Mailing address

What is SevenRooms doing to keep me compliant?

Below are the ways in which SevenRooms is proactively making GDPR compliance easier for customers like you when using our product. We are committed to:

1. Establishing governance for data protection

We are continually reviewing and refining our procedures, processes, and data processing architecture to maintain security and exceed all related compliance requirements.

2. Vendor audit

We are reviewing all vendors who act as sub-processors for SevenRooms data, auditing their approach to GDPR, and entering into DPAs where necessary.

3. Research

Working with independent consultants, legal counsel, and other technology firms to understand best practices, interpretation, and standards as they relate to GDPR.

4. Communication

Reaching out to and educating our customers on GDPR and its impact.

Assets for our customers: 

5. Product enhancements

By May 25, 2018, we will support faster, easier data processing for the export, deletion, and retention of data, so that you can respond to your own data subjects’ requests on a lawful basis.

Exporting Client Data

Adding a button for SevenRooms users to quickly and easily export client data, upon request. This will contain all profile information — including email and SMS communications from all reservations the guest has had.

Deleting Client Profile

Adding a button for SevenRooms users to easily and quickly delete a client profile, upon request. Deleting a profile will still maintain the integrity of your cover reporting, but will remove personal data like name, email, and phone number attached to this person and any reservations.

Seeing Activity History

For each guest Client Profile, you will be able to view a log of their opt-ins as well as your exports and modifications of their profile.

Opt Ins for Venue Groups and Individual Venues

During the reservation-booking process, guests will now see an option on your reservation widget to opt in at a venue group level (if applicable) or just for the individual venue that they are booking a reservation with.

The options that a guest chooses will show up in his or her Client Profile as an ON/OFF toggle (on a per-venue basis) and will show the consent given and the purpose of the opt-in.

Minimum Age of Consent

Venues will have the option to enable a checkbox on their widget that asks guests whether they are of the minimum age required to provide consent (13-16 years old, depending on country). You can also choose your own age to ask about (just make sure that your minimum age is low enough to comply with your country's requirements).

Subscription Center Link for Confirmation Emails

For any reservation made through your SevenRooms booking widget, the confirmation email a guest receives will contain a link where he or she can change his or her subscription settings. The email will link to a landing page where the guest can toggle ON or OFF what he or she is subscribed to.

GDPR Page Linked To For Guests, From Your Widget

This will be a page on the SevenRooms website that your widget links to, explaining that we are a processor and you are a controller of guest data. If you wish to link to your own page, you can replace our link with your own. 
Frequently Asked Questions

WHAT WE'RE HEARING:

  • Is SevenRooms compliant as a processor of data?
    • Yes, SevenRooms has taken appropriate measures to safeguard your guests' personal data. As of May 25, 2018, our product will have the capability for a user to meet requests from data subjects (guests) simply and efficiently.
  • Do I need to obtain consent before I save guest data?
    • Yes, any personal data requires specific opt-in and consent from your EU guests. The SevenRooms platform makes collecting and tracking these consents easy via product widgets, APIs, and client profile pages. 
  • How can I delete data when requested by an EU citizen?
    • The guest's profile page in SevenRooms will have a new remove button. Clicking this button and continuing through the subsequent "are you sure?" notification will perform a deletion.