Over the past several months, Cloudbeds has been preparing for the GDPR so that we can support our customers in their compliance efforts, while at the same time ensuring our compliance as well.
Please read on to discover what Cloudbeds has done to support these efforts as well as our ongoing commitment to the GDPR and Data Privacy.
What is the GDPR?
Over a year ago, the European Commission approved and adopted the GDPR (the “General Data Protection Regulation”), which is the biggest change in data protection laws in Europe in over two decades. The GDPR aims to strengthen the security and protection of personal data in the EU and will replace the Directive and all local laws relating to it.
Is Cloudbeds committed to the GDPR and other Privacy Controls?
Absolutely - and that's why Cloudbeds has made numerous product, policy, and technology changes to ensure that your data, and the data of your guests, is GDPR compliant. We are also working toward compliance within the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Cloudbeds complies with the provisions of the General Data Protection Regulation (“GDPR”) made effective in the EU on May 25, 2018, and we are pursuing certification under the EU and Swiss Privacy Shield protocols. We are committed to protecting the security of your personal information, and we take commercially reasonable technical and organizational measures that are designed to that end.
If you wish to opt out of any disclosures of your information to third parties or to prevent the use of your personal information for a purpose that is materially different from the purpose for which it was originally collected, you may log into your account and make changes necessary. The use of your information can be limited, or the information can be corrected, deleted, or exported to you or a third-party of your choice, except as required by law as indicated above.
Please read below to discover additional information about how Cloudbeds stores and processes data, and the changes we have made for GDPR and Data Privacy.
Although the GDPR was adopted by the Europian Union, it has far-reaching implications to any business that maintains a web presence and markets to or provides services to a citizen of the EU. In short, any business that collects and/or processes personal data of an EU Citizen will need to abide by the GDPR. And even if you don't, similar Privacy Controls are currently being planned in the U.S. and other parts of the world.
Per Section 22 [GDPR Obligations] within our Terms of Service:
If you (1) are established in the European Union (“Union”), (2) offer goods or services to data subjects in the Union (whether or not they have to pay anything), or (3) monitor the behavior of any individuals that occurs in the Union, then you must comply with the provisions of the GDPR with respect to your use of the Services. Without limiting the generality of the foregoing, you must:
1. Obtain the consent of any data subject about whom you gather any personal data (as that term is defined in the GDPR using the Services, unless you have established that you are authorized to process information about such data subject under another lawful basis (such as a legitimate interest or contractual basis for processing such information). The consent you obtain must be clear and in compliance with the provisions of the GDPR;
2. Use the personal data you obtain using the Services only for the purposes for which consent is given or for other purposes allowed by the GDPR;
3. Notify us immediately if any data subject makes a complaint regarding your use of their personal data; and
4. Comply with any reasonable request we may make regarding compliance with the GDPR and cooperation with any applicable data protection authority.
The EU General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.
There are many websites and resources to learn about GDPR. Some of the ones we recommend are:
- The official GDPR website: https://www.eugdpr.org/
- The UK Information Commissioner's Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Searchable version of the GDPR: https://gdpr.algolia.com/
The personal data transferred concern the following categories of data subjects:
- Prospects, customers, business partners and vendors of data exporter (who are natural persons)
- Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of data exporter (who are natural persons)
- Data exporter’s Users authorized by data exporter to use the Services
Categories of Data
The personal data transferred include, but not limited to, the following categories of data:
- First, Middle, and Last Name
- Contact Information (Company, email, phone, physical home address)
- ID Data
- Professional Life data
- Personal Life data
- Connection data
- Financial Data (credit cards, banking information)
- Localization data
Special categories of data (if appropriate)
The personal data transferred include, but not limited to, the following special categories of data:
Data exporter may submit special categories of data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Cloudbeds implements security best practices, including encryption of sensitive data, secure transmission of sensitive data, and strong access control via firewalls, virtual private networks (VPN), and multi-factor authentication (MFA)
Cloudbeds will process personal information as long as necessary for the purposes described in the Data Processing Addendum, unless a longer retention is required by law.
Cloudbeds will process personal information by handling, storing, sharing with Subprocessors, accessing and reviewing Personal Information for the Processing purposes set out adjacent.
Excellent question. Here is a list of the many ways in which Cloudbeds is evolving to ensure your data is protected
Updated Terms of Service
Information about accepting our Terms of Service is located here.
Data Processing Agreement
Enbaling Security Compliance Settings for GDPR
Learn how to Enable Security Compliance Settings.
Guest Data Extraction (right to data portability)
Discover how to Extract the Guest details.
Guest Data Anonymization (right to be forgotten)
Learn about how to Anonymize Guest Data.
Guest Opt-In Controls (Marketing Consent)
Secure Marketing Consent for your guests.