The General Data Protection Regulation (GDPR) is a law that was passed by the European Union (EU) relating to data security and privacy for all citizens of the EU. The law came into effect on May 25th, 2018.
Amongst other things, the law covers:
- The obligations of companies that are based in the EU or that receive data from EU citizens;
- The rights of EU citizens in relation to the data they share.
Actions TourRadar has taken to become GDPR-compliant
TourRadar has sought and acted upon advice from external legal advisors, our investment board and GDPR specialists to ensure we comply with the provisions of the GDPR framework.
In the time since the law was adopted in April 2016, TourRadar has taken a whole range of steps to align with the requirements of the law, including but not limited to:
- Full encryption of all data storage areas
- Implementation of advanced intrusion detection
- Addition of dual-factor authentication for TourRadar's infrastructure access
- Creation of appropriate customer consent workflows for collecting and using personal data
- Documentation of processes and policies for data handling
Actions Tour Operators must take to become GDPR-compliant
The GDPR introduces the concepts of a 'Data Controller' (the organisation that originally receives the data from a customer) and a 'Data Processor' (the organisation engaged by the Data Controller to provide a good or service for the customer).
For all bookings processed via the TourRadar platform, TourRadar can be considered the 'Data Controller' and each tour operator the 'Data Processor'. In some cases, you might also be considered a 'Data Controller', in which case you need to ensure that you also comply with GDPR regulations as a controller. This relationship, which involves sharing customer data for the purpose of providing the requested services, implies some actions and responsibilities:
- The GDPR enshrines the right for a customer to request to be forgotten (have their personal data removed from systems). If a customer of TourRadar were to make such a request, then the tour operators providing the services need to work with us to comply with the customer request.
- If a tour operator becomes aware of a data breach of their systems which could have exposed personal data of TourRadar customers, there is a requirement to inform TourRadar of this breach in a meaningful timeframe.
- Without explicit consent from the customer and TourRadar, the GDPR legislative framework prohibits the sharing of a customer's personal data with any third parties not required for the provision of the services requested.
All Tour Operators with Tours listed on the TourRadar website (Marketplace) are required to agree to a ‘Processor and Non Disclosure Agreement’. Understanding and agreeing to the points in this document is a legal requirement for all companies in response to laws passed by the European Union.