Oaky’s Commitment to the GDPR

Hi lovely customers,

The GDPR (General Data Protection Regulation) is around the corner. Many of you have contacted us to be ready for May 25th 2018. To help you with a quick overview, we have created this page.

Now is the time to grab yourself a yummy cup of coffee or tea. Find out what we’re doing, and what you need to do to be GDPR compliant with Oaky (and any other data processor you may be using).

You can always reach out to us at privacy@oakyapp.com if you have any questions at all.


In this page we cover:

  • Section 1: Quick overview
  • Section 2: Oaky’s GDPR Roadmap
  • Section 3: What do Oaky customers need to do?
What is Oaky?
Oaky is a tool used by our Customer Accommodation Providers (hotels, hostels and serviced apartments) to communicate with their guests, and to offer specific services and upgrades that relate to the upcoming stay of their guests.
Data controller and Data Processor
The difference between a data controller and a data processor is that the controller determines the purposes and the means of processing, whereas the processor processes personal data only on behalf of the controller. In the context of our services, the Customer Accommodation Provider is the data controller, and Oaky is the data processor.
Data Processing Agreement
According to the regulation, the data controller and data processor must sign a Data Processing Agreement (DPA) that stipulates their relationship in regards to Client Personal Data. The DPA is specific per customer and will be sent to you by Oaky shortly.

Click here to sign our Data Processing Agreement (please download before filling in).

Do my guests need to give opt-in consent to use Oaky?
No. The Customer Accommodation Provider can send emails with an informational character with Oaky. These informational emails do not require expressed opt-in consent, as they fall under the legitimate interest under GDPR. Within legitimate interest, these informational emails are considered as part of the hotel stay and something that the hotel guest expects to receive when making a reservation with a hotel.

Oaky will offer templates of emails with informational character to all of its customers.

  • Thoroughly research the areas of our product and our business impacted by GDPR
  • Appoint a responsible person for privacy and data protection
  • Develop a strategy and requirements for how to address the areas of our product impacted by GDPR
  • Rewrite our Data Protection Agreement
  • Perform the necessary changes/improvements to our product based on the requirements
  • Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR
  • Thoroughly test all of our changes to verify and validate compliance with GDPR (being done incrementally as changes are completed)
  • Finalize and communicate our full compliance (this will be done when all work is completed which will occur prior to the effective date of the GDPR)

What do Oaky customers need to do?

There are three things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Oaky:

1. Update your Privacy Policy
The legal requirement to inform the guests of the processing activities (e.g. through a privacy policy) is an obligation for the Customer Accommodation Provider as the data controller.

Please make sure your Privacy Policy properly communicates to your users how you are using Oaky (and any other similar services) to process personal data and for which purposes the processing takes place (for example by means of providing upgrades, bike rental, restaurant reservations, etc). This requirement is also part of Oaky’s Terms of Service, but the GDPR can heavily penalize you if this is not done clearly.

Example:
“We may share your personal data with third parties offering services to us. An example of such a third party offering services to us is Oaky B.V. We may use the Oaky services to communicate with you and to offer you specific services and upgrades that relate to your stay with us. Oaky acts as a data processor of your personal data on behalf of us, with the purpose of offering the Oaky services to us. We require all third party service providers to respect the security of your personal data, to treat it in accordance with the law and to process your personal data only in accordance with our instructions.”*

*Please note that this text is merely a suggestion and that the hotels remain responsible for providing adequate information to the data subjects.


2. Sign the Data Processing Agreement (DPA)
The data controller is obliged to sign a DPA with all of its processors. We have prepared this DPA together with our legal counsel to be in compliance with GDPR.

Click here to sign our Data Processing Agreement (please download before filling in).

As data controller, you need to be able to answer five questions relating to your data processors towards your guests. These five questions are:

1. Which personal data does Oaky process on behalf of the Customer Accommodation Providers?

2. What is the purpose of the processing activities of Oaky?

3. How long does Oaky store the data for?

4. Which third parties have access to personal data (internal and external)?

5. How is the data protected?

To help you answer these questions, we have created this page: http://oakyapp.com/privacy-policy/.

Oaky (as data processor) is not legally required to have a privacy policy for the guests of the hotels, as it only processes the personal data on behalf of the Customer Accommodation Providers. The legal requirement to inform the guests of the processing activities (e.g. through a privacy policy) is an obligation for the Customer Accommodation Providers as the data controller.