GDPR and Visit Group
Updated: July 2021
Are you familiar with GDPR yet?
GDPR is the data protection act which applies since May 25th 2018 throughout the EU and EES. Complying with GDPR is important. Please read this brief information and ascertain that you, if you are a Visit Group customer, have received and signed our data processor agreement. If you know that your organization hasn’t already signed this agreement, we urge you to contact [email protected] as soon as possible.
Understanding GDPR
Most companies experience some uncertainties when interpreting GDPR. While many of you have questions, Visit Group can/should not take the role of a legal advisor. We are using a law firm called Zacco (www.zacco.com) to aid us in our legal inquires. Zacco are responsible for forming the data processor agreement and they are experts. If you should have legal questions, we urge you to contact a firm such as Zacco to ensure compliance for you as an organization and get the best answers suited for your needs.
Visit Group’s efforts in facilitating our customers’ GDPR compliance
You are the controller of the personal data and Visit solely acts on behalf of you as data processor
Through the data processor agreement, Visit ensures that we process your collected data in a secure and professional manner:
- We have corresponding data processor agreements with our colocation hosting provider in place
- We have been refining our internal security processes, and have altered database admittance for applications as well as individuals
- We have been developing a process to ensure that reviewing or anonymization of your clients’ data is being handled and delivered in a thorough and sufficient manner
You may contact us on behalf of your customers to reveal and/or anonymize the personal identifiable data as follows. Visit Group will not deal with requests directly from consumers since you, the licensees, are the owners of your data.
- Data regarding a booking which is not considered personal identifiable data will not be anonymized
- The burden of proof regarding who is to be anonymized lies in your hands, if we are unsure of a certain individual, we will get back to you and ask for more information
- After you have requested a reveal and/or anonymization through our regular points of contact, you will get an answer from us within 30 days
- We will not anonymize data in conjunction with accounting, since the European accounting laws currently trump GDPR and you must therefore comply with that first and foremost
- The anonymization-process is non-revocable, i.e. we cannot undo the process once you’ve ordered it
Visit Group is cooperating with the following subcontractors that may also have access to some personal data stored for our customers.
Infracom Managed Services AB – Hosting and Server Provider which, amongst other, stores data and backups for BookVisit and Citybreak.
Twilio / Sendgrid – The mail service Sendgrid and the text message service Twilio are used to send out booking confirmations.
Microsoft – Azure, cloud storage service for customers with Citybreak and iTicket.
Freshdesk – Support system that can receive issues containing personal data on a booking described in a support case: In this case, the information is sent to Visit from PUA.
Mailchimp – E-Mail Marketing system, which is used to send e-mail campaigns and Newsletters.
GDPR in more general terms
Anonymization of Data
An important part of GDPR is the customer’s right to be forgotten; at the customer’s request or after the time period you have determined to store your customer information (which must be documented and motivated).
The anonymization function can be run on an individual customer or on all customers who, for example, have not been in contact with you within a certain period of time.
The anonymization feature obscures personal identifiables, such as name, e-mail etc, but retains some anonymous demographic data, for any anonymous long-term statistics.
Additional confirmation box when booking, ordering a brochure or other contact
An additional privacy policy textbox that the customer may read through to confirm consent under the GDPR is added to your online environment upon request. You may start to create such a policy already, as it will be a vital part of what you store, why and how long. In this policy you may also add the measures the end-customer must take in order to be forgotten and to exercise other rights under the GDPR.
SSL, encryption of all information sent over the website
For a long time, most of our customers have chosen to use SSL (https) for their entire website and booking. GDPR is entitled to personal data security and, for example, mentions encryption as an appropriate measure, even if it is not a specific requirement.
There are many other benefits of SSL for the entire website. For example, more and more browsers show a warning for sites that are not through SSL, Google praises SSL in search results and the customer feels more secure when they visit the site and make reservations. If you do not have SSL today, we recommend that you contact us and order this as soon as possible.
Portability of personal data
The ability to extract a person’s data in Readable standardized formats is introduced, to fulfill the requirement of ease-of transfer of data to those requesting it.
Infracom Managed Services AB (formery PIN Sweden AB, same company)
Gamlestadsvägen 1
415 02 Göteborg
Sweden
Twilio Inc. (Sendgrid)
375 Beale Street, Suite 300
San Fransisco, CA 94105
USA
US-based data centers are located in Herndon, Las Vegas and Chicago.
Microsoft AB
Regeringsgatan 25
111 53 Stockholm
Sweden
Freshworks, Inc.
2950 S.Delaware Street
Suite 201
San Mateo
CA 94403
USA
The Rocket Science Group, LLC (Mailchimp)
675 Ponce de Leon Ave NE
Suite 5000
Atlanta
GA 30308
USA
Need help?
If you require help with your agreement, we recommend you to find an expert. If you haven't signed your GDPR agreement with us yet, contact us!
Email us
Want to know more about us?
Do you want to know more about us? No problem, there are several ways to get in touch with us.
Contact us