This document is intended for current and prospective clients of Maestro products, addressing the entire Maestro Suite, the ResWave Booking Engine and the GEM Guest Feedback system (collectively “Maestro”). This document addresses the status of our products to help you ensure that our products fit in with your General Data Protection Regulation (“GDPR”) obligations.
The General Data Protection Regulation goes into effect on May 25, 2018. The regulation helps E.U. Citizens (“Data Subject(s)”) stay in control of their information, and Maestro agrees with this principle.
It is critical to note that our products represent only a subset of those products affecting your GDPR compliance obligations, and we recommend you consult with your other vendors, website providers, legal counsel, and security assessors to ensure you are fully compliant with the regulation.
This document is not intended to educate you on the specifics of GDPR, but rather to make clear the role of Maestro in this regard. We advise that you seek qualified legal counsel and regulatory advice from your business professionals. You can learn about the details of the GDPR on the GDPR website.
In brief, this regulation specifies that guests must supply written consent to the use of their personal information. It gives them the right to access their data, to know how it is being used, to withdraw consent and to be granted the “right to be forgotten”. The GDPR calls for consent from guests to be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Maestro continues to work with our legal, privacy, and cybersecurity advisors to audit its products and processes for GDPR compliance. In accordance with the regulation, we have balanced the need for security and data privacy protection with the legal, contractual, and commercial requirements of hoteliers.
DATA CONTROLLER vs DATA PROCESSOR
It is important to distinguish where each party fits under the GDPR. If you are self-hosting or using the on-premise version of Maestro, you are considered both a data controller and data processor under the regulation. If you are using the cloud-hosted version of Maestro, hosted by us for your use, then Maestro is the data processor, and you are the data controller. In the case of ResWave and GEM, regardless of how Maestro is hosted, you are the data controller and Maestro is the data processor.
Hoteliers decide what data they collect and they have the direct relationship with the guest, so hotels are data controllers under GDPR. Maestro is a data processor, so we are restricted in how we use the data we collect. When you use Maestro, your guests’ data is processed in a GDPR compliant and secure way.
DOES MAESTRO SHARE GUEST DATA?
As a data controller, you have the right to know exactly when Maestro processes your clients’ subject data and what we do with it. Maestro does not share any data outside your daily operational needs. Maestro only shares data through integrations you may use on property, including such integrations as GDS/OTA, Revenue Management, Credit Card, POS, PBX, Voicemail and others. As part of GDPR, our integrations are required to let each other know when a request to be forgotten has been initiated by a guest. As such, we are working with all our integration partners to facilitate these changes. Our Maestro proprietary API (aka Genomi), as well as our Comtrol integrations, comply with this requirement in version 5.5. Compliance with other vendors will take time as we coordinate with them and their preparedness for this requirement.
MASTER AGREEMENT CHANGES
The GDPR requires that data controllers define how data processors use the data they receive from data controllers, and it is required that this be updated in our Master Agreement with you so that we both remain compliant. Maestro stores data in secure data centres based outside of the EU, and the GDPR allows this when we agree to standard contractual clauses that guarantee the security and privacy of that data. Maestro will contact all our clients with the necessary information to update our Master Agreement clauses as they upgrade to our GDPR compliant versions.
MAESTRO COMPLIANCE STATUS
Development of Maestro has been designed with data privacy as a principle and has been audited under PA-DSS (PCI) to meet the internal development requirements of a secure environment.
Maestro Suite (Front Desk, Sales & Catering, Spa and Activities, Owners, Members, Guest Engagement, Accounts Receivable) is GDPR-ready starting with version 5.5
In order for Maestro and its related products to be compliant, Maestro is completing the required product changes to support compliance with the GDPR in version 5.5. This includes new features such as:
- Enhanced change logs to allow you to track guests’ privacy preferences with change reason codes.
- A printable and exportable report, suitable for sharing with a guest, detailing all the personal information contained within Maestro.
- A new option to specify a data retention period to permit you to maintain compliance with legal requirements prior to removing any individual’s personal information. This will also be useful to conform with protection from chargebacks, where the guest’s “right to be forgotten” may conflict with chargeback time limits, and other legal requirements.
- Anonymization will enable you to “forget” a guest upon their request. This function will replace all personal information with generic data, meeting GDPR obligations while keeping your data intact for reporting and historical accuracy.
ResWave is secure but is not yet GDPR ready
ResWave continues to operate as a secure platform that is PCI-compliant and does not store credit card data, but it does hold guest data that falls under GDPR. There are GDPR requirements under which guests can request their data be exported or deleted, and ResWave does not currently comply with those requests; these requests must be managed manually for the time being. This feature is being designed for development under version 5.5 of Maestro.
GEM is secure but is not yet GDPR-ready
GEM (Guest Experience Measurement), our guest survey product, is not GDPR compliant for those guests who choose to identify themselves during the survey process. As noted above, there are GDPR requirements under which guests can request their data be exported or deleted, and GEM does not currently comply with those requests; these requests must be managed manually for the time being. This is being addressed to meet the GDPR deadline.
What about Data Mining Tools, Like Maestro Analytics?
If you use any third-party tools to access the Maestro data or use a tool like Maestro Analytics that mines the Maestro database directly, it is conceivable that you will access data that falls within the definition of personal information under GDPR. Since the database is accessed outside of Maestro in these cases, it is not possible for Maestro to track the transfer of this information. Therefore, it is recommended that queries be deleted as part of a standard practice once the data analysis has been done, and subsequent mining efforts be done with fresh data, which will be updated as appropriate for GDPR in Maestro. When mining data, Maestro can provide guidance on how you should observe any privacy settings configured for individual guest data being retrieved.
WHAT DATA DO HOTELS COLLECT WITH MAESTRO?
Maestro can collect the following kinds of information based on your use (some are mandatory, such as name, and others are optional based on your use):
- Phone Number
- Email Address
- Mailing Address
- Booking Details (Reservations, Bookings, Activities)
- Client Requests
- Client Health Information
- Client Preferences
- Cardholder Information
- Social Security Number
- Passport Information
- Driver’s License
- Client Photo
- Date of Birth
- Country of Birth
- Wedding Anniversary
- Traveler’s Visa Number
- Application Usage Data
- User Fields (Clothing Sizes, Personal Preferences, Etc.)
The GDPR gives additional protection to extremely personal information like ethnicity, health status, sexuality, and religious affiliation. Based on your operation and usage needs, Maestro products allow hoteliers to collect and store some of this kind of information. Please review with your advisors if you should cease to hold some of this type of information.
HOW IS THIS DATA PROTECTED?
For cloud-hosted clients, the data collected is kept in secure data centres that have up-to-date physical and technical measures for protection. Maestro staff do not have physical access to these data centres.
For on-premise clients, you are responsible for the physical and technical security of your environment.
Most importantly, the data collected in any environment must be protected by your staff. Human error is a significant, albeit often innocent, threat to data security. Training around privacy and security can help your staff prevent data being compromised. Following PCI security guidelines and adhering to them goes a long way to protecting your data. This includes using strong passwords, proactively retiring expired usernames, and limiting outside access to your network by maintaining secure firewalls.
WHAT HAPPENS IF MAESTRO DATA IS BREACHED?
Under GDPR, Maestro is required to notify you within 72 hours in the unlikely event that there is a breach of our secure storage systems, and we are prepared to meet that obligation and assist you as reasonably as possible should this occur.
HOW SHOULD OUR HOTEL HANDLE DATA ACCESS REQUESTS?
The GDPR gives people certain rights to correct, erase or export their data, and these requests must be fulfilled within thirty days. When you receive a request, it is critical that you communicate this request to all of your data partners, including Maestro, as soon as possible. Maestro is committed to complying with data requests within 15 business days, in order to give you time to include our response in the thirty-day period.
DO I NEED GUEST CONSENT TO KEEP THEIR DATA IN MAESTRO?
Any time you collect guest data you must have a legal basis to do so. One basis of consent is performance of a contract. You have a contract with your guest to provide hospitality services. You can collect the data you need to perform that contract, and Maestro provides the means for you to do so. This is all perfectly compliant with the GDPR without additional consent.
Maestro is not qualified to provide legal or regulatory advice regarding GDPR, and ultimately you are responsible for your compliance with all laws and regulations. This document represents a dedicated effort, working with our legal counsel and advisors, to understand GDPR and its impact on hospitality. Please perform your own due diligence with your legal counsel and advisors to ensure that you are sufficiently protected.