Bookatable by Michelin’s GDPR preparations
In preparation for the implementation of the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018, we have prepared the FAQ below. This will let you know the steps that Bookatable have taken so far, and the actions that we will be taking in the next few weeks and beyond, to comply with the GDPR. You can be sure that your customer data will be handled correctly and safely by Bookatable at all times.
This document is applicable between Bookatable and restaurants when restaurants subscribe to Bookatable Services.
Frequently Asked Questions
1. Is Bookatable a data controller or data processor?
Our relationship with restaurants makes us the data processor. The data controller controls the data, while the data processor processes it on behalf of the controller. As a restaurant working with Bookatable, you have the status of the data controller, and the data will remain yours.
However, please note that where a diner books directly with Bookatable through a Bookatable-owned website or mobile application, Bookatable will be the data controller until such time that it transfers the data to the restaurant (where it will resume the role of a data processor on behalf of the restaurant).
2. What are the obligations of Bookatable?
We take our obligations in respect of personal data seriously, and are committed to ensuring that we always:
– process personal data fairly and lawfully, and in a transparent manner;
– only collect personal data for specified, explicit and legitimate purposes;
– keep the personal data relevant and limited only to what is necessary for the purposes of the processing;
– take steps to ensure that personal data is accurate and where possible kept up to date;
– ensure that personal data is secure and protected against unauthorised or unlawful processing, and that we use appropriate technical and organisational measures to protect the data.
3. What has Bookatable done to comply with its obligations as data processor?
Following a comprehensive audit, we prepared a detailed road-map to ensure that we are compliant with the GDPR. The road-map includes:
– comprehensively mapping where we receive, use, store and otherwise process personal data;
– reviewing and updating how long we keep personal data;
– updating the methods and internal controls we use to ensure the personal data is secured;
– updating our policies, procedures and standard documents; and
– working to ensure the rights given to individuals under GDPR are appropriately managed by us.
4. What is Bookatable currently working on?
Currently, we are finalising the new policies, privacy notices, and associated documents. This includes ensuring that all the necessary and appropriate information is provided to consumers under the transparency provisions, whether for marketing purposes, or otherwise. We are working closely with data protection experts in the Michelin Group to complete this work.
We are also completing any necessary modifications to our IT systems so that they align with the rights given to individuals under GDPR.
Many of our employees have already received training on aspects of the GDPR. We will be running a training programme throughout the business for the next few months to develop awareness and understanding of the GDPR, recognising its requirements and any industry standards that develop following the implementation of GDPR. This training is also designed to refresh employees’ knowledge on marketing consent requirements and track updates currently proposed under the Privacy and Electronic Communications Regulation.
5. What’s next?
We will continue to monitor our compliance with GDPR following 25th May; compliance is a state of mind for us, not just something to manage for a single day. We have a data protection committee, including key members of the management team.
6. Your role as data controller
We understand that our role as a supplier is key to your own GDPR compliance programme and we are committed to providing any information you require.
As a data controller, you are in control of the personal data collected during the provision of our services to you. We do not sell any customer data to any third parties or transfer any data outside the EU. We also do not market to your customers unless they have consented to us contacting them directly.
7. Marketing Opt-in
The GDPR sets a high standard for consent. To comply, Bookatable will change the current pre-ticked opt-out marketing consent boxes to unticked opt-ins. This will give diners the opportunity to consent by taking a positive action.
8. Our contractual relationship with you
Under GDPR, the relationship between a data processor and data controller requires a contract in place to set out what each party’s obligations are in relation to data protection.
A contract addendum which sets out the legal requirements under GDPR will be sent to you by your dedicated Bookatable account manager in the coming days.
Once you have received this, we will need you to sign and date it prior to 25 May 2018. This document only deals with data protection-related requirements and does not change any other terms and conditions which have been agreed between us.
If you have any further questions, please speak directly to your account manager.