GDPR & The Booking Factory

Evan Davies
The Booking Factory Blog
4 min read, May 15, 2018

If you haven’t been hiding under a rock recently, you will know that GDPR is nearly here and everyone (including us) is affected.

Data Processor & Data Controller

We are classed as a Data Processor, as we hold and secure your data.

You (the Property) are classed as the Data Controller and are the owner of the data.

Our Responsibility

As you can imagine, our responsibility is to secure the storage of all the data. We already have a strict security policy, encryption of all database content, and secure communication protocols (HTTPS).

All the data that comes into our platform is essential to complete a purpose (a hotel reservation), and we do not require any sensitive data or personal information.

Credit card security is handled by our partners PCI Booking, who are Level 1 PCI compliant.

Our Responsibility to You, the Customer

As a user of our systems, you will get our help staying compliant with the law, either directly or through tools we provide to keep you out of trouble.

We have an agreement available here for all current and future customers, in which we guarantee by contract that we will comply with GDPR. The contract is only valid if you are a current paying customer:

Please fill in the pre-signed contract and send it back to us at

The contract is valid upon receipt of the signed document in our email inbox.

What are we doing currently?

  1. We are adding a checkbox to the booking engine so the guest can also agree to the hotel’s privacy policy when booking. This cannot include being added to marketing lists etc.; it must relate only to their booking.
  2. We are not yet adding a checkbox for opting in to a marketing or mailing list. We may add this at a later date. For now, guests who book through the booking engine can only be contacted regarding their booking.
  3. We are looking for advice regarding reports and the export of reports which contain personal data. It is not our responsibility as the data processor, but we are looking for ways to help you (the Controller) with this issue. We will most likely upgrade our user profiles so you can limit actions on the system to certain users only, and possibly add a log of actions relating to this.
  4. All data is encrypted by default, but we will continue to monitor how we store data and whether any more secure ways are possible.
  5. We will look to add some features to delete personal information from customer profiles, and possibly a setting to auto-delete all customer profiles after a certain time has passed. All of these will be optional settings. We have to balance this against the law, which states that all booking information must be kept for 1 year and invoices must be kept for 7 years. It will be up to you, the data controller, to decide how to proceed.

Your Responsibility

You have it really easy! Thanks to us taking most of the pain for you, there are only some small rules you need to worry about.

Only use the information for its intended purpose:

You, as a hotel or accommodation provider, receive bookings with personal information. You are allowed to contact the guest in the lead-up to the booking about things regarding their stay. This can include offering upgrades or upsells, and also an email asking for a review after they have left.

Don’t use it for other purposes

Unless legally required to do so (for example police reports that pass personal details to the police or government), you must not use the data you have collected for email marketing, selling the information to third parties, etc.

If you wish to do email marketing, the best way is to gain consent from the guest, and you also need proof of this consent. So perhaps add a link to your mailing list in your emails so they can choose to add themselves to it.

Mailchimp would help with this.

Be careful about printing copies

I know many hotels print everything; this puts the liability on you to securely store it and to have a system to search this information if someone asks whether you have their information. Remember to cross-shred all information and not put it into the bin in bulk.

Deleting Information

With invoices there is often a legal requirement to keep this information for many years, so don’t delete it if asked to do so without checking your legal requirements. Check your country’s regulations on the length of time you need to keep it. I believe the UK requires you to keep this info for up to 7 years. It’s possible that we could keep the invoice but delete all personal information, but we should get advice on this before implementing any mass deletion of data.

By default we don’t allow you to delete anything. Please contact us if you have any requests to find or delete data.

Conclusion — We will help

If you have any issues with the new regulations, or need anything deleted, searched, etc. because of a customer request, we can help you. We don’t charge for this, and you also cannot charge the customer for this service.
