GENERAL DATA PROTECTION REGULATION (EUROPEAN UNION)
This FAQ is for current and future customers of Cosmo. This covers everything you need to remain GDPR compliant while using Cosmo.
The General Data Protection Regulation (the “GDPR”) is effective from 25th May 2018 and is aimed at harmonizing the privacy regulations of the European member states. The aim is to give European citizens control over their personal information. As a company, Cosmo is not in the habit of monetizing customer data for its own financial gain. The customer data is used only for the purpose of assisting hospitality customers in engaging with their guests. The GDPR imposes strict privacy and security requirements to ensure transparency about how personal information is stored, transmitted, handled and processed. We must allow European Union citizens to ask for their data to be purged, corrected or exported at their request. As such, an onus is placed on us to embed policies that control how this data is processed, protected and managed. Even though the GDPR allows for such data to be transmitted outside of the EU, strict rules apply on how and when this can happen. In line with that, Cosmo has taken steps and put in place protocols that balance the legalities of personal data privacy with the commercial needs of customers.
WHAT IS THE COMPLIANCE STATUS OF OUR PRODUCTS?
Every effort has been made to ensure that any product designed & developed by Cosmo meets the requirements stipulated by the GDPR. We have also taken steps to ensure that any service provider we engage is also GDPR compliant. This is to ensure that each step/stage of the development process is covered. FCS COMPUTER SYSTEMS asked EVA Group/BSSI to conduct a GDPR audit on its solutions in May 2018. Cosmo is GDPR ready.
WHAT DATA IS COLLECTED WITH COSMO?
Cosmo can collect the following kinds of information: name; phone number; email address; reservation details; customer requests; application usage data. Our products do not collect information of higher sensitivity, such as ethnicity, sexual orientation, credit card information, etc., even though the GDPR allows for it, albeit under strict protocols.
HOW IS THIS DATA PROTECTED?
The data collected is stored in a secure facility. We also ensure that any third-party partners and vendors are GDPR compliant.
DATA PROCESSOR VS DATA CONTROLLER?
As a hospitality customer, you are a data controller, as you would collect the customer data and there is a direct nexus between yourselves and the customer. Conversely, FCS is a data processor. This means that, by using Cosmo, the data you collect from guests is processed in compliance with GDPR protocols. We can only share data on your specific instructions.
COULD THE SECURITY BE BREACHED?
In the unlikely event that this happens, FCS will notify you immediately and assist you in your notification obligations.
WHAT IS A DATA ACCESS REQUEST?
This is the right of EU citizens to correct, erase or export their data, and these requests must be fulfilled within thirty days. If you receive such a request, immediately inform all your data processors. We will comply with the request within 21 days, which would give you ample time to respond to the requestor within the GDPR-stipulated 30-day window.
The rule is that you should be transparent about any data processors you are working with, so a guest should be informed about who you are partnering with when it comes to the collection, processing and storage of their personal information.
This FAQ is by no means to be construed as legal advice. We recommend you see legal counsel if necessary, as ultimately the onus is on each party to ensure compliance. The purpose of this FAQ is to assist in understanding how Cosmo handles its GDPR compliance, in easy-to-understand vernacular.