Skip to main content
Solved

GDPR / Clear feature

Mick
Guru
Forum|alt.badge.img+6

We've observed that the usage of the clear function for GDPR anonymisation doesn't fully anonymise all data. Specifically, the guest's name remains on issued invoices and any the name on any tokenised credit cards. This information can then be retrieved through the bills and invoice report, allowing us to locate the guest record.

Should we be concerned about this? Do we need to consider deleting credit card information from a profile when we perform a Clear/anonymistation and raising with Mews regarding the guest name on the invoice? 

Best answer by andrew.star

Hi @Mick,  thank you for raising this query. GDPR is obviously very important, but it is not the only privacy law which affects how companies must retain data. For example, fiscal requirements also stipulate the content of the financial records as well as minimum retention period, which in most markets is ten years. Removing the guest names from invoices would violate this law. Mews has carefully engineered our anonymisation process with both sets of law in mind: those which require data to be removed, and those which require data to be retained.

It’s important to remember that the purpose of GDPR is to enforce the responsible use of customer data in the minimal scope needed for concrete purpose - not to prohibit collecting or storing it completely.

Please reach out if you have any further questions, and thanks again for raising this important subject.

View original
Mick Vazquez | Let's connect: www.linkedin.com/in/mickvazquez

medina.vultur
Mews Employee
Forum|alt.badge.img

Hi @Mick , thank you for raising your question with us! With regards to the card information, we are storing that encrypted, and indeed, under GDPR compliance, we offer the option of manually deleting the card - on customer demand when needed. 

Customer Names don’t need to be obfuscated, but under GDPR any data should be deletable on demand. I will let my colleague @coudert.mathias comment on the deletion of customer profile/name . 

We always have the option to remove data from DB with a script on demand/request. 

 

Kind Regards,

Medina

Medina - PM Payments Experience
Mick
1 person likes this
  • Mick
    Mick
coudert.mathias
Mews Employee
Forum|alt.badge.img

Thanks. Indeed cleaning the data is also depend on where the hotel is located. While Europe is more strict due to GDPR other countries have less strict laws. 
In any case, we invest a lot of time to make sure we remain compliant of every laws, but I will double check this information for you and confirm what should be done. 

Thanks

Mick
1 person likes this
  • Mick
    Mick
D
  • Dams
  • Superstar Apprentice
  • June 27, 2023
Hello Partner,For my part, I think that the names of the customers should be left with the tokenized card numbers. Since the card number is tokenized we are in agreement with the GDPR.Be careful though, MEWS must not take advantage of the GDPR law by asking hoteliers for too much money. You are starting to be too greedy on the price of tokenizations, especially since you are cashing certain reservations twice (booking bank number for example and that of the customer if he does his pre-check-in). If the customer cancels we even lose money for tokenizing the cards :(

See you

Damien

pierre.bazin
Mews Employee

Hello @Dams ,  indeed, due to rising network and underlying service costs, Mews recently increased tokenization fees, with the purpose to continue to ensure the highest level of PCI DSS security for you and your guests. I will reach you by email to discuss further this matter. 

Pierre

Mick
1 person likes this
  • Mick
    Mick
andrew.star
Mews Employee
Forum|alt.badge.img

Hi @Mick,  thank you for raising this query. GDPR is obviously very important, but it is not the only privacy law which affects how companies must retain data. For example, fiscal requirements also stipulate the content of the financial records as well as minimum retention period, which in most markets is ten years. Removing the guest names from invoices would violate this law. Mews has carefully engineered our anonymisation process with both sets of law in mind: those which require data to be removed, and those which require data to be retained.

It’s important to remember that the purpose of GDPR is to enforce the responsible use of customer data in the minimal scope needed for concrete purpose - not to prohibit collecting or storing it completely.

Please reach out if you have any further questions, and thanks again for raising this important subject.

Andrew - Product Manager @ Mews
coudert.mathias
1 person likes this
  • coudert.mathias
    coudert.mathias

Reply


Terms and ConditionsCookie settingsAccessibility statement

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings