
We've observed that the usage of the clear function for GDPR anonymisation doesn't fully anonymise all data. Specifically, the guest's name remains on issued invoices and on any tokenised credit cards. This information can then be retrieved through the bills and invoice report, allowing us to locate the guest record.

Should we be concerned about this? Do we need to consider deleting credit card information from a profile when we perform a Clear/anonymisation, and raising the guest name on the invoice with Mews?

Hi @Mick, thank you for raising your question with us! With regards to the card information, we are storing that encrypted, and indeed, under GDPR compliance, we offer the option of manually deleting the card - on customer demand when needed.

Customer names don’t need to be obfuscated, but under GDPR any data should be deletable on demand. I will let my colleague @coudert.mathias comment on the deletion of customer profile/name.

We always have the option to remove data from the DB with a script on demand/request.

 

Kind Regards,

Medina


Thanks. Indeed, cleaning the data also depends on where the hotel is located. While Europe is more strict due to GDPR, other countries have less strict laws.
In any case, we invest a lot of time to make sure we remain compliant with every law, but I will double check this information for you and confirm what should be done.

Thanks


Hello Partner,

For my part, I think that the names of the customers should be left with the tokenized card numbers. Since the card number is tokenized, we are in agreement with the GDPR.

Be careful though, MEWS must not take advantage of the GDPR law by asking hoteliers for too much money. You are starting to be too greedy on the price of tokenizations, especially since you are cashing certain reservations twice (booking bank number for example and that of the customer if he does his pre-check-in). If the customer cancels we even lose money for tokenizing the cards :(

See you

Damien


Hello @Dams, indeed, due to rising network and underlying service costs, Mews recently increased tokenization fees, with the purpose of continuing to ensure the highest level of PCI DSS security for you and your guests. I will reach you by email to discuss this matter further.

Pierre


Hi @Mick, thank you for raising this query. GDPR is obviously very important, but it is not the only privacy law which affects how companies must retain data. For example, fiscal requirements also stipulate the content of the financial records as well as the minimum retention period, which in most markets is ten years. Removing the guest names from invoices would violate this law. Mews has carefully engineered our anonymisation process with both sets of law in mind: those which require data to be removed, and those which require data to be retained.

It’s important to remember that the purpose of GDPR is to enforce the responsible use of customer data in the minimal scope needed for a concrete purpose - not to prohibit collecting or storing it completely.

Please reach out if you have any further questions, and thanks again for raising this important subject.

