GDPR

REGULATORY COMPLIANCE ON DATA PROTECTION OF THE CHEKIN APPLICATION

The provision of new intermediation services by online applications, given the existence of scattered regulations in this area, may raise certain doubts as to the legality of such intermediation, especially with regard to current data protection regulations.

Being aware of this situation, CheKin Soluciones Digitales S.L. (hereinafter CheKin) considers it important to carry out a legal analysis of its application for the purposes of legal compliance. To do this, we must start by identifying the service provided by CheKin, which is basically defined as a mobile application that allows the identification of guests of hotel establishments through the reading of their ID information, transferring this information both to the owners of the accommodations and to the security forces of the State, without this ID being scanned, given that OCR (Optical Character Recognition) technology is used, a text digitalization process that has been used by hotels for decades.

From this definition we can analyze the clear legal risks in its conception and the legal needs it generates from the point of view of the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR.

To verify compliance with the GDPR, we must determine in which role CheKin enters the legal relationship, since the obligations associated with it depend on that role. There are two possible cases: in the first, it is the data controller, which means that it determines the purpose of the processing, in short, what is going to be done with the personal data; in the second, it is the data processor, carrying out a specific task relating to processing ordered by the data controller.

 

This is important since the GDPR in art. 92, obliges organisations whose main activity consists of processing that requires regular and systematic observation of citizens on a large scale, or in the large-scale processing of special categories of personal data, or data relating to convictions and criminal offences, to appoint a duly qualified Data Protection Officer.

In this case, it is clear that Chekin’s function is none other than that of data processor with respect to the data controllers who transfer the information to them, since it only carries out the management that the data controller entrusts to it (registration of travellers and communication of this information to the State security forces, without carrying out additional processing of this personal information).

On the other hand, Chekin faithfully complies with the obligation to inform citizens about the processing of their data and about the exercise of their rights, since the GDPR in its art. 14 determines that organizations are obliged to inform citizens in a clear and simple way about the most important aspects of the processing of their data, identifying who processes the data, with what legal basis and for what purpose, and about the way to exercise the rights of access, rectification, suppression, limitation of processing, portability, opposition and automated decisions, including the elaboration of profiles. Organisations may not refuse to exercise these rights if the citizen wishes to exercise them in a manner different from that offered to him.

In the case of personal data of minors, where the processing of data is legitimised by consent, the organisation will obtain the consent of the minor when he or she is at least 16 years of age; and that of the parents or their legal representatives in the case of minors under 16 years of age.

Regarding the corresponding legal figure, that is to say, the data processor, we must then review whether it complies with the obligations imposed on it, which for practical purposes are mainly three:

  • The existence of a processor’s contract (as long as it does not previously belong to the company staff), which must be provided by the controller, setting out the duties and functions of the processor, the tasks to be performed and the security measures to be applied by the processor.
  • The register of the processing orders entrusted to it, something competently carried out on the basis of the obligations imposed by the GDPR, with the possibility of using the tool provided by the Spanish Data Protection Agency, an institution that is replicated in all European countries. That is to say, the creation of a processing register.
  • The application of security measures in accordance with the processing carried out, that is, when the data controller proceeds to rectify or delete the data, he is obliged to block them.

Therefore, we can conclude that if CheKin has the contract, registration and security measures established by law in all cases in which it contracts with customers, it is complying with the scope of application of the GDPR, and no illegality is found in this regard, given the basic treatment of the data analyzed.

In addition, another of the relevant issues is compliance with the extension of the prior information provided to the customer or user, so the content of the clauses and legal notices in emails, invoices and legal notices on your website must be adapted. In addition, these must be written in understandable language. The same applies to the obligation to regulate international data transfers. If data is to be sent or stored outside the EU, specific permission must be requested.

This prior, more detailed information will allow the free, informed, specific and unequivocal consent to be obtained for each purpose now required by the GDPR.

Having analyzed the fundamental points to which I have referred, I can only consider that the application does not present any illegality in the aspects mentioned and that it complies with the regulatory compliance of the GDPR.

Any possible incident in Chekin’s security will be immediately reported to public authorities, computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), providers of electronic communications networks and services and providers of security technologies and services may process personal data contained in security incident notifications only for the time and scope necessary for their analysis, detection, protection and response, always taking appropriate security measures proportionate to the level of risk.

  • Guest Registration

The CheKin application complies with the legal requirements of the local authorities of the European Union countries where it is available, since it records travellers in entry forms that follow the standardized forms of each country. In this line, the general obligations are:

  • Register the guests of accommodation establishments telematically with the local authorities.
  • Fill in the guest book with every guest entry form.
  • Keep these books at the disposal of the security forces of each state. Likewise, it automatically transmits the files, complying with the requirements of the GDPR, via the internet to the General Directorate of the National Policies, as allowed by articles 5 and 6 of the GDPR, leaving the signed register books archived and available to the said security forces for the legal period established by each state.
  • Therefore, the implementing regulations are scrupulously complied with in all their points.

In addition, the aforementioned implementing legislation does not establish at any point in its regulation that such information may not be transferred by the owner of a tourist home or hotel company to a third party company to carry out the management of that process. 

Therefore, the conclusion on CheKin’s compliance with the Citizen Security regulations can only be positive in all of its aspects.

CheKin complies with the previously mentioned obligations by studying the current legal framework for aliens in each European country and by keeping in touch with the local authorities that deal with the guest registration process:

  1. Spain. Orden INT/1922/2003, de 3 de julio, sobre libros-registro y partes de entrada de viajeros en establecimientos de hostelería y otros análogos.
  2. Italy. Decreto Legislativo 28 febbraio 2008, n. 32 “Modifiche e integrazioni al decreto legislativo 6 febbraio 2007, n. 30, recante attuazione della direttiva 2004/38/CE relativa al diritto dei cittadini dell’Unione e loro familiari di circolare e di soggiornare liberamente nel territorio degli Stati membri”.
  3. Portugal. Portaria n.º 415/2008 Aprova o modelo de boletim de alojamento e as regras de comunicação electrónica em condições de segurança, nos termos da Lei n.º 23/2007, de 4 de Julho, que aprova o regime jurídico de entrada, permanência, saída e afastamento de estrangeiros do território nacional.
  4. Germany. Bundesmeldegesetz vom 3. Mai 2013 (BGBl. I S. 1084), das zuletzt durch Artikel 11 Absatz 4 des Gesetzes vom 18. Juli 2017 (BGBl. I S. 2745) geändert worden ist.
  5. France. Décret n° 2016-1457 du 28 octobre 2016 pris pour l’application de la loi n° 2016-274 du 7 mars 2016 relative au droit des étrangers en France et portant diverses dispositions relatives à la lutte contre l’immigration irrégulière 
  6. Czech Rep. Act No. 222/2017, amending Act No. 326/1999 Coll., On the Residence of Aliens in the Czech Republic and on Amendments to Certain Acts.
  7. Austria. Bundesgesetz über das polizeiliche Meldewesen (Meldegesetz 1991 – MeldeG)
  8. UK. The Immigration (Hotel Records) Order N.1689/1972. 
  9. Croatia. ZAKON O PRUŽANJU TURISTIČKIH USLUGA (NN 68/07, 88/10 i 30/14).
  10. Slovenia. Zakon o prijavi prebivališča (ZPPreb-1), stran 7661.
  11. Greece. Αριθ.1500/3/1-γ’ ΑΣΤΥΝΟΜΙΚΗ ΔΙΑΤΑΞΗ υπ’ αριθ. 8 Αρχηγού Ελληνικής Αστυνομίας (ΦΕΚ Β’-1957/1.11.1999) όπως τροποποιήθηκε με την Αριθ.1500/3/1-κθ’ (ΦΕΚ Β1674/2003) Έγκριση της Αστυνομικής Διάταξης υπ’ αριθ. 8Α.
  12. Netherlands. Wet van 3 maart 1881 Wetboek van Strafrecht.

  • Statistical Obligations

Generally, in the tourism sector, according to the legislation of the countries studied, hotels and similar accommodation establishments have an obligation to transfer information about the number of their guests to the National Institutes of Statistics. They must respond to surveys, which are collected, as a rule, daily / monthly / yearly (depending on the country and the survey). In most cases, the answer is confidential and mandatory. They must answer electronically through online data collection, by sending completed forms by post, or by phone.

CheKin complies with this obligation by studying the current legal framework for statistical purposes and by keeping in touch with the statistical institutions to understand how surveys are submitted, which surveys accommodation establishments have to complete, and the automation of the process:

  1. Spain. Ley 12/1989, de 9 de mayo, de la Función Estadística Pública
  2. Italy. Legge n. 400 del 23 agosto 1988  (art. 24, Delega per la riforma degli enti pubblici di informazione statistica), D.lgs n. 322 del 6 settembre 1989 (Norme sul Sistema statistico nazionale e sulla riorganizzazione dell’Istituto nazionale di statistica, ai sensi dell’art. 24 della legge 23 agosto 1988, n. 400), in cui recepire le integrazioni e modifiche del  DPR n. 166 del 7 settembre 2010 (Regolamento recante il riordino dell’Istituto nazionale di Statistica)
  3. Portugal. Lei nº 22/2008 (D.R. nº 92 1ª Série, de 2008-05-13) — Lei do Sistema Estatístico Nacional, Decreto-Lei nº 136/2012, (D.R. nº 126 1ª Série, de 2012-07-02), Aprova a orgânica do Instituto Nacional de Estatística, I. P.
  4. Germany. das Gesetz über die Statistik für Bundeszwecke (Bundesstatistikgesetz – BStatG) in der Fassung der Bekanntmachung vom 20. Oktober 2016
  5. France. Loi n° 51-711 du 7 juin 1951 sur l’obligation, la coordination et le secret en matière de statistiques
  6. Czech Rep. Zákon č. 89/1995 Sb., o státní statistické službě
  7. Austria. Bundesrecht konsolidiert: Gesamte Rechtsvorschrift für Bundesstatistikgesetz 2000, Fassung vom 26.06.2019
  8. UK. The Statistics of Trade Act 1947
  9. Croatia. Zakon o službenoj statistici (NN, br. 103/03.)
  10. Slovenia. Zakon o državni statistiki 
  11. Greece. Νόμο 3832/2010 ΦΕΚ Α΄38/9.3.2010 Ελληνικό Στατιστικό Σύστημα (ΕΛ.Σ.Σ.) Σύσταση της Ελληνικής Στατιστικής Αρχής (ΕΛ.ΣΤΑΤ.) ως Ανεξάρτητης Αρχής.
  12. Netherlands. Wet op het Centraal Bureau voor de Statistiek 20 november 2003

For the preparation of official statistics it is necessary to process individual data, especially in the early stages of the statistical process. Both regulations establish special protection for these data through the figure of statistical secrecy. In addition, to fulfill the statistical obligation, in accordance with each national statistical law and Article 89 of the GDPR, CheKin complies with the safeguards and exceptions applicable to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes within the protection of personal data.
