
GDPR

About GDPR

GDPR stands for “General Data Protection Regulation”. It establishes a framework for handling and protecting the personal data of EU-based citizens and has been in effect since May 2018. The purpose of the regulation is to give EU citizens better control over their personal data and to protect their information. The customer’s consent to how their personal data is stored and handled is key.

Visit Group stores personal data on behalf of our customers, the personal data controllers, which makes us a personal data processor. We have been fully GDPR compliant since May 2018. Visit has implemented functionality in our platforms to ensure that customer data is stored and processed in accordance with the regulation.

Visit Group’s efforts in facilitating our customers’ GDPR compliance

You are the controller of the personal data, and Visit acts solely on your behalf as data processor

Through the data processor agreement, Visit ensures that we process your collected data in a secure and professional manner:

  • We have corresponding data processor agreements in place with our colocation hosting provider
  • We have been refining our internal security processes and have changed database access for applications as well as individuals
  • We have been developing a process to ensure that review or anonymization of your clients’ data is handled and delivered in a thorough and sufficient manner

You may contact us on behalf of your customers to reveal and/or anonymize personally identifiable data, as follows. Visit Group will not deal with requests directly from consumers since you, the licensees, are the owners of your data.

  • Data regarding a booking which is not considered personally identifiable data will not be anonymized
  • The burden of proof regarding who is to be anonymized lies with you; if we are unsure about a certain individual, we will get back to you and ask for more information
  • After you have requested a reveal and/or anonymization through our regular points of contact, you will get an answer from us within 30 days
  • We will not anonymize data connected with accounting, since the European accounting laws currently trump GDPR and you must therefore comply with those first and foremost
  • The anonymization process is irreversible, i.e. we cannot undo the process once you’ve ordered it

Visit Group works with the following subcontractors, which may also have access to some of the personal data stored for our customers.

Infracom Managed Services AB – Hosting and server provider which, among other things, stores data and backups for BookVisit and Citybreak.

Twilio / Sendgrid – The mail service Sendgrid and the text message service Twilio are used to send out booking confirmations.

Microsoft – Azure, cloud storage service for customers with Citybreak and iTicket.

Freshdesk – Support system that can receive issues containing personal data about a booking described in a support case. In this case, the information is sent to Visit from the personal data controller.

Mailchimp – E-mail marketing system, which is used to send e-mail campaigns and newsletters.

Cloudflare – Provider of a web application firewall. Cloudflare gets access to the IP addresses of visitors to our pages and stores the IP addresses for a limited amount of time.

Delecsys – IT technicians that can access the server environment in order to work with maintenance and improvements to the environment.

Aixia (formerly CGiT) – IT technicians that can access the server environment in order to work with maintenance and improvements to the environment.

MongoDB – Hosting partner for the iTicket database.

GDPR in more general terms

Anonymization of Data

An important part of GDPR is the customer’s right to be forgotten, either at the customer’s request or after the time period you have determined for storing your customer information (which must be documented and justified).
The anonymization function can be run on an individual customer or on all customers who, for example, have not been in contact with you within a certain period of time.
The anonymization feature obscures personal identifiers, such as name, e-mail etc., but retains some anonymous demographic data for anonymous long-term statistics.

Additional confirmation box when booking, ordering a brochure or other contact

An additional privacy policy textbox, which the customer may read through to confirm consent under the GDPR, is added to your online environment upon request. You may start to create such a policy already, as it will be a vital part of explaining what you store, why, and for how long. In this policy you may also describe the measures the end customer must take in order to be forgotten and to exercise other rights under the GDPR.

SSL, encryption of all information sent over the website

For a long time, most of our customers have chosen to use SSL (https) for their entire website and booking. GDPR requires security for personal data and, for example, mentions encryption as an appropriate measure, even if it is not a specific requirement.
There are many other benefits of SSL for the entire website. For example, more and more browsers show a warning for sites that are not served over SSL, Google rewards SSL in search results, and customers feel more secure when they visit the site and make reservations. If you do not have SSL today, we recommend that you contact us and order this as soon as possible.

Portability of personal data

The ability to extract a person’s data in readable, standardized formats is introduced to fulfill the requirement that data be easy to transfer to those requesting it.

 
