With the upcoming GDPR regulations coming into enforcement on the 25th of May 2018, Staycity have undertaken development and procedural changes to ensure that Staycity are in compliance with the same. The privacy and security of our guests, employees and partners information is of the utmost importance to us and we have investigated our security and procedural measures to make sure we adhere to the new data privacy guidelines by design.

We have rationalized the outcomes in the following brackets:

Capture, process and disclose information fairly
All personal data that is captured by Staycity is used solely for the purpose it is collected for. This is made clear to our guests via a series of enhancements in our privacy policies, an online privacy statement, a ‘STAY IN CONTROL’ privacy self-serve platform, explicit requests for explicit consent within a specific purpose using emails, an extended online policy for cookies and a cookie preferences self-serve application and a data subject request portal.

To provide our services we may use third-parties to support our business and we have obtained clearance under a GDPR perspective using assessments and questionnaires that such vendors are in compliance with the new regulations. To avail of any of the ‘STAY IN CONTROL’ options please visit https://stayincontrol.staycity.com.

Use data in ways compatible with explicit purposes
Personal data which is captured is only used in accordance with a guest’s upcoming stay and may be used for marketing campaigns, updates on new properties, newsletters and guest profiling, only if the guests choose to be included in such activity using our ‘STAY IN CONTROL’ privacy preferences online module.

Information is safe and secure
Staycity uses PCI compliant companies for transmitting sensitive information such as credit card data (but not limited to) and in accordance with these standards we ensure that all data is kept safe and secure. We also made sure that data assets within our domain are all kept safe behind state of the art firewall technologies.

Ensure that it is adequate, relevant and not excessive
Staycity will collect only information that is relevant to the services we offer both from our guests, our employees and our vendors.

Data Retention
As part of the new GDPR guidelines data controllers are encouraged to delete data if it is no longer required for any business need.
The default settings for the data purging, so far, are as follows:
– Our current process ensures that Credit Card information is deleted after three months from the last completed transaction.

Subject Access Requests
Staycity provides a web form for any guest, vendor, employee or prospected employee who wishes to avail of the nine enhanced data subject rights under the GDPR regulations. So, in the event data subjects want to be forgotten, have their data made portable, object to profiling, or for example want to have their data updated, they will be able to issue a request which will be evaluated and if qualified will be replied to within 30 days.

The entire process will be kept on file for proof of action and completion within the regulation guidelines. This self-serve tool is powered by our GDPR partner OneTrust. To avail of these options right now please visit https://app-de.onetrust.com/app/#/webform/a10bf3cb-0a1b-4a31-ba65-db81a37d8772.

Data breaches
In the unlikely event that one of our data assets was breached, Staycity is committed in following the procedures highlighted in the GDPR regulation and mitigate the same within 72 hours of discovering said breach. A data breach protocol measure is in place to make sure we adhere to this statement and that we document the facts.

If you have any further questions about our Data protection policies or need to know more, please contact Max, our CIO, and the data protection officer for Staycity.

Max Cottica
Tel: +353 87 1523428
Email: max.cottica@staycity.com or privacy@staycity.com

Created: 15th May, 2018