GDPR

Last updated: September 12, 2023

Hi lovely customers,

The GDPR (General Data Protection Regulation) entered into force on May 25th 2016 and officially applies as of May 25th 2018, and changed the data protection framework within Europe. To help you understand better what we both have to do as a result of the GDPR when you become our customer, we have created this page.

Now is the time to grab yourself a yummy cup of coffee or tea. Find out what we're doing, and what you need to do under the GDPR when you become a customer of Oaky (and when you use any other data processor).

You can always reach out to us at privacy@oaky.com if you have any questions at all.

Questions and Answers

Do you offer dynamic pricing for my room upgrades?
Currently we offer static rates to upgrade from one room type to another. Dynamic upgrade pricing is in the pipeline though. Until it is released, we recommend you revise the prices weekly. If you find the upgrade rate unacceptable (due to a change in demand for example), you have the option to reject upgrade requests from guests via Oaky’s dashboard.
What is Oaky?

Oaky is a tool used by our Customer Accommodation Providers (hotels, hostels and serviced apartments) to communicate with their guests, and to offer specific services and upgrades that relate to the upcoming stay of their guests.

Data Controller and Data Processor

Under the GDPR, the difference between a data controller and a data processor is that the data controller determines the purposes and means of processing, whereas the data processor processes personal data only on behalf of the data controller. In the context of our services, the Customer Accommodation Provider is the data controller of the personal data of the guests and Oaky is the data processor of the personal data of the guests.

Data Processing Agreement

According to the GDPR, the data controller and the data processor must sign a Data Processing Agreement (DPA) that stipulates their relationship with regard to the processing of Client Personal Data. The Customer Accommodation Provider and Oaky must sign a DPA accordingly, which Oaky will send to you when you become our customer.

Click here to sign our Data Processing Agreement (please download before filling in).

Do my guests need to give opt-in consent to use Oaky?

No. The Customer Accommodation Provider can send emails with an informational character with Oaky. However, the Customer Accommodation Provider may require opt-in consent for sending unsolicited marketing emails. Oaky will offer templates of emails with an informational character to all of its customers.

What do Oaky customers need to do?

  1. Update your Privacy Policy
    The legal requirement to inform the guests of the processing activities (e.g. through a privacy policy) is an obligation for the Customer Accommodation Provider as the data controller. Please make sure your Privacy Policy properly communicates to your users how you are using Oaky (and any other similar services) to process personal data and for which purposes the processing takes place (for example, providing upgrades, bike rental, restaurant reservations, etc.). This requirement is also part of Oaky’s Terms of Service, but the GDPR can heavily penalize you if this is not done clearly.

    Example: “We may share your personal data with third parties offering services to us. An example of such a third party offering services to us is Oaky B.V. We may use the Oaky services to communicate with you and to offer you specific services and upgrades that relate to your stay with us. Oaky acts as a data processor of your personal data on behalf of us, with the purpose of offering Oaky services to us. We require all third party service providers to respect the security of your personal data, to treat it in accordance with the law and to process your personal data only in accordance with our instructions.”
    Please note that this text is merely a suggestion and that the hotels remain responsible for providing adequate information to the data subjects.
  2. Sign the Data Processing Agreement (DPA)
    The data controller is obliged to sign a DPA with all of its processors. We have prepared this DPA together with our legal counsel to be in compliance with GDPR.
    Click here to view our Data Processing Agreement: www.oaky.com/dpa
  3. Check whether opt-in consent is required for sending emails through Oaky
    As said above, applicable local law may require the hotel to obtain opt-in consent of guests for sending marketing emails with Oaky. If the messages have an informational character only, most likely, this does not qualify as a marketing message. We recommend carefully checking whether opt-in consent of guests is required when using Oaky.
What are the answers to 5 GDPR questions Oaky customers need to know?

As data controller, you need to be able to answer five questions relating to your data processors towards your guests. These five questions are:

  1. Which personal data does Oaky process on behalf of the Customer Accommodation Providers?
  2. What is the purpose of the processing activities of Oaky?
  3. How long does Oaky store the data for?
  4. Which third parties have access to personal data (internal and external)?
  5. How is the data protected?

To help you answer these questions, check out our privacy policy.

Oaky (as data processor) is not legally required to have a privacy policy for the guests of the hotels, as it only processes the personal data on behalf of the Customer Accommodation Providers. The legal requirement to inform the guests of the processing activities (e.g. through a privacy policy) is an obligation for the Customer Accommodation Providers as the data controller.