Last updated: May 27,2022

The GDPR (General Data Protection Regulation) entered into force on May 25th 2016 and officially applies as of May 25th 2018, and changed the data protection framework within Europe. To help you understand better what we both have to do as a result of the GDPR when you become our customer, we have created this page.

Now is the time to grab yourself a yummy cup of coffee or tea. Find out what we're doing, and what you need to do under the GDPR when you become a customer of Oaky (and when you use any other data processor).

You can always reach out to us at if you have any questions at all.

Questions and Answers

What is Oaky?

Oaky is a tool used by our Customers Accommodation Providers (hotels, hostels and serviced apartments) to communicate with their guests, and to offer specific services and upgrades that relate to the upcoming stay of their guests.

Data controller and Data Processor

Under the GDPR, the difference between a data controller and a data processor is that the data controller determines the purposes and means of processing, where the data processor processes personal data only on behalf of the data controller. In the context of our services, the Customer Accommodation Provider is the data controller of the personal data of the guests and Oaky is the data processor of the personal data of the guests.

Data Processing Agreement

According to the GDPR, the data controller and the data processor must sign a Data Processing Agreement (DPA) that stipulates their relationship in regards to the processing of Client Personal Data. The Customer Accommodation Provider and Oaky must sign a DPA accordingly, which Oaky will send to you during the when you become our customer.

Click here to sign our Data Processing Agreement (please download before filling in).

Do my guests need to give opt-in consent to use Oaky?

No. The Customer Accommodation Provider can send emails with an informal character with Oaky. However, The Customer Accommodation Provider may require opt-in consent for sending unsollicited marketing emails. Oaky will offer templates of emails with an informational character to all of its customers.

GDPR image 2
GDPR image 1
What do Oakycustomers need to do?
  1. Update your Privacy Policy
    The legal requirement to inform the guests of the processing activities (e.g. through a privacy policy), is an obligation for the Customer Accommodation Provider as the data controller. Please make sure your Privacy Policy properly communicate to your users how you are using Oaky (and any other similar services) to process personal data and for which purposes the processing takes place (for example by means of providing upgrades, bike rental, restaurant reservations, etc). This requirement is also part of Oaky’s Terms of Service, but the GDPR can heavily penalize you if this is not done clearly

    Example: “We may share your personal data with third parties offering services to us. An example of such a third party offering services to us is Oaky B.V. We may use the Oaky services to communicate with you and to offer you specific services and upgrades that relate to your stay with us. Oaky acts as a data processor of your personal data on behalf of us, with the purpose of offering the Oaky services to us. We require all third party service providers to respect the security of your personal data, to treat it in accordance with the law and to process your personal data only in accordance with our instructions.”
    Please note that this text is merely a suggestion and that the hotels remain responsible for providing adequate information to the data subjects.
  2. Sign the Data Processing Agreement (DPA)Sign the Data Processing Agreement (DPA)
    The data controller is obliged to sign a DPA with all of its processors. We have prepared this DPA together with our legal counsel to be in compliance with GDPR.
    Click here to view our Data Processing Agreement:
  3. Check whether opt-in consent is required for sending emails through Oaky
    As said above, applicable local law may require the hotel to obtain opt-in consent of guests for sending marketing emails with Oaky. If the messages have an informational character only, most likely this does not qualify as a marketing message. We recommend to carefully check whether opt-in consent of guests is required when using Oaky.
What are the answers to 5 GDPR questions Oaky customers need to know?

As data controller, you need to be able to answer five questions relating to your data processors towards your guests. These five questions are:

  1. Which personal data does Oaky process on behalf of the Customer Accommodation Providers?
  2. What is the purpose of the processing activities of Oaky?
  3. How long does Oaky store the data for?
  4. Which third parties have access to personal data (internal and external)?
  5. How is the data protected?

To help you answer these questions, check out our privacy policy.

Oaky (as data processor) is not legally required to have a privacy policy for the guests of the hotels, as it only processes the personal data on behalf of the Customer Accommodation Providers. The legal requirement to inform the guests of the processing activities (e.g. through a privacy policy), is an obligation for the Customer Accommodation providers as the data controller.