Last updated: May 4, 2018
WeTravel takes data privacy and security very seriously. We take steps to make sure that we comply with our data privacy law obligations in the EU (primarily, the Data Protection Directive 95/46/EC as implemented into the national laws of EU Member States, and the General Data Protection Regulation ("GDPR") beginning in May of 2018), and make it easy for our Organizers to comply with their respective obligations too. With GDPR set to take effect on May 25, 2018, WeTravel updated our data privacy program so that we, and our Organizers, are comfortable that we will meet the new requirements. Here are a few highlights.
1. WeTravel's data processing obligations.
a. WeTravel as a data controller. — Where an Organizer creates an account with WeTravel to organize their trips and collect funds, WeTravel will be a data controller over the personal data that Organizers provide about themselves as part of their account creation process. Similarly, where a participant provides WeTravel with personal data in the course of creating an account, WeTravel will be a data controller over the personal data provided to WeTravel directly by that participant. WeTravel will also be a data controller of the personal data that WeTravel obtains in the course of an Organizer or participant's use of WeTravel Services, which WeTravel may then use to conduct research and analysis, improve our products and features, and provide targeted recommendations.
b. WeTravel as a data processor. — WeTravel will be a data processor over a participant's personal data that WeTravel obtains as a result of providing its core payment and booking management services to our Organizers. This includes, for example, allowing Organizers to learn more about their participants during the booking process, facilitating the transmission of emails to participants at the request of the Organizer, processing payments, or providing trip reports and tools so Organizers can gain insights into the effectiveness of various sales channels.
Given that WeTravel processes a participant's personal data both in providing WeTravel Services to the Organizer, and to the WeTravel account-holding participant directly in his or her own use of WeTravel, WeTravel may be both a controller and a processor of the same personal data and will be held to different processing obligations as a result.
2. Email Tools.
We offer the ability for Organizers to email participants directly through our platform. This functionality was built to send service-related emails specific to an Organizer's trip attended by the recipient of such email. If an Organizer wants to use this function for marketing purposes, you (the Organizer) need to secure your own compliant opt-in consents for the sending of marketing emails. WeTravel does not do this on an Organizer's behalf.
3. Data Deletion.
As a data controller of our account-holding participants, WeTravel will adhere to a participant's request that WeTravel delete that participant's personal data. As a result, there may be a time when your Organizer dashboard will show anonymized personal data for a particular participant; however, the financial data associated with that participant should remain as part of the trip. Similarly, if WeTravel removes personal data on its own in accordance with our internal data retention policy, this same view within the dashboard will appear.
In the event an Organizer's data retention needs require that WeTravel no longer provide such Organizer with access to the personal data of its former participants, the Organizer can accomplish this by removing the trip from its dashboard. Should the Organizer still need access to the non-personal trip data, it should first download the trip to an Excel file and manipulate that file as it sees fit.
Should one of your participants ask you directly to have WeTravel remove that participant's personal data from our system, please forward the request to us at firstname.lastname@example.org. Our support team may reach out to the participant directly to confirm the request.
4. Data Incident Notifications.
In cases where we are a data controller (even if we are both a data processor and a data controller) over data accessed in an unauthorized manner, we will notify the affected participant directly rather than the Organizer of each trip associated with that participant. As a reminder, we are a data controller for all Organizers, as well as participants that created a WeTravel account in the course of a ticket purchase.
When we are solely a processor of data, meaning an individual purchased tickets on WeTravel without creating an account with WeTravel directly, then we will notify Organizers we determine to be most likely in contact with that individual around the time of a data incident involving the unauthorized access of that individual's personal data.
5. How does WeTravel secure personal data?
WeTravel is committed to maintaining the highest level of security to protect personal data. In this effort, WeTravel has implemented numerous security measures and monitors them on a regular basis. WeTravel's information systems are protected by industry-standard firewalls, encryption and intrusion detection systems.
6. What else is WeTravel doing as a result of GDPR?
a. Accountability and Training. — We're revamping our data privacy guidelines to make sure they're in line with the GDPR and we're making sure that our employees are trained on them appropriately. This means that everyone at WeTravel plays a role in handling personal data in a legitimate and fair way.
b. Privacy by Design. — We're implementing enhanced procedures to help ensure that all of our systems and tools that collect and store personal data are designed in a privacy-friendly way. By doing this, we can reduce privacy risks at the outset and offer our Organizers and participants more control over their information.