

General Data Protection Regulation

On May 25, 2018, a new European Union (EU) data protection law, the General Data Protection Regulation (GDPR), takes effect. This new regulation seeks to protect the data security of EU citizens. However, GDPR also unavoidably affects ANY business that has or intends to have EU citizens as its customers, regardless of whether the business is located in the EU. Tambourine has been studying GDPR-related issues with privacy consultants, industry experts and legal specialists to ensure that we are prepared in our role as your “Data Processor.” To get a comprehensive understanding of GDPR and how it affects your entire business, please review this link.

What should you expect from Tambourine on GDPR?

Good news: because our service to you includes proactive response to unexpected technological and legislative changes, you can expect us to work diligently to manage GDPR-related items that fall under our Scope of Work for you.


  1. We are adding functionality and language to obtain clear consent on all data collection forms (e.g., email sign-up forms) on the website we manage for you.
  2. We will begin sending a welcome email to all individuals who provide personal data via website forms, giving them the ability to manage their data and remove themselves from future emails if desired.
  3. We are working with clients to update their website privacy policy with GDPR-specific language. (Suggested update: This website uses cookies to optimize your website experience. However, you can change your browser settings at any time. By continuing to use this website without changing your settings, you consent to the use of cookies as described in our Privacy Statement.)
  4. We will auto-detect visitors to your hotel website with an EU IP address. When an EU visitor is identified, a banner will be automatically displayed with information about our use of cookies and access to the privacy policy. The message will also notify the EU visitor that it is their responsibility to change their browser settings and that, by proceeding into the website, they are consenting to all cookie and tracking policies.
  5. For CRS/Booking engine clients: we will also be issuing updates to the Agreements, policies, software, processes and mutual obligations related to GDPR ASAP.
  6. We use Google Analytics to monitor website visitor behavior and other digital marketing activity. After May 25th, the default settings for retention of analytics data will be automatically set by Google to a maximum of 26 months. We intend to maintain this default data retention setting.

What you need to do

Based on GDPR regulations, the hotel is the “Data Controller” and Tambourine is a “Data Processor” (we also deploy other technologies from sub-processors to optimize your website experience and conduct marketing activities on your behalf). As Data Controller, the hotel is ultimately responsible for ensuring that all personal data meets GDPR requirements, including the activities of any of your data processors. Subsequently, we have updated our Service Level Agreement to reflect these new requirements. While we are taking care of the items in our purview related to GDPR, your property may have other policies and procedures affected by GDPR that fall outside our scope.


  1. Familiarize yourself with GDPR and think about how GDPR affects any other internal data collection procedures (e.g., asking for an email address at the front desk and entering it in the PMS).
    1. If you contract with any third parties, you should receive their data processing addendums and include updates to the privacy policy on the website.
  2. Ensure that any email lists provided to us after May 25th do not contain non-consenting EU citizens.
  3. Provide us with an updated privacy policy with GDPR-specific language.
    1. Click here to see sample language
    2. Your Privacy Policy should be reviewed by a legal specialist

Information provided by Tambourine is NOT intended as legal advice. You should contact a legal specialist for advice on overall GDPR-related effects on your property.