My company has several salespersons who sometimes stay at hotels. My company pays the invoice sent from the hotel. At the hotel the employees name, telephone number and sometimes e-mail is registered, also food preferences might be registered.
Shall I treat the hotel as a Processor and my company as Controller in DPOrganizer in this case?
Does this mean I have to add all catering firms and restaurants the process my employees’ data as Processors?
/Wondering
Dave_Wylie
If anyone has any questions around the best way to configure DPOrganizer and complex relationships scenarios, then definitely speak to Chris Roberts Chris Roberts on here as he has done some amazing things in this regard recently.
Chris Roberts
I would also have to consider whether the Catering companies and Restaurants in the Hotel are separate legal entities or not. If they are (often the case) then I would argue if personal data is passed from the hotel to them then they are also Data Processors and they may have Sub-Processors behind them too. As @Dave_Wylie said, I’ve recently been mapping some very complete Joint DC and DP arrangements. Email me if you’d like so further advice chris@cybata.co.uk
HellenB
So, to save yourself tortuous knots I would think of it in these terms: where you undertake the booking of the room and paying of the invoice you are the data controller and the hotel is the processor. However, once your employee or contractor stays there and volunteers new information beyond what is required for the fulfilment of the contract (accommodation etc.) then the hotel becomes the controller of that information and should handle it accordingly.
The pure form of this relationship is a co-controller, but you would be hard pressed to get a hotel to sign any documentation and their systems aren’t set up to handle this.
Consequently I would stick with recording them as a processor in DP Organizer and keep it relatively simple.