Client GDPR Responsibilities for Trade Data

GDPR applies to businesses that are sole traders and partnerships so most trade data is covered by GDPR.

As we share trade records between DMOs and NVG this means we are joint data controllers.

The ICO lists 6 bases under which you can lawfully process personal data, we consider that the bases for trade data are: ‘Legitimate interests’ or ‘Public task’, and ‘Contract’.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

As the lawful basis for processing is different if you are a public authority, there is a flag in the ‘configure publication’ tool to tick this if you are a public authority.

Non-essential emails opt out

We have introduced a single flag which a business can set if they don’t want to receive non-essential emails.
  • This flag is a new ‘MailTo - @’ which applies to all users of the data.
  • The flag can be set in Guestlink (Update Details) or by a data steward in (Manage Trade Data) or by the provider opting out through an email.
  • All clients using NVG bMarketing have been provided with a footer option for including this opt out when sending non-essential emails to providers.
  • Clients not using NVG bMarketing (including those using NVG eMarketing for communicating with the trade) must provide a way for providers to opt out (eg an email to the data steward) when sending non-essential emails.
To ensure compliance our clients agree to honour the non-essential emails flag by excluding opted out businesses in non-essential communications with the trade (including when using non-NVG systems).

Trade Data Management

  • Businesses need to know they are part of the ‘Guestlink’ database and what this means (eg publication on websites, contact by DMOs).
  • Businesses need to know what information we store about them (SAR).
  • Businesses need to know how to remove their business from the Guestlink database.
  • We need to ensure that trade data is not stored for longer than is necessary.

What this means to you:

  • When a data steward adds a business, make sure they are aware they are part of the Guestlink database (NVG will do this for managed data service).
  • When an event is added through, make sure the event owner is aware they are part of the Guestlink database.
  • When a record is published to a website make sure the business is aware.
  • Work with NVG to make sure that businesses that are no longer used are removed from the database.
  • Keep data (eg in communications manager) no longer than is required for lawful processing.