Application of GDPR to hotel businesses

3 November 2018

  • Italy
  • Tourism
  • Privacy - Data Protection

On 25 May 2018, EU Regulation 2016/679 came into force, concerning the “protection” of personal data (hereinafter the “Regulation” or “GDPR”). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to a “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).

The Regulation applies directly in Italian law and does not require any implementation by the national legislator. Its provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulation and one provided for in the “old” Legislative Decree 196/2003, the former would prevail over the latter.

The GDPR consists of 99 articles, of which only some constitute an innovation in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.

Indeed, the first novelty concerns the “explicit consent” for the processing of “sensitive” data and for decisions based on automated processing (including profiling, Article 22). It is, in fact, necessary for the client to express his consent to the processing of these data independently of the consent relating to other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements below.

It is required, for example, that the data owners modify their websites or promotional newsletters addressed to the customers. The latter need to be aware of the purposes for which the data is collected and of the rights to which they are entitled. In order to subscribe to the newsletter, only the email address should be necessary, and if the owners request more data, the purposes of such a request ought to be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, as to the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.

Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.

Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare any transfer of the personal data to third countries and, if so, the means by which the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority, and (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.

The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the structure) who guarantees the observance of the rules of the GDPR and the management and processing of the data.

According to the new Regulation, the duties of this professional concern: (i) the keeping of the data processing reports (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to ensure the safety of the procedures (pursuant to Article 32 of the Regulation).

The name of the DPO must be indicated in the privacy policy to be delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the subjects set forth in paragraph 3 of Article 28 in order to demonstrate that the manager provides “sufficient guarantees” for the correct management and processing of data. The Officer can appoint a “sub-manager”, but only for limited processing activities and in compliance with the provisions of the contract, and answers for any non-compliance by the sub-manager.

In light of these provisions, hotels will have to assess more carefully the risk deriving from data processing, prepare a detailed procedure enabling constant monitoring of, among other things, the suitability of the processing, promptly notify any breach of the security procedure that involves the accidental disclosure of data, and adapt the information to be delivered to the customer.

Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR, since an incorrect or defective application can cause severe harm to the company.

The author of this post is Giovanni Izzo.

In this post we will briefly outline some legal aspects related to e-commerce in Iran, starting from the definition of the average Iranian user and the main characteristics and advantages of e-commerce in the Islamic Republic, which is attracting several foreign investors.

We will then analyze the requirements for the issuance of online business licenses in Iran, which are mandatory in order to open an e-shop. Finally, we will take a look at some successful examples of online business in Iran.

The average Iranian user

Some statistics regarding Iranian users active in the virtual space are useful for understanding the size of the Iranian market, and why it is attracting several investors.

According to the “Internet Data and Statistics”, Iran ranks thirteenth by number of internet users: 57 million Iranians (out of a population of 83 million) have access to the internet (approximately 68% of the population), but Government sources believe these numbers are underestimated.

What matters for the purpose of this analysis, however, is that approximately 58% of internet users’ searches are about information on goods and services and that, until the end of Azar 1394 (December 2015), the average internet user was male (58%) and young (47% between 20 and 29 years old).

In addition, 42% of Iranian internet users are involved in electronic commerce and 13% use e-banking services.

Online Business Licenses in Iran

Whether carried out in the traditional way or electronically, all businesses need a business license to operate on the Iranian market. The most important law governing this matter is the Union System Act 1971, amended in 1980, 2003 and 2013, which provides that the business license is issued by the competent union or legal authority.

E-commerce is no exception; therefore, all those who intend to sell goods or provide services using the virtual space must acquire a business license.

On February 19th, 2017 the Iranian Government issued an Executive Regulation in regard to the Issuance of License and Supervision on Businesses in Virtual Space and Network Marketing, dividing the activities in virtual space into two categories:

  1. Virtual Business;
  2. Network Marketing.

According to Paragraph 1 in Article 1, Virtual Business is a business established by any natural or legal person in order to provide products (goods or services) directly or indirectly on a wholesale or retail basis, to wholesalers, retailers and consumers through telecommunication means such as websites and digital software (applications).

According to Paragraph 2 of Article 1, Network Marketing is a method for selling products in which the Network Marketing company uses its website to organize the sellers in order to sell their products directly to consumers in a place far from the regular business location. Through this method, each seller can introduce another marketer as its subset and create a multi-product sales group in order to increase sales.

The competent authority for the issuance of licenses in this regard is the National Union. Therefore, any person who intends to acquire a license to carry out its activities online must apply on the website of the Center for Development of Electronic Commerce (an organ of the Ministry of Industry, Mine and Commerce, hereinafter: “CDEC” – www.enamad.ir) in order to acquire the Reliance Symbol, which is necessary to certify the identity and competence of online activities.

Requirements for the Online Business License

Article 3 of the Executive Regulation on Issuance of License and Supervision on Businesses in Virtual Space and Network Marketing, which governs the Issuance of Online Business Licenses in Iran, provides that business licenses shall be issued according to the following procedure:

  1. Establishment of the virtual business conforming to the checklists provided by the CDEC.
  2. Registration of application in E-Namad website (then the CDEC automatically submits the application to the unions’ website).
  3. Upload of the required documents, which we will list below.
  4. Issuance and submission of the license (after verifying the uploaded documents and the original copies thereof) to the applicant within 15 days and submission of the license information to E-Namad website.
  5. Grant of Electronic Reliance Symbol concurrent with issuance of the license.

Furthermore, the said Regulation specifies the required documents for issuance of business license, as follows:

  1. Office or legal domicile address of the applicant;
  2. Negative criminal record from the Police;
  3. Certificate of the relevant Tax Organization regarding tax compliance;
  4. Certificate for attendance in educational courses of commerce and business;
  5. Confirmation of specialized features regarding virtual business issued by the CDEC;
  6. Photocopy of ID-card/Company-Registration number, plus passport/work-permit for foreigners;
  7. Photocopy of Military Service Termination Card or Permanent or Medical Exemption Card for men under 50 or a Student Certificate.

In addition to those, the Regulation requires some other documents for particular sectors, so it is advisable to contact an Iranian expert in the matter to verify compliance with all applicable regulations. For instance, the Cultural Heritage, Handicrafts and Tourism Organization of Iran has set out some specific criteria for travel and tourism activities in the virtual space, so travel agency services, accommodation centers, private entities and other tourism services must follow a special procedure to render their services in the virtual space.

Successful Examples of Iranian Start-ups

To become familiar with this sector, we report below some inspirational examples of investments.

  1. Snapp

Snapp is an Iranian ride-hailing company which renders its services online. The Snapp application automatically connects the users to the nearest driver and shows the driver the user’s location. Afterwards, the nearest ready driver will pick up the users from their location, and Snapp calculates the price beforehand. This price is normally lower than the Taxi Agency Unions’ prices and can be paid in cash, via online payment or by credit card.

  2. Digikala

Digikala is the name of one of the biggest e-marketplaces in Iran. Cellphones, laptops and computers, digital cameras, office appliances, automobiles, watches, home appliances, instruments, jewelry, toys, clothes and books are some of the items sold on this website. One of the features of this website is the detailed and comprehensive reviews of different types of digital goods which can be a reliable source for purchasers.

  3. Pintapin

Pintapin is a comprehensive tool for rendering travel services online. Accommodation services are listed in Pintapin and users can book their desired location online. It is also possible to submit information regarding your destination, duration of stay and number of companions in order to receive suitable suggestions from Pintapin.

  4. Bamilo

Bamilo is probably the most important marketplace business in Iran. It started its activity in 2014 and is now among the most viewed websites in Iran. Based on the Amazon model, the online store is considered the main Iranian middleman between suppliers and consumers.

  5. Eskano

Eskano is a smart system for searching real estate in Iran which is performed under international standards. With its huge database of transferable real estates divided between several Iranian cities, Eskano facilitates the sale and lease process, also with the possibility of setting up appointments directly through the website.

The author of this post is Mohammad Rahmani.

Iran – Online business and eCommerce

5 December 2017

  • Iran
  • eCommerce
  • Investments
  • Start-up
  • Tourism
