Security and Compliance Requirements

INSTALLER AND END USER / CUSTOMER MUST REVIEW THIS SECTION

Personally Identifiable Information Collection

The Smart Check-In system allows the end user/customer (“you” or “your”) to collect and process Personally Identifiable Information (PII) from your guests. Examples of this PII include:

  • Reservation Number
  • Room Number
  • Guest Name
  • Guest Photo
  • ID Number
  • Gender
  • Street Address
  • E-Mail Address
  • Phone Number
  • Check In / Check Out Date
  • Masked Credit Card Number
  • Health Condition
  • Occupation

Data collected by other customer systems such as the Property Management System, Door Lock System, Payment System, etc., may be accessed by and passed through the Smart Check-In system based on API interfaces used for these integrations.

Important

The handling of PII is closely regulated by the laws of your regional authority, and mishandling of PII may result in severe sanctions and financial penalties. Please consult your local privacy and data protection regulations and, if applicable, the General Data Protection Regulation (GDPR) to understand your responsibilities as a data controller of PII before proceeding with the installation of the Smart Check-In system. For full clarity, NEC is not the data controller or data processor. It is your sole responsibility to comply with all applicable laws, including privacy laws, when using the system.

Data Privacy and Protection Considerations at Installation

  • Replace the Smart Check-In Privacy Placeholder Text.

    The Smart Check-In system is shipped with a Privacy Policy “placeholder text” in its display. The placeholder text reads: “This is a placeholder for your official privacy policy.  This text must be replaced with your official privacy policy.  It is your sole responsibility to comply with all applicable laws and regulations when installing this product.” This Privacy Policy placeholder text must be replaced with the End User/Customer’s official Privacy Policy regarding its collection and use of Personally Identifiable Information (“PII”) before installation and use of the Smart Check-In system. It is your express responsibility to replace the Smart Check-In Privacy Policy placeholder text with a policy that complies with all local and national regulations and your own policies.

    The official Privacy Policy must be provided to the guests during their sign in to the Smart Check-In system.

  • Consent and Choice.

    Consent should be obtained by having each guest view the Privacy Policy in the guest check-in flow of the Smart Check-In application and agree to any use of that data. If a guest does not agree to the use of PII in the system, the guest will not be able to use the system. The guest should be directed to go to the front desk of the hotel for guidance.

  • Internal Transfer of PII

    PII obtained by this system should only be transferred to other systems or servers for the uses authorized by the guest.

  • Purpose of Processing

    Information collected by this system should be used for authorized uses of the Smart Check-In system only.  The Smart Check-In System should be configured to collect only the data needed for approved purposes on the system.  No extra data should be gathered or stored on the system.

  • PII Retention Period

    The Smart Check-In system can be configured to remove all PII after the guest checks out. Other systems (for example, the PMS, Payment and Lock System) may retain guest data and should be considered separately. The end-user/customer/hotel should inform the guest how long PII data will be retained and how it will be used. The Smart Check-In retention configuration can be found under System Settings -> Guest Personal Data in the Kiosk Administration web site.

  • Disposal of the System

    When disposing of this system, delete all PII and follow the procedures specified by law.

  • Parental Consent Notification

    The Smart Check-In system does not have a feature to gather consent from parents or guardians for collecting an underage person’s PII. Should you choose to collect such information, you must comply with the laws and regulations concerning this subject, separately and outside the system.

Data Security Considerations During Installation

The Data Security Considerations identified below should be verified by the installer and the operator of Smart Check-In.

  • The Smart Check-In system must be installed in a physically secure location. This includes the Smart Check-In client kiosk, Kiosk Server, Adapter Hub and UNIVERGE Integration Platform as well as all other network devices, servers and systems related to the guest processing flow.
  • All operating systems and hardware related to the Smart Check-In system should be installed with industry best practices for security and data protection. This may include anti-virus software, anti-malware software, firewalls, multi-factor operating system console access, password management, active intrusion detection and many other applicable best practices.  The installer of the system should review these practices with the End User/Customer/Hotel before starting the installation.  There may be further local and regional laws requiring certain practices to be followed.  Failure to comply with the guidelines identified in this document, operating system security guidelines or other IT security practices could result in data breaches.  A comprehensive data security plan should be put in place to secure this system.  Securing this system includes all components in the system and the environment in which they reside.  NEC is not responsible for events caused by inaccurate settings or information input.
  • Encrypted communications and data storage must be used. Smart Check-In uses Transport Layer Security to encrypt personal information in transit. The installer and the operator of the Smart Check-In System should verify all connections are secure. When installing the Smart Check-In System, hardware encryption, OS level disk encryption and filesystem encryption should be considered to protect data at rest. Enterprise database options may be required to cover encryption at rest in the various databases of the Smart Check-In System. See the Smart Check-In system documentation for instructions.

EULA

The operator of the Smart Check-In system software agrees to the EULA. If installing the software on behalf of the hotel, the installer must obtain the End User/Customer/Hotel’s consent and confirm with the operator of the hotel that the data used and the installation comply with local and regional laws.