GDPR and ITC Booking

ITC Booking is a software as a service developped and maintained by IT Consults SARL (

The GDPR (General Regulation on Data Protection) is a new set of rules put in place to give European residents control over the use of their Personal Data by companies around the world. The heart of these rules is to protect the data of European citizens. This means that companies must pay particular attention to the impact that this will have on individuals as well as businesses that affect the Personal Data of European citizens. Everyone must prepare to follow these new laws.

IT Consults follows suit, and before going into detail, it is essential to identify the differences in everyone’s roles.

  • Personal Data: Personal Data consists of anything that can identify a person.
    It includes a wide range of information that can be used alone or in combination with other pieces of information to identify a person. Personal Data extends beyond a person’s name or email address. Examples include financial information, political opinions, genetic data, biometric data, IP addresses, physical address, sexual orientation and ethnicity.
  • Data Controller: is the person or entity who controls the purpose and means of processing the Personal Data. The Data Controller defines how the data should be used and why it should be used. Often, Data Controllers use an external service or other organization to process the data. This is where the Data Processors come in. In this case, the control of the Personal Data collected remains with the Data Controller and is not transmitted.
  • Data Processor: Organizations that process Personal Data on behalf of the Data Controller are referred to as Data Processors. They have no control over what is done with the data and they cannot change the purpose of the data collection. Data Processors have limited rights to process the data according to the instructions provided by the Data Controller.
  • Data Subject: The person whose personal information you collect is the Data Subject. In a business, Data Subjects tend to be your customers and employees. You collect information from them, such as their name, address, phone number, and email address, to process and contact them for business.



IT Consults as a Data Processor

As a Data Processor, IT Consults must process the Personal Data according to the contract established with the Data Controller, and in no other way (Article 29).

IT Consults is making every effort to the best of its ability to comply with the GDPR as soon as possible.

In addition:

  • As for Data Controllers, IT Consults must put in place appropriate security measures (in reference to 83 and Article 32), keep records (in reference to 82, 89 and Article 30), carry out impact assessments of the data protection (Article 35), and comply with the data transfers laws and obligations.
  • In case of a data breach, it will be reported to the Data Controller “without delay” (Article 33), and if possible not later than 72 hours after becoming aware of it.
  • In order to deliver a quality service, IT Consults uses the same list of subprocessors since its creation, each specialized in its field. In accordance with Articles 28 (2) and 28 (4), you will find the list of these subprocessors here. The use of the services provided by IT Consults results in the automatic acceptance of these subprocessors.
  • If IT Consults interprets that its Data Controller’s instructions are inconsistent with the requirements of the GDPR, it will immediately inform its Data Controller (Article 28 (3)).
  • The Data Controller has the right to conduct a security audit when he wishes IT Consults to demonstrate compliance with the GDPR (Article 28 (3) (h)).

In addition, if a processor undertakes data processing operations for which there is no explicit consent by the Data Controller, the processor is considered by law to be a Data Controller itself, with all the corresponding obligations and consequences.



How is IT Consults preparing for the GDPR?

  • We are evaluating our contractors (third-party service providers, partners) and streamlining the contract process with them to ensure they meet the urgent needs of the current situation in terms of security and confidentiality.
  • We have assembled an inventory of Personal Data that includes all the roles IT Consults has (for example, Data Controller and Data Processor). This includes several categories of Personal Data processed by our organization and has helped us determine which department has access to which data and for what purpose.
  • We clean our databases to make sure we only have the latest and most accurate information. This cleanup process includes the removal of terminated and dormant accounts in accordance with our Terms and Conditions.
  • We are constantly improving our data security methods and processes. This concerns databases, as well as the access to them.



last updated on: 21/09/2018