How PCI Booking complies with GDPR

PCI Booking, from its very nature of a credit card tokenization and storage service, has always been security conscience. As a PCI compliant service provider, it was a natural progression for us to become GDPR compliant – both as we are EU-based organization and to support our customers who handle information on travellers from around the world.

What is GDPR?

The General Data Protection Regulations, commonly known as GDPR, came into effect on 25 May, 2018. These new regulations set a series of EU laws concerning how data is processed and used, and protects EU citizens’ right to privacy and the protection of personal data. These regulations apply to any organisation that controls and/or processes data on behalf of an individual or group of individuals.

What types of privacy data does GDPR protect?

  • All personal data that can be used to identify a living person, such as name, email address, bank details and phone number.
  • Sensitive personal data such as the subjects ethnic origin, political beliefs or sexual orientation. Web information such as IP address and cookie data.


What has PCI Booking done to comply with GDPR?

As a organization which is based on securing private information, we at PCI Booking have long had a privacy-conscience culture and that continues today. GDPR reaffirms this position and in order to comply fully with GDPR, PCI Booking has taken a number of steps.

  • We have reviewed all the information that we store, and the processes behind this. PCI Booking are the data processor for our clients, the data controllers. We do not store any information that is not required for the functionality of PCI Booking. The data we do store is primarily credit card information that is securely stored in PCI Booking on behalf of our clients.
  • The personal information that we are required to store for the functionality of the product are stored on EU-located cloud storage which is both PCI DSS and GDPR compliant.
  • We have signed a standard GDPR annex with all customers in our customer service agreement.
  • We offer an API that is designed to search, retrieve and delete card data. This fully removes the deleted card data from our system.
  • We have updated our privacy policy to ensure that our customers and partners know exactly how we handle our data.
    We have updated the cookie consent process on our public website, and have ensured that all forms now require an opt-in.


For additional questions on data privacy and GDPR, please contact us at


Stay in Touch

Sign up to our newsletter to stay informed about PCI compliance news, and updates regarding new BlueTime features.