- Italy
Application of the GDPR to the hotel business
3 November 2018
- Privacy and Data Protection
- Tourism
On 25 May 2018, EU Regulation 2016/679 on the “protection” of personal data (hereinafter the “Regulation” or “GDPR”) entered into force. It is an EU legislative instrument intended to strengthen the right of natural persons to have their personal data protected, a right that has been given the status of a “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8, paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16, paragraph 1).
The Regulation applies immediately and does not require transposition by the national legislator. Its provisions prevail over domestic laws. From a practical point of view this means that, in the event of a conflict between a provision of the Regulation and one laid down in the “old” Legislative Decree 196/2003, the Regulation will prevail.
The GDPR consists of 99 articles, only some of which are new and relevant to the owners/managers of tourist accommodation establishments.
Surely the first novelty is the one concerning “explicit consent” for the processing of “sensitive” data and for decisions based on automated processing (including profiling – Art. 22). Indeed, the customer must give a consent separate from the one relating to other data. Consent given before 25 May 2018 is valid only if it has these characteristics.
This requires, for example, the data holder to update its website or the promotional newsletters sent to customers. Customers must be informed of the purposes for which the data are collected and of the rights they have. Subscribing to the newsletter should require only an email address, and where other data are requested, the purposes for which they are requested shall be specified. Before the subscription request, the customer must give consent and accept the data protection rules. The security document must be clearly viewable from the main web page. As regards the newsletter specifically, the security document must be indicated and linked in the relevant subscription box.
Important changes have been introduced to the duties of the data controller and of the data processor, both of which are figures of great importance in hotel establishments.
The data controller must now: (i) be able to demonstrate that the data subject has given consent to a specific processing operation, (ii) provide the contact details of the data protection officer, (iii) declare whether personal data are transferred to third countries and, if so, by what instruments, (iv) specify the data retention period and/or the criteria used to establish it, and the right to lodge a complaint with the supervisory authority, (v) specify whether the processing involves automated decision-making (including profiling), and the envisaged consequences for the data subject.
The data processor (referred to as the Data Protection Officer – DPO) is instead the professional (who may be internal or external to the establishment) who ensures compliance with the rules of the GDPR and the management and processing of data.
Under the new rules, the duties of this person now consist of: i) keeping the record of processing activities carried out (pursuant to Art. 30, paragraph 2) and ii) adopting suitable technical and organisational measures to ensure the security of processing (pursuant to Art. 32 of the Regulation).
Their name must appear in the security document that must be given to the customer. The relationship with the holder of the processing must be governed by a contract that expressly regulates at least six of the matters set out in paragraph 3 of Art. 28, in order to demonstrate that the controller gives “sufficient guarantees” for the correct management and processing of data. The controller may in turn appoint a “sub-controller”, but only for limited processing activities carried out in accordance with the contract, and will answer for any breach of it.
On the basis of these provisions, hotel establishments must carry out a careful assessment of the risk resulting from data processing, establish a detailed procedure capable of constantly verifying the adequacy of the processing, promptly notify any breach of the security procedure that involves the disclosure, even accidental, of data, and update the security documents to be given to the customer.
It should be noted that penalties for breaches of the GDPR can reach 4% of the company's turnover, and are more severe than those previously provided for. Close attention must be paid to compliance with the Regulation, since applying it incorrectly or failing to apply it can cause serious harm to the company.
The author of this article is Giovanni Izzo.
In this post we will briefly outline some legal aspects related to e-commerce in Iran, starting from the definition of the average Iranian user and main characteristics and advantages of e-commerce in the Islamic Republic, which is attracting several foreign investors.
We will then analyze the requirements for the issuance of online business licenses in Iran, which are mandatory in order to open an e-shop. Finally, we will take a look at some successful examples of online business in Iran.
The average Iranian user
Some statistics regarding Iranian users active in the virtual space are useful for understanding the size of the Iranian market, and why it is attracting several investors.
According to the “Internet Data and Statistics”, Iran ranks thirteenth by number of internet users, as 57 million Iranians (out of Iran’s population of 83 million) have access to the internet (approximately 68% of the population), but Government sources believe these numbers are underestimated.
What matters for the purpose of this analysis, however, is that approximately 58% of internet users’ searches on the Internet concern information on goods and services and that – until the end of Azar 1394 (December 2015) – the average internet user is male (58%) and young (47% between 20 and 29 years old).
In addition, 42% of Iranian internet users are involved in electronic commerce and 13% use e-banking services.
Online Business Licenses in Iran
Whether carried out in the traditional way or electronically, all businesses need a business license to operate on the Iranian market. The most important governing law is the Union System Act 1971, amended in 1980, 2003 and 2013, which provides that the business license is issued by the competent union or legal authority.
E-commerce is no exception; therefore, all those who intend to sell goods or provide services using the virtual space must acquire a business license.
On February 19th, 2017 the Iranian Government issued an Executive Regulation in regard to the Issuance of License and Supervision on Businesses in Virtual Space and Network Marketing, dividing the activities in virtual space into two categories:
- Virtual Business;
- Network Marketing.
According to Paragraph 1 in Article 1, Virtual Business is a business established by any natural or legal person in order to provide products (goods or services) directly or indirectly on a wholesale or retail basis, to wholesalers, retailers and consumers through telecommunication means such as websites and digital software (applications).
According to Paragraph 2 of Article 1, Network Marketing is a method for selling products based on which the Network Marketing company uses its website to organize the sellers in order to sell their products directly to consumers in a place far from the regular business location. Through this method, each seller can introduce another marketer as its subset and create a multi-product sales group in order to increase sales.
The competent authority for issuance of licenses in this regard is the National Union. Therefore, any person who intends to acquire a license in order to have its activities carried out online must apply on the website of the Center for Development of Electronic Commerce (an organ of the Ministry of Industry, Mine and Commerce, hereinafter: “CDEC” – www.enamad.ir) in order to acquire the Reliance Symbol, which is a symbol necessary to certify the identity and competence of online activities.
Requirements for the Online Business License
Article 3 of the Executive Regulation on Issuance of License and Supervision on Businesses in Virtual Space and Network Marketing, which governs the Issuance of Online Business Licenses in Iran, provides that business licenses shall be issued according to the following procedure:
- Establishment of the virtual business conforming to the checklists provided by the CDEC.
- Registration of the application on the E-Namad website (then the CDEC automatically submits the application to the unions’ website).
- Upload of the required documents, which we will list below.
- Issuance and submission of the license (after verifying the uploaded documents and the original copies thereof) to the applicant within 15 days and submission of the license information to the E-Namad website.
- Grant of the Electronic Reliance Symbol concurrent with issuance of the license.
Furthermore, the said Regulation specifies the required documents for issuance of the business license, as follows:
- Office or legal domicile address of the applicant;
- Negative criminal record from the Police;
- Certificate of the relevant Tax Organization regarding tax compliance;
- Certificate for attendance in educational courses of commerce and business;
- Confirmation of specialized features regarding virtual business issued by the CDEC;
- Photocopy of ID-card/Company-Registration number, plus passport/work-permit for foreigners;
- Photocopy of Military Service Termination Card or Permanent or Medical Exemption Card for men under 50 or a Student Certificate.
In addition to those, the Regulation requires some other documents for particular sectors, so it is advisable to contact an Iranian expert in the matter to verify compliance with all applicable regulations. For instance, the Cultural Heritage, Handicrafts and Tourism Organization of Iran has set out some specific criteria for travel and tourism activities in the virtual space, so travel agency services, accommodation centers, private entities and other tourism services must follow a special procedure to render their services in the virtual space.
Successful Examples of Iranian Start-ups
In order to become familiar with this sector, hereinafter we would like to report some inspirational examples of investments.
- Snapp
Snapp is an Iranian ride-hailing company which renders its services online. The Snapp application automatically connects the users to the nearest driver and shows the driver the user’s location. Afterwards, the nearest ready driver will pick up the users from their location, and Snapp calculates the price beforehand. This price is normally lower than the Taxi Agency Unions prices and can be received either in cash or via online payment or credit card.
- Digikala
Digikala is the name of one of the biggest e-marketplaces in Iran. Cellphones, laptops and computers, digital cameras, office appliances, automobiles, watches, home appliances, instruments, jewelry, toys, clothes and books are some of the items sold on this website. One of the features of this website is the detailed and comprehensive reviews of different types of digital goods which can be a reliable source for purchasers.
- Pintapin
Pintapin is a comprehensive tool for rendering travel services online. Accommodation services are listed in Pintapin and users can book their desired location online. It is also possible to submit the information regarding your destination, duration of stay and number of companions in order to receive suitable suggestions from Pintapin.
- Bamilo
Bamilo is probably the most important marketplace business in Iran. It started its activity in 2014 and is now among the most viewed websites in Iran. Based on the Amazon model, the online store is considered the main Iranian middleman between suppliers and consumers.
- Eskano
Eskano is a smart system for searching real estate in Iran which is operated under international standards. With its huge database of transferable real estate divided between several Iranian cities, Eskano facilitates the sale and lease process, also with the possibility of setting up appointments directly through the website.
The author of this post is Mohammad Rahmani.
Iran – Online business and eCommerce
5 December 2017
- Iran
- e-commerce
- Investments
- Start-up
- Tourism