How to ensure GDPR compliance with the data held within Kobas

We take a look at how Kobas helps you to maintain GDPR compliance in relation to the data held in your system.

Last updated 25 Nov 2022

Here at Kobas we take client and customer data privacy very seriously indeed. To that end, we will never, ever sell or disclose the personal information we store to third parties unless we are required to do so by law.

This article explains how we comply with relevant legislation and standards to ensure that you can be confident your data is secure.

Our key information:

  • Kobas is a trading name of Kobas Hospitality Ltd, a company registered in Ireland. Kobas Hospitality Ltd resells services provided by Hospitality Tech Dev Ltd, a company registered in England and Wales.
  • Kobas Hospitality Ltd is registered with the Irish ICO.
  • Hospitality Tech Dev Ltd is registered with the UK ICO under reference ZA828453.
  • Our Data Protection Officer (DPO) is Neil Mukerji, who is also our Chief Technical and Operating Officer.
  • Please email for any queries in relation to data protection, privacy or GDPR. 

Warning: This article explores how to permanently erase data relating to your staff, applicants and customers. It is important to note that these actions cannot be undone, even by Kobas staff.

Legal framework

The legislation that is most pertinent to Data Protection is:

The positions we hold under these legal provisions are:

  • Data Controller - this is you, as our client. You are responsible for the data.
  • Data Processor - this is us, Kobas. We process the data lawfully on your behalf.
  • Data Subject - this is your customers/staff whom you hold data about.

The relevant data sets held by Kobas that qualify as personal/sensitive data:

  • Staff and Applicant data
  • Customer data

Technical Security Compliance

All Kobas customer loyalty and staff recruitment web portal interactions require HTTPS (SSL/TLS) encryption, which we now provide free of charge in association with Let's Encrypt. Sensitive HR record information, such as pay and bank details, is stored encrypted at rest in our databases.

All data exchanges with Kobas Cloud and the Kobas API also require HTTPS. The Kobas customer loyalty portals require a confirmed email opt-in consent loop before data may be used for marketing purposes, and our email partner, AWS, is also fully compliant.

Administrators are required to use Multi-Factor Authentication (MFA) to access their accounts, due to the level of personal and sensitive data available to them. They can also force other user groups to use MFA to log in, and any user can opt in.

Compliance with GDPR Principle 5: Storage limitations

On a daily basis, Kobas will automatically review Job Applicant and Former Staff records, and take the following actions:

  • Any job applicant whose application process has received no notes or progression for more than 1 year will have their application automatically rejected and all sensitive personal information deleted.
  • Personal information pertaining to staff who departed over 7 years ago is automatically deleted.
  • We retain online ordering "checkout as guest" information for up to 100 days to facilitate investigations into any complaints or legal communications.

Note: Please be reassured that whenever we delete personal information like this, we will retain non-sensitive business information to ensure that historic reports and analyses are still useful. This means that metric information such as recruitment funnel analysis or historic operational profit comparisons will still be valid.

Compliance with GDPR Article 15: Right to access

In accordance with the rights to access and rectification, Kobas Cloud users will be able to see the personal data we hold on them. This would include information such as address and next of kin. Where sensible, we will offer the ability for an individual to maintain their own details. Additionally, Kobas Cloud users will be able to access their holiday, sickness, lateness and any other absence logs held about them.

With its confirmed opt-in loop, transparency of data held, and per-venue email opt-in checkbox list, the Kobas Customer Loyalty Portal has always been compliant, with rights to access and rectify being built in.

All users will see a Personal Details button when they log in, which they can press to reveal the personal, time off and bank details held on the system.

Compliance with GDPR Article 17: Right to be forgotten

Customer account removal

Customer accounts can be erased permanently by the customer in the CIC, or by privileged users in Kobas Cloud.

Once they click this link, a warning will pop up to confirm the action. Confirming that they’d like to delete their account will remove all their personal data, including their name, email address, and contact number.

It’s important to note that this action is irreversible, so once a customer deletes their account, they will lose all the points they acquired, as well as any vouchers associated with their account.

Note: Customer profiles and details cannot be deleted where they are required for an upcoming reservation. Should a customer account need to be deleted where attached to a future reservation, they will need to wait for the reservation to pass, or contact the venue to cancel the reservation.

Staff & Applicant details removal

When accessing profiles under Staff > Former Staff and Staff > Rejected Applicants in Cloud, you will now see an Erase Staff Member button at the top of the page. Once this has been clicked and confirmation given, you will be presented with two options: 

"Include Anonymous Data in Reports" is perfect for former staff members that have worked in your business and affected labour costs. This option will erase their personal details, but keep historical pay rates and hours worked, ensuring that your labour reporting remains accurate.

"Totally Erase This User" is perfect for staff members that have been added in error; for instance, if a duplicate profile is created for an existing New Starter. This option will remove that profile completely from Kobas, and this will affect any stored data on that staff member, in terms of labour costs and staff turnover.

Updated Privacy Policy & Marketing Consent

To ensure compliance with the GDPR, we will be asking all of our users to give clear consent to receive the client newsletter. Upon your first login to Cloud, you will be greeted with an opt-in form (see below). If you are interested in receiving our updates then you can simply click “yes” and you’ll be added to our new mailing list.

You can opt out at any time using the unsubscribe links included in each of our emails. You can also subscribe outside of the Cloud by going to

Our privacy policy can be found on our website: