HFP and the new data protection rules

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The new European data protection rules come into force today.

As you know, HFP collects very little directly identifiable data about readers since you do not need to register to use the site.  There are four areas where you may voluntarily choose to provide directly identifiable personal data to us and I thought I would run over how we operate:

Our email list

Some readers prefer to receive HFP articles by email instead of visiting the site directly.  You can read how we, actually Mailchimp, handle your data and your rights regarding it on this page.

We have not asked subscribers to reconfirm their interest as everyone on our list explicitly signed up to receive articles by email in the first place. We have never randomly added reader email addresses to our list.

When you comment on HFP

We have produced a page of information about what data we collect on comments on the site and your rights in relation to the deletion or export of comments you make.  You can read that here.

Head for Points and GDPR

When you enter a competition

Future competitions will include a statement on how your entry data is treated by Gleam, our Data Processor.  We have never used competition entry data for any other purpose and won’t be starting now.  We are deleting all of the existing entrant data held by Gleam, so we will no longer know if you entered a specific competition back in 2015 or not!  Going forward, entry data will be deleted shortly after a winner has been selected and verified.

When you contact Bon Vivant with a luxury hotel booking enquiry

Our Bon Vivant enquiry page now includes details on how Emyr and ourselves handle your enquiry.

This covers all of the scenarios under which you may provide directly identifiable data to us.

You also provide indirectly identifiable data to us when you use the site, since we are obliged to use various cookies for the site to function.  The ‘legitimate interest’ basis allows us to collect indirect data as long as it is bare minimum required for the smooth operation of the site.

We have made necessary changes where possible to cookie collection.  There will be more to come over the coming weeks as a consensus emerges on what is and is not needed – WordPress is a patchwork quilt of products and we are reliant on a large number of people to update their code.  With WordPress running 25% of global websites there are obviously many people supporting this effort.

We do not, and never have, used indirectly identifiable reader data to build behavioural user profiles or to market for any other purposes.  You do not, for example, see ads for HFP popping up when you visit other websites.

We have also taken this opportunity to add a disclosure to our articles stating that HFP may receive a commission if you make a purchase using a link on the site.

Our full privacy policy can be found here.  You can find this page at any time via the link at the bottom of each page on the desktop / tablet site.

Which is the most generous hotel programme for earning Avios points?
A new Hilton Honors McLaren factory tour in Woking is available

Click here to join the 15,000 people on our email list and receive the latest Avios, miles and points news by 6am.

Amazon ad
About Head for Points

We help business and leisure travellers maximise their Avios, frequent flyer miles and hotel loyalty points. Visit every day for three new articles or sign up for our FREE emails via this page or the box to your right.


  1. Sandgrounder says:

    OT: Aols if already mentioned. I had a letter from Tesco Bank yesterday, reminding me that payments to ‘prepaid and virtual cards’ amongst other things will be charged at 3.99% from the 1st. I have the standard credit card. So I suppose it is no longer a sensible option for Revolut or Curve.

    • the real harry1 says:

      Apparently payments to Curve will still be treated as a purchase – the others get charged 3.99%.

    • Mr dee says:

      I believe they are referring to loading a card and storing the value ie prepaid or virtual neither of which Curve does.

      • 6540 is the offending MCC. For 2 days a while ago Curve transactions were accidentally processed with this, which is what triggered the Tesco letters.

  2. Phil Gollings says:

    HFP articles have started appearing on my Facebook timeline.
    I suppose that’s FB scanning my phone rather than HFP ?

    • I am assuming you are following us on FB. We also occasionally promote articles on FB so they may turn up with a ‘Promoted’ logo on them.

  3. Judge says:

    DME = Domodedovo, not Domodevo

  4. AlanC says:

    I remember a good few years back booking a United flight and later the price dropped. I read that if you complained they would refund the difference in vouchers as they wanted to encourage early bookers. I did get a voucher and wondered if any Hotels or Airlines still do this?
    Sorry if asked before.

    • Doesn’t easyJet do that?

      • They do, not sure if you have to be part of the Easyjet ‘flight club’, I am and have done it in the past. Hertz also do this but you can do that online

        • Darren says:

          I’ve received this form EasyJet, not a club member. They have always been very helpful when cancelling/changing due to family medical issues.

  5. David Gardiner says:

    On GDRP “We have not asked subscribers to reconfirm their interest as everyone on our list explicitly signed up to receive articles by email in the first place.” i believe the requirement is to be able to evidence a specific person signing up, that would be evidence of email, ip address, time, date, and specific confirmation that it was the owner of the email (i.e. the person clicks a link in the email sent post sign-up to confirm its them, i.e. to stop people putting other people’s names in).

    I’m not sure you’d been able to provide the required data if challenged.

    The mail chimp angle is interesting but i suspect its the company, rather than provider thats liable.

    Theres alot of confusion out there and i’ve seen companies do it different ways, some have wiped out their mailing lists and forced re-application, some have simply told people to read their updated privacy terms. I think it comes down to if challenged could you provide evidence of positive signup.

    • the real harry1 says:

      My wife’s company decided to wipe one of their databases for email communications from the company as whilst they had a button for customers/ interested people to opt in from the start, it didn’t work properly or at least they couldn’t be sure. They thought it was too messy to get people to opt in again so are starting fresh.

      There was an interesting interview on Radio 4 this morning about 7.45 where the senior person responsible for enforcing compliance with GDPR (and investigating complaints/ levying fines) said businesses should not be too worried about 25th May deadline and 100% compliance at this stage and as long as a business could demonstrate progress towards ‘good/ perfect’ compliance, there would never be a penalty levied in that scenario. She has a staff of 200 (I doubt whether this is their only job responsibility?) – they’re after rogue companies deliberately misusing data, not honest businesses that may have failed to tick some of the GDPR compliance boxes.

      • Anonymous says:

        “And who really cares, apart from a bunch of self-serving European bureaucrats”

        Because I’ve been harassed and bothered by estate agents and loan companies that I never asked for. They send me stupid texts from many different numbers. It took me ages to shake off David Wilson Homes. Absolutely terrible behaviour from them. Why do they think it’s acceptable to bombard my personal phone and email with this tripe all across the country. Such blatant disregard from people’s data deserves to be challenged. Good on these bureaucrats..

    • Keith says:

      And who really cares, apart from a bunch of self-serving European bureaucrats, and IT specialists trying to cash in? Just as with the annoying cookie message on websites, none of this addresses the important stuff. And over regulation just inconveniences many.

      • callum says:

        I care. Because of this legislation I am now removed from countless databases I didn’t even realise/forgot I was a part of.

        The cookie warnings were pointless, this actually changes things.

        • But unless these databases were actually sending you stuff, it doesn’t really matter does it? You have been removed from a list (let’s not call it a database because that overstates the case) you forgot you were on and wasn’t being used for anything.

          It turned out a couple of weeks ago that I could actually see every competition someone had entered on HFP via Gleam. I never even knew we had this data and certainly had no interest in using it for anything. We are now wiping it. It doesn’t change anything.

        • @Rob, it’s fine being on a list that wasn’t being used. But data that is not being used ican be forgotten and could potentially get abused by hackers etc in due course, who then may sell it on, so whilst not getting anything from them, and now unsubscribing makes no apparent difference NOW, it could have some difference in due course.

          There are some good things coming from GDPR – forcing people to clear up data is good – but I think the implementation requirements leave a lot to be desired. Also It’s a bit counter intuitive. On a website I help run, we’ve had to create more data to record WHO we’ve sent a GDPR e-mail to now, and it’s just a massive headache generally, taking up a week of my life!

          I bet mailchimp are rolling around laughing in the piles of cash they’re getting from all these GDPR e-mails going out!

        • Callum says:

          Of course it changes things. That’s less junk emails I get (yes I already unsubscribe from most of them, but some don’t work and some are obstructionist – Etihad being one relevant to this site) and my data is now less vulnerable to theft.

          My data has already been exposed through hacks on multiple companies, minimising the risk of that happening again isn’t a bad thing in my book.

    • MailChimp does indeed have all of that data and uses double opt-in.

      As you would know, it would actually have been illegal for me to email subscribers to ask them to reconfirm, because they only agreed to receive articles from us and not general administrative information. Almost every GDPR email you have had in recent deals is in breach of the original terms under which you agreed to be on their list, amusingly.

      The main upside so far it seems is that My Waitrose has been forced to allow me to opt out their (almost daily) emails without forcefully cancelling my account 🙂

      • Not technically illegal. You are allowed to contact people who you have an active relationship with.. e.g. signed up or logged in or commented on the site etc within a reasonable time period.

      • James Smith says:

        Consent is one of the 6 lawful principles you can rely upon for processing data. It’s reasonable to say that you have a legitimate interest in running such a blog to email administrative tasks.

      • Lady Londonh says:

        ? Mywaitrose has had a comms section for a while that allows you to opt out of their comma. Their emails were driving me nuts too but that is how I got them to stop a while back and kept my account.

    • Andrew says:

      There is indeed a lot of confusion out there, but there always has been.

      Don’t forget to add agency law into the mix too, it might date back to the 1870s but it’s still very relevant today. The ICO has twice found in my favour when a company has shrugged its shoulders and blamed a third party marketing company. A company is responsible for the actions of its agents.

  6. Aliks says:

    The pain point will come when a company is asked to show exactly what information they have on a named individual. If that info doesnt show evidence of informed consent then there could be a problem.
    I suspect it will all be worked out in case law over the next year or so.

  7. Good work on providing a clear statement around what HFP is doing on GDPR. Rob. As a privacy consultant, GDPR has been responsible for most of my flights over the last year!

  8. OT on the first part of an ex Oslo Qatar trip to Australia. Glad we picked the Radisson at the airport as we have woken up to discover my (numpty) husband has taken the wrong bag from the carousel last night. I’m sat in arrivals with a coffee while they take him through to look for it. Fingers crossed ….

    • We had this in Cape Town only it was our bag which was taken by someone else….I hope whoever it was whose bag you took has been reunited with their stuff! The bloke in Cape Town had the temerity to say “‘I’ve been inconvenienced too!” The marvellous woman at lost luggage put him wise. Saying that I hope it’s all sorted and it doesn’t disrupt your trip.

  9. How’s Sheremetyevo since the redevelopment? Aeroexpress makes choice of airports much of a muchness from a convenience perspective but DME was usually more pleasant airside.

    Is the new route expected to have the long-haul Business Class layout?

  10. David says:

    OT: JAL Redemptions

    I am looking to use avios on JAL given the great value it provides.

    However, I am having an issue with finding flights to redeem on through BA. When searching for certain routes I can find flights (TYO-PEK), however on much more common routes (TYO-KIX/ITM) there are none showing.

    Are there any known issues with searching for JAL availability on BA.com? Is there a work around? Given there are >20 flights from Tokyo to Osaka per day I would expect to see some availability at any point in the next year!

    Thanks for any help.

    • New Card says:

      Are you looking for Business class? AFAIK you can only redeem for Economy class intra-Japan flights. (Also, query if a bullet train might be better from Tokyo to Osaka!)

      • David says:

        We’ve just come back from Japan, and whilst we did some non-Shinkansen routes on dirt cheap redemptions (HND-CTS; CTS-HND-KOJ) where there’s a Shinkansen link I’d take it over the flights for the convenience, calm, and efficiency.

        We made much use of the takkyubin too to make life easier, packing 3-day bags or so and catching up with luggage every few days!

        • David says:

          Only looking for economy tickets which is why I was very confused about there being no Tokyo-Osaka tickets.

          We have done the Shinkansen before, which is fantastic although expensive. 4,500 avios vs. ~£150 makes the redemption attractive for me (if I can find it).

    • I think I saw a thread on FT recently about changes to the way JAL domestic awards are released with OW partners. They are apparently now 60 days out instead of 330 days.

  11. Craig says:

    OT: My eRewards account is linked directly to Avios only, anyone have an idea what will happen when my Avios account closes?

Please click here to read our data protection policy before submitting your comment.