My website features trips and tours from various travel operators.
The customer, my website visitor, is able to access the tour operator's profile page and contact them directly with any questions or enquiries via contact form placed on this page.
The form is asking the visitor to fill up their Name, Email, Phone and Message.
Now with the GDPR, I understand that I need to inform the visitor and guarantee that their details will not be misused or put on any email lists without their consent.
But how can I guarantee this if the message sent via this contact form is sent directly to the tour operator and I have no control over what will happen with the contact details once it arrives to the tour operator's inbox?
Would I be able to put a clause in the terms and conditions that the operators must agree to that they will not use the contact details for their own marketing purposes or is this just simply not enough?