Hospitality Sector: How to Comply With GDPR?

The hospitality sector (accommodation, restaurants and bars, travel and tourism, and leisure) collects one of the largest shares of personal data of any sector. The necessary actions therefore need to be taken to avoid the financial consequences of non-compliance, especially since major breaches have already affected many of the world's most prominent hotel chains, including Radisson (read more about the data breach at Radisson Hotel in GDPR Register News), Hilton, Mandarin Oriental and Trump Hotels.

Personal information about customers often passes through many channels that receive and supply personal data to this sector: data is collected not only directly from customers, but also through channel managers and booking sites. Hotels, travel agencies and similar service providers also hold customers' credit card information. This information makes these companies attractive targets (as the examples above show), so the GDPR cannot be ignored.

It is important to understand that the GDPR applies to the handling of the personal data of EU citizens, regardless of where the company is located. For example, a hotel located in the United States is very likely to have guests from the EU, and the GDPR's requirements therefore apply to it.

How should the hospitality sector start preparing for the GDPR?

Hospitality companies hold a great deal of varied information about their customers, so the first thing they should do is review all of that data. Consent practices should cover both present and existing records; wherever consent is missing, the records must be updated.

Information about customers is usually kept on several platforms. The following should be reviewed:

  • CRM systems
  • Booking Engines
  • Website Developers
  • Payment Processors
  • Email Marketing Tools
  • Membership
  • Social Media
  • Customer Databases
  • Website cookies

Acquiring personal data

There are six lawful bases for processing personal data. In most cases, the hospitality sector should rely on contractual obligation for its guests. Whatever lawful basis is used, the individual must be informed that information is being collected, what it is being used for and how long it will be retained. Only the data necessary for a specific purpose may be collected, and it should be retained only for as long as that purpose requires.

Data subjects have rights concerning their personal data. One of them is the right of access: companies have 30 days after a customer's request to provide a copy of any information stored about them. At the customer's request, this data can also be corrected. If there is no lawful basis for any or all of the collected data, and the company cannot prove otherwise, the information must be erased.

Protection of personal data

There are many steps to take in order to protect personal data, from reviewing security policies to encrypting and/or pseudonymizing data. However, it has to start with the adoption of privacy by design, which is particularly important now that technology is combined with personalization.

In the hospitality industry, mobile technology plays a big part: planning the visit, using the phone as a boarding pass, and so on. Today, separate apps are still needed for each of these purposes, but the travel experience becomes smoother as collaboration improves. That means not only designing for privacy but also sharing data properly between travel companies and agencies. The GDPR's requirements cannot be forgotten here, for example by having the right agreements in place between the different parties. Regardless of its partners or solution providers, the company (which under the GDPR is the data controller) remains ultimately responsible for using tools that comply with the GDPR.

Companies that process personal data on a large scale should appoint a data protection officer (DPO) and carry out a Data Protection Impact Assessment (DPIA). There are also additional requirements for data transferred outside the EU (read more about transferring personal data to third countries).

Organizations should not underestimate how important it is to adapt to the GDPR. Companies in the hospitality industry, like those in any other, need to address the policies, procedures and technology they use for handling personal data, and they have to ensure that staff are fully aware of their obligations. In short, anything that contains personally identifiable information should be covered; otherwise, fines for failure to comply can reach 4% of annual global turnover or 20 million euros.

