Hospitality Sector: How to Comply With GDPR?

The hospitality sector (accommodation, restaurants and bars, travel and tourism, and leisure) holds one of the largest shares of personal data collected by any sector. The necessary measures must therefore be taken to avoid the financial consequences of non-compliance, especially since major breaches have already affected many of the world's most prominent hotel chains: Radisson (read more about the Radisson Hotel data breach in GDPR Register News), Hilton, Mandarin Oriental and Trump Hotels worldwide.

Personal information about customers often passes through many channels that receive and provide personal data to this sector, meaning data is collected not only directly from customers but also through channel managers or booking sites. Hotels, travel agencies and similar service providers hold customers' credit card information, which exposes these companies to threats (as the examples above show). GDPR therefore cannot be ignored.

It is important to understand that GDPR applies to the handling of information about EU citizens. For example, a hotel located in the United States very likely has guests from the EU, so GDPR regulations and requirements apply to it.

How should the hospitality sector start preparing for GDPR?

Hospitality companies hold a great deal of varied information about their customers, so the first step is to review all of that data. Consent practices should exist both for records being created now and for existing records; where consent is missing, it must be updated.

Customer information is usually kept on several platforms. The following should be reviewed:

  • CRM systems
  • Booking Engines
  • Website Developers
  • Payment Processors
  • Email Marketing Tools
  • Membership
  • Social Media
  • Customer Databases
  • Website cookies

Acquiring personal data

There are six lawful bases for processing personal data. In most cases the hospitality sector should rely on contractual obligation for guests. Whatever lawful basis is used, individuals must be informed that their information is being collected, what it is being used for and how long it will be retained. Only the data necessary for a specific purpose may be collected, and it should be retained only for as long as is needed to meet that purpose.

Data subjects have rights over their personal data, one of which is the right of access. After a customer's request, companies have 30 days to provide a copy of any information stored about them. At the customer's request this data can be corrected. If there is no lawful basis for some or all of the collected data, and the company cannot prove otherwise, the information must be erased.

Protection of personal data

Protecting personal data involves many steps, from reviewing security policies to encrypting and/or pseudonymising data. It has to start, however, with adopting privacy by design, which is particularly important now that technology is combined with personalisation.

In the hospitality industry mobile technology plays a big part: planning the visit, using the phone as a boarding pass, and so on. Today separate apps are still needed for these purposes, but the travel experience becomes smoother as collaboration improves. That means thinking about privacy by design while also sharing data properly between travel companies or agencies, without forgetting GDPR requirements such as having the right agreements in place between the different parties. Regardless of partners or solution providers, the company (which under the GDPR would be considered the data controller) is ultimately responsible for using tools that comply with the GDPR.

Companies that handle personal data on a large scale should appoint a data protection officer (DPO) and carry out a Data Protection Impact Assessment (DPIA). Additional requirements apply to data transferred outside the EU (read more about transferring personal data to third countries).

Organisations should not underestimate how important it is to adapt to the GDPR. Companies in the hospitality industry, like those in any other, need to address the policies, procedures and technology they use for handling personal data, and must ensure that staff are fully aware of their obligations. Essentially, anything that contains personally identifiable information should be covered. Otherwise, fines for non-compliance can reach up to 4% of annual global turnover or €20 million.
