The Hotel Industry and GDPR: How to prepare

The hotel industry and many others are affected by the new EU legislation, GDPR. The law aims to extend individuals’ data rights and give EU citizens better control over how companies handle their information. Hotel industry employees and guests are both covered by GDPR; although some GDPR requirements apply equally to both, there are some fundamental differences. This article explains some primary hotel industry and GDPR terminology and analyses some key differences.


What is personal data?


Personal data is defined by both GDPR (2018) and the Data Protection Act (1998), and it is regarded as information that could be used to identify a living individual (the data subject). Simply put, it is any information that is clearly about a particular person. This may be anything from someone’s name to their physical appearance. Some personal information, including political beliefs, genetic information or mental health, is considered sensitive data by GDPR.


In this case, companies must appoint a Data Protection Officer (DPO) to handle the personal data processing. This directly affects the hotel industry, for instance when you host an event at which it is revealed that guests are political party members, or when employees need to give a fingerprint scan to access certain parts of the building.



Acquiring personal data


Acquiring consent from a data subject is one of the six lawful bases for acquiring and processing personal data, but GDPR discourages its use by toughening the rules for obtaining it. For example, you would need consent from the parent/guardian of someone under the age of 13. The reason for this is that consent is unreliable and time-consuming, and not many people read the terms and conditions before giving their consent. For example, if you obtained consent from users to handle their data in the purchase process but then decide to use their data for marketing communications, you have to get fresh consent from your customers to do so. Anyone who doesn’t explicitly state that they’re giving you their consent must be removed from your database. If not, your organisation risks being non-compliant and could face fines of up to €20 million or 4% of the global turnover (whichever is higher).

Hotels should use contractual obligation for their employees and legitimate and lawful interests for guests. Whichever lawful basis is used, hotels must inform individuals about their data handling and retention policies. The GDPR data protection principles state that organisations must collect only necessary data and erase everything that doesn’t fit the purpose of the lawful basis. This is called data minimisation.


Protecting personal data in the Hotel Industry and GDPR

Like every industry, hotels should take the necessary steps to protect personal data, including regular review and documentation of data policies and procedures, data encryption and data anonymisation. The first step is to adopt privacy by design and tailor a GDPR-compliance culture from the top management level. This essentially means that data protection needs to be considered when designing new products or services.

For example, if a hotel is developing a new booking system, it should consider any vulnerabilities that could lead to a data breach and the ways in which data might be exposed or corrupted, and apply the necessary controls to mitigate each threat. It should also conduct a Data Protection Impact Assessment (DPIA), which would bring to the fore essential questions such as “Are there any system vulnerabilities that a hacker could exploit?” or “Could an employee corrupt or misappropriate information?”. As already mentioned, hotels should also appoint a Data Protection Officer (DPO) to ensure that the processes outlined in the design are properly implemented and that all data handling procedures comply with GDPR.



Accessing and erasing personal data


Data subjects can exercise a number of rights concerning their personal data, but the most important is the right of ‘Subject Access Request’ described in our GDPR Accredited eLearning. Individuals can submit subject access requests, which give a hotel 30 days to provide any information that the hotel stores about them. If individuals believe there is no lawful basis for any or all of the information collected about them and the hotel can’t prove otherwise, this information must be immediately erased. Similarly, if an individual considers that information is incorrect, they can request that the organisation correct it.



Policy and Progress in the Hotel Industry and GDPR


In order to ensure compliance with GDPR, hotels must undertake a structured, step-by-step approach. Some of the steps may seem obvious, but they’re necessary to ensure guests’ and employees’ data is protected and to avoid any fines that could result from non-compliance. A hotel must:

  • Define self-regulatory compliance audits
  • Define its core principles and procedures regarding handling guest data as it relates to GDPR, and recognize that data belongs to the guest, not to the hotel.
  • Establish a code of conduct for the hotel and its staff.
  • Outline its guidelines for collecting and managing PII.


Actual implementation requires:

  • Internal processing. A hotel must provide a detailed and structured approach to data handling, retention and minimisation. This procedure involves organised retention policies and procedures so that a hotel can always keep track of such information.
  • Hotels need a section on their website that permits “opting in,” thus allowing hotels to store PII data. Furthermore, they must explain the process, enabling guests to access, modify and erase information.
  • A hotel must keep technical and organisational documents to prove data protection and privacy. It will also need to show the supervisory authority that these mechanisms are in place.


Training for the Hotel Industry and GDPR

Hoteliers should ensure their staff are trained and appreciate the GDPR intention when it comes to the compliance process. Hotel employees must be aware of how to collect, access, use and disclose personal information as well as how to restrict access to cardholder data. They must also be able to handle data safely and avoid data corruption. Staff must also be advised on how to create strong passwords, and how to properly dispose of documents containing payment card data.
