GDPR Compliance for Hotels
The travel and tourism industries handle massive amounts of personal data, and with that data come the regulations that govern how it is collected and used. One example is the European Union's GDPR (General Data Protection Regulation), which applies to much of the hotel industry. The GDPR was adopted in April 2016, and its two-year transition period ended on May 25, 2018, when the Regulation became enforceable. One of its main purposes is to make companies transparent about their data handling and protection practices: what they collect and how, how it is stored and protected, and when it is shared and with whom. The measure applies to any business handling the personal data of individuals in the EU (not only EU citizens), and because hotels collect and retain a great deal of such data about their guests, it is especially important for them.
In addition to requiring transparency, the GDPR gives customers, employees, and anyone else whose data has been collected the right to ask the business for a copy of their data, to have it corrected, or to have it erased altogether, and the business generally must respond within one month. These requests should be planned for ahead of time, with someone put in charge of data protection and compliance for your company. The Regulation requires a formal Data Protection Officer only in certain cases, for example where the core business involves large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data, but even where it is not required, a dedicated officer is worth considering. Audits may be needed to inventory and report on the data being stored, and vendors and software products must be held accountable as well: any product that collects or processes guest information on the hotel's behalf should be covered by a written Data Processing Agreement, the contract the GDPR requires between a business and the vendors that process data for it, confirming that the vendor follows the Regulation's requirements.
As to what information the Regulation covers, "personal data" means any information relating to an identifiable person, including names, contact information, addresses, IP addresses, reservation records, and more. A sub-set of this, the "special categories" of data, requires extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data (fingerprints, for example), health records, and information about a person's sex life or sexual orientation. Processing such data is prohibited unless one of the specific exceptions in the Regulation applies, such as the individual's explicit consent.
The GDPR is often described as protecting EU citizens, which might suggest that it covers only data collection and other activities within EU borders. This is not the case. The Regulation protects individuals who are in the EU regardless of nationality, and a business located outside the EU is covered when it offers goods or services to people in the EU or monitors their behaviour there. A hotel reservation made by a guest in the EU with a company located outside the EU may therefore involve data covered by the GDPR.
Even if you're not directly conducting business within the EU, it's important to keep an eye on the Regulation and make sure your practices are GDPR-compliant where it applies. Even a small slip-up on your company's behalf may end in hefty fines, which for the most serious infringements can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher, so the best way to approach these rules is to get educated and be prepared. For a more individual analysis of your business' legal obligations, let's have a meeting to discuss!
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.