
Compliance with the GDPR in the Tourism Sector

In the tourism industry, where the collection and processing of personal data are essential for service delivery, it is even more critical to ensure that the handling of customer data is done in accordance with the General Data Protection Regulation (GDPR).

It’s a fact that the supply chain in the tourism sector involves a continuous flow of personal data, as information provided by individuals during the booking process (personal data and, in some cases, special categories of personal data) flows between different parties involved in managing the reservation. However, this flow increases the risk of improper handling or exposure of personal data.

The main legal issue arises from how personal data travels through different information systems. From the moment a customer enters their booking information on a particular platform until the reservation is finalized, this data may pass through several intermediaries. Each intermediary maintains a separate agreement between the customer and the service provider, which must correctly define the legal responsibilities regarding data processing. Among the main problems that may arise, we find the lack of direct control between a platform, the data controller (the company that initially collects the data), and the service provider (for example, if a hotel fails to implement proper data protection practices).

In addition to this lack of direct control, we can add: (i) the complexity of supervising how the various actors involved process the data; (ii) the fact that personal data may be stored on platforms vulnerable to cyberattacks; and (iii) in cases of international tourism (especially outside the EU), international data transfers may occur without complying with the GDPR’s requirements.

Another challenge for this sector, considering the demand for personalized services, is balancing service personalization with GDPR compliance.

Privacy Violations

Currently, the most significant privacy violations in the tourism sector include personal data breaches due to cyberattacks or inadequate security measures, excessive collection of information, using data without explicit customer consent, and retaining information beyond legal limits.

Additionally, there are issues related to a lack of control over company staff’s access to sensitive data, misuse of data for advertising without consent, and non-compliance with regulations on international data transfers and breach notifications.

Non-compliance Cases

Among the most notorious cases in this sector, we should highlight many businesses’ failure to comply with data protection regulations by photocopying guests’ identity documents.

Specifically, the extensive inspections carried out by the Spanish Data Protection Agency (AEPD) this summer, capitalizing on the peak tourist season, targeted businesses that photocopy or scan guests’ ID cards. The AEPD has repeatedly emphasized that this practice, though common in the hospitality industry, is illegal as it violates data protection laws.

It is crucial to remember that only adequate, relevant, and limited information necessary for the purpose for which it is collected should be obtained. Therefore, collecting specific information about users and processing personal data is lawful, but photocopying an ID card would be excessive, as some information contained in the ID is not necessary for the intended purpose.

In this context, the AEPD imposed a fine of €30,000 on a hotel for violating Article 6 of the GDPR. The sanction followed a complaint by the Dutch Data Protection Authority, as the hotel had scanned a guest’s passport, including their photo, and used that information to verify the guest’s identity when charging their account, without their consent. Although the hotel collected the data to comply with regulations on traveler registration, the subsequent use of the information for other purposes was deemed illegal.

GDPR Penalties

Penalties for GDPR non-compliance can be extremely high, reaching up to €20 million or 4% of annual turnover. Although most fines are smaller, such as the €2,000 penalty imposed on a tourism business for photocopying ID cards, the AEPD warns that penalties can be severe and increase depending on the gravity of the violation.
