Jan 22 2018

Data Protection in Hotels

In order to provide their services, hotels need to collect different types of personal data from their customers. They must, therefore, take into account specific data protection regulations.

Under the new General Data Protection Regulation (GDPR), effective as of 25 May 2018, hotels may foresee and apply all measures and policies necessary to prevent any inappropriate processing of personal data of their guests, workers, etc. It is therefore of utmost importance that hotels apply correctly the GDPR before said date.

What does a Hotel need to do to comply with the Law?

In order to simplify the matter and support all those who may act as personal data controllers and processors in all commercial and business fields, the Spanish Data Protection Agency (AEPD) and the group created by the European Commission to deal with this matter (known as the Working Group of article 29) have provided us with guidelines and reports to help us develop internal policies and understand the correct implementation of the GDPR.

Let us now examine the main actions to be taken by our company before implementing the new GDPR.

During their everyday business, hotels compile a large amount of personal data from customers staying on their premises. The processing of said data is subject to the provisions of Data Protection Organic Law and Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data.

Legal Advice of Hotels

In order to be well prepared for this new regulation and carry out a correct processing of the personal data held as controller, a hotel must perform a series of specific actions which we shall now explain.

Under the provisions of the new GDPR, hotels must fulfil the so-called principle of proactive responsibility. To this end, they must carry out (i) a risk analysis to evaluate any possible contingencies of the processing performed taking into account, among other things, the type of processing, the nature of the data and the number of data subjects affected. Furthermore, if the risk is deemed to be particularly high, they will need to perform (ii) an impact evaluation aimed at minimizing any likelihood that the processing may affect the freedom and liberty of the data subjects. Subsequently, they must implement (iii) security measures in line with the studies performed.

On the other hand, the hotel must provide the data subjects with simple and accessible mechanisms to manage their rights. ARCO rights, as they have been commonly referred to until now, must be extended to include the following:

Right of access
Right of rectification
Right of objection
Right of erasure
Right to be forgotten
Right of limitation of data processing
Right of data portability

It will be necessary for the hotel to appoint a professional with the necessary qualifications in this matter to safeguard the internal processes and policies of personal data processing. Said professional is referred to as the Data Protection Officer (DPO).

Furthermore, in order to comply with the information principle of the new GDPR, the appointment of the DPO and his/her contact details must be disclosed to the public and communicated to the competent supervising authorities.

However, if the hotel forms part of a group of companies, it may be possible to appoint a single DPO for the whole group.

It is also vital to keep in mind that if the hotel belongs to a hotel group, said group may have hotels located in countries which lack adequate data protection levels. In order to make international transfers of data to said hotels it may be necessary also to obtain the data subject’s explicit consent, provided that said international transfer is not effected fully in connection with the performance of an agreement.

Said explicit consent will entail for the data controller a series of additional efforts to ensure the identity of the users providing their consent. However, a way to render unnecessary the authorization of the international transfer of data of its customers to the subsidiaries worldwide is to request a specific authorization from the Spanish Data Protection Agency or to establish Binding Corporate Rules.