
Checking In: Hotels and the GDPR

October 1, 2018 | By Preiskel & Co

Europe’s General Data Protection Regulation (the “GDPR”) has been in force for a little over four months, but it is important to remember that May 25th was just the beginning of a new chapter in data protection and privacy rights. In this blog, Preiskel & Co Partner Jose Saras answers questions and discusses what he’s learned from working with clients in the hospitality and tourism sector.

Why should hotels and other hospitality companies care about the GDPR? Isn’t the GDPR a technology law?

Much has been written about the implications for tech-heavy sectors such as telecoms, media and finance. But fundamentally, the GDPR aims to ensure adequate protections for an individual’s privacy – regardless of how the information is stored. It applies to paper files and CCTV footage, as well as fingerprint access cards and hotel loyalty or rewards programs.

Hotels will have thousands, if not hundreds of thousands, of unique guests or visitors each year. Additionally, hotels and other hospitality companies often employ large numbers of staff at any given time, and turnover rates within the industry can be high. This means hotels will have vast amounts of personal data at their disposal.

The GDPR has updated the definition of personal data. How does this impact the hospitality industry?

In contrast to the old data protection laws, the GDPR defines “personal data” as being any information that identifies or could potentially identify an individual – this goes far beyond someone’s name, date of birth, or address. In some circumstances, this can include information like usernames, location data, and ISP addresses.

The GDPR requires that all personal data is kept safe and secure. To meet these legal obligations, hotels need to review and consider a wide range of systems, internal policies and contracts with vendors as part of their GDPR compliance. In addition to staff contracts and guest forms, this could also include Wi-Fi policies, CCTV policies and signage, contracts about payment transactions… the list goes on. Personal data can be hiding in a variety of systems or documents… or hidden in any hotel cupboard where staff or guest forms are kept!

What about sensitive personal data?

Hotels must also be aware that they are often guardians of sensitive personal information from guests or members of staff. When a guest checks in with reception, a hotel may ask for copies of ID, travel documents, or if the guest has any dietary requirements. This data could be sensitive personal data if it reveals race, religion or ethnicity. In such circumstances, particular rules about safeguarding that information will apply. Information relating to sexuality, biometric data, health or political beliefs is also considered sensitive personal data, so this could apply to information held about hotel staff as well.

Marketing and advertising is hugely important for the competitive hotel industry. What are some common misconceptions about what the GDPR says in respect of marketing?  

Firstly, while it’s true that the GDPR has tightened the rules surrounding what companies can and cannot do with an individual’s personal data, it is a common misconception that consent is always needed. Consent is just one of several lawful justifications available under the GDPR: it is possible to rely on other lawful justifications.

Secondly, the GDPR is not the only law that applies to marketing! The Privacy and Electronic Communications Regulations (the “PECR”) sit alongside the GDPR and much of our work involves that legislation, too. The PECR regulates the sending of direct marketing communications to recipients by electronic means and has specific rules about it which are not covered by the GDPR. The misconception that the GDPR regulates direct marketing communication is perhaps why we’ve seen so many messages from businesses about “staying in touch” and “confirming consent” to receive marketing emails – and this is often the wrong approach.

If for whatever reason consent will be difficult or impractical for a controller to obtain, can hospitality businesses rely on a different lawful justification under the GDPR – for example, contractual obligation or legitimate interests?

Absolutely – but doing so requires a careful analysis. In deciding which lawful justification (known as a “lawful basis” under the GDPR) to rely upon, it’s always best to involve privacy lawyers and to consider each activity on a case by case basis. In any event, the justification for using someone’s personal data, whether it is based on consent or otherwise, must be clearly explained to the data subjects, including both hotel staff and guests. This is to ensure the controller processes the personal data fairly, lawfully and transparently.

It seems that individuals are becoming increasingly aware of their enhanced rights under the GDPR. The GDPR has been given considerable publicity and has made exercising rights relating to data privacy much easier. What do businesses in the hospitality sector need to consider when dealing with requests from individuals concerning data?

Indeed, there are now six potential data subject requests that a European resident, regardless of their citizenship, may make under the GDPR. This includes the right of access and the right to be forgotten. In addition, the GDPR has also introduced a strict regulatory timeframe for responding to individuals. Because of the volume of personal data and sensitive personal data they use, hotels and other hospitality businesses need to ensure that they have clear systems and procedures in place, so they can easily and efficiently handle these types of requests. If requests are handled inadequately, an individual is entitled to make a complaint to the Information Commissioner’s Office (the UK regulator), and a hotel’s reputation – and business – may suffer as a result. Some of our most complex GDPR work to date has involved data subject access requests.

How is Brexit going to impact GDPR compliance for hotels and other hospitality businesses in the UK? If the UK leaves the European Union, does that mean we can forget about the GDPR?

The short answer is no! The UK European Union (Withdrawal) Act 2018 has a special provision which will make the GDPR part of our domestic legislation following our departure from the EU in March. Furthermore, the GDPR has extra-territorial effect, which means that it applies to companies wherever in the world they are located if they collect or use personal data belonging to European Union residents. This means that all hotels must comply with the privacy compliance standards established by the GDPR, even after Brexit.

 

Please contact Jose if you have any questions regarding the above.

Tags: GDPR, Jose Saras, Kelsey Farish