GDPR: major impact on hotel industry

Europe
13/02/2018
Download PDF

In a development that is expected to reverberate across the hotel industry of the Netherlands and EU, the General Data Protection Regulation (GDPR) is scheduled to come into force on 25 May 2018.

The GDPR was designed to strengthen privacy rules, protect the personal processed data of individuals, and introduce administrative fines for privacy violations of up to 4% of total annual worldwide turnover.

Although the new rules will impact any organisation that processes personal data, the hotel industry will be particularly affected for the following reasons:

  • Hotels obtain high volumes of personal data for guests, and process a large number of payment-card transactions daily.
  • They receive personal data from many sources, such as third-party booking systems and corporate websites.
  • They operate CCTV-systems.
  • They conduct profiling activities of customers.
  • Hotels enjoy a high turnover of employees, and independent contractors.

All of these activities involve the processing of personal and sensitive data on a larger scale.

Under the GDPR, a misuse or breach of personal data not only carries the risk of administrative fines, but could also hurt reputations and result in damage claims. The GDPR will affect owners and operators alike.

Against this backdrop, it is vital for businesses in the hotel industry to focus on GDPR compliance, including the following actions:

  • Ensure that management understands the main issues and risks involved.
  • Make an inventory of data processing activities.
  • Identify any shortcomings and weaknesses of data processing operations.
  • Put in place or update privacy policies, and information notices given to guests.
  • Review and update data-processing contracts with third parties.
  • Review and update joint data controller contracts, particularly if a hotel is run by a franchisee.
  • Review and update consent policies involving customer profiling.

The CMS hotel sector group will help you understand the implications of the GDPR, so that your business is in full compliance by the implementation date.

For more information, please contact the authors.

Search Filters

Advanced Search

Key contacts

Related content

  • 18/04/2024

    Top developments and predictions in the Technology, Media and Communications sector in Asia-Pacific

    We look back at the top developments over the last 12 months in the technology, media and communications (TMC) sector and we look to the future with our top predictions for the coming year for businesses operating across the Asia-Pacific region, specifically...
  • 17/04/2024

    Impact of the CJEU's Schufa judgment on the use of AI in HR

    This article examines the extent to which the CJEU's Schufa judgment is an obstacle to the use of artificial intelligence (AI) in the HR sector.More and more companies are using AI systems in HR. A key data protection provision in this context is Article...
  • 17/04/2024

    CMS data protection update (04/2024)

    I. The latest from the data protection authorities and current topics1. EDPB: Launch of coordinated enforcement on the right of accessThe European Data Protection Board (EDPB) selected the right of access under Article 15 GDPR as the focus of the third...