Law Blog Categories


Overview: European Union: Collection of Personal Data of Hotel Guests

Published on : 19 Apr 2021

European Union: Collection of Personal Data of Hotel Guests


Massive amounts of personal details are now shared online. The personalization of technology and customer service is fuelled by e-commerce and social media. As a result, consumer privacy, accountability, and data security have become hot topics around the board, including in the hospitality industry.

The Schengen Agreement was signed in 1985 by Germany, France, Belgium, Luxembourg, and the Netherlands, and it eventually eliminated checks at their shared borders. The Convention Implementing the Schengen Agreement was signed in 1990, establishing the Schengen region and removing all border controls. 

To compensate for the elimination of border controls, the Convention included provisions for the Schengen visa, refuge, police and security cooperation, the Schengen Information System (SIS), and data protection. The Schengen Agreement was enshrined in European Union (EU) law by the Amsterdam Treaty of 1997.

Further, On May 25th, 2018, the GDPR was put into practice. GDPR (General Data Protection Regulation) is an acronym for General Data Protection Regulation (GDPR). Simply stated, it is new, advanced regulation included in the European Data Protection Directive. GDPR compliance is required beginning May 25th for any organization collecting personal data from EU citizens or providing EU citizens with goods and services. This latest law extends to hotels as well.

The Schengen Agreement 

The Member States must take reasonable measures to ensure that managers of lodging establishments ensure that foreign visitors complete and sign registration forms and confirm their identity by producing a valid identification document, according to a provision in the Convention Implementing the Schengen Agreement's chapter on police cooperation. If required to avoid threats or criminal investigations, completed registration forms must be held or forwarded to the appropriate authorities.

Article 129 stipulates that when such personal data is transmitted, Member States must maintain a certain degree of data security in compliance with the principles of the Committee of Ministers of the Council of Europe's Recommendation No. R (87) 15 of 17 September 1987 Governing the Usage of Personal Data in the Police Sector. The Recommendation includes provisions on data collection, storage, usage, communication, storage duration and updating, and protection, as well as data subjects' rights of publicity, access, rectification, and appeal.

Data Protection 

As previously stated, the Convention Implementing the Schengen Agreement mandates that when personal data is stored and transmitted, Member States must maintain a certain degree of data security in accordance with the principles of Recommendation No. R (87) 15. In addition, the EU's General Data Protection Regulation (GDPR) went into force on May 25, 2018. The GDPR applies to all personal data processing. Persons processing personal data must ensure that the processing complies with the GDPR's principles, especially lawfulness, which means that the processing must have a proper legal basis.


The GDPR is a rule in EU law that governs how businesses handle, use, and exchange personal data. It applies to all people in the European Union. On May 25, 2018, the GDPR will go into practice. The GDPR refers to all-natural persons whose personal data is processed and whose conduct is tracked while in the EU, regardless of their nationality or place of residence. Nearly every online service is impacted by this shift in law, and the regulation has already resulted in drastic changes for US consumers as businesses adapt.

The GDPR builds on earlier EU privacy measures such as the Privacy Shield and the Data Protection Directive, and draws on them in two ways. To begin, the GDPR defines personal data as any information that can be used to identify a data subject directly or indirectly, such as an online identifier such as an IP address. The GDPR raises the threshold for gathering personal data to new heights. Users also require a way to withdraw that consent, as well as the ability to request any of the data that a company has gathered on them in order to validate that consent. These stringent rules apply to businesses operating outside of the European Union.

GDPR's Applicability to a Hospitality Industry

The aim of this section is to discuss the GDPR's territorial scope, and in particular, how it could relate to hospitality venues that are physically located outside of the EU.

The GDPR notes the following in Chapter 1, Article 3;

  1. Regardless of whether the processing takes place in the Union or not, this Regulation refers to the processing of personal data in the form of the activities of a controller or processor in the Union.
  2. This Regulation extends to the processing of personal data of Union data subjects by a controller or processor based outside the Union, where the processing activities are referred to;
  3. the provision of goods or services to a data subject in the Union, regardless of whether the data subject is expected to pay;
  4. the control of their behaviour as far as they take place within the Union
  5. This Regulation extends to the processing of personal data by a controller who is not based in the EU but who operates in a country where member state law is applicable due to public international law.

This section will concentrate on determining if individual hotels or hotel companies physically located outside of the EU are subject to the GDPR by interpreting Section 2(a) above. 

The criterion for GDPR applicability to hotels located outside of the EU can be divided into two sections. To begin, the Regulation relates to the processing of personal data of Union data subjects. The requirement that the data subject be a resident of the EU appears to rule out the scenario in which a resident of the EU travels to another area and then makes or pays for a hotel room. The data topic is not in the EU in this situation.

A situation in which an individual in the EU makes a reservation for a room in a hotel outside the EU is more likely to occur. In this situation, the GDPR will only apply to the hotel if it delivered products or services to data subjects in the European Union. The GDPR provides only rudimentary guidelines on what constitutes a "offering of products or services" in the European Union.

In addition to these considerations, hotels and other hospitality establishments should be mindful that using third-party booking sites or vendors who provide third-party marketing services can be construed as providing products or services to EU data subjects. Individuals visiting their website, using other methods to track website visitors' browsing activity, or even putting cookies on website visitors' devices are examples of third-party marketing services.

The consequences of not complying 

The GDPR imposes harsh punishments, including two levels of fines. The maximum penalties for each breach are set at 4% of a company's annual global sales, or 20 million Euros, whichever is greater. Fines at the lower levels are up to 2% of a company's annual global sales or €10 million, whichever is greater. These penalties are much more stringent than the fines permitted by the Data Protection Directive, and they show the EU's commitment to data privacy.


  • The GDPR has an effect on hotels all over the world

No matter where they are located, all properties that target EU residents as customers are subject to the GDPR. This means that the GDPR applies to all hotels in the United States as well as other countries around the world, not just those in Europe. 

  • The GDPR applies to hotels

Regardless of the partners or solution providers, the hotel (who, under the GDPR, will be called the data controller) is solely responsible for using GDPR-compliant software.

  • For the entire EU, a single price point has been created

Hotels cannot use profiling to set rates based on an EU visitor's venue, which is a widely ignored feature of the GDPR. 

What effect would the GDPR have on your hotel's online data policy?

The GDPR has six significant consequences for your hotel's data policies about EU website visitors:

  • Obtaining consent

Visitors to your website should understand precisely how you plan to use their information and the legal basis for gathering it. GDPR law requires unambiguous and affirmative consent, and any hotel website that collects personal data must obtain express permission to use it in the course of their business. The user must agree to each particular intent if you are seeking consent from them. That is, if you have someone's email address who has made a reservation with your hotel, you can only sell to them if they have expressly consented. Similarly, privacy notifications can need to be rewritten to comply with GDPR regulations. Terms of Service and Privacy Policies must be easy to comprehend and free of jargon (A good rule of thumb is that the Terms of Service should be understandable to a 16-year-old). 

  • Data processing

Being completely aware of who has access to personal data that is logged and maintained on the hotel website's content management system or database is a key component of the GDPR. The first step is to figure out who has access to this information and make a list. Examine the list again to see if any of these people need access to this information. If the response is no, permission should be withdrawn, and steps to regulate future access should be put in place. 

Companies are not permitted to keep data for any longer than is absolutely appropriate, so there must be a robust mechanism in place for removing data that is no longer valid or needed. 

  • Accountability for data 

Hotels, regardless of their solution provider, are solely responsible for using GDPR-compliant tools. As a result, hotels should conduct internal audits with any external entities that may have access to their data to ensure that their practices are legal. Even if you've outsourced parts of the operation, you're ultimately liable as the data owner (controller), so keep track of the steps you've taken to ensure all stakeholders are following GDPR regulations. All of your collaborators should be able to clearly illustrate what steps they've taken to ensure the data you provide is kept as secure as possible. 

  • Data Accuracy 

Personal information must be correct and up-to-date at all times. Every fair step must be taken to ensure that personal data is correct for the purposes for which it is stored, and that incorrect personal data is immediately erased or rectified.

  • Minimization of data

Websites should only obtain the minimum amount of consumer data necessary to complete the task, as well as follow the "storage restriction principle," which states that personal data should be kept for no longer than is necessary and that individuals should be told about how their data will be used.

  • The "Right to be Forgotten" and data portability

All website users hold the right to receive their previously collected personal data in a readable format, as well as the "Right to be Forgotten," which allows customers to quickly have all of their information removed from the hotel database.

What steps should the hotels take to prepare for the GDPR?

Your hotel's website, data policy, digital marketing, and online merchandising are all affected by the GDPR. The following are the best ways to get ready for GDPR:

The hotel web forms and website usage:

It's important to make sure that all web forms and cookie use comply with the GDPR. To ensure that all is in order, the website's Privacy Policy and Terms and Conditions should also reflect the GDPR. 

  1. The Privacy Policy and Terms and Conditions should be updated 

First and foremost, the Privacy Policy and Terms and Conditions on your hotel's website should be revised to reflect GDPR rules and regulations. You must be clear about what you will do with personal information after it has been obtained, as well as how long you will keep it on your website and in any other databases.

  1. Ascertain that your website is secure

To ensure that all data processing via the website is safe, your hotel website should have an SSL (Secure Sockets Layer) Certificate. The domain will begin with "https" rather than "http" if your website has an SSL Certificate. SSL Certificates encrypt all of your data as it moves from your browser to the server of a website.

  1. Make sure you've given your approval to cookies

Visitors from the European Union must give their consent for cookies to be used to identify a person on your hotel's website. Consenting to cookies, as all other forms of consent under the GDPR, must be a direct affirmative action. With an opt-in box, hotel websites should present specific terms of service regarding cookie use. Have no pre-ticked boxes on the consent form, since this is in violation of GDPR regulations. It's also worth noting that the hotel website shouldn't force users to accept cookies in return for details, and the hotel must have a legal justification to use an EU visitor's IP address to personalize content or identify a user's computer under the GDPR.

  1. Ensure that people can opt out or have their personal data erased

Under the "Right to be Forgotten" provision of the GDPR, a data subject should be allowed to revoke consent as quickly as they gave it. Before consent is granted, controllers must remind data subjects of their right to withdraw.

  1. Change the default opt-in to "No" and add separate check boxes for each opt-in.

Forms that ask users to sign up for newsletters or indicate contact preferences must have a "no" option or an unchecked opt-in box by design. You should also make sure that users give their consent for all of the ways your hotel can use their information. When a person signs up for email newsletters, for example, they are not agreeing to have their email address used for look-alike audience marketing. Finally, for each separate use of guests' data, hotels must set up a clear checkbox or form of consent. Finally, a double opt-in procedure is necessary to ensure that you are GDPR compliant.

  1. Called parties must be clearly identified in all web forms.

Each party to whom consent is being given must be clearly identified in your web forms. It's important to remember that naming particular groups of third-party entities isn't enough; they must be named in their entirety. Your consent form, for example, cannot simply say "third-party ad networks," but must name the ad networks where advertisements will appear.

Consequences of not complying with GDPR

Non - compliance with the GDPR rules will result in penalties of up to 4% of annual global sales or $24.6 million (€20 million), whichever is higher.

Related Publication

  • Company Formation in Luxembourg