The GDPR for hospitality: what’s to come in 2020

GDPR is coming: is your hotel ready?

Any business that offers hospitality, travel, software or e-commerce services to European residents needs to comply with the General Data Protection Regulation (GDPR). If the company or organization fails to comply with the data protection rules, it may result in large fines. But how do the Regulation’s provisions apply to your business?

In this article, we will explain what GDPR is, its key principles, as well as changes to GDPR to consider in 2020.

What is GDPR?

The General Data Protection Regulation (GDPR, is a new EU Regulation which enhances the personal data protection of citizens and increases the obligations of companies collecting or processing data.

The GDPR will apply to your company in case you use the personal data of EU citizens, even if it isn't based in Europe.

The GDPR was adopted in 2016 and came into force on the25th of May 2018 in each EU member state and Germany with the country’s adaptation – the Federal Data Protection Act (BDSG).

What is personal data?

Personal information is any type of information that relates to an individual (data subject), and with which you can directly or indirectly identify the data subject. For example, name, postal address, location, etc. The term is so broad that even an IP address can be considered personal information in certain circumstances.

GDPR for the hospitality sector

The GDPR applies to any hospitality industry companies that use or process EU citizen's personal data even though they are based out of the EU, whether they are your guests, employees, clients or partners.

Changes in the GDPR to consider in 2020

The German Bundestag passed the 2nd German Data Protection Adaptation and Implementation Act EU (“2nd DSAnpUG-EU”) at the end of June 2019. On November 20, 2019, it was published in the Federal Law Gazette and entered into force on the day after its promulgation. It is aimed at easing the burden for small businesses and civil society organizations.

A new law also brings important changes to the BDSG, which are as follows:

● The limit from when data controllers and data processors should appoint a data protection officer is now from 20 employees of a company permanently engaged in the automated processing of personal data, instead of the minimum of 10 persons previously.

● It became easier to obtain employee consent. As of now, employees shouldn’t provide it in written form. They can give their consent electronically via email.

Data protection officer’s tasks and duties

Each organization is required to assign a Data Protection Officer (DPO) to manage data processing processes and monitor compliance according to the requirements of the GDPR.

DPOs are responsible for the following:

● Monitor compliance with data protection rules in the company.

● Keep a record of processing activities.

● Serve as a contact point towards clients and the Data Protection Authority regarding the processing of personal data.

Please note that under the GDPR, to appoint a Data Protection Officer, a written order is not required, as well as:

● The Data Protection Officer is not legally obliged to get training and certification. However, in the event of a dispute, you must prove that a DPO has specialized knowledge.

● You can choose between an internal DPO or external one.

6 key principles of the GDPR: everything you need to know

To avoid paying fines, it is necessary to follow the six basic principles of the GDPR:

1 Personal data shall be processed legally, fairly, and transparently. All information about goals, methods, and processing volumes should be maximally available and clearly stated in the Privacy Policy so that even the novice user can understand it. Moreover, users should confirm that they agree with the data use policy. If not, they cannot use the website.
2 The data should be collected and used only for the stated in the agreement purposes.
3 You cannot collect more data than necessary for processing purposes. As mentioned above, you need to determine exactly what data you need and for which purposes.
4 Inaccurate personal data must be deleted or corrected (at the request of the site user).
5 Data should be stored in a form that allows you to identify the data subject for a period not longer than necessary for your purposes.
6 When collecting or processing data, companies are required to protect personal data from illegal processing, damage or disposal.
6 key principles of the GDPR: everything you need to know

If there are any violations related to personal data, companies are required to notify the supervisory authorities (in Germany — Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit — and data subjects within 72 hours after the discovery, even if they are guilty themselves.

Requirements for consent forms

Under the GDPR, the form of consent to the user data processing should be worked out seriously and in detail.

1 Consent can not be expressed in the form of silence or inaction of the user. We do not recommend using fields with an already ticked box or other similar methods..
2 Consent will be invalid if the person had no real choice or was unable to refuse or withdraw the consent without detriment.
3 It must be expressed in the form of a statement or in the form of action.
4 Information on how to revoke consent should be easily accessible and understandable to ensure the user can find it easily.
5 At the beginning of the session, you need to get your users to agree to data processing in the Privacy Policy section, as well as give instructions on how to withdraw consent.
6 Besides, hotels can only provide information about registered users. This will probably have a negative effect on the conversion.

The case with the child data is more serious because children are less aware of the risks and consequences of the processing. The consent to the child's data processing should be authorized by the parents or legal representatives. The age threshold for this is determined by the EU members separately in each country, from 13 to 16 years. If you do not need to process the data of children, you need to specify in large print that there is an age limit of 16 or over to use the site and services.


The provisions of the GDPR regarding data protection help keep your business and personal data safe and thus prevent any attacks or data breaches. This builds trust in an increasingly digital business world.

“I’m sure companies that digitize business processes will ultimately benefit from implementing the data protection and IT security associated with it. Without the citizens' (and customers in particular) trust in data and processes security, digitization will not work”, said Ulrich Kelber, the Federal Commissioner for Data Protection and Freedom of Information.

Data protection is more critical than ever and may affect guests’ decisions about where to stay on vacation or travel. Increasingly, a hotel reputation for the responsible processing of personal data will be an asset that can lead to more conversions and a positive impact on profits.

Public relations: Ralph Eichelberger

Previous post
Next post

Latest News