
GDPR compliance for the hospitality industry. A complete checklist for hotels, travel operators, and online reservation platforms 


The tourism and hotel industry increasingly depends on technology to manage reservations, process payments, and store customer data. That dependence has also made the industry an attractive target for cybercriminals.

The General Data Protection Regulation (GDPR) is the European Union's data protection law. It was adopted in 2016 and has applied since 25 May 2018. It covers any organization that processes the personal data of people in the EU, regardless of where the organization itself is located.

GDPR compliance is therefore a legal requirement for hotels, travel agencies, and booking platforms that process the personal data of EU residents. Non-compliance can result in severe penalties, including administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. By complying with the GDPR, hotels and travel agencies avoid these fines and legal consequences and maintain the trust of their customers.

For tourism enterprises, we have prepared a checklist containing the 10 most important obligations and guidelines that will help ensure compliance with the GDPR. 

You can also download the checklist as a practical tool from our website by completing a short form.

If you want to speak with one of our specialists about compliance analysis and implementing changes in your company, schedule a free consultation.  

We’ll tell you how to get started and assess how our team can help you. 

Why is GDPR compliance important for hotels and travel agencies? 

Maintaining GDPR compliance is essential for hotels and travel agencies to protect their customers’ data, protect their reputations, avoid financial penalties, and demonstrate responsibility for their data processing activities. 

In one of our articles on data security in the hotel industry, we cited an example of the consequences that affected one of the global hotel chains as a result of a breach of guest data security: 

  • a fine of GBP 18.4 million (about USD 23.8 million) imposed by the UK Information Commissioner's Office (ICO) for failing to meet its security obligations under the General Data Protection Regulation (GDPR),
  • legal costs of lawsuits filed against the company by both affected customers and investors,
  • potential compensation from those lawsuits estimated at up to USD 1.8 billion,
  • a temporary 8.7% drop in the value of the hotel chain's shares after the hack was announced in 2018.

These figures illustrate why compliance with the requirements of the General Data Protection Regulation (GDPR) is so important.

GDPR compliance in the tourism industry. Checklist for your company 


Below you will find the 10 most important GDPR requirements for hotels, travel agencies, and online booking platforms, along with tips from our experts to help you ensure the appropriate level of compliance with the regulations. 

1. Lawful basis for processing 

Every processing operation needs a lawful basis under Article 6 of the GDPR. Contrary to a common belief, consent is not always required: for a hotel or travel booking the usual basis is performance of the contract with the guest (the booking itself), and some processing, such as guest registration required by national law, rests on a legal obligation. Consent is the right basis only where the processing is genuinely optional, for example newsletters or marketing profiling, and it must then be "freely given, specific, informed, and unambiguous": the person must know what purpose the data is collected for and must be able to withdraw consent at any time, as easily as they gave it. Special categories of data that hotels often collect, such as dietary or health needs, additionally require explicit consent or another condition from Article 9.

A common abuse is collecting guest data for purposes the customer was never told about, or treating a pre-ticked box as "consent". This matters especially in tourism because, besides identity and travel-document data, payment data such as card numbers is processed; for card data the PCI DSS requirements apply on top of the GDPR.

The company must be able to state the basis for each processing activity, both in its record of processing activities and on any reasonable request. The basis must fit the specific activity: processing that goes beyond what is necessary and proportionate for the stated purpose is not covered by it.

2. Data minimization and limiting the storage of personal data 

Hotels and travel companies legitimately need detailed information about their guests (for registration, invoicing, and special requests), but they may collect it only to the extent necessary to provide the service and to meet legal requirements, and keep it only as long as those purposes last. 

In practice this means that hotels and travel agencies must: 

  • determine the purpose for which each item of personal data is collected, 
  • ensure that data is relevant, adequate, and limited to what is necessary for that purpose, 
  • ensure that data is accurate, complete, and up to date, 
  • set a retention period for each purpose, store the data securely for that period, and then delete or anonymize it. Different purposes have different clocks: contact details collected for a stay become unnecessary shortly after checkout, while invoice data usually has to be kept for the period set by accounting law. 

3. Privacy by design and privacy by default 

GDPR compliance (Article 25) requires companies to build data protection into their processes and systems from the start of planning, not to bolt it on afterwards. This includes data protection policies, procedures, and protocols, as well as software designed with appropriate safeguards and tailored to the company's specific needs. 

Privacy by design means that privacy measures and safeguards are part of the development of products, systems, and processes from the beginning, so that privacy is considered at every stage of a project and ends up built into the design and architecture of systems and technologies. For a booking system this covers, for example, encrypting stored identity documents, restricting staff access to what each role needs, and logging who viewed a guest record. 

Privacy by default means that a product or service, in its default configuration, processes only the personal data necessary for each specific purpose and does not expose it to more people than necessary: optional fields are left empty, marketing opt-ins are unchecked, and data is shared more widely only when the individual actively chooses so. 

Compliance with these two principles is crucial for hotels, travel agencies, and online booking platforms to maintain GDPR compliance. 

4. Cross-border data transfers 

Tourism companies in particular must ensure that any transfer of personal data outside the European Economic Area rests on a valid transfer mechanism under Chapter V of the GDPR: an adequacy decision of the European Commission (for the United States this is the EU-US Data Privacy Framework, which replaced the Privacy Shield invalidated by the Court of Justice of the EU in 2020, so "Privacy Shield certification" is no longer a valid basis), standard contractual clauses (SCCs) combined with an assessment of the destination country's law, or binding corporate rules. This matters because companies organizing trips and leisure for tourists around the world necessarily pass guest data to hotels, carriers, and agents located abroad. 

Customer consent is not the normal basis for such transfers. It is only a derogation for occasional cases (Article 49), alongside the derogation for transfers necessary to perform the customer's travel contract, and regular data flows should not be built on it. Whatever the mechanism, you must also verify that the recipient provides an adequate level of protection (a processing agreement, security commitments, audit rights) and ensure that data is encrypted in transit between systems. 

5. Ensuring the appropriate level of awareness and training of employees 

Breach statistics published by security researchers and supervisory authorities consistently point to human error (misdirected e-mails, phishing, misconfigured systems) as the most common cause of data security incidents. 

Travel companies therefore need to educate their employees about GDPR requirements and ensure they understand the importance of data privacy, with regular refresher training and updates on GDPR requirements and best practices. Front-desk and call-centre staff who handle guest identity and payment data are the first line of defence against social engineering and should be trained on it specifically. 


6. Appointment of a Data Protection Officer (DPO) in the company 

Article 37 of the GDPR requires a data protection officer where an organization's core activities consist of "regular and systematic monitoring of data subjects on a large scale" or of large-scale processing of special categories of data. Large hotel chains, booking platforms, and travel operators that profile guests or handle health-related requests at scale will often meet this test; a single small hotel may not, but it must still assess the question and document the outcome. 

Where the obligation applies, the DPO oversees the company's data protection practices and is the designated point of contact for the supervisory authority and for data subjects, which makes the company accountable for its handling of personal data. Appointing a DPO voluntarily is also a recognized good practice. 

It is worth remembering that the role of the Data Protection Officer (DPO) can be performed either by your own employee or by an external specialist engaged through outsourcing, provided the person has the required expertise and no conflict of interest (for example, the head of IT or marketing should not also be the DPO). 

7. Preparation of appropriate documentation 

Every controller must keep a record of processing activities (Article 30): what data is processed, for what purpose, on what basis, with whom it is shared, and for how long. The exemption for organizations with fewer than 250 employees does not apply where processing is not occasional, which is the case for any business handling guest data on a daily basis. 

In addition, before starting processing that is likely to result in a high risk to the rights and freedoms of natural persons, you must conduct a data protection impact assessment (DPIA, Article 35). In the tourism industry this is typically the case for large-scale profiling of guests, processing of health-related data, systematic monitoring (e.g. CCTV or location tracking), or the introduction of new booking technologies; consult the list of processing operations requiring a DPIA published by your supervisory authority. 

8. Creating appropriate procedures for detecting and reporting breaches and ensuring their compliance 

When a personal data breach occurs, the controller must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). If the breach is likely to result in a high risk, for example leaked passport or payment card data, the affected guests must also be informed without undue delay (Article 34) so that they can take steps to protect themselves. A booking platform or software vendor acting as a processor must report breaches to its hotel customers without undue delay so that their 72-hour clock can be met. 

For this reason, to avoid fines for late or incomplete notification, prepare an incident response procedure (who decides, who notifies, what is logged), familiarize employees with it, rehearse it, and monitor whether it is followed. Keep an internal register of all breaches, including those that did not have to be reported. 

9. Information obligation and enabling customers to exercise their rights 

When collecting your customers' data you must also inform them, in clear and accessible language, what you do with it and what rights they have (Articles 13 and 14). Any customer may request from your company, among others: access to their data, rectification, erasure, restriction of processing, objection to processing, and data portability. 

These rights are important because they give customers control over their data and hold organizations accountable for handling it. 

Exercising these rights should be simple and easy, and requests must normally be answered within one month. Verify the requester's identity before releasing or deleting anything: a forged access request is a cheap way for an attacker to obtain a guest's travel details. 
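As an added illustration, and not code from the original checklist or from SOFTIQ, the Python sketch below shows how the storage-limitation rule from point 2 and the erasure and portability rights from point 9 can be enforced in a booking system's data layer. The GuestRecord layout, the field names, the retention periods, and the sample guests are all assumptions made for the example; real retention periods come from a legal review of accounting and guest-registration rules, and identity verification of the requester is assumed to have happened before the request handlers are called.

```python
"""Retention enforcement and data-subject requests for hotel guest records.

Added illustration, not SOFTIQ code. The record layout, field names and the
retention periods are assumptions made for the example; real periods come from
a legal review (accounting law, guest-registration rules, etc.).
"""
from dataclasses import dataclass, asdict, replace
from datetime import date
from typing import Optional
import json

# Assumed retention periods per purpose, in days after checkout.
RETENTION_DAYS = {
    "stay": 30,          # contact and ID data needed only briefly after the stay
    "invoice": 5 * 365,  # accounting records, kept even after an erasure request
}

# Fields a guest can have erased on request. Name and invoice fields are kept
# because the accounting obligation overrides erasure (Art. 17(3)(b) GDPR).
ERASABLE = ("email", "phone", "passport_number", "dietary_notes")


@dataclass(frozen=True)
class GuestRecord:
    guest_id: str
    name: str
    email: Optional[str]
    phone: Optional[str]
    passport_number: Optional[str]
    dietary_notes: Optional[str]  # health-related: special category, explicit consent needed
    card_last4: str               # only the last four digits are stored, never the full PAN
    checkout: date
    invoice_no: str
    invoice_total: float
    marketing_consent: bool
    erased: bool = False


def redact(rec: GuestRecord) -> GuestRecord:
    """Strip every erasable field and all consent-based processing; keep invoice data."""
    return replace(rec, **{f: None for f in ERASABLE}, marketing_consent=False, erased=True)


def apply_retention(records, today):
    """Scheduled retention job (run daily).

    Records past the stay period are redacted down to invoice data; records whose
    invoice period has also lapsed are deleted outright. Returns the surviving records.
    """
    kept = []
    for rec in records:
        age = (today - rec.checkout).days
        if age > RETENTION_DAYS["invoice"]:
            continue                          # every purpose expired: hard delete
        if age > RETENTION_DAYS["stay"] and not rec.erased:
            rec = redact(rec)                 # stay purpose expired: invoice-only record
        kept.append(rec)
    return kept


def handle_erasure_request(rec):
    """Art. 17 request, after the requester's identity has been verified (out of scope here)."""
    return redact(rec)


def handle_portability_request(rec):
    """Art. 20: machine-readable (JSON) copy of the data the guest provided."""
    data = asdict(rec)
    data["checkout"] = rec.checkout.isoformat()
    del data["erased"]          # internal flag, not the guest's own data
    return json.dumps(data, indent=2)


# Constructed sample data for the demo; these guests do not exist.
DEMO_TODAY = date(2024, 3, 1)


def sample_records():
    return [
        GuestRecord("g1", "Anna Nowak", "anna@example.com", "+48 600 000 000",
                    "AB1234567", "nut allergy", "4242", date(2024, 1, 10),
                    "INV-2024-001", 350.0, True),
        GuestRecord("g2", "Jan Kowalski", "jan@example.com", None, None, None,
                    "1111", date(2018, 6, 1), "INV-2018-077", 120.0, False),
    ]


if __name__ == "__main__":
    for r in apply_retention(sample_records(), DEMO_TODAY):
        print(r)
    print(handle_portability_request(sample_records()[0]))
```

Run as a script it prints the surviving, redacted record for the January guest (the 2018 record is past its invoice period and is dropped) and the portability export of the original record. The point of the two retention clocks is that an erasure request and an expired stay period both lead to the same redacted state, while the invoice survives until accounting law allows its deletion; a real implementation would run `apply_retention` as a database job and write an audit entry for every redaction and deletion.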

10. Data collection must be lawful, fair, and transparent 

Your customers' data must not be collected "just in case" or beyond what the provision of the service requires. 

In the event of an audit you must be able to demonstrate that each item you collect and each processing operation is necessary for the stated purpose. It also helps to show that less intrusive alternatives were considered before the scope of the collected data was decided. 


Summary 

Hotels, travel agencies, and other tourism businesses rely heavily on technology to manage their operations, communicate with guests, and store sensitive information. 

However, this increased dependence on technology also exposes them to several data security risks, which the requirements of the General Data Protection Regulation (GDPR) are intended to prevent. 

Although tourism businesses can adapt to GDPR requirements on their own, achieving a high level of security without the help of experts may be a challenge for them. 

Working with software house specialists such as the SOFTIQ team lets you reliably verify your current level of security and its compliance with legal requirements. We can also support you with periodic security testing, including penetration tests, and with staff training. 

If you want to be sure that your company will properly fulfil its obligations under the GDPR, contact us and arrange a free consultation with our expert. 

If you need more information about GDPR compliance in tourism activities, we encourage you to read our blog article: "Creating a GDPR-Compliant Online Booking System for Your Business. Step-by-Step Guide". 
