
GDPR for Hotels: What You Need to Know

Hotel GDPR compliance demands strict processes to avoid penalties and litigation.

GDPR and hotels: what to know

The GDPR holds companies accountable for the collection, processing, and retention of personal data. Hotels are particularly exposed and must be thorough.

GDPR in France: laws, enforcement, audits, and penalties

The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, is an EU law that makes companies accountable for how they collect, process, and retain personal data.

This legal framework complements and strengthens France’s 1978 Data Protection Act and increases the powers of supervisory authorities, including harsher penalties for violations.

Concretely, businesses must be able to guarantee—and demonstrate—compliance in terms of collecting and protecting users’ personal data (prospects, guests, or employees), as well as honoring rights of access and erasure.

The CNIL recommends a staged approach that includes appointing a Data Protection Officer (where necessary), mapping data, performing risk analyses, and putting corrective actions in place via internal procedures and maintenance of processing registers and supporting documentation.

In the event of non-compliance during audits, a range of sanctions may be applied depending on the severity—from formal notices to suspension of processing, along with administrative fines and potentially criminal consequences.

A first tier of administrative fines can reach up to €10,000,000 or up to 2% of the enterprise’s worldwide annual turnover of the preceding financial year.

Hotel-specific GDPR considerations

Hotels, because of their large guest base and prospecting activity, are particularly affected by GDPR. The main provisions are numerous and collectively aim to make businesses responsible for proper data handling.
You can find the overarching principles on the CNIL’s dedicated website.

Hoteliers are responsible for compliant collection, processing, and retention of data about their guests, prospects, and employees—whether data are stored in-house or with a vendor.

Beyond data collected online or via marketing tools, which already require consent management, access controls, and retention and erasure procedures, hotels also handle sensitive personal data at check-in (passports or ID documents) and, very often, payment data.

These data are often kept longer than legally allowed and not always stored with appropriate security measures.

Hoteliers must also verify that all vendors they use process data in GDPR-compliant ways, in particular PMS providers, POS software, and Wi-Fi access providers. A hotel cannot simply shift responsibility to its vendors for personal data they collect or store on the hotel’s behalf.

Industry-specific implementation

GDPR’s spirit does not fundamentally differ for hotels compared to other firms. What makes hotels unique is how they obtain and collect personal data.

A relevant, end-to-end approach should include:

  • IT infrastructure (hardware and software) that is appropriate and secure;
  • A data structure with restricted, selective access to personal data;
  • Regular, encrypted backup solutions;
  • Secured local networks and the property’s guest Wi-Fi;
  • Training leadership and staff on cybersecurity best practices;
  • Support in building processing registers, identifying risks, and implementing corrective actions.
