GDPR Regulations & How it Affects the Hospitality Industry


One of the largest hospitality companies, Marriott, was fined the equivalent of 23.8 million dollars (£18.4 million) under GDPR by the UK Information Commissioner's Office in 2020, over a breach it disclosed in 2018. The regulation adopted by the European Union affects organizations across the world and has produced eye-opening fines that could have been prevented. The General Data Protection Regulation (GDPR) has shed light on hotel vulnerabilities, and if its requirements are not met for people in the EU, the consequences can cost a business millions more. Let's take a closer look at how GDPR affects the hospitality industry, what non-compliance costs, the problems that arise, and an example of a data breach.

GDPR Affects the Entire Hospitality Industry

Every organization that operates in the EU, or that offers goods or services to people in the EU from elsewhere, must comply with the GDPR. The regulation requires organizations to be fully transparent with the people whose data they hold about how that personal data is collected, stored, used, and shared, and to have a lawful basis (such as consent) for each use. It applies to people located in the EU regardless of citizenship, and it reaches non-EU businesses that market to or monitor those people, so a hotel outside Europe that takes bookings from EU residents is in scope. Examples of affected businesses are travel agencies, tour operators, hotels, motels, clubs, Airbnb hosts, car rental companies, restaurants, and any other hospitality organization. Hospitality businesses should therefore treat these requirements as mandatory wherever they are based; doing so avoids reputational damage as well as financial penalties.

The penalties for failing to comply are set out in Article 83 of the regulation. There are two tiers of administrative fines. The lower tier covers the less severe infringements, such as failing to meet the obligations placed on controllers and processors, certification bodies, and monitoring bodies, and can reach 10 million euros or 2% of the organization's worldwide annual revenue from the preceding financial year, whichever is higher. The higher tier covers the more severe infringements, such as violating the basic processing principles or the rights of data subjects, and can reach 20 million euros or 4% of worldwide annual revenue, whichever is higher. For a large hotel group that means tens of millions of dollars. The basic principles to follow when processing personal data are the following:

  • Lawfulness, fairness, and transparency
  • Purpose limitation- Process data only for the specific purposes communicated to the data subject
  • Data minimization- Collect and process only the data that is necessary for those purposes
  • Accuracy- Keep personal data accurate and up to date
  • Storage limitation- Keep personal data in identifiable form only for as long as necessary
  • Integrity and confidentiality- Process data with appropriate security measures in place against unauthorized access, loss, or damage
  • Accountability- The data controller must be able to demonstrate how its processing complies with GDPR

Standards in Other Countries

In view of international cooperation, it is often necessary to send personal data to third countries, meaning any country outside the European Union. The same rules apply to the data wherever it goes; what matters is that it belongs to people in the EU. Before any transfer is considered, the processing itself must be lawful: under Article 6 of the GDPR, processing personal data is prohibited unless it rests on a lawful basis, such as the performance of a contract with the guest, a legal obligation, or the controller's legitimate interests. The transfer then has to be permitted in its own right. If the European Commission has issued an adequacy decision for the destination country, data can flow there freely. If there is no adequacy decision, the organization must provide another safeguard that ensures the recipient will protect the personal data: standard contractual clauses approved by the Commission, binding corporate rules for transfers within a corporate group, an approved code of conduct, or an approved certification mechanism.

Data Breach- Marriott Hotels

Hotels are a large target for hackers because of their numerous customer touch points. Guests make online reservations, hand over passports and credit card details, and sign up for loyalty programs. Larger hotel groups also inadvertently expose a web of interconnected business entities and external suppliers. In Marriott's case, the 23.8 million dollar fine was imposed because a breach of its Starwood guest reservation database exposed the records of around 30 million EU residents, out of 383 million guest records in total. Names, addresses, passport numbers and, for some guests, payment card details were exposed; the card numbers were stored encrypted, but Marriott could not rule out that the keys had been taken as well. It is important to note that the intrusion into the Starwood reservation system dated back to 2014, before Marriott acquired Starwood in 2016, and was not detected until September 2018. The regulator found that Marriott failed to perform sufficient due diligence on the reservation system when it acquired Starwood and then failed to secure it adequately. Stronger data loss prevention, monitoring of privileged accounts and database activity, and de-identification of the most sensitive fields would have reduced both the likelihood and the impact of the breach.
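The de-identification, data minimization and storage limitation controls referred to in the principles list above and in the Marriott discussion, as an added worked example in Python. This is not Marriott's, PassiveBolt's or the page's own code; the field names, the 90-day retention period, the demo key and the sample guest records are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed demo key. In production the HMAC key is held in a KMS or HSM with
# access controls separate from the database, so a dump of the reservation table
# alone cannot be turned back into passport numbers.
DEMO_KEY = bytes(range(32))

# Fields the hypothetical reservation purpose actually needs (purpose limitation
# and data minimization). Anything else is dropped before the record is stored.
KEEP_FIELDS = {"reservation_id", "guest_name", "email", "check_in", "check_out"}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of a government ID such as a passport number.

    A plain SHA-256 would be reversible by brute force because passport numbers
    are short and structured. HMAC with a secret key closes that off while still
    letting the hotel recognise a returning guest by comparing pseudonyms.
    Whitespace and case are normalised first so "x 1234567" and "X1234567"
    map to the same pseudonym.
    """
    canonical = "".join(identifier.split()).upper()
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_reservation(raw: dict, key: bytes) -> dict:
    """Build the record that is actually persisted.

    - passport_number -> keyed pseudonym (de-identification)
    - card_number     -> last four digits only; the full PAN belongs with the
                         PCI-scoped payment processor, not the reservation DB
    - any field not in KEEP_FIELDS is discarded
    """
    stored = {k: v for k, v in raw.items() if k in KEEP_FIELDS}
    if raw.get("passport_number"):
        stored["passport_pseudonym"] = pseudonymize(raw["passport_number"], key)
    if raw.get("card_number"):
        digits = "".join(ch for ch in raw["card_number"] if ch.isdigit())
        stored["card_last4"] = digits[-4:]
    return stored


def purge_expired(records: list, today_iso: str, retention_days: int) -> list:
    """Storage limitation: keep a stay only for retention_days after check-out."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["check_out"]) >= cutoff]


def process_all(raw_records: list, key: bytes, today_iso: str,
                retention_days: int = 90) -> list:
    """Minimize every incoming record, then apply the retention policy."""
    minimized = [minimize_reservation(r, key) for r in raw_records]
    return purge_expired(minimized, today_iso, retention_days)


# Constructed sample input; these are not real guests or documents.
SAMPLE_RESERVATIONS = [
    {"reservation_id": "R-1001", "guest_name": "A. Example",
     "email": "a@example.com", "check_in": "2024-01-10", "check_out": "2024-01-12",
     "passport_number": "X1234567", "card_number": "4111 1111 1111 1111",
     "loyalty_notes": "prefers high floor"},
    {"reservation_id": "R-1002", "guest_name": "B. Example",
     "email": "b@example.com", "check_in": "2024-06-01", "check_out": "2024-06-03",
     "passport_number": "x 1234567", "card_number": "5500 0000 0000 0004",
     "date_of_birth": "1980-01-01"},
]


if __name__ == "__main__":
    for record in process_all(SAMPLE_RESERVATIONS, DEMO_KEY, "2024-07-01"):
        print(record)
```

Run as-is, the script keeps only the June stay (the January one is past the assumed 90-day retention window) and what it keeps contains no passport number, no full card number and none of the extra fields the booking form happened to collect. The point of the keyed pseudonym is that an attacker who copies the table, as happened with the Starwood database, gets nothing they can reverse without also compromising the separately held key.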

Problems that Arise in Centralized Systems

A 2017 survey by the strategic payment consulting firm Edgar Dunn & Company found that most medium and large hotels operate with a poorly defined data management system: 57% admitted to not having a GDPR-compliant system in place. The findings also showed a lack of GDPR planning among small and medium-sized hotels with fewer than 2,500 rooms. In centralized systems, the problems center on how data is distributed across properties and partners and on the measures taken to prevent breaches. Consent is not the only thing companies should worry about; review all of the GDPR requirements and invest in technology that helps fulfill them.


Protect your hotel guests and their valuable information by staying on top of, and ahead of, the evolving General Data Protection Regulation (GDPR). Investing in secure service providers like PassiveBolt can help keep your hotel up to date with the regulation and keep your information and your guests' information secure.
