On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the “protection” of personal data (hereinafter the “Regulation” or “GDPR”). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).
The Regulation applies directly in Italian law and does not require any implementation by the national legislator. Its provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulation and one provided for in the “old” Legislative Decree 196/2003, the former would prevail over the latter.
The GDPR consists of 99 articles, of which only some constitute a novelty in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.
Indeed, the first novelty concerns the “explicit consent” for the processing of “sensitive” data and for decisions based on automated processing (including profiling, Article 22). It is, in fact, necessary for the client to express his consent to the processing of these data separately from the consent relating to other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements below.
Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.
Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare the eventual transfer of the personal data towards third countries and, if so, through which means the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority; (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.
The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the organisation) who oversees compliance with the rules of the GDPR in the management and processing of the data.
According to the new Regulation, the duties of this professional concern: (i) the keeping of the records of processing activities (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to ensure the security of processing (pursuant to Article 32 of the Regulation).
In light of these provisions, hotels will have to make a more careful assessment of the risk deriving from data processing; prepare a detailed procedure enabling constant monitoring of, amongst other things, the suitability of the processing; promptly notify any breach of the security procedures that involves the accidental disclosure of data; and adapt the information notice to be delivered to the customer.
Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR since an incorrect or defective application can cause severe prejudices to the company.
The author of this post is Giovanni Izzo.