Application of GDPR to hotel businesses

Also available in Italiano, Español.
Time to read: 5 min

On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the “protection” of personal data (hereinafter the “Regulation” or “GDPR”). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).

The Regulation has a direct application in Italian law and does not require any implementation by the national legislator. These provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulations and one provided for in the “old” Legislative Decree 196/2003, the earlier would prevail over the latter.

The GDPR consists of 99 articles, of which only some constitute an in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.

Indeed, the first novelty concerns the “explicit consent” for the processing of “sensitive” data and the decisions based on automated processing (including profiling -Article 22- ). It is, in fact, necessary for the client to express his consent in relation to the processing of these data independently of that relating to other data. The consent obtained before 25 May 2018 remains valid only if it meets the requirements below.

It is required, for example, that the data owners modify their websites or promotional newsletters addressed to the customers. The latter need to be aware of the purposes for which the data is collected and of rights to which they are entitled. In order to subscribe to the newsletter, only the email address should be necessary, and if the owners request for more data, the purposes of such request ought to be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, as to the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.

Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.

Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare the eventual transfer of the personal data towards third countries and, if so, through which means the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority; (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.

The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the structure) who guarantees the observance of the rules of the GPDR and the management and processing of the data.

According to the new Regulation, the duties of this professional concern: (i) the keeping of the data processing reports (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to get the safety of the procedures (pursuant to Article 32 of the Regulation).

The name of the DPO must be indicated in the privacy policy to be delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the subjects set forth in paragraph 3 of the article 28 in order to demonstrate that the manager provides “sufficient guarantees” for the correct management and processing of data. The Officer can appoint a “sub-manager” but only for limited processing activities, in compliance with the provisions of the contract, and responds to the non-compliance of the sub-manager.

In light of these provisions, the hotels will then have to make a more careful assessment of the risk deriving from data processing, prepare a detailed procedure as to enable the constant monitoring on, amongst others, the suitability of the treatment, and promptly notify a breach of the security procedure which involves the accidental disclosure of data, adapt its information to be delivered to the customer.

Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR since an incorrect or defective application can cause severe prejudices to the company.

Share
Giovanni Izzo
  • Corporate
  • Litigation
  • M&A
  • Real estate
  • Tourism

Contact