The General Data Protection Regulation (GDPR) goes into effect on 25 May 2018. Like all other organisations, hotels need to set up their processes in compliance with the GDPR if they are to avoid being confronted with fines or other sanctions by the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP).

Hotels process a great deal of personal data of hotel and restaurant guests. The GDPR makes it important to know what data on hotel guests is being collected and why. Under the law, a hotel is obliged to maintain a register of overnight guests containing the following information: type of valid form of identification, first name and surname, city of residence, date of arrival and date of departure. But hotels are not authorised to copy or scan the guest’s identification or collect other information such as citizen service number.

And compliance with the GDPR requires attention to a number of other details, including:

• Retention period of guest and personnel records
• Drafting and updating a data processing log
• Use of CCTV monitoring in and around the hotel
• Configuration of the guest administration program
• Engagement of night watchmen (whether in-house staff or outsourced personnel)
• Data processing agreements contracted with other parties
• Use of lists such as breakfast service lists
• Approaching current or former guests for marketing purposes
• Use of social media
• Use of blacklists, which is only permitted to a limited degree
• The provision of video images and/or the register of overnight guests to the police

Our team will be happy to advise you about the GDPR and its consequences for your hotel. Based on the privacy scan by which we catalogue the processes within your hotel, we can also give you a checklist of the steps you need to take to make your hotel GDPR-proof. For more information and a free no-obligation quote, please contact our team Data protection & Privacy.