GDPR for Concierge Services: Client Data, Preferences, and Confidentiality
Concierge services occupy one of the most privacy-sensitive positions in any industry. Your value proposition is built on knowing your clients intimately — their lifestyle preferences, dietary requirements, travel habits, family circumstances, health considerations, and financial expectations. That depth of knowledge is exactly what makes concierge services extraordinary. It is also what makes GDPR compliance not merely a legal formality, but a fundamental part of how you operate.
This guide covers the specific GDPR obligations that apply to personal concierge services, luxury lifestyle management firms, corporate concierge operators, and hotel concierge desks — anywhere that processing detailed client preference data is central to the service.
Why Concierge Data Is Different
Most businesses collect names, email addresses, and purchase history. Concierge services collect and maintain profiles that can include:
- Lifestyle preferences: dietary requirements (including religious or medical), preferred cuisines, alcohol preferences, entertainment tastes, sports and leisure interests
- Travel habits: preferred airlines and cabin classes, hotel brands, destination preferences, passport and visa details, travel insurance records
- Family details: partner and children's names, birthdays, school information, nanny or household staff names, family health conditions
- Medical and accessibility needs: allergies, medications, mobility requirements, preferred doctors or hospitals when travelling
- Financial expectations: budget ranges, preferred payment methods, expenditure habits, property and asset information relevant to service delivery
- Social and professional networks: employer, business relationships, social circles relevant to event planning and reservations
Under GDPR, all of this is personal data. Some of it is special category data under Article 9, which attracts the highest level of protection: health information (allergies, medications, mobility needs, a family member's condition) and dietary requirements that reveal religious beliefs. Financial details, passport numbers and travel itineraries are not special category data in the Article 9 sense, but they are sensitive in practice and the security measures you choose should treat them accordingly. Processing any of it requires a clear lawful basis, appropriate security, defined retention periods, and transparency with your clients.
Lawful Basis for Processing Client Preference Data
The two most relevant lawful bases for concierge client data are:
Contractual Necessity (Article 6(1)(b))
The core justification for processing a client's preferences is that processing is necessary to perform the concierge contract. A client who engages you to manage their travel cannot receive that service if you do not hold their passport details and seat preferences. A client whose dietary restrictions you manage needs you to hold that information to fulfil the service.
Contractual necessity covers data that is genuinely required for service delivery. It does not stretch to maintaining detailed preference profiles for prospective clients you have not yet contracted with, or retaining extensive data after the client relationship ends.
Legitimate Interests (Article 6(1)(f))
For activities that are closely related to the service but not strictly contractually required — building preference histories, anticipating future needs, proactive planning — you may rely on legitimate interests. This requires completing a Legitimate Interests Assessment (LIA) that documents:
- The specific legitimate interest pursued
- Why processing is necessary for that interest
- A balancing test showing the client's privacy interests do not override yours
For high-net-worth clients who have engaged a premium lifestyle management service, the expectation that you will maintain detailed preferences and use them proactively is generally reasonable — provided it is clearly disclosed and clients can object.
Special Category Data: Explicit Consent Required
Where you process health-related data (allergies, medical conditions, accessibility requirements) or data revealing religious beliefs (dietary requirements for religious reasons), you need both a standard lawful basis under Article 6 and a condition under Article 9. The most practical Article 9 condition for concierge services is explicit consent (Article 9(2)(a)) — a clear, specific agreement from the client to process this category of data for defined purposes.
Explicit consent must be separate from general service acceptance, granular in scope, freely given, and as easy to withdraw as it was to give. Build explicit consent collection into your client onboarding process for any health or religious dietary data, and tell the client up front that withdrawing it means you must stop using that data, which may limit the parts of the service that depend on it.
NDAs vs GDPR: Different Obligations
Many concierge services operate under non-disclosure agreements with high-net-worth clients. NDAs and GDPR serve different purposes and operate in parallel — one does not substitute for the other.
An NDA protects confidential business information and creates contractual obligations of secrecy. GDPR creates statutory data protection rights that belong to individuals regardless of any contractual arrangement. A client's GDPR rights — including the right of access, the right to erasure, and the right to restrict processing — cannot be waived by an NDA. They are not contractual rights; they are legal rights.
In practice:
- Your NDA obligations apply to how you handle client information commercially and reputationally
- Your GDPR obligations govern how you collect, store, secure, share, and retain personal data
- Sharing client data with a third-party supplier may comply with GDPR (a Data Processing Agreement where the supplier acts on your behalf, or disclosure in your privacy notice where the supplier is a controller in its own right) but still require NDA protection if the information is commercially sensitive
- A data breach involving client information triggers GDPR breach notification obligations regardless of any confidentiality arrangements — you cannot use NDA secrecy to avoid reporting to the ICO
Sharing Client Data with Third-Party Suppliers
Delivering concierge services almost always involves sharing client data with third parties: restaurants, hotels, private aviation operators, event venues, chauffeur services, florists, security providers, medical assistance services, and more.
Under GDPR, a supplier who processes personal data on your behalf and only on your instructions (a CRM vendor, a cloud storage provider, an outsourced call-handling service) is a data processor, and you are the data controller. That relationship requires a Data Processing Agreement (DPA), a written contract meeting Article 28(3) that specifies:
- The subject matter, duration, nature and purpose of the processing
- The type of personal data and categories of data subjects
- That the processor acts only on your documented instructions and binds its staff to confidentiality
- The processor's obligations to implement appropriate security
- Restrictions on sub-processing
- Obligations to assist with DSARs and with your own security and breach-notification duties
- Data deletion or return on termination, and your right to audit
The practical reality of concierge work (calling ahead to confirm a client's dietary requirements, booking in a client's name, sharing accessibility needs with a hotel) means client data flows regularly to third parties. Most front-line suppliers, such as the restaurant accepting the reservation, the hotel, the airline or the chauffeur firm, decide for themselves how they use the booking details and are therefore independent controllers rather than your processors. For them a DPA is not the right instrument: your privacy notice should disclose that such sharing occurs, and you should share only what the booking actually needs. Reserve DPAs for suppliers that genuinely act on your instructions.
Verbal sharing of client preferences with suppliers is data processing. It carries the same obligations as digital sharing. Brief your team clearly.
Data Retention for Client Preference Profiles
One of the most commercially valuable aspects of a concierge business is the accumulated preference profile — years of learned knowledge about a client's tastes and habits. GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is not retained longer than necessary for the purpose for which it was collected.
This creates genuine tension. A practical retention framework:
- Active clients: Retain full preference profiles while the client relationship is active. This is justified by the ongoing contract.
- Lapsed clients (no contact for 12-24 months): Conduct a retention review. Consider contacting the client to confirm they wish to continue the relationship. If no response, consider moving to a stripped-down record (name and last service date only) or deletion.
- Former clients (relationship definitively ended): Delete the detailed preference profile. You may retain basic transactional records (invoices, payment records) for tax and legal purposes — typically 6-7 years — but the lifestyle preference data that goes beyond transactional necessity should not be retained indefinitely.
- Prospective clients: Data collected during initial conversations should not be retained for extended periods without a clear basis. If someone enquires but does not proceed, delete their data after 3-6 months.
Document your retention decisions in a retention schedule. This is not just good practice — it is part of your GDPR accountability obligations.
Security Requirements for Sensitive Client Information
The combination of high-net-worth clients, detailed lifestyle data, travel itineraries, and location information creates a security risk profile that goes beyond typical small business concerns. Your clients expect discretion. GDPR requires it.
Appropriate technical and organisational measures (Article 32) for concierge services should include:
- Encryption at rest and in transit: Client preference databases and CRM systems must encrypt stored data. Communications with clients (and between team members about clients) should use encrypted channels where possible.
- Access controls: Not every team member needs access to every client profile. Implement role-based access controls at the level of profile sections, not just whole records: a junior concierge handling restaurant reservations should not have access to a client's medical records or financial details. Keep an access log so you can show who viewed what, and when.
- Device security: Mobile devices used for client communications and CRM access must be password-protected, encrypted, and covered by a remote wipe capability. Travel itineraries and client briefing notes should not live in unprotected notes apps.
- Supplier sharing protocols: Verbal sharing of sensitive client details with suppliers should follow a defined process — confirm the supplier's identity before sharing, share only the minimum necessary, and log that sharing occurred.
- Incident response: Have a documented process for responding to data breaches. If a client's itinerary is compromised, a device containing client data is lost, or a supplier mishandles shared information, you need to be able to assess within hours whether this constitutes a notifiable breach. The ICO must be notified within 72 hours of you becoming aware of a breach unless it is unlikely to result in a risk to individuals, and where the risk is high (a travelling client's location or security arrangements, for example) the client must be told without undue delay as well.
Choosing a CRM and Cloud Storage Platform
Concierge services increasingly rely on CRM platforms (Salesforce, HubSpot, Notion, bespoke systems) and cloud storage (Dropbox, Google Drive, SharePoint, iCloud) to manage client profiles. Under GDPR, these platforms are data processors, and you need:
- A signed DPA with each platform (most major providers offer these in their terms of service or on request)
- Clarity on where data is stored geographically: data stored outside the UK/EU needs a lawful transfer mechanism (for a UK controller, adequacy regulations, the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses; for an EU controller, an adequacy decision or the EU Standard Contractual Clauses)
- Understanding of who at the platform provider may access your data and under what circumstances
- The ability to export and delete client data from the platform when required
Custodia's website scanner can identify which third-party platforms are loaded on your website and flag those that may not have adequate GDPR protections — a useful starting point for understanding your full data processor landscape.
Staff Access Controls and Training
Concierge service staff have privileged access to extremely sensitive information. This is operationally necessary and unavoidable — but it creates both GDPR compliance obligations and real-world security risks.
A staff data governance framework should include:
- Access limited to what is needed: Define which staff can access which client profiles. Segment access by client tier or by operational role.
- Confidentiality agreements: All staff (employees and contractors) should sign confidentiality agreements that specifically reference their obligations regarding client personal data.
- Data protection training: Brief, practical training on what data they can share, with whom, and how to handle client enquiries about their data. Annual refreshers.
- Off-boarding procedures: When a staff member leaves, promptly revoke access to all CRM and cloud systems, recover or remotely wipe company devices, and rotate any shared logins they knew. Access controls cannot take back what someone has already exported or memorised, so limit local exports and downloads while they are employed, and rely on the confidentiality agreement for what they carry in their head.
- Background checks where appropriate: For staff with access to particularly sensitive client data (security arrangements, medical information, location data for travelling clients), consider DBS checks or equivalent background verification.
Handling DSARs from High-Net-Worth Clients
A Data Subject Access Request (DSAR) is a legal right to obtain a copy of all personal data held. High-net-worth clients in the luxury and privacy sphere are generally well-advised — they know their rights and are not afraid to exercise them.
When a client submits a DSAR:
- You have one calendar month to respond, extendable by up to two further months for complex or numerous requests, and you must tell the client about any extension within the first month
- You must provide a copy of all personal data held across all systems — CRM records, email threads, chat logs, call notes, physical files, spreadsheets, preference notes
- You can redact information that would identify third parties (such as supplier contact names) but cannot withhold information about the client themselves
- You cannot charge a fee for the first DSAR (only for manifestly unfounded or excessive repeat requests)
Given the depth of data concierge services hold, DSARs can be operationally significant. Prepare by mapping all the places where client data lives before you receive a request, not after.
Marketing Consent
Marketing to existing and prospective clients requires a lawful basis under GDPR and, for electronic marketing, compliance with the Privacy and Electronic Communications Regulations (PECR).
For email marketing:
- Existing clients: You may be able to rely on the PECR soft opt-in for marketing your own similar services, provided you obtained their contact details in the course of the service relationship, gave them a simple means to refuse marketing both when you collected the details and in every message since, and they have not refused.
- Prospective clients: Require explicit opt-in consent before sending marketing emails.
- Opt-out must be easy: Every marketing email must include a clear unsubscribe mechanism that works immediately.
For direct mail and live telephone marketing to existing clients, legitimate interests may apply, but document your LIA and always honour opt-outs. Live marketing calls are also regulated by PECR: screen numbers against the Telephone Preference Service (and the Corporate TPS for business numbers) and do not call anyone who has told you they object.
Website Analytics and Cookie Consent
Your website may seem like a small part of your compliance picture given the richness of the client data you manage offline. But your website is often the first place you process visitor personal data, and it is where regulatory scrutiny often begins.
A GDPR-compliant website requires:
- A cookie consent banner that obtains opt-in consent before loading analytics, remarketing, or tracking scripts
- A privacy policy that accurately describes what data your website collects, how it is used, and who it is shared with
- Opt-out mechanisms for any tracking that visitors have consented to
Run a free scan of your website at https://app.custodia-privacy.com/scan to see exactly which third-party scripts are loading on your site, whether they are loading before consent, and what data they are sending — and where.
Where to Start: A Practical Checklist
For a concierge service beginning its GDPR compliance programme:
- Map your data: Document every category of personal data you hold about clients, where it came from, why you hold it, who has access, and how long you retain it
- Identify special category data: Flag health data and religious dietary requirements in your client profiles and confirm you hold explicit consent to process them
- Audit your supplier list: Identify every third party you share client data with and ensure DPAs are in place
- Review your privacy notice: Ensure it accurately describes your data processing practices and is provided to clients at the start of the relationship
- Implement access controls: Restrict CRM and cloud system access by role; revoke access promptly when staff leave
- Set a retention schedule: Define how long you retain client profiles after the relationship ends and implement a review process
- Scan your website: Use Custodia to audit your website's cookie and tracker compliance
- Create a DSAR process: Document how you would respond to a client asking for all their data
Concierge services that take privacy seriously are not just legally compliant — they are better positioned with the high-net-worth clients who value discretion above almost everything else. Compliance and competitive advantage, in this industry, are the same thing.
This guide is for informational purposes and does not constitute legal advice. Concierge service GDPR compliance involves complex, fact-specific considerations — engage a qualified data protection professional for your specific situation.