DEV Community

Custodia-Admin

GDPR for Hotels and Hospitality Businesses: How to Handle Guest Data Compliantly

If you run a hotel, B&B, serviced apartment, or any other hospitality business that takes overnight guests, you are handling personal data at a scale and sensitivity that few other small businesses match. Guest names and addresses are just the beginning. A full hotel operation touches passport scans, payment card details, dietary requirements and accessibility needs, loyalty programme histories, CCTV footage from every corridor, wifi usage logs, and years of booking history built up into detailed guest profiles.

GDPR applies to all of it. Some of it — particularly health-related dietary requirements and accessibility needs — qualifies as special category data, which attracts significantly stricter rules than ordinary personal data. And the hospitality sector adds complications that most generic privacy guides never cover: the triangular relationship between hotels, OTAs (online travel agents), and guests, the data processor status of your PMS provider, and how data flows between the hotel restaurant, spa, and activities team when a guest books multiple services.

This guide works through every major data type that hotels collect, explains the lawful basis for each, and gives you a practical compliance checklist you can start working through today.


What Data Do Hotels Actually Collect?

Before thinking about compliance, it's worth mapping out what a hotel actually holds. The list is longer than most operators appreciate:

Booking and identity data — guest names, home addresses, email addresses, phone numbers, dates of birth, nationality, booking history across multiple stays.

Passport and ID data — for foreign nationals, UK and EU law requires hotels to record passport details and country of origin. This is a legal obligation, not a choice.

Payment details — credit and debit card data, billing addresses, transaction histories. Even if you use a payment processor like Stripe, your PMS likely stores card-on-file for authorisation holds and incidental charges.

Dietary requirements and accessibility needs — these are the most legally sensitive. Food allergies and medically necessary dietary requirements are health data under Article 9 of GDPR — special category data. Mobility requirements, hearing or vision impairments, and other accessibility needs may also be health data.

Loyalty programme data — name, email, stay frequency, room type preferences, spending patterns, family composition, anniversary and birthday data. Loyalty profiles are detailed behavioural records built up over years.

CCTV footage — lobbies, corridors, car parks, restaurant areas, pool areas. All footage of identifiable individuals is personal data.

Wifi usage logs — connection times, device identifiers, volume of usage, and sometimes browsing data (in systems that enforce content policies). Even basic connection logs are personal data.

Booking history and guest preferences — room preferences, pillow types, newspaper choices, floor preferences, previous complaints or incidents. The "guest profile" accumulated by PMS systems over time can be extensive.


Lawful Basis for Hotel Data Processing

Different data types have different lawful bases. Getting this right matters — using the wrong basis is itself a GDPR violation, even if your processing is otherwise reasonable.

Contract

The core booking relationship — collecting name, contact details, room type, payment details, and check-in/check-out dates — is processed on the basis of contract. You need this information to fulfil the booking. Guests cannot opt out of this processing and remain guests.

Legal obligation

Recording passport details for foreign nationals is a legal obligation under the Immigration (Hotel Records) Order 1972 in the UK (equivalent requirements exist across EU member states). You don't need consent for this; you're required to do it by law. This also means you cannot delete it on request until the legally required retention period expires.

Legitimate interests

CCTV in public areas of the hotel — lobby, corridors, car park, pool — is typically processed on the basis of legitimate interests. You have a genuine security interest, and guests have a reasonable expectation that commercial premises use CCTV. This comes with transparency obligations: clear signage at entrances and visible locations.

Explicit consent

Dietary requirements and accessibility needs that relate to health conditions — food allergies, mobility requirements, medically necessary diets — must be collected on the basis of explicit consent. "Explicit" means active, informed consent specifically for health data — a checkbox on a booking form doesn't cut it unless it's clearly labelled and the guest actively ticks it. The default must be unchecked.

You cannot rely on legitimate interests for health data. You cannot argue that knowing a guest's severe nut allergy is in their vital interests to justify bypassing consent requirements (unless they are genuinely unable to consent and it is a genuine emergency).

Soft opt-in for marketing

Marketing emails to past guests can rely on the soft opt-in rule under PECR (Privacy and Electronic Communications Regulations) if: the guest purchased from you (a confirmed booking counts), you collected their email in that process, the marketing is for similar services, you gave them an opportunity to opt out at collection, and every marketing email contains an unsubscribe link. If any of those conditions aren't met, you need prior consent.


PMS Systems: Your Data Processor Relationship

Your Property Management System — whether that's Opera, Mews, Cloudbeds, Little Hotelier, or another platform — processes guest data on your behalf. Under GDPR, this makes the PMS provider a data processor and you the data controller.

This relationship carries specific legal requirements:

You must have a Data Processing Agreement (DPA) in place with your PMS provider. Most enterprise PMS vendors (Oracle Opera, Mews, Cloudbeds) have DPAs available in their terms or on request. Smaller or regional providers may not — if they don't, you need to request one before continuing to use the platform.

You remain responsible for what the PMS does with data. If your PMS vendor suffers a breach, you are still accountable to your guests under GDPR. Your privacy notice must disclose the use of PMS systems as data processors.

Data retention in your PMS is your responsibility. The fact that your PMS retains guest records for seven years by default doesn't make it compliant — you need to configure retention settings in accordance with your own retention policy, and document why you've set them where you have.

If your PMS is US-based (Cloudbeds and Little Hotelier's parent company are both outside the UK/EU), you will also need to address international data transfers — typically via Standard Contractual Clauses.


OTAs: Processors or Independent Controllers?

This is one of the most contested questions in hotel GDPR compliance, and the honest answer is: it depends on the OTA and on what data flows where.

Booking.com, Expedia, and Airbnb all operate their own platforms, process customer data under their own privacy policies, and have direct relationships with guests. When a guest books through Booking.com, Booking.com is the primary data controller for that interaction. They collect payment data, manage reviews, and process guest preferences in their own systems.

When Booking.com sends you a reservation notification, you receive a subset of guest data (name, contact details, stay dates, special requests). At that point, you become an independent data controller of the data you receive — you process it for your own purposes (managing the stay, communicating with the guest, maintaining records).

What this means in practice:

  • You cannot claim that OTA bookings are covered by Booking.com's privacy policy. Once you hold and process the data yourself, your own privacy notice must cover it.
  • You must have a lawful basis for any processing you do beyond fulfilling the stay — including adding OTA guests to your direct marketing list.
  • Special requests (dietary requirements, accessibility needs) that come through OTA bookings still need to be treated as special category data if they reveal health information. The fact that the guest disclosed it to Booking.com first does not change your obligations when you receive and process it.

Sharing Data Within a Hotel Group

If your hotel is part of a group — sharing a restaurant, spa, golf course, or activities programme — data sharing between those entities raises its own questions.

If all outlets are part of the same legal entity, data sharing between them is internal processing. Your privacy notice should be transparent about what data goes where and for what purposes.

If outlets are separate legal entities (common in franchise arrangements or managed hotel structures), sharing guest data between them means sharing between independent controllers. This requires a lawful basis — usually a joint controller agreement if you're genuinely sharing purposes, or explicit consent if the sharing goes beyond what guests would reasonably expect from their relationship with the hotel.

In practice, most hotel groups document this through their privacy notices ("we may share your data with other businesses within [Group Name]") and rely on legitimate interests or contract for intra-group sharing related to the stay. Marketing sharing across group entities typically requires consent or a clear legitimate interests assessment.


CCTV in Lobbies and Corridors

CCTV in hotel public areas is near-universal, and the compliance requirements are well-established:

Signage is mandatory. Visible signs at entrances and camera locations. Signs must identify who operates the CCTV and how to request further information. This is non-negotiable under UK GDPR and equivalent EU national laws.

Retention must be limited. Standard guidance is 30 days maximum. Keep footage longer only if there is a specific reason (reported incident, active insurance claim, police request). Document your retention policy in writing.

Access controls are required. Only individuals who genuinely need access should be able to view footage. Keep a log of who has accessed footage and when.

Subject Access Requests apply. Any guest or employee can request footage of themselves. You have one month to respond. This includes being able to locate footage by date and time, extract a copy, and redact other individuals who appear in the same footage (their data protection rights apply too). Having a process for this before a request arrives is important — trying to figure it out when a guest demands their footage within hours of an incident is stressful and error-prone.

No covert surveillance. Hidden cameras without signage are only lawful in extremely narrow circumstances and would almost never be appropriate in guest-facing hotel areas.


Guest Profiles and Personalisation

Building detailed guest profiles — room preferences, floor preferences, pillow choices, anniversary data, complaint history — is standard practice in hospitality. It's also a significant GDPR consideration.

Guest profiling is generally processed on the basis of legitimate interests (personalising service is a genuine business purpose that most guests would expect). However, legitimate interests requires a balancing test: does your interest in personalising service outweigh the guest's interest in not having a detailed profile built about them?

Practical requirements:

  • Your privacy notice must disclose that you build guest profiles and what data they contain
  • Guests have the right to access the data in their profile (Subject Access Requests)
  • Guests have the right to object to profiling on legitimate interests grounds — and you must stop if they do
  • Profiles built from special category data (health information, accessibility needs) cannot rely on legitimate interests — those fields in a guest profile need explicit consent

Loyalty programme profiles warrant separate transparency at sign-up: what data you collect, how you use it, who you share it with, and how long you keep it.


Marketing to Past Guests

Email marketing to past guests is one of the most common compliance grey areas in hotel marketing.

Under PECR, the soft opt-in applies to guests who booked directly with you: you collected their email during that booking, they completed a transaction, and you may send them marketing about similar services, provided you gave them an opt-out opportunity at collection and every marketing email carries an unsubscribe mechanism.

The soft opt-in does not apply to:

  • Guests who enquired but never booked
  • Guests whose contact details came through an OTA (no direct relationship for PECR purposes)
  • Guests who previously opted out
  • Contacts from bought or rented lists

If you want to market to OTA-sourced guests, you need explicit consent — either collected during the stay (a sign-up card, opt-in on your wifi portal, or a request at check-in) or through a re-permission campaign if you already have their data.

Re-examine your marketing list before your next send if you're not certain of the basis for each segment. Sending marketing to people you don't have a valid basis to contact is a PECR violation, not just a GDPR one.
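The soft opt-in conditions listed above and in the "Lawful basis" section can be written down as a rule set and run over a marketing list, which is how you would do the re-examination of segments the post recommends. The following is an added example, not code from the original post or from any PMS or email vendor; the contact record fields (`source`, `completed_booking`, `opt_out_offered_at_collection`, and so on) and the sample contacts are constructed for the illustration.

```python
"""Segment a hotel marketing list by the basis on which each contact may be emailed.

Added illustration (not from the original post). It encodes the PECR soft opt-in
conditions as the post lists them: direct purchase (a confirmed booking counts),
email collected in that process, similar services, opt-out offered at collection,
unsubscribe link in every email. OTA-sourced contacts, enquiries that never booked,
previous opt-outs and bought lists never qualify for the soft opt-in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Contact:
    email: str
    source: str                         # "direct", "ota", "enquiry", "purchased_list"
    completed_booking: bool             # a confirmed booking counts as a purchase
    email_collected_at_booking: bool    # collected in the course of that sale
    opt_out_offered_at_collection: bool
    opted_out: bool                     # any previous opt-out
    explicit_marketing_consent: bool    # e.g. sign-up card or wifi portal opt-in


def marketing_basis(c: Contact, similar_services: bool = True,
                    has_unsubscribe_link: bool = True) -> Optional[str]:
    """Return "consent", "soft_opt_in", or None when no valid basis exists."""
    if c.opted_out:
        return None                     # a prior opt-out overrides everything else
    if c.explicit_marketing_consent:
        return "consent"
    soft_opt_in = (
        c.source == "direct"            # OTA bookings give no direct PECR relationship
        and c.completed_booking         # enquiries that never booked do not count
        and c.email_collected_at_booking
        and c.opt_out_offered_at_collection
        and similar_services            # the campaign must be for similar services
        and has_unsubscribe_link        # every send needs an unsubscribe mechanism
    )
    return "soft_opt_in" if soft_opt_in else None


def segment(contacts: List[Contact], **campaign) -> Dict[str, List[str]]:
    """Split a list into sendable segments and those that need action first."""
    out: Dict[str, List[str]] = {
        "soft_opt_in": [], "consent": [], "consent_required": [], "do_not_contact": []
    }
    for c in contacts:
        basis = marketing_basis(c, **campaign)
        if basis:
            out[basis].append(c.email)
        elif c.opted_out or c.source == "purchased_list":
            out["do_not_contact"].append(c.email)
        else:
            # Data is held lawfully for the stay, but marketing needs consent
            # (e.g. a re-permission campaign for OTA-sourced guests).
            out["consent_required"].append(c.email)
    return out


# Constructed sample contacts covering each case the post describes.
SAMPLE_CONTACTS = [
    Contact("direct-guest@example.com", "direct", True, True, True, False, False),
    Contact("ota-guest@example.com", "ota", True, True, False, False, False),
    Contact("ota-wifi-optin@example.com", "ota", True, True, False, False, True),
    Contact("enquiry-only@example.com", "enquiry", False, True, True, False, False),
    Contact("opted-out@example.com", "direct", True, True, True, True, False),
    Contact("bought-list@example.com", "purchased_list", False, False, False, False, False),
    Contact("direct-no-optout-offered@example.com", "direct", True, True, False, False, False),
]

if __name__ == "__main__":
    for name, emails in segment(SAMPLE_CONTACTS).items():
        print(f"{name}: {emails}")
```

Run it before a send: only the `soft_opt_in` and `consent` segments may be emailed for a similar-services campaign; `consent_required` is the re-permission list, and `do_not_contact` is never mailed.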


Hotel Wifi Usage Logs

If your hotel provides wifi — and nearly all do — your network logs are personal data. Connection logs record device identifiers (MAC addresses), connection times, and data volumes. If your system enforces content filtering or captures browsing metadata, the data becomes considerably more sensitive.

Lawful basis: Legitimate interests for security and network management is reasonable for basic connection logs. Consent or contractual necessity may apply if you require guests to register on a portal before accessing the network.

Retention: Basic connection logs don't need to be kept for more than 30 days in most cases. If you hold them for fraud prevention or incident investigation, document why and for how long.

Transparency: Your privacy notice should mention wifi log collection. Your wifi splash page or terms of use is a natural place to give guests this information before they connect.
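The retention, access-log and "locate footage by date and time" requirements from the CCTV section apply equally to the wifi connection logs just described, so one retention sweep can enforce both. The following is an added example, not code from the original post or from any CCTV or network vendor; the 30-day limits follow the post's guidance, while the record layout, hold reasons, timestamps and the `[PLACEHOLDER]` claim reference are constructed for the illustration.

```python
"""Retention sweep and access audit for hotel CCTV footage and wifi connection logs.

Added illustration (not from the original post). Each decision carries a written
reason so the sweep itself documents why footage or logs were kept or deleted,
and a hold (reported incident, insurance claim, police request) keeps a record
past the limit only when that reason is recorded against it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Maximum retention per data type, in days, following the post's guidance.
RETENTION_DAYS = {"cctv": 30, "wifi_connection_log": 30}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str                           # key into RETENTION_DAYS
    captured_at: datetime               # timezone-aware capture time
    hold_reason: Optional[str] = None   # documented reason to keep past the limit


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                         # "delete" or "retain"
    reason: str                         # justification kept for the audit trail


def sweep(records: List[Record], now: datetime) -> List[Decision]:
    """Apply the retention policy to every record and record the reason."""
    decisions = []
    for r in records:
        limit = RETENTION_DAYS[r.kind]
        age_days = (now - r.captured_at).days
        if r.hold_reason:
            decisions.append(Decision(r.record_id, "retain", f"hold: {r.hold_reason}"))
        elif age_days > limit:
            decisions.append(Decision(r.record_id, "delete",
                                      f"{age_days} days old exceeds {limit}-day limit"))
        else:
            decisions.append(Decision(r.record_id, "retain",
                                      f"{age_days} days old, within {limit}-day limit"))
    return decisions


def to_delete(decisions: List[Decision]) -> List[str]:
    return [d.record_id for d in decisions if d.action == "delete"]


def footage_between(records: List[Record], start: datetime, end: datetime) -> List[str]:
    """Locate CCTV records in a time window: the first step of a footage access request."""
    return [r.record_id for r in records
            if r.kind == "cctv" and start <= r.captured_at <= end]


def log_access(access_log: List[Dict[str, str]], viewer: str, record_id: str,
               purpose: str, at: datetime) -> Dict[str, str]:
    """Append an entry recording who viewed footage, when and for what purpose."""
    entry = {"viewer": viewer, "record_id": record_id,
             "purpose": purpose, "at": at.isoformat()}
    access_log.append(entry)
    return entry


# Constructed sample data; "now" is fixed so the example is reproducible.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("cctv-lobby-0521", "cctv", NOW - timedelta(days=40)),              # past limit
    Record("cctv-corridor-0603", "cctv", NOW - timedelta(days=27)),           # within limit
    Record("cctv-carpark-0510", "cctv", NOW - timedelta(days=51),
           "insurance claim ref [PLACEHOLDER]"),                               # held
    Record("wifi-20240515", "wifi_connection_log", NOW - timedelta(days=46)), # past limit
    Record("wifi-20240628", "wifi_connection_log", NOW - timedelta(days=2)),  # within limit
]

if __name__ == "__main__":
    for d in sweep(SAMPLE_RECORDS, NOW):
        print(f"{d.action:6} {d.record_id}: {d.reason}")
    access_log: List[Dict[str, str]] = []
    log_access(access_log, "duty-manager", "cctv-corridor-0603", "guest SAR", NOW)
    print(access_log)
```

Schedule `sweep` daily and act only on `to_delete`; anything retained past the limit must show a `hold:` reason, which is exactly the written justification the post asks you to keep.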


Compliance Checklist for Hotel and Hospitality Operators

Work through this list to identify your biggest gaps:

Guest booking data

  • [ ] Privacy notice on your website and booking confirmation covering what you collect and why
  • [ ] Lawful basis documented for each category of booking data
  • [ ] Retention schedule set in your PMS (and actually enforced)
  • [ ] Process for handling guest Subject Access Requests

Passport and ID recording

  • [ ] Legal obligation basis documented
  • [ ] Retention period set in accordance with UK Immigration (Hotel Records) Order or equivalent EU law
  • [ ] Records stored securely (not in an unsecured spreadsheet)

Dietary and accessibility data

  • [ ] Explicit consent mechanism on booking form or during pre-arrival communication
  • [ ] Health-related fields in your PMS clearly identified as special category data
  • [ ] Access restricted to staff who need it (kitchen, housekeeping for accessibility)
  • [ ] Data not retained beyond the stay unless guest has consented to profile retention

PMS and data processors

  • [ ] DPA signed with your PMS provider
  • [ ] DPA signed with any booking engine provider
  • [ ] International transfer mechanism documented if PMS provider is outside UK/EU
  • [ ] Privacy notice discloses use of PMS systems

OTA relationships

  • [ ] Privacy notice covers data received from OTA bookings
  • [ ] OTA-sourced guest data not added to direct marketing lists without separate consent
  • [ ] Special requests received via OTAs treated as special category data where applicable

Intra-group data sharing

  • [ ] Joint controller agreement in place with separate group entities
  • [ ] Privacy notice discloses which group entities receive guest data
  • [ ] Consent in place for any sharing that goes beyond guest expectations

CCTV

  • [ ] Visible signage at all camera locations and entrances
  • [ ] Written retention policy (typically 30 days)
  • [ ] Access log and access controls in place
  • [ ] Process for responding to CCTV Subject Access Requests

Guest profiles and loyalty

  • [ ] Privacy notice discloses profiling and loyalty data collection
  • [ ] Legitimate interests assessment documented for non-health profiling
  • [ ] Explicit consent for health/accessibility fields in guest profiles
  • [ ] Loyalty sign-up includes clear privacy information

Email marketing

  • [ ] Marketing list segmented by basis (direct booking soft opt-in vs. OTA-sourced)
  • [ ] Opt-out opportunity presented at point of direct email collection
  • [ ] Unsubscribe link in every marketing email
  • [ ] OTA-sourced contacts removed or subject to re-permission campaign

Wifi

  • [ ] Privacy notice covers wifi log collection
  • [ ] Retention period set for connection logs
  • [ ] Splash page or terms disclose data collection before guests connect

General

  • [ ] Named person responsible for data protection
  • [ ] Staff trained on handling guest data (especially special category data)
  • [ ] Data breach response plan documented

Where to Start

If you're a hotel owner or hospitality manager reading this, the most practical starting point is understanding what your website is doing with visitor data before a guest even completes a booking — what trackers are loading, whether your cookie consent is compliant, and what third-party scripts have access to guest data entered into your booking forms.

Run a free scan at https://app.custodia-privacy.com/scan. It takes 60 seconds, requires no signup, and gives you a concrete picture of your website's compliance posture before you work through the operational checklist above.


This guide provides general information about GDPR obligations for hotels and hospitality businesses operating in the UK and EU. It does not constitute legal advice. Requirements vary based on the size of your operation, your specific data processing activities, and the jurisdiction in which you operate. For advice specific to your business, consult a qualified data protection professional.
