DEV Community

Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Hotels: Guest Data, CCTV and Hospitality Compliance


Hotels and hospitality businesses collect more personal data than almost any other sector. A single guest stay can involve passport numbers, payment card details, dietary requirements, room access data, CCTV footage, and loyalty programme history — all processed across multiple systems and shared with third parties. This guide explains what GDPR requires for hotels, B&Bs, serviced apartments, and hospitality businesses operating in or serving guests from the UK or European Union.


What Personal Data Do Hotels Collect?

Before building a compliance programme, it helps to map out exactly what data flows through a hotel operation. Typical categories include:

  • Booking data: name, email, phone number, address, payment card details, special requests
  • Check-in data: passport or identity document number, nationality, date of birth (collection is required by law in many EU jurisdictions and in the UK, though the exact fields and the guests it applies to differ by country)
  • Stay data: room access logs, minibar charges, telephone records, in-room internet usage
  • Loyalty programme data: full booking history, preferences, tier status, marketing consent
  • CCTV footage: lobbies, corridors, car parks, reception areas
  • Special category data: dietary requirements (indicating religious or health information), accessibility needs, medical conditions noted for welfare
  • Staff data: employment records, HR files, access logs

Each of these data categories has its own retention, security, and legal basis considerations under GDPR.


Legal Bases for Processing Guest Data

Hotels typically rely on several GDPR legal bases depending on the processing activity:

Contract performance (Article 6(1)(b)): Processing necessary to fulfil the booking — name, contact details, payment processing, room assignment. This is the primary basis for most guest data collected at point of booking.

Legal obligation (Article 6(1)(c)): Many countries require hotels to record passport details or identity document information for police registration purposes. This is a legal obligation, not consent — guests cannot opt out, and the hotel must retain records for the legally specified period.

Legitimate interests (Article 6(1)(f)): CCTV for security, fraud prevention, and operational analytics. Hotels must conduct a legitimate interests assessment (LIA) and document it.

Consent (Article 6(1)(a)): Direct marketing emails, loyalty programme enrolment where it goes beyond the contractual relationship, and optional personalisation features.

Special category data requires an additional Article 9 condition. Dietary requirements and accessibility needs are frequently special category data (revealing health or religious beliefs). The safest basis is explicit consent from the guest, documented at time of collection.


Passport and ID Data: Retention and Security

In many EU member states and the UK, hotels are legally required to collect passport or identity document details for guests, particularly foreign nationals. This creates a specific compliance challenge: the legal obligation basis means you must collect the data, but GDPR's data minimisation and storage limitation principles mean you must not keep it longer than required.

Practical requirements:

  • Retain passport data only for the period required by national law. The period varies by country: in the UK the Immigration (Hotel Records) Order 1972 requires the register to be kept for 12 months, but do not assume that figure applies elsewhere; check the rule for each jurisdiction you operate in
  • Store it separately from general booking data, with stricter access controls
  • Do not use it for marketing or any purpose other than the legal obligation
  • Ensure staff who process it are trained on its sensitivity
  • If using a property management system (PMS) to store passport data, ensure the PMS vendor has a data processing agreement in place

Hotels that photocopy or scan passports should ensure images are stored securely and deleted promptly after the legal retention period expires.


CCTV in Hotels: What GDPR Requires

CCTV is common in hotel lobbies, corridors, car parks, and public areas. Rooms are never monitored — this would be a serious breach. The legal basis for hotel CCTV is typically legitimate interests.

Key GDPR requirements for hotel CCTV:

Signage: Clearly visible signs must be displayed wherever cameras operate, telling people they are being recorded and directing them to your privacy notice.

Retention: CCTV footage should be retained for the minimum period needed. For most hotels, 14-31 days is standard. Footage retained longer than necessary is a GDPR violation.

Access controls: Only authorised staff should have access to CCTV footage. Access should be logged.

Data subject rights: Guests can submit a subject access request for CCTV footage of themselves. Hotels must be able to respond within one month, which may require the ability to identify and export footage by date, time, and camera location. Footage will usually show other people as well, so have a way to blur or crop third parties before disclosing it.

Legitimate interests assessment: Document why the CCTV is necessary, what footage is retained, how long it is kept, and how it is secured.

Custodia can help hotels document their CCTV processing activities in their Record of Processing Activities (RoPA) and privacy notice.


OTA Partnerships: Booking.com, Expedia and Data Controller Questions

Online travel agents (OTAs) like Booking.com, Expedia, and Hotels.com introduce complex data controller questions. When a guest books through an OTA:

  • The OTA is typically an independent data controller for the booking transaction
  • The hotel becomes a data controller when it receives and processes the guest's data to fulfil the stay
  • Both parties have independent GDPR obligations

Key issues:

  • Hotels should not use data received from OTAs for their own marketing without separate consent from the guest
  • If the hotel receives data it did not collect directly, it must provide guests with a privacy notice (Article 14 GDPR) within a reasonable period and at the latest within one month, or at the first communication with the guest if that comes sooner. Check-in can be more than a month after the OTA passed the data on, so the booking confirmation or pre-arrival email is usually the right place; check-in is a backstop, not the default
  • Data sharing arrangements with OTAs should be documented

Some OTAs send limited guest data (name and email only) and require hotels to sign their own data processing terms. Review what data each OTA sends and whether the arrangement makes the OTA a data processor or a joint controller. Given the complexity, many hotels seek legal advice on their OTA data relationships.


Payment Card Data: PCI DSS Alongside GDPR

Hotels processing payment cards face two overlapping regimes: GDPR and PCI DSS (Payment Card Industry Data Security Standard). These are complementary but distinct.

GDPR governs personal data including payment card details. Legal basis is typically contract performance. Retention should be limited to what is necessary — hotels that store card details on file for incidental charges during a stay should delete them promptly at checkout.

PCI DSS requires hotels to protect cardholder data with specific technical and organisational controls, including network segmentation, encryption, access logging, and annual compliance validation.

Hotels using a third-party payment processor (Stripe, Adyen, Worldpay) should confirm the processor is validated as a PCI DSS compliant service provider and design the integration (hosted payment pages, tokenisation) so that full card numbers never pass through or rest on the hotel's own systems. This also shrinks the hotel's own PCI DSS assessment scope.
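The passport, CCTV and card-on-file sections above each set a different retention rule: a statutory period from the date of collection, a short fixed window from the recording time, and deletion at checkout. The following is an added example, not code from the original article or from Custodia, of one retention job applying all three rules. The category names, periods (UK 12 months for passport data, a 30-day CCTV window chosen by the hotel) and record layout are assumptions, the sample records are constructed, and the legal-hold flag models the case where police or incident work requires keeping a record past its normal expiry.

```python
"""Retention enforcement across guest-data categories (added example; assumptions noted inline)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Policy: category -> (days to keep, name of the date field that starts the clock).
# 0 days means "delete as soon as the anchor date has passed" (card-on-file at checkout).
POLICY = {
    "passport": (365, "collected_at"),   # assumption: UK 12-month statutory period
    "cctv": (30, "recorded_at"),         # assumption: 30-day window chosen by the hotel
    "card_on_file": (0, "checkout_at"),  # delete once the stay has ended
}


@dataclass
class Record:
    record_id: str
    category: str
    dates: dict                # e.g. {"collected_at": date(...)}; the event that starts the clock
    legal_hold: bool = False   # set when police/incident work requires retention beyond the period


def expiry_date(record: Record) -> date:
    days, anchor = POLICY[record.category]
    return record.dates[anchor] + timedelta(days=days)


def due_for_deletion(records, today):
    """Return (to_delete, held): records past their retention period, split by legal hold."""
    to_delete, held = [], []
    for r in records:
        if r.category not in POLICY:
            raise ValueError(f"no retention policy for category {r.category!r}")
        if expiry_date(r) <= today:
            (held if r.legal_hold else to_delete).append(r)
    return to_delete, held


def run_retention(records, today, audit_log):
    """Drop expired records (unless on legal hold) and append one audit line per decision."""
    to_delete, held = due_for_deletion(records, today)
    ids = {r.record_id for r in to_delete}
    for r in to_delete:
        audit_log.append(f"{today.isoformat()} DELETE {r.category} {r.record_id} "
                         f"expired {expiry_date(r).isoformat()}")
    for r in held:
        audit_log.append(f"{today.isoformat()} HOLD   {r.category} {r.record_id} "
                         f"expired {expiry_date(r).isoformat()} (legal hold)")
    return [r for r in records if r.record_id not in ids]


# Constructed sample data, not real guest records.
SAMPLE = [
    Record("p1", "passport", {"collected_at": date(2024, 1, 10)}),
    Record("p2", "passport", {"collected_at": date(2024, 6, 1)}),
    Record("p3", "passport", {"collected_at": date(2023, 12, 1)}, legal_hold=True),
    Record("c1", "cctv", {"recorded_at": date(2025, 1, 1)}),
    Record("c2", "cctv", {"recorded_at": date(2025, 1, 25)}),
    Record("k1", "card_on_file", {"checkout_at": date(2025, 2, 1)}),
    Record("k2", "card_on_file", {"checkout_at": date(2025, 2, 3)}),
]


def demo(today=date(2025, 2, 2)):
    """Run the policy over SAMPLE; returns (deleted ids, held ids, remaining ids, audit log)."""
    log = []
    to_delete, held = due_for_deletion(SAMPLE, today)
    remaining = run_retention(SAMPLE, today, log)
    return ([r.record_id for r in to_delete], [r.record_id for r in held],
            [r.record_id for r in remaining], log)


if __name__ == "__main__":
    deleted, held, remaining, log = demo()
    print("\n".join(log))
    print("remaining:", remaining)
```

The audit line per decision matters as much as the deletion itself: it is the evidence, for a RoPA review or a supervisory authority, that the retention schedule is actually enforced and that anything kept longer was kept for a documented reason.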


Special Category Data: Dietary and Accessibility Information

Dietary requirements and accessibility needs are frequently special category data under Article 9 GDPR. A guest noting they are halal, kosher, or have a severe nut allergy reveals religious beliefs or health information.

Compliance approach:

  • Collect only what is necessary for the stay
  • Obtain explicit consent (not just implicit agreement through booking)
  • Do not share with third parties beyond what is needed (e.g., restaurant staff, not external marketing partners)
  • Delete after the stay unless the guest is a loyalty member who has consented to storing preferences
  • Document the processing in your RoPA with the Article 9 condition relied upon

Data Breaches: A High-Risk Sector

Hotels are a high-value target for cyberattacks. The Marriott/Starwood breach disclosed in 2018 was initially estimated at up to 500 million guest records (later revised to around 339 million) and included millions of passport numbers; the ICO fined Marriott £18.4 million for it. Hilton, Hyatt, InterContinental, and many smaller chains have suffered significant incidents. The combination of payment card data, passport information, and personal preferences makes hotel databases attractive targets.

GDPR breach obligations:

  • Report breaches involving personal data to the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals; if the 72 hours are missed, the report must explain the delay
  • If the breach is high risk to individuals (e.g., passport numbers or payment cards exposed), notify affected guests directly without undue delay
  • Document all breaches, including those below the notification threshold, in an internal breach register

Hotels should have a documented incident response plan, test it regularly, and ensure staff know how to recognise and escalate a suspected breach.


Subject Access Requests from Guests

Guests have the right to request copies of all personal data a hotel holds about them. A former guest could ask for their booking history, loyalty programme data, any CCTV footage, notes on their account, and records of emails sent to them.

Hotels must respond within one month. Complex requests can be extended by two further months with notice.

Practical considerations:

  • Ensure your PMS can export data for a named individual across all stays
  • Know how to locate and export CCTV footage by date, time and camera location, using the guest's stay records (check-in and check-out times, room, car park use) to narrow the search, since footage is not indexed by person
  • Have a single point of contact for DSAR handling
  • Train front desk and customer service staff to recognise and escalate access requests promptly
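Pulling one guest's data out of several systems is the part of a DSAR that hotels most often get wrong, either by missing a system or by leaking another guest's records. The following is an added example, not code from the original article, from Custodia or from any PMS vendor, of a collation routine over four in-memory stand-ins for a PMS export, the loyalty database, the mailing tool's send log and a CCTV recording index. Field names are assumptions and all records are constructed. Identity is matched on a normalised email address; stays under the same name but a different address are returned separately for human review rather than silently merged. CCTV is matched by time window and camera, not by person, and each segment is flagged for third-party redaction.

```python
"""Collating a guest's data for a subject access request (added example; layouts are assumptions)."""
from datetime import datetime


def norm_email(e: str) -> str:
    return e.strip().lower()


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


# Constructed sample records standing in for four hotel systems.
PMS_STAYS = [
    {"guest": "Ana Silva", "email": "Ana.Silva@example.com", "room": "412",
     "check_in": "2025-03-01T15:00", "check_out": "2025-03-03T11:00", "notes": "late arrival"},
    {"guest": "Ana Silva", "email": "ana.silva@example.com", "room": "207",
     "check_in": "2024-11-10T16:00", "check_out": "2024-11-12T10:30", "notes": ""},
    {"guest": "Ana Silva", "email": "a.silva@other.example", "room": "305",   # same name, other address
     "check_in": "2024-08-02T15:00", "check_out": "2024-08-04T11:00", "notes": ""},
    {"guest": "Ben Okoro", "email": "ben@example.org", "room": "413",          # another guest: must not leak
     "check_in": "2025-03-02T14:00", "check_out": "2025-03-04T11:00", "notes": ""},
]
LOYALTY = [{"email": "ana.silva@example.com", "tier": "gold",
            "prefs": {"pillow": "firm"}, "marketing_consent": True}]
EMAIL_LOG = [
    {"to": "ana.silva@example.com", "sent": "2025-02-20T09:00", "subject": "Spring offer"},
    {"to": "ben@example.org", "sent": "2025-02-20T09:00", "subject": "Spring offer"},
]
# One row per retained recording segment; anything past the retention window is already gone.
CCTV_INDEX = [
    {"camera": "lobby-1", "start": "2025-03-01T14:00", "end": "2025-03-01T16:00"},
    {"camera": "carpark-2", "start": "2025-03-03T10:00", "end": "2025-03-03T12:00"},
    {"camera": "lobby-1", "start": "2025-03-05T14:00", "end": "2025-03-05T16:00"},
]


def collate_dsar(email: str, name: str) -> dict:
    """Gather everything held about the identified guest, keeping unconfirmed matches separate."""
    key = norm_email(email)
    stays = [s for s in PMS_STAYS if norm_email(s["email"]) == key]
    # Same name, different address: surface for a human to confirm, never auto-merge.
    unconfirmed = [s for s in PMS_STAYS
                   if s["guest"].lower() == name.lower() and norm_email(s["email"]) != key]
    loyalty = [l for l in LOYALTY if norm_email(l["email"]) == key]
    emails = [e for e in EMAIL_LOG if norm_email(e["to"]) == key]

    # CCTV: a segment is relevant if it overlaps a confirmed stay's on-site window.
    cctv = []
    for s in stays:
        check_in, check_out = parse(s["check_in"]), parse(s["check_out"])
        for seg in CCTV_INDEX:
            if parse(seg["start"]) < check_out and parse(seg["end"]) > check_in:
                cctv.append({**seg, "stay_room": s["room"],
                             "review": "third parties may appear; redact before disclosure"})

    return {
        "subject": {"name": name, "email": key},
        "stays": stays,
        "unconfirmed_matches_for_review": unconfirmed,
        "loyalty": loyalty,
        "marketing_emails": emails,
        "cctv_segments": cctv,
        "systems_searched": ["pms", "loyalty", "email_log", "cctv_index"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(collate_dsar("ANA.SILVA@example.com", "Ana Silva"), indent=2))
```

The "systems_searched" list is worth keeping in the export: if a guest later complains that something was missed, it shows which systems were in scope when the request was answered.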

Custodia can scan your hotel website to identify what data is being collected through contact forms, booking widgets, and marketing tools — giving you a clearer picture of your data footprint before a guest submits a request.


Direct Marketing and Email Consent Under PECR

In the UK, the Privacy and Electronic Communications Regulations (PECR) govern marketing emails to individuals. PECR requires prior consent, with one exception: the soft opt-in (regulation 22(3)) applies where the hotel obtained the guest's details in the course of a sale or negotiations for a sale of its own services, the marketing is for the hotel's own similar products or services, the guest was given a simple way to refuse marketing when the details were collected, and every message since has carried an opt-out. Under those conditions a hotel can email a recent guest about their next stay without fresh consent.

Key rules:

  • Always provide a clear unsubscribe mechanism in every marketing email
  • Do not add guests to marketing lists without consent or a valid soft opt-in basis
  • Honour unsubscribe requests promptly: PECR sets no fixed number of days (the often-quoted 10 business days is the US CAN-SPAM rule, not PECR), the ICO expects opt-outs to be acted on without delay, and best practice is to suppress the address immediately
  • Keep records of consent including date, mechanism, and what was agreed

Loyalty programme members who actively enrol typically provide marketing consent through the enrolment process — ensure your enrolment form clearly describes what marketing they are consenting to.
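The PECR rules above reduce to a per-contact decision that a mailing system has to make before every send. The following is an added example, not code from the original article or from Custodia, of that decision as a function: the suppression list wins over everything, a consent record is only accepted if it records when, how and for what consent was given, and otherwise the soft opt-in conditions are checked. The contact layout, the 365-day "recent customer" cut-off and the list of services treated as similar to a room stay are the hotel's own assumptions, not figures from PECR; the sample contacts are constructed.

```python
"""Marketing send eligibility under PECR (added example; thresholds are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SOFT_OPT_IN_MAX_AGE = timedelta(days=365)   # assumption: hotel's own cut-off; PECR sets no number
SIMILAR = {"room_stay": {"room_stay", "spa", "restaurant"}}   # assumption: what counts as similar


@dataclass
class Contact:
    email: str
    unsubscribed: bool = False
    consent: Optional[dict] = None        # {"date": date, "mechanism": str, "scope": set}
    last_purchase: Optional[dict] = None  # {"date": date, "service": str, "opt_out_offered": bool}


def may_send(contact: Contact, campaign_service: str, today: date):
    """Return (allowed, basis). The basis string is what goes in the consent/send record."""
    if contact.unsubscribed:
        return False, "suppressed: unsubscribed"

    c = contact.consent
    # A consent record without date, mechanism and scope cannot be evidenced, so it is ignored.
    if c and all(k in c for k in ("date", "mechanism", "scope")) and campaign_service in c["scope"]:
        return True, f"consent {c['date'].isoformat()} via {c['mechanism']}"

    p = contact.last_purchase
    if p:
        recent = today - p["date"] <= SOFT_OPT_IN_MAX_AGE
        similar = campaign_service in SIMILAR.get(p["service"], {p["service"]})
        if recent and similar and p["opt_out_offered"]:
            return True, f"soft opt-in: {p['service']} on {p['date'].isoformat()}"

    return False, "no consent and no valid soft opt-in"


TODAY = date(2025, 6, 1)

# Constructed sample contacts covering each branch of the decision.
SAMPLE = {
    "unsubscribed": Contact("a@example.com", unsubscribed=True,
                            consent={"date": date(2025, 1, 1), "mechanism": "web form", "scope": {"room_stay"}}),
    "consented": Contact("b@example.com",
                         consent={"date": date(2025, 1, 1), "mechanism": "loyalty enrolment", "scope": {"room_stay", "spa"}}),
    "bad_consent": Contact("c@example.com", consent={"date": date(2025, 1, 1), "scope": {"room_stay"}}),
    "recent_guest": Contact("d@example.com",
                            last_purchase={"date": date(2025, 3, 1), "service": "room_stay", "opt_out_offered": True}),
    "old_guest": Contact("e@example.com",
                         last_purchase={"date": date(2024, 1, 15), "service": "room_stay", "opt_out_offered": True}),
    "no_opt_out": Contact("f@example.com",
                          last_purchase={"date": date(2025, 3, 1), "service": "room_stay", "opt_out_offered": False}),
}


def evaluate_samples(campaign_service: str = "room_stay", today: date = TODAY) -> dict:
    """Run may_send over every sample contact; returns {name: (allowed, basis)}."""
    return {name: may_send(c, campaign_service, today) for name, c in SAMPLE.items()}


if __name__ == "__main__":
    for name, (ok, basis) in evaluate_samples().items():
        print(f"{name:13} {'SEND' if ok else 'SKIP'}  {basis}")
```

Returning the basis alongside the yes/no answer is deliberate: recording why each message was sent is the consent record the article asks for, and it is what you will need when a guest or the ICO asks.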


Children Staying with Parents

When children stay at a hotel with their parents, the hotel processes limited data about the child (typically name and age for room allocation and safety purposes). GDPR provides enhanced protections for children's data.

Key points:

  • Do not use children's data for marketing
  • Where collecting any data about children (e.g., for children's club activities, school trips, or supervised facilities), ensure parental consent is obtained
  • Article 8 GDPR sets 16 as the age below which a child cannot consent on their own to an online service aimed at them (member states may lower this to 13, and the UK uses 13), so consent for such processing must be given or authorised by the holder of parental responsibility
  • Do not retain children's data beyond the stay without explicit parental consent

Staff Data

Hotels are large employers. Staff data — employment contracts, payroll records, disciplinary files, health and absence records, access logs, and training records — must comply with GDPR.

Key requirements:

  • Issue a staff privacy notice at the start of employment covering all HR processing
  • Rely on contract performance and legal obligation as the primary bases for employment data processing
  • Special category data (health records, sickness absence) requires explicit consent or another Article 9 condition
  • Conduct a DPIA before introducing new staff monitoring systems (access logs, productivity tracking)
  • Retain employment records for the legally required period after termination. This varies by record type: for example PAYE records must be kept for at least 3 years after the end of the tax year they relate to, and many UK employers keep contracts and related records for 6 years after termination to cover the limitation period for contract claims

Property Management Systems: DPAs with Opera, Mews, Cloudbeds

Hotels use property management systems (PMS) to manage bookings, check-ins, billing, and guest preferences. Major platforms include OPERA (Oracle Hospitality), Mews, and Cloudbeds. A PMS provider that handles personal data on the hotel's behalf is a data processor, and Article 28 requires a written data processing agreement (DPA) between the hotel and every such provider.

What a DPA with your PMS should cover:

  • The scope and purpose of processing
  • Technical and organisational security measures
  • Sub-processor notifications and approvals
  • Data subject rights assistance
  • Breach notification obligations
  • Data deletion or return on contract termination
  • International transfers (if the PMS hosts data outside the UK/EEA)

Most major PMS providers offer standard DPAs and, for hosting outside the EEA, rely on the EU standard contractual clauses; transfers out of the UK need the ICO's International Data Transfer Agreement or the UK Addendum to the EU clauses instead. Obtain and retain signed copies. Review them when you change systems or when the provider updates its terms.

Other third-party systems requiring DPAs include channel managers, revenue management software, CRM platforms, email marketing tools, and guest feedback platforms.


Practical Compliance Checklist for Hotels

Governance

  • Data Protection Officer (DPO) appointed if required (mandatory under Article 37 where core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data; large chains with extensive CCTV and loyalty profiling may qualify)
  • Record of Processing Activities (RoPA) maintained covering all processing activities
  • Privacy notices for guests and staff published and current
  • Data protection policies reviewed in the last 12 months

Guest Data

  • Legal basis documented for each type of guest data processing
  • Passport/ID data retained only for legally required period with restricted access
  • Special category data (dietary, accessibility) collected with explicit consent and deleted post-stay
  • Payment card data minimised and PCI DSS compliance maintained
  • CCTV: signage displayed, retention period set, LIA documented, SAR process in place

Marketing

  • Soft opt-in basis documented for loyalty programme emails
  • Unsubscribe mechanism in all marketing emails
  • Consent records maintained for direct marketing

Third Parties

  • DPA in place with all PMS providers (Opera, Mews, Cloudbeds, etc.)
  • OTA data relationship reviewed and documented
  • DPAs in place with all other processors (email tools, review platforms, CRM)

Incidents and Rights

  • Incident response plan documented and tested
  • Internal breach register maintained
  • DSAR process in place with assigned owner

How Custodia Can Help

Hospitality businesses often have more complex data flows than they realise — particularly across booking widgets, marketing integrations, and loyalty programme tools embedded on their websites. Run a free website scan at https://app.custodia-privacy.com/scan to see exactly which third-party trackers and data processors are active on your hotel website, and whether your consent mechanisms are operating correctly. The scan takes 60 seconds and requires no sign-up.


This guide is for informational purposes only and does not constitute legal advice. Hotels with complex data protection requirements, high-risk processing activities, or regulatory investigations should seek specialist DPO support or legal advice.
