helpdesk: 365 days a year
from 8:00am to 8:00pm
GDPR for hotels and restaurants
On Friday 25 May 2018 the new European privacy regulation, the GDPR, became applicable. This article sets out the responsibilities of hotel and restaurant managers and the security measures needed to protect data held in digital form, in order to clarify what the new legislation entails.
What are the responsibilities of hotel and restaurant managers?
The hotel or restaurant manager (the Data Controller) is the one who decides how guest data is used: it is their responsibility to ensure confidentiality and to act in compliance with the GDPR, including by activating all the parameters in the software that allow guests’ data to be handled correctly. Management must also be able to demonstrate that it has adopted the technical and organizational measures needed to meet the principles of the new regulation (the accountability principle, Art. 5(2) GDPR).
What are the responsibilities of the software producer?
The software provider, i.e. the company supplying the PMS, the tool with which data is collected and managed, acts as Data Processor. The legislation requires software to comply with the GDPR “by design” and “by default” (Art. 25), meaning that the new rules are taken into account from the development phase onwards.
Below is a list of precautions that the software user should take in order to comply with the legislation:
1. Engage a legal adviser or a privacy expert to analyse the data managed within the company and the access granted to each operator, so that security and control can be guaranteed.
2. Entrust the analysis of the IT infrastructure (servers, computers, operating systems, antivirus, firewall, Cloud) to a hardware technician or IT consultant who can guarantee the security of the company’s systems. For example, operating systems must be kept up to date: an unpatched system does not meet the “appropriate technical measures” required by Art. 32 GDPR, and the company may be sanctioned for it.
3. Define, together with the legal adviser, the retention period for guests’ data and configure it in the PMS.
4. Prepare clear privacy information sheets and consent requests in line with the GDPR, so that it can be proved that the data subject gave explicit consent.
5. Provide adequate GDPR training to staff, so that management’s instructions are understood and followed in all daily operations.
Below are the parameters that allow the software to be used in compliance with the GDPR. For simplicity, the term “company” is used for the hotel or restaurant using the software. Some examples relate specifically to the processing of hotel guest data, while others refer more generally to data storage and email marketing.
1. Acquisition of customer data
1.1. Data required to make a reservation
Each guest staying in a property (hotel, B&B, apartment, etc.) must receive the privacy information and be able to give consent for the processing of special categories of data under the GDPR, regardless of how the reservation was made. A restaurant, instead, acquires customer data when the guest requests an invoice: to obtain the fiscal document the customer receives a copy of the privacy information drawn up under the GDPR. In both cases the guest cannot refuse the processing, because it is needed to fulfil legal obligations.
1.2. Consent to send marketing communications
(if the company uses the CRM module)
When requesting consent to data processing (needed for the reservation or to issue the invoice), the company may also ask for the guest’s consent to receive promotional emails. Depending on the customer’s wishes, the “authorizes marketing communications” flag is enabled in the PMS and the system automatically records the date and time at which consent was given; that record is the evidence the company needs to demonstrate consent (Art. 7(1) GDPR).
• Positive consent: the customer will receive promotional emails from the hotel or restaurant;
• Negative consent: besides not sending marketing communications to the customer, the software keeps only the data needed to fulfil legal obligations. For hotel reservations, all sensitive data is deleted at the guest’s check-out, provided the property has configured this automatic operation in the PMS.
1.3. Withdrawal of consent to marketing communications
(if the company uses the CRM module)
End of consent may take place if:
• The guest, during his next stay in the property, decides not to renew the consent previously expressed (in case of a
• The guest sends a communication to the company with which he exercises his right to no longer receive promotional
In both cases, besides no longer being able to send marketing communications to the customer, all sensitive data is deleted from existing reservations. Here sensitive data means the special categories of personal data in Art. 9 GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data that uniquely identifies a person, health information such as allergies, sex life or sexual orientation) together with, in the PMS, the information entered in the profile notes (video notes, print notes, service notes), the notes in the reservation card and any pictures.
2. Data Retention for tax records
Under Italian law, personal data may be retained for tax records for up to 10 years (check the retention period required in your country). After this period the company no longer has a reason to keep the data, and the PMS must anonymize it automatically: every field that uniquely identifies a person is replaced by asterisks, while the remaining information stays available for statistical purposes, for example in the sales report. Note that this produces truly anonymous data only if none of the fields left behind (reservation numbers, linked documents, free-text notes) can still be traced back to the person; otherwise the result is pseudonymization and the GDPR continues to apply.
3. Data Retention for email marketing activities
(if the company uses the CRM module)
As already indicated, the hotel or restaurant manager, together with the privacy adviser, must set in the PMS a maximum period (for example 2 or 3 years) for which customers’ information may be kept in the database for promotional emails. After that period the PMS automatically removes the consent for email marketing.
4. Access to data visualization
4.1. Credit card visualization
Credit card data is displayed in the software only if operator passwords satisfy the PCI DSS requirements listed below (Requirement 8 of the standard). If the password policy does not comply, card data remains stored in the database but is not shown to operators. Note that storage is also governed by PCI DSS: the card number (PAN) must be rendered unreadable wherever it is stored, for example with strong encryption or truncation, and the card security code (CVV/CVC) must never be stored after authorization.
The minimum password requirements for PCI DSS compliance are:
• Length of at least 7 characters
• Both alphabetic and numeric characters
• Changed at least every 90 days
• Not equal to any of the previous 4 passwords used
• At most 6 failed attempts, after which the account is locked for at least 30 minutes
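The checks above can be coded directly. The following Python is an added example written for this article, not Ericsoft’s PMS code: it enforces the five PCI DSS rules listed, keeps a salted PBKDF2 hash per password so the last-four comparison works without storing plaintext, and shows the card number in full only while the operator’s password satisfies the policy, masking it to the last four digits otherwise. The account structure, the user name and the timestamps are assumptions, and 4111111111111111 is the well-known test number, not a real card.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Baseline taken from PCI DSS v3.2.1 Requirement 8 (the rules listed above).
MIN_LENGTH = 7
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 4          # a new password may not equal any of the last four
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_MINUTES = 30


@dataclass
class OperatorAccount:                      # assumed structure, not the PMS's own
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # hashes of every password set, newest last
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash; one salt per account so earlier hashes stay comparable.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_meets_complexity(password: str) -> bool:
    """At least 7 characters with both alphabetic and numeric characters."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def set_password(acct: OperatorAccount, password: str, now: datetime) -> None:
    """Refuse weak passwords and any of the last four; otherwise record the change time."""
    if not password_meets_complexity(password):
        raise ValueError("password does not meet complexity requirements")
    h = _hash(password, acct.salt)
    if h in acct.history[-HISTORY_DEPTH:]:
        raise ValueError("password equals one of the last %d used" % HISTORY_DEPTH)
    acct.history.append(h)
    acct.last_changed = now


def password_is_current(acct: OperatorAccount, now: datetime) -> bool:
    """False when the password was never set or is older than 90 days."""
    return acct.last_changed is not None and now - acct.last_changed <= timedelta(days=MAX_AGE_DAYS)


def login(acct: OperatorAccount, password: str, now: datetime) -> bool:
    """Verify the password, counting failures and enforcing the 30-minute lockout."""
    if acct.locked_until is not None and now < acct.locked_until:
        return False
    if acct.history and _hash(password, acct.salt) == acct.history[-1]:
        acct.failed_attempts = 0
        acct.locked_until = None
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
        acct.failed_attempts = 0
    return False


def card_display(acct: OperatorAccount, pan: str, now: datetime) -> str:
    """Full PAN only for an operator whose password satisfies the policy; otherwise last four digits."""
    if password_is_current(acct, now):
        return pan
    return "*" * (len(pan) - 4) + pan[-4:]


def run_scenario() -> dict:
    """Walk one reception account through the policy and return the observed outcomes."""
    now = datetime(2018, 5, 25, 9, 0)            # constructed timestamp
    pan = "4111111111111111"                       # well-known test number, not a real card
    acct = OperatorAccount("reception")
    set_password(acct, "Adriatica62", now)
    out = {"login_ok": login(acct, "Adriatica62", now)}
    out["card_fresh"] = card_display(acct, pan, now)
    out["card_stale"] = card_display(acct, pan, now + timedelta(days=MAX_AGE_DAYS + 1))
    try:
        set_password(acct, "Adriatica62", now)    # reuse of the current password is refused
        out["reuse_refused"] = False
    except ValueError:
        out["reuse_refused"] = True
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(acct, "wrong-guess1", now)           # the sixth failure triggers the lockout
    out["locked"] = not login(acct, "Adriatica62", now + timedelta(minutes=10))
    out["unlocked"] = login(acct, "Adriatica62", now + timedelta(minutes=LOCKOUT_MINUTES + 1))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The masking rule deliberately keeps only the last four digits; PCI DSS permits at most the first six and last four to be displayed, so showing fewer is always safe. The expiry check is evaluated at display time, so an operator whose password has aged past 90 days loses card visibility immediately rather than at the next login.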
4.2. Visualization and access to data
For greater protection, a “log” section can be activated in the PMS. Once configured, every operation carried out by each operator in the PMS is recorded.
From this section you can view the following operations:
• PMS Log-in or log-out
• Data insertion, modification and cancellation
• Prints and data export
• Search filters applied
• Search of a specific guest profile and visualization of information
In addition, different access levels can be configured for PMS operators, so that each member of staff sees only the guest data needed for their duties (least privilege). In a hotel, for example, housekeeping staff can see notes on guests’ allergies but cannot access other information such as name, nationality, etc. Logging and access levels complement each other: the access level limits what can be viewed in the first place, and the log shows who actually viewed what.
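As an added illustration (example code, not the PMS’s own implementation), the following Python models the two mechanisms just described: an append-only audit log in which every entry carries the hash of the previous one, so that an edited or removed entry is detected, and a per-role field filter so that a housekeeping operator sees the room number and allergies but not the guest’s name. The role names, the guest record and the timestamps are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Constructed guest record (not real data).
GUEST = {
    "id": 1001,
    "name": "Anna Rossi",
    "nationality": "IT",
    "email": "anna.rossi@example.org",
    "room": "204",
    "allergies": "peanuts",        # special-category data: only staff who need it may read it
}

# Assumed role names; each role sees only the fields its duties require.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "reception": {"id", "name", "nationality", "email", "room"},
    "housekeeping": {"room", "allergies"},
    "marketing": {"id", "name", "email"},
}


@dataclass
class AuditLog:
    """Append-only log; each entry carries the hash of the previous one so tampering is detectable."""
    entries: List[dict] = field(default_factory=list)

    def record(self, operator: str, action: str, now: datetime, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": now.isoformat(), "operator": operator, "action": action, "prev": prev, **details}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """True only if every entry still matches its own hash and points at its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def view_guest(guest: dict, operator: str, role: str, log: AuditLog, now: datetime) -> dict:
    """Return only the fields the role may see, and log which fields were shown."""
    allowed = ROLE_FIELDS.get(role, set())   # an unknown role sees nothing
    visible = {k: v for k, v in guest.items() if k in allowed}
    log.record(operator, "view_profile", now, guest_id=guest["id"], role=role, fields=sorted(visible))
    return visible


def search_guests(guests: List[dict], operator: str, role: str, log: AuditLog,
                  now: datetime, **filters) -> List[dict]:
    """Log the search filters applied, then return role-filtered matches."""
    log.record(operator, "search", now, role=role, filters=filters)
    hits = [g for g in guests if all(g.get(k) == v for k, v in filters.items())]
    allowed = ROLE_FIELDS.get(role, set())
    return [{k: v for k, v in g.items() if k in allowed} for g in hits]


def run_scenario() -> dict:
    """One shift's worth of constructed activity, then a tampering attempt on the stored log."""
    now = datetime(2018, 5, 25, 10, 30)          # constructed timestamp
    log = AuditLog()
    log.record("maria", "login", now)
    hk = view_guest(GUEST, "maria", "housekeeping", log, now)
    fd = view_guest(GUEST, "luca", "reception", log, now)
    hits = search_guests([GUEST], "luca", "reception", log, now, room="204")
    log.record("maria", "logout", now)
    intact = log.verify()
    log.entries[1]["fields"] = ["allergies", "email", "name", "room"]   # simulate editing a stored entry
    return {"housekeeping": hk, "reception": fd, "hits": len(hits), "intact": intact,
            "tampered_detected": not log.verify(), "actions": [e["action"] for e in log.entries]}


if __name__ == "__main__":
    print(run_scenario())
```

The chain only proves integrity relative to its first entry; in a deployment the latest hash should be copied periodically to a system the PMS operators cannot write to, otherwise someone with database access could rewrite the whole chain consistently.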
The software must be adapted to the legislation “by design” and “by default”, meaning that it must put the new privacy rules into practice through automatic operations that facilitate proper data management. Please note that without proper configuration of these automatic processes by the software user, the system will not be compliant with the new regulation.
The hotel or restaurant manager must ensure that GDPR principles are applied within the company; we therefore recommend contacting a legal adviser or a privacy expert. The automatic operations available in the PMS are:
• Anonymization of profiles after 10 years (tax records)
• Elimination of all sensitive data if the guest did not provide consent to receive promotional emails
• Elimination of all sensitive data after the period configured (expressed in years)
• Elimination of all sensitive data from customer profiles if the customer withdrew his consent to data processing for marketing purposes
• Registration of staff operations in the PMS (data access, visualization and printing)
• Display of credit card data subject to a check of the password parameters in accordance with PCI DSS rules
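The retention rules of sections 2 and 3 and the automatic operations listed above can be expressed as one scheduled job. The Python below is an added example, not code from the Ericsoft PMS: it stores the marketing consent flag with its timestamp, purges special-category data once the guest has checked out without consent (never given, withdrawn, or expired), anonymizes identifying fields with a fixed mask after the 10-year tax period while keeping the amounts for the sales report, and expires marketing consent after the configured period. The field names, the 2-year marketing period and the guest records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Periods configured by the manager with the privacy adviser (assumed values; the page cites 10 years and "2/3 years").
TAX_RETENTION_YEARS = 10
MARKETING_RETENTION_YEARS = 2

IDENTIFYING_FIELDS = ("name", "surname", "email", "phone", "document_number")   # assumed field names
SPECIAL_CATEGORY_FIELDS = ("allergies", "profile_notes", "photo")              # the page's categories to purge
MASK = "****"   # fixed length so the replacement does not leak the length of the original value


@dataclass
class GuestProfile:                         # assumed structure, not the PMS's own
    data: dict
    reservations: List[dict]                # each: {"checkout": datetime, "amount": float, "notes": str}
    marketing_consent: bool = False
    consent_recorded_at: Optional[datetime] = None


def years(n: int) -> timedelta:
    return timedelta(days=365 * n)          # calendar-approximate; a real scheduler would use the fiscal year end


def last_checkout(p: GuestProfile) -> Optional[datetime]:
    return max((r["checkout"] for r in p.reservations), default=None)


def record_marketing_consent(p: GuestProfile, granted: bool, now: datetime) -> None:
    """Store the flag together with the time it was given (the evidence Art. 7 GDPR asks for)."""
    p.marketing_consent = granted
    p.consent_recorded_at = now


def purge_special_categories(p: GuestProfile) -> bool:
    """Drop allergies, notes and pictures from the profile and from every reservation; True if anything went."""
    removed = False
    for f in SPECIAL_CATEGORY_FIELDS:
        removed |= p.data.pop(f, None) is not None
    for r in p.reservations:
        removed |= r.pop("notes", None) is not None
    return removed


def anonymize_identifiers(p: GuestProfile) -> bool:
    """Replace every identifying field with the mask; True if any field was still identifying."""
    changed = False
    for f in IDENTIFYING_FIELDS:
        if f in p.data and p.data[f] != MASK:
            p.data[f] = MASK
            changed = True
    return changed


def sales_total(p: GuestProfile) -> float:
    """Amounts survive anonymization, so the sales report still adds up."""
    return sum(r["amount"] for r in p.reservations)


def apply_retention(p: GuestProfile, now: datetime) -> List[str]:
    """One scheduled run of the automatic operations on a profile; returns what was done."""
    actions = []
    if (p.marketing_consent and p.consent_recorded_at is not None
            and now - p.consent_recorded_at > years(MARKETING_RETENTION_YEARS)):
        p.marketing_consent = False
        actions.append("marketing_consent_expired")
    checkout = last_checkout(p)
    # No valid consent and the guest has checked out: special-category data must go.
    if not p.marketing_consent and checkout is not None and checkout <= now and purge_special_categories(p):
        actions.append("special_categories_purged")
    # Tax retention elapsed since the last stay: identifiers are masked, amounts are kept.
    if checkout is not None and now - checkout > years(TAX_RETENTION_YEARS) and anonymize_identifiers(p):
        actions.append("identifiers_anonymized")
    return actions


def run_scenario() -> dict:
    """Three constructed profiles run through the job on the GDPR application date."""
    now = datetime(2018, 5, 25)
    old = GuestProfile({"name": "Anna", "surname": "Rossi", "email": "anna@example.org", "allergies": "peanuts"},
                       [{"checkout": datetime(2007, 8, 20), "amount": 450.0, "notes": "vegetarian"}])
    fresh = GuestProfile({"name": "Luca", "surname": "Bianchi", "allergies": "gluten"},
                         [{"checkout": datetime(2018, 5, 20), "amount": 300.0, "notes": "late arrival"}])
    record_marketing_consent(fresh, True, datetime(2018, 5, 19))
    expired = GuestProfile({"name": "Sara", "surname": "Verdi", "allergies": "shellfish"},
                           [{"checkout": datetime(2016, 3, 2), "amount": 120.0, "notes": "anniversary"}])
    record_marketing_consent(expired, True, datetime(2016, 3, 1))
    return {
        "old_actions": apply_retention(old, now), "old_data": old.data, "old_sales": sales_total(old),
        "fresh_actions": apply_retention(fresh, now), "fresh_data": fresh.data,
        "expired_actions": apply_retention(expired, now), "expired_consent": expired.marketing_consent,
        "expired_data": expired.data,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the job is idempotent: a second pass over the same profile returns an empty action list, which is what makes it safe to schedule nightly. The mask is deliberately constant rather than one asterisk per character, since a per-character mask leaks the length of a name or document number.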
Discover more about the Ericsoft adaptation to GDPR or request additional information.
We have been creating complete and highly specialized technological solutions for the hospitality industry since 1995.
Having an exclusive focus on a single industry, our investments have always been entirely dedicated to the development of our software and innovative applications for hotel and restaurant management.
The experience gained over the years, together with what we acquire on a daily basis by being in contact with hospitality professionals, allows us to understand the real needs of the sector and to develop, based on new market trends and regulations, flexible and scalable solutions that can be customized according to the needs of each property, from independent ones to chains.
INFORMATION about the processing of personal data
Arts. 12 et seq of Regulation (EU) 2016/679 (GDPR)
Subject: information about the processing of personal data pursuant to arts. 12 et seq of Regulation (EU) 2016/679 (GDPR)
Introduction - Regulation (EU) 2016/679 (the «General Data Protection Regulation», hereinafter GDPR) provides safeguards for natural persons with regard to the processing of their personal data. In accordance with the above legislation, the processing of personal data that refers to an identified or identifiable natural person, being the “data subject”, is based on the principles of correctness, legality and transparency, as well as the protection of confidentiality and the rights of the data subject.
This information is provided in compliance with the above Regulation to inform you that, with regard to your customer relationship with our organization, we hold certain data about you that was acquired, verbally or in writing, either directly or via third parties that carry out operations concerning you or that, in response to your requests, acquire information and provide it to us.
Pursuant to the GDPR, this information must be treated as “personal data” since it relates to you and must therefore benefit from the protection provided by the above Regulation. More specifically, in accordance with the Regulation, you are the data subject who benefits from the rights that safeguard your personal data.
Pursuant to arts. 12 et seq of the GDPR, as the Controller, our organization will process the personal data provided by you with the utmost care in compliance with the Regulation, implementing effective operational procedures and processes in order to guarantee the safeguards that protect the processing of your personal data. For this purpose, using material and operational procedures to safeguard the collected data, we undertake to protect the information provided, in order to avoid unauthorized access and disclosure, maintain the accuracy of the data and guarantee its appropriate use.
Consistent with this introduction, the following information is provided:
Collected personal data - Our organization, as the Controller, uses your personal data to carry on our business activities in the best possible manner.
You may be requested to provide some or all of the following data:
Length of time that your data will be retained - The collected data will be retained for the entire duration of the relationship or collaboration with our organization, and for 10 years after the end of the relationship. If during the contract period, data is processed that is not relevant to the administrative-accounting obligations arising under the contract, such data will be retained for the time necessary to achieve the purposes for which it was collected, and then deleted. You will be given specific information about the length of time that your data will be retained when the data is collected.
Mandatory or optional nature of providing data and consequences of refusal – The essential data needed to execute the contract must be provided to us, together with the data required to fulfill legal, regulatory and EU legislation obligations, as well as instructions from competent authorities and supervisory and control bodies.
Non-essential data, not required for execution of the contractual relationship, must be identified and considered additional information whose provision, if requested, is optional. Your refusal to provide such data would however mean that our organization will be less efficient when dealing with third parties.
Should "data that is sensitive or whose processing is subject to specific risks” be needed in order to carry out the contract, provide specific services or fulfill legal obligations, the provision of such data will be mandatory and, since it can only be processed following written consent from the data subject, you will have to give consent for its processing.
Methods of processing – Pursuant and consequent to arts. 12 et seq GDPR, the personal data that you provide will be recorded, processed and retained in our hard-copy and electronic files, in compliance with the adequate technical and organizational measures specified in art. 32 GDPR. The processing of your personal data may consist in any operation or series of operations described in art. 4, para. 1, point 2 GDPR. Personal data will be processed using suitable tools and procedures that guarantee security and confidentiality. Such processing may be carried out directly and/or via delegated third parties, both manually using hard-copy support and electronically using IT equipment and other instruments. In order to manage properly the relationship and fulfill legal obligations, personal data may be included in the internal documentation of the Controller and, if necessary, in the documents and registers required by law.
Activities which may be entrusted to external parties - When carrying out our activities as the Data Controller, we may occasionally request other operators to perform certain services on our behalf, such as processing or other services; services needed in order to carry out requested operations or activities; shipments and deliveries; accounting registrations; administrative activities. If the operator appointed by the Controller to carry out certain activities is a company that provides payment, tax collection and treasury management, banking and financial brokerage services, the following services may also be supplied: mass processing of payments, notes, checks and other securities; sending, placing in envelopes, transportation and sorting of communications; filing of documents; identification of financial risks; control of fraud; credit collection. The above operators will only be given the information needed to provide the requested services. They will be required to maintain confidentiality and forbidden to use the data provided for purposes other than those agreed. Operators that are not persons in our organization tasked with processing personal data will be appointed as Data Processors (pursuant to art. 28 GDPR) and will process the data to the extent strictly necessary in order to provide the requested service and solely for that purpose, guaranteeing that their persons tasked with processing have signed a confidentiality agreement. For any matters not indicated herein, these operators must provide specific information about the processing of personal data carried out by them.
Transfer abroad of personal data - The data provided by you will only be processed in Italy. If during the contractual relationship your data is processed in a non-EU State, your rights under EU legislation will be guaranteed and you will be informed on a timely basis.
Purposes of processing your personal data - The main purpose for which our organization will process your personal data is to enable the relationship described in the introduction to become established and/or develop, as well as to ensure that it is administered correctly.
In particular, the following purposes of processing are identified:
Personal data will be processed to fulfill legal obligations, as well as the administrative, insurance and tax obligations envisaged under current legislation, to satisfy accounting and commercial needs, and to fulfill in a timely manner the contractual and legal obligations deriving from the contractual relationship with the data subject. The data provided may also be used to contact the data subject in the context of market research relating to the products or services, or in the context of commercial campaigns or offers. The data subject is free, in all cases, to refuse consent for such purposes and also to specify the manner in which to be contacted or to receive commercial information.
Extent of knowledge of your data - The following categories of data processors or persons tasked with processing by our organization may become aware of your data:
Personal data may also become known by parties that have agreements with us, as indicated in the section entitled “Methods of processing”. We may delegate the fulfillment of certain obligations or deeds to such parties, for the purpose of executing the contractual relationship with the data subject.
Communication and dissemination - Our organization may communicate your data externally, i.e. make it known to one or more specific parties, in order to fulfill all required legal and/or contractual obligations. In particular, your data may be communicated to:
We may communicate your data:
In all cases, your data will only be communicated to operators in order to contribute to fulfillment of the contractual relations that may arise with the data subjects concerned.
Dissemination - We will not disseminate your data indiscriminately, i.e. we will not make it known to unspecified subjects, or make it available for use or consultation.
Trust and confidentiality - We recognize the importance of the trust shown by data subjects who consent to the processing of their personal data and, therefore, we undertake not to sell, hire or rent such personal information to others.
Any debt collection activities and/or communication of omitted payments – Following the signing of the contract for the provision of services, our organization may use the contact details you provide (in particular phone number and email address) in order to undertake reminder activities with reference to debt collection and omitted payments. These communications can be made via email, certified mail, phone call, SMS and WhatsApp. The contact data collected for the purpose of this paragraph will be kept for the entire duration of the relationship or collaboration with our organization and in any case until the balance of all payments due on the aforementioned contract.
Rights pursuant to arts. 15 et seq GDPR - Pursuant to art. 15 GDPR, you are entitled to obtain confirmation of whether or not your personal data has been processed, even if the results have not yet been recorded. Exercise of this right depends on verification of the identity of the data subject, by presentation of an identity document that will not be retained by our organization, but merely checked to verify the legitimacy of the request.
You are entitled to access to your personal data and the following information:
If the data is transferred to another country or to an international organization, you are entitled to be informed about the existence of adequate guarantees pursuant to art. 46 GDPR.
You are entitled to request the controller to amend or delete your personal data, in whole or in part, or to restrict the processing of your personal data or to object, in whole or in part, to its processing.
To exercise these rights, contact the “Data Controller” for our organization at via Adriatica n.62 – 47843 Misano Adriatico or call +390541604894 or write to firstname.lastname@example.org. The Controller will respond within 30 days of receiving your formal request.
If your rights concerning your personal data are infringed, you may complain to the competent authority:
“Guarantor for the protection of personal data - Garante”.
Identification details of the Data Controller and, if appointed, the Representative in the territory of the State and the Data Processor.
Controller - This organization is the Controller of processing: ERICSOFT ITALIA SRL with registered offices at via Adriatica n.62 – 47843 Misano Adriatico; Tel: +39 0541604894; fax: 0541604862; certified e-mail address: email@example.com; e-mail: firstname.lastname@example.org.
Data Protection Manager – The Data Protection Manager is Mario Brocca, who can be contacted at +39 0371/5943191 - email@example.com – firstname.lastname@example.org
Data Processors - The Data Processors are external firms with which contractual relations have been established, and which need your personal data in order to fulfill those agreements.
Each data subject may send a letter to the Data Controller, at the above address, requesting information about any Data Processors that have been appointed and to be informed about any persons appointed to perform that function in future.
Please note that the above Data Processors are not responsible for fulfilling requests from data subjects to exercise their rights pursuant to arts. 15 et seq GDPR. That activity is carried out exclusively by this organization as the Data Controller.
Representative in the territory of the State - Pursuant to art. 4, para. 1, point 17 GDPR, it is confirmed that none of the related circumstances envisaged in the Regulation are applicable and that, accordingly, our organization has not appointed any Representatives in the territory of the State for the purpose of applying the regulations that govern the processing of personal data.
Processing without need for consent from the data subject - Even without your consent, this organization is entitled to process your personal data should it be necessary in order to:
Furthermore, your express consent is not required when the processing:
The Data Controller
ERICSOFT ITALIA SRL
Offices: from Monday to Friday
from 09:00am to 01:00pm and from 02:30pm to 06:00pm
Address: S.S. Adriatica 62, Misano Adriatico (RN)