GDPR: what changes for the ho.re.ca industry?

The General Data Protection Regulation (GDPR) will enter into force starting May 25th 2018 and replaces the current Data Protection Directive, issued in 1995. The fundamental principles of privacy and data protection have not changed; but the new regulation takes into account the changes caused by digitalization and applies in all EU countries. The most innovative aspects that characterize the new legislation are multiple:

Extraterritorial

If a company transfers data of European citizens to a country outside the EU, for example in the U.S., the organizations or companies that process such data will have to comply with GDPR. Indeed, the new rules, protect data of European citizens and apply to all companies that process or manage such data, regardless of the country in which they have their registered office or where data is processed.

Fines

Expensive fines will be introduced for companies that do not comply with the regulation, sanctions can reach 4% of the global annual turnover or 20 million euros. In which cases will companies be subject to fines? For example, if they do not implement adequate policies to request data processing consent or if they violate the principles underlying the concept of "Privacy by Design".

Privacy by Design

According to GDPR, data protection must not represent an additional component but relate to the design of systems. This means that any project must be developed taking into account confidentiality and protection of personal data from the start.

Consent

Companies that collect or process personal data must explicitly explain to users, all the conditions that regulate the collection and processing of such data and it is mandatory to declare how the requested data will be processed.

Increase in rights of data holders

Citizens will be able to exercise the right to request the cancellation of their data from the database of institutions and companies and the right of access to such information or the possibility to inquire about who is collecting their personal data and for what purposes. Furthermore, upon request, the company can be required to provide within 30 days to the data owner an electronic copy of the data in his possession.

Mandatory notifications of violations

The companies that hold personal data must communicate within 72 hours, both to customers and to the data controller, the occurrence of violations that could expose personal information of data owners

What does this mean for hoteliers and restaurateurs?

Before understanding in detail how hospitality entrepreneurs must comply with these rules, the new figures introduced by the European regulation must be explained: Data Controller and Data Processor:

The data controller determines the purposes for which and the means by which personal data is processed.

The data processor processes personal data only on behalf of the controller.

In summary, according to GDPR, the Data Controller is any company or organization that holds the personal data of European Union citizens - personal data means all information, including the name of your customers.

The Data Processor is instead the company or organization that deals with the processing and storage of this personal data on behalf of the Data Controller.

Applied to a real case reality: the Data Controller is the hotelier / restaurateur that owns customers’ personal data, while the Data Processor is Ericsoft, the company that provides the PMS software with which data are collected and processed.

Hotels and restaurants collect a lot of data from their customers, from their preferences in terms of stay to food allergies, we will analyze in detail how the legislation affects the data collected by accommodation facilities (examples are also applicable in the catering sector).

Guests staying at the property, provide different types of data to the hotel: in addition to personal information, they can also share more information on their consumption habits and preferences, which will be collected by the CRM (if the hotel has one) to be used in future marketing campaigns.

By controlling the collection, storage, processing and sharing of personal data, the new regulation wants to ensure that this data is managed correctly and in full respect of data holders. To be in line with the principles of the new regulation:

- the host, or data owner, must have given consent for the collection and processing of his personal data for one or more specific purposes clearly and explicitly stated by the hotel, or the hotel must demonstrate that the processing of such data is necessary to fulfill a legal obligation or to complete an action, as in the case of check in, where the consent for personal data collection and processing is implicit (it is considered as already provided during the booking phase);

- the hotel must be able to demonstrate that the guest has given his consent to the processing of his data explicitly and actively. For example, the subscription to a newsletter must include a checkbox, deselected by default, that the user must check to register his request;

- it is forbidden to process personal data concerning: racial or ethnic origin, political opinions, religious, philosophical and political beliefs, data related to the health issues, genetic data and sexual orientation of the individual;

- the guest has the right to obtain the cancellation of his personal data and the data controller will therefore have be forced to delete such data;

- the guest has the right to receive a copy of the personal data collected by the data controller (hotel) in a structured way, using a common format readable by automatic devices;

- the hotel’s website should have a page with the privacy policy displayed in full, to explain in a detail way what information is collected when users visit the site - data sent freely by users, data collected from cookies and data collected through other means