Until now, the hotel sector has lived with the LOPD (Organic Law on Data Protection), approved in Spain in 1999 to transpose the 1995 EU Data Protection Directive. A new horizon of changes and obligations is now opening up for this and for many other sectors that handle their customers' personal information.
The new General Data Protection Regulation (GDPR) has direct implications for the management and use of data on individuals in the European Union. Not surprisingly, almost every hotel brand will be affected.
In this article we discuss what this new European Union regulation consists of, what its objective is and how it affects the hotel sector, one of the sectors most exposed to this change because of the considerable amount of personal data it handles. On this occasion we want to talk more specifically about its principles and obligations.
So what are the principles of GDPR?
According to Article 5 of the GDPR, where the most important principles of the regulation are summarized, personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected for a limited purpose; that is, collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This is the principle of data minimization: organizations hold only the data that is essential for the stated purpose.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate data is rectified or erased without delay.
- Stored for a limited period. In other words, personal data is kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which it was processed.
- Processed with integrity and confidentiality. Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Based on these principles, hotel companies should take a series of actions regarding processing. Although these were already good practice under the LOPD, they are now more necessary than ever:
- Identify and document the legal basis for each processing operation, so as to be able to demonstrate compliance with the GDPR.
- Provide complete information on that legal basis and on the processing your hotel will carry out, from the moment of collection. This information must be easily accessible, concise, transparent and written in clear and simple language so that it can be fully understood.
- Specify and document the legitimate purposes for which the data is collected.
- Stop relying on consent by omission (pre-ticked boxes, silence or inactivity). Where consent is the legal basis, it must be freely given, specific, informed and unambiguous, expressed through a clear affirmative action.
And what are the main obligations?
The GDPR recognizes a series of rights for EU individuals (called "data subjects") that go beyond the traditional ARCO rights (access, rectification, cancellation and opposition) with which the LOPD sought to guarantee individuals control over their personal data. This change means that companies take on a series of obligations regarding their responsibility for the management of their data subjects' personal information.
- Data subjects have a right of access to their personal information. Among other things, this means they may obtain a copy of the personal data the hotel has collected about them. This right may also be met by providing secure remote access to a system containing the personal data. Under the GDPR the request must be handled free of charge, unless it is manifestly unfounded or excessive (for example because it is repetitive), in which case a reasonable fee may be charged or the request refused.
- The right to restriction of processing: at the data subject's request (for example while the accuracy of the data is being contested or an objection is being examined), the hotel may continue to store the personal data but must not otherwise process it.
- Data subjects may also exercise their right to erasure (the "right to be forgotten"), which companies must respect. If any of that personal data has been made public, the company must take reasonable steps, taking into account the available technology and the cost of implementation, to inform other controllers processing the data of the erasure request.
- The GDPR details a number of organizational measures that must be complied with, such as the appointment of a Data Protection Officer where the regulation requires one. The company will also have to designate the people responsible for demonstrating compliance, assess the risks of its processing operations (carrying out a data protection impact assessment where processing is likely to result in a high risk) and establish data protection policies, among other measures.
- Technical security measures must also be taken to protect personal data. In the case of hotels, this means reviewing hardware, software applications and paper files alike. Where this has not already been done, measures such as encryption or pseudonymization of data, strong authentication and access restrictions based on who actually needs the data should be implemented to protect both access to the data and its integrity.
- The regulation also describes how companies must act in the event of a personal data breach: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and the affected data subjects must be informed when the breach is likely to result in a high risk to their rights and freedoms. Data protection authorities may impose severe fines (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher) for failure to comply.
This is a whole series of tasks that must be taken into account in the new scenario, both at the legal level and at the strategic level for the hotel's marketing. Our recommendation is to proceed step by step, starting by completing this series of questions. And of course, don't forget the implications that the GDPR will have for your hotel brand's marketing.