GDPR in the Hospitality Industry – FAQs

What is GDPR?

The General Data Protection Regulation (EU2016/679) is an EU regulation passed on 12 April 2016, superseding the Data Protection Directive 95/46/EC. The regulation is intended to standardise data privacy laws across Europe, giving all residents of the EU control over, and protection of, their personal data. It states that any business (including hospitality businesses) that handles the personal data of an EU citizen must have adequate measures in place.

What are “adequate measures”?

Data should be properly protected so that theft or misuse cannot occur. The EU citizen also has specific rights on the data that you are holding about them, including the right to know what data has been collected, how it will be used, and the right for the data to be permanently deleted.

What counts as “personal data”?

The GDPR defines personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person”.

This may include an individual’s name, email address, phone number, photos, IP address, dietary requirements, etc.

How much are GDPR non-compliance fines?

Non-compliance fines can be up to €20m, or 4% of global annual turnover (whichever is greater).

When does GDPR come into effect?

GDPR came into effect on 25 May 2018.

Do non-EU companies need to comply with GDPR?

The GDPR is framed around the data subject (the person), rather than the location of the data controller or processor (the business). As such, any company that has European customers should comply with GDPR.

Do small businesses need to comply with GDPR?

All businesses that process personal data must comply with the GDPR, regardless of their size.

What are the rules of GDPR compliance?

Article 5 of the EU GDPR states that personal data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected only for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Kept for no longer than is necessary for the purposes for which it was collected
  • Processed in a manner that ensures appropriate security of the personal data

What is the difference between a data controller and a data processor?

Article 4 of the EU GDPR defines the two roles as follows:

  • Data Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
  • Data Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

What is the easiest way to become GDPR compliant?

Springboard Caribbean’s half-day workshop raises awareness of GDPR among hotel and tourism staff, and highlights the types of action that must be taken within their departments to maintain compliance, as well as the consequences of non-compliance. The workshop helps participants develop a step-by-step plan for achieving compliance in their respective organisations. For more information, please visit our GDPR compliance page. For any enquiries or requests, please contact us today.