A neighbourhood bar offering Wi-Fi to its customers, a three-star hotel with an online booking system and a restaurant with a loyalty card all have something in common that rarely appears on their list of concerns: all three are controllers of personal data under Regulation (EU) 2016/679, known as the GDPR, and under Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). A small business size does not exempt from the obligations; operating in a "face-to-face" sector does not either. The Spanish Data Protection Agency (AEPD) has in recent years sanctioned hospitality businesses for poorly positioned CCTV cameras, booking forms without an information clause and customer databases lacking basic security measures.
This article explains, using real use cases from the sector, what data hospitality businesses process, what obligations the regulations impose and when it makes sense to engage an external DPO to ensure compliance without overloading the business owner.
What personal data does a hospitality business process?
The hospitality industry collects more data than it appears at first glance. Identifying it is the first step to managing it correctly.
Bookings and check-in
Hotels, rural guesthouses and tourist apartments are required by public security regulations (Organic Law 4/2015 and Royal Decree 933/2021, in force since 2 January 2023) to record and report to the Ministry of the Interior the data of all travellers aged 14 and over: name and surnames, type and number of identity document, date of birth, sex, country of residence and date of entry. This record must be reported within a maximum of 24 hours via the SES.HOSPEDAJES system. Each traveller registration file is also a personal data file that requires a retention policy and controlled access.
Online booking systems
Forms on the hotel or restaurant website, third-party booking platforms (TheFork, Booking.com, etc.) and confirmation emails generate records containing name, email address, phone number and, frequently, dietary preferences or allergies. The latter are health data, a special category under Article 9 of the GDPR, which requires a reinforced legal basis (explicit consent or contractual necessity with safeguards) and additional security measures.
CCTV surveillance
Security cameras at entrances, rooms and car parks capture images that constitute personal data. The AEPD has published a Guide on the use of video cameras for security and other purposes (updated in 2023) that sets out, among other requirements: minimum capture zone (only the business's own perimeter, not public roads except in specified cases), visible information sign, and maximum retention of 30 days unless required by court order. Several recent sanctions by the agency — some exceeding €5,000 for small businesses — stem from cameras pointing at the street or from images stored for months without justification.
Guest Wi-Fi
Internet access via a captive portal involves, at a minimum, recording the MAC address of the device and, if registration is required, the user's email address or phone number. Under Article 13 of the GDPR, the establishment must inform the user at the point of data collection: who the controller is, for what purpose the data is retained and for how long. Omitting this notice on the connection portal is a recognised infringement.
Loyalty cards and programmes
Hotel chains and higher-volume restaurants maintain customer databases containing consumption history, room preferences and visit patterns. When this data is cross-referenced with profiles to send commercial offers, the most common legal basis is legitimate interest (Article 6.1.f GDPR), provided a balancing test has been carried out and customers can easily object. Sending commercial communications without a legal basis also constitutes an infringement of Law 34/2002 on Information Society Services (LSSI).
Employment relationships
Payslips, contracts, sick notes, images from cameras in work areas, digital time-tracking: the hospitality employer is also a controller of employee data. Data protection obligations in employment law are extensive and include informing workers about the use of monitoring systems (Articles 87–90 LOPDGDD).
Specific GDPR obligations for hospitality
The regulations make no distinction between sectors: the obligations are the same for a 200-room hotel as for a ten-table bar, although the intensity and complexity of their practical application varies.
| Obligation | What it involves | Applies to |
|---|---|---|
| Record of Processing Activities (RoPA) | Internal document listing all processing activities: purpose, categories of data, recipients, retention periods, security measures. Mandatory for organisations with more than 250 employees or that process high-risk data (special categories, large scale). | Medium and large hotels, chains; recommended for all |
| Information clauses | Notices on booking forms, on the website (legal notice + privacy policy), at the reception desk and on the Wi-Fi portal. Must comply with Article 13 GDPR. | All establishments collecting data |
| Contracts with data processors | Formal agreements with suppliers who access data (booking platforms, accountants, cloud-based POS software, camera maintenance company). Art. 28 GDPR. | All controllers that outsource processing |
| CCTV information signs | Visible signs in monitored areas with basic information (controller, purpose, rights). Template available on the AEPD website. | All establishments with cameras |
| Retention and deletion policy | Define how long each type of data is kept and ensure its deletion or anonymisation when no longer needed. | All establishments |
| Rights request procedure | Channel for customers and employees to exercise their rights (access, rectification, erasure, objection, portability, restriction). Response within one month (extendable to two). | All establishments |
| Data Protection Impact Assessment (DPIA) | Formal risk analysis mandatory when processing "is likely to result in a high risk". Large-scale CCTV or extensive processing of health data (allergies) may require one. | Hotels with extensive CCTV, large chains |
| DPO appointment | Mandatory when the core activity involves large-scale systematic monitoring of individuals in public spaces, or large-scale processing of special category data. Recommended for hotel chains. | Large chains; recommended for medium-sized ones |
AEPD sanctions in the hospitality sector: real cases
This is not theory. The AEPD publishes all its decisions and many directly affect the sector.
Cameras recording public roads
In several decisions, the AEPD has sanctioned hospitality establishments for installing cameras pointing at the pavement or street, capturing images of people with no connection to the business without a legal basis. The argument "it is for the security of the premises" does not justify capture outside the business's own perimeter. Fines in these cases range, for small businesses, between €300 and €3,000, although the amount may be higher in cases of repeat infringement or lack of cooperation.
Commercial mailings without consent
Restaurants that collect customers' email addresses during a booking and then add them to a newsletter list without specific consent have received warnings and fines. Consent for managing the booking does not authorise the sending of advertising: these are different purposes requiring independent legal bases.
Unauthorised access to employee data
In hotel environments with high staff turnover, access to payroll and personnel files by unauthorised managers or the use of shared systems without access controls have generated security incidents. Article 32 GDPR requires the adoption of appropriate technical and organisational measures, including role-based access controls.
When is it mandatory to appoint a DPO in hospitality?
Article 37 of the GDPR establishes three cases in which appointing a Data Protection Officer (DPO) is mandatory: public authorities or bodies, organisations whose core activities involve large-scale systematic monitoring of individuals, and organisations that process special category data on a large scale. In hospitality, the formal obligation rarely arises except in large chains with extensive CCTV systems or with extensive health data processing.
However, the voluntary appointment of an external DPO is an increasingly common practice in the sector, particularly in medium-sized hotels and multi-site restaurant groups, for three practical reasons:
- Growing complexity: the number of processing activities, suppliers and digital channels makes compliance management too technical to handle without specialists.
- Point of contact with the AEPD: having a DPO appointed and notified to the supervisory authority improves the establishment's position in the event of any inspection or complaint.
- Contained cost: an external DPO can serve several establishments in a shared service model, making the cost viable even for medium-sized businesses.
Concrete use cases: how GDPR applies in practice in hospitality
Urban hotel with 80 rooms
A hotel of this size manages daily: traveller registration reports communicated to the Ministry of the Interior (SES.HOSPEDAJES), direct bookings via the website and through OTAs (Booking.com, Expedia), credit card data as guarantee (normally through a PCI-DSS certified gateway, which does not exempt from GDPR responsibility), cameras at reception, car park and corridors, and employee data. The record of processing activities will identify at least eight to ten separate processing activities. The relationship with Booking.com requires a data processing agreement; the camera policy needs an internal guide and the required information signs; web forms must include a full information clause. An external DPO with a few hours of monthly dedication can keep all of this up to date.
Restaurant chain with a loyalty card
A chain with eight locations managing a points card accumulates a full profile of each customer: visit frequency, average spend, preferences (non-alcoholic drinks, vegan menu), contact details. This processing may approach the concept of "profiling" under Article 4.4 GDPR, which requires greater diligence regarding the legal basis and information provided to the user. The loyalty programme must have its own section in the privacy policy, with a clear explanation of how the data will be used and the retention period after cancellation.
Bar with free Wi-Fi
This is the apparently simplest case, but also the most frequently non-compliant. If the connection portal requests the customer's email address, that email is personal data and collecting it requires informing the user. If the email address is to be used to send offers, explicit consent is also required (active opt-in, not a pre-ticked box). The session cookie on the portal may also fall under the Cookies Law (transposition of the ePrivacy Directive), although the practical scope depends on the technical implementation.
Rural guesthouse with a digital complaints book
Digital complaints forms, increasingly common in regions that have regulated the online channel, collect data about the complainant and the employee involved. This data has a specific purpose (handling the complaint and possible review by the regional consumer authority) and cannot be reused for other purposes. Handling it correctly requires informing the customer at the time of the complaint and retaining the file for as long as sector-specific regulations require.
The dual regulatory framework: GDPR and LOPDGDD
The GDPR has been directly applicable in Spain since 25 May 2018. The LOPDGDD (Organic Law 3/2018) develops and adapts it to the Spanish legal system, adding specific rules in areas such as workplace CCTV (Art. 89), control of the use of digital devices (Art. 87), geolocation of workers (Art. 90) and internal whistleblowing systems (Art. 24, now complemented by Law 2/2023 on whistleblowing channels). For hospitality, Articles 89 and 90 of the LOPDGDD are particularly relevant if cameras or GPS are used in a catering delivery fleet.
Additionally, Royal Decree 933/2021 on documentary registration and information obligations for individuals carrying out accommodation or motor vehicle rental activities introduces specific obligations for the sector that overlap — without contradiction — with those of the GDPR. Complying with both regulations simultaneously requires consistency in retention periods: the Ministry of the Interior may require traveller registration records to be retained for three years, while the GDPR requires that they not be kept longer than strictly necessary. The solution is to document both obligations in the RoPA and apply the longer period where a legal obligation justifies it.
Steps to bring your establishment into compliance
Compliance does not require months or disproportionate resources. In most medium-sized hospitality establishments, a structured process allows a reasonable level of compliance to be achieved within a few weeks:
- Processing inventory: list all points where data is collected or processed (forms, bookings, cameras, Wi-Fi, POS, payroll, etc.).
- Legal basis per processing activity: identify whether each processing activity is based on a contract, legitimate interest, legal obligation or consent, and document it.
- Information clauses: draft or update information texts on forms, the website and physical collection points.
- Processor contracts: review agreements with booking platforms, management software providers, security companies and accountants, and incorporate the clauses required by Article 28 GDPR where missing.
- CCTV policy: check camera angles, install required information signs and set a maximum 30-day retention policy.
- Staff training: reception, front-of-house and kitchen teams who handle data need to know the basic procedures: how to handle a rights request, what to do in the event of a security breach.
- Periodic review: GDPR compliance is not a one-off project; processing activities change (new booking app, new Wi-Fi provider) and documentation must be kept up to date.
Frequently asked questions
Does a small restaurant have the same GDPR obligations as a large hotel?
The formal obligations are the same in terms of principles, legal bases and information to data subjects. What varies is the scale and therefore the implementation effort. A restaurant with four employees and no loyalty schemes or CCTV has few processing activities to manage; a hotel with a hundred rooms and multiple digital channels has a far broader range of situations. In both cases, infringements are subject to sanctions, but the AEPD takes into account the size and financial capacity of the offender when setting the amount (Article 83.2.k GDPR).
Can I keep customer booking data indefinitely for future marketing campaigns?
No. The storage limitation principle (Article 5.1.e GDPR) requires data to be retained only for as long as necessary for the purpose that justifies it. Once the stay has ended and any potential civil or tax claims have expired (generally four to five years depending on the type of data), the data must be deleted or anonymised. Using past booking data for commercial mailings also requires a specific legal basis independent of the original booking.
Do I need consent to install cameras on my premises?
Not exactly: the legal basis for CCTV in premises open to the public is usually the controller's legitimate interest (security of persons and property), not consent. What is mandatory is to inform customers and employees by means of the required information signs. The capture of images of employees for the purpose of workplace monitoring has additional requirements under Article 89 of the LOPDGDD: the employer must inform workers or their representatives in advance.
What happens if I suffer a security breach (hacking of the customer database)?
Article 33 of the GDPR imposes an obligation to notify the breach to the AEPD within a maximum of 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of those affected. If the breach entails a high risk to data subjects, they must also be informed directly (Article 34). Failure to notify within the deadline is a serious infringement. Having a documented incident management protocol — and an external DPO to activate it — significantly reduces the risk of missing this deadline.