GDPR for Hospitality: Bookings, Wi-Fi & CCTV

·

A hospitality business processes personal data across bookings, payments, Wi-Fi, CCTV, marketing, staff records and, where accommodation is involved, the legally required guest registers. Each purpose needs its own legal basis, information notice, access controls and retention period. Meeting a registration obligation does not authorise copying entire ID documents, reusing data for marketing, or keeping it indefinitely.

Mapping the processing activities

Before looking at each processing activity in detail, it helps to have the full picture: a hospitality business typically carries out the following activities:

Each activity should be logged with its purpose, legal basis, categories of data processed, recipients, retention period and the security measures applied.

Bookings

The booking process should collect only what's needed: name, contact details, date, party size and any notes relevant to delivering the service. Offensive remarks about the guest and irrelevant sensitive data should never be recorded.

If the booking platform reuses the data for its own purposes, each party's role must be clearly defined and transparency towards the guest must be guaranteed. Cancelled bookings should not be kept indefinitely for marketing purposes.

Guest registration data

Royal Decree 933/2021 (Real Decreto 933/2021) sets out which data must be collected and reported for accommodation activities. The AEPD (Spanish DPA) has clarified that this registration obligation does not, by itself, justify requesting a full copy of an ID document when that isn't actually necessary.

The procedure should:

ID documents should not be photographed as a matter of routine simply for operational convenience.

Guest Wi-Fi

Wi-Fi access can generate identifiers such as the MAC address, IP address, device type or browsing history, depending on the configuration used. The purpose of the processing —access, security or regulatory compliance— must be defined, and any hidden analytics must be avoided.

Recommended controls:

Basic Wi-Fi access should not be made conditional on accepting marketing communications when this isn't necessary for the service.

CCTV

An image is personal data. Cameras must serve a security purpose and comply with the principles of necessity and proportionality.

Audio recording is a more intrusive measure and, as a general rule, should be avoided unless there's an exceptional justification.

Cameras and staff

When cameras are also used for staff monitoring, the specific duty to inform and the principle of proportionality apply. Continuous performance surveillance must not be designed into the system, and cameras that form part of the ordinary system must not be hidden.

Staff representatives should be involved in the process where applicable.

Marketing

Booking a table or a room does not amount to accepting advertising. Marketing needs an appropriate legal basis, clear information and a simple opt-out mechanism.

It's worth keeping separate:

Contact lists should be cleaned periodically, and the source of each piece of data should be recorded. Buying databases without sufficient guarantees creates a genuine compliance risk.

Images and social media

Publishing images of guests or staff on social media is a separate purpose from the rest of the processing activities. When it relies on consent, that consent must be channel-specific and revocable at any time. At events, guests should be informed beforehand and reasonable alternatives offered to anyone who doesn't want to appear.

A person in the background can still be identifiable. Not everything that happens on the premises can be freely published.

Allergies and health

Allergies can constitute health data. Only what's needed to deliver the service should be collected, access to that information should be limited to kitchen and floor staff, and it should be deleted once it's no longer needed.

This information must not be used for commercial segmentation. The relevant notes should be objective and kept securely protected.

Staff

Staff-related processing activities include:

Employees must be informed, access to each type of information must be restricted, and biometric data must not be used purely for convenience. Health data must be kept separate, with only the strictly necessary conclusions shared.

Suppliers

Booking platforms, PMS, POS, delivery, marketing, Wi-Fi, cameras, payroll and cloud services can act either as processors or as independent controllers, depending on the case.

Worth reviewing:

A platform being well known in the sector doesn't exempt you from this due diligence.

Payments

Card data must not be stored outside the systems authorised for that purpose. Access to this information must be restricted, appropriate payment providers must be used, and payment data must be kept separate from marketing data.

Payment receipts contain personal information and must be retained in line with tax obligations and the handling of possible claims.

Retention

There's no single retention period for every processing activity: each data category follows its own retention criterion.

Category Criterion
Bookings Service and claims
Invoices Tax obligations
Accommodation Specific accommodation regulation
Wi-Fi Security and necessity
Cameras CCTV regime
Marketing Until opt-out or end of legal basis
Staff Employment and liability obligations

Once the ordinary use of the data ends, blocking may be appropriate rather than immediate deletion.

Rights

There must be a channel for exercising the rights of access, rectification, erasure, restriction and objection. The identity of the person making the request must be verified proportionately, and the response must be given within the deadline.

For CCTV, third parties who may appear in the recordings must be protected. In accommodation, erasure may be limited by a legal obligation to retain the data.

Breaches

The most common cases in hospitality include:

The breach procedure must contain the incident, assess it, log it and decide whether notification to the supervisory authority or to affected individuals is required. The supplier involved must give notice without delay.

30-day plan

Week 1

Inventory of processing activities, assignment of responsibilities and supplier review.

Week 2

Information to data subjects, definition of legal bases and contract review.

Week 3

Review of access controls, retention, cameras and Wi-Fi.

Week 4

Team training, breach procedure and testing the exercise of rights.

Common mistakes

  1. Copying the guest's full ID document.
  2. Using booking data for marketing without an appropriate legal basis.
  3. Making Wi-Fi access conditional on accepting advertising.
  4. Installing cameras with audio recording.
  5. Capturing excessive footage of public streets.
  6. Sharing PMS login credentials among staff.
  7. Keeping allergy data indefinitely.
  8. Not reviewing the contracts of the platforms used.
  9. Publishing images of guests or staff without a legal basis.
  10. Having no breach management procedure in place.

Checklist

Frequently asked questions

Can a guest's ID document be copied?

The registration obligation in accommodation establishments does not, by itself, authorise keeping a full copy of an ID document. The AEPD (Spanish DPA) has warned about the need to apply the data minimisation principle.

Can I use the phone number from a booking to send promotions?

Not automatically. There must be an appropriate legal basis for sending marketing, along with a simple opt-out mechanism.

How long are CCTV recordings kept?

As a general rule, the CCTV regime sets a typical maximum of one month, unless retention for an incident applies under the relevant regulation.

Can an email address be required to grant Wi-Fi access?

Only if it's necessary and there's an appropriate legal basis and information notice in place. Accepting marketing must never be imposed as a condition for Wi-Fi access.

Summum Consultoría can review, for a hospitality business, its booking, accommodation, camera, supplier and data retention processes. The external DPO service helps keep the processing map up to date and respond to the authorities, while the GDPR CCTV compliance service specifically addresses camera installation and its regime.