A hospitality business processes personal data across bookings, payments, Wi-Fi, CCTV, marketing, staff records and, where accommodation is involved, the legally required guest registers. Each purpose needs its own legal basis, information notice, access controls and retention period. Meeting a registration obligation does not authorise copying entire ID documents, reusing data for marketing, or keeping it indefinitely.
Mapping the processing activities
Before looking at each processing activity in detail, it helps to have the full picture: a hospitality business typically carries out the following activities:
- Bookings and waiting lists
- Billing and payments
- Loyalty programmes
- Home delivery orders
- Guest Wi-Fi
- CCTV
- Events and images
- Marketing
- Allergens and special needs
- Staff and shift schedules
- Suppliers
- Accommodation, where applicable
Each activity should be logged with its purpose, legal basis, categories of data processed, recipients, retention period and the security measures applied.
Bookings
The booking process should collect only what's needed: name, contact details, date, party size and any notes relevant to delivering the service. Offensive remarks about the guest and irrelevant sensitive data should never be recorded.
If the booking platform reuses the data for its own purposes, each party's role must be clearly defined and transparency towards the guest must be guaranteed. Cancelled bookings should not be kept indefinitely for marketing purposes.
Guest registration data
Royal Decree 933/2021 (Real Decreto 933/2021) sets out which data must be collected and reported for accommodation activities. The AEPD (Spanish DPA) has clarified that this registration obligation does not, by itself, justify requesting a full copy of an ID document when that isn't actually necessary.
The procedure should:
- Collect only the fields required by the regulation
- Verify identity proportionately
- Inform the guest
- Restrict access to the information collected
- Transmit the data through the authorised channel
- Retain it in line with the specific regulation
- Avoid additional copies
ID documents should not be photographed as a matter of routine simply for operational convenience.
Guest Wi-Fi
Wi-Fi access can generate identifiers such as the MAC address, IP address, device type or browsing history, depending on the configuration used. The purpose of the processing —access, security or regulatory compliance— must be defined, and any hidden analytics must be avoided.
Recommended controls:
- Network kept separate from the business's internal systems
- Accessible information about the processing
- Minimal logs with a defined retention period
- Properly contracted provider
- Secure access portal
- No excessive data requests
- Protection against unauthorised access
Basic Wi-Fi access should not be made conditional on accepting marketing communications when this isn't necessary for the service.
CCTV
An image is personal data. Cameras must serve a security purpose and comply with the principles of necessity and proportionality.
- Positioning that limits capture of public streets and areas outside the business
- Express ban in toilets, changing rooms and private areas
- Visible information sign
- Full information available to anyone who requests it
- Restricted access to recordings
- Maximum general retention under the applicable regime, typically one month unless there's an incident
- Footage extraction only for specific events
- Contract with the security company where applicable
Audio recording is a more intrusive measure and, as a general rule, should be avoided unless there's an exceptional justification.
Cameras and staff
When cameras are also used for staff monitoring, the specific duty to inform and the principle of proportionality apply. Continuous performance surveillance must not be designed into the system, and cameras that form part of the ordinary system must not be hidden.
Staff representatives should be involved in the process where applicable.
Marketing
Booking a table or a room does not amount to accepting advertising. Marketing needs an appropriate legal basis, clear information and a simple opt-out mechanism.
It's worth keeping separate:
- Service communications
- Surveys
- Loyalty schemes
- Promotions
- Profiling
Contact lists should be cleaned periodically, and the source of each piece of data should be recorded. Buying databases without sufficient guarantees creates a genuine compliance risk.
Images and social media
Publishing images of guests or staff on social media is a separate purpose from the rest of the processing activities. When it relies on consent, that consent must be channel-specific and revocable at any time. At events, guests should be informed beforehand and reasonable alternatives offered to anyone who doesn't want to appear.
A person in the background can still be identifiable. Not everything that happens on the premises can be freely published.
Allergies and health
Allergies can constitute health data. Only what's needed to deliver the service should be collected, access to that information should be limited to kitchen and floor staff, and it should be deleted once it's no longer needed.
This information must not be used for commercial segmentation. The relevant notes should be objective and kept securely protected.
Staff
Staff-related processing activities include:
- Contracts and payroll
- Shift schedules
- Clocking in and out
- Occupational health
- Cameras
- Devices
- Candidates
Employees must be informed, access to each type of information must be restricted, and biometric data must not be used purely for convenience. Health data must be kept separate, with only the strictly necessary conclusions shared.
Suppliers
Booking platforms, PMS, POS, delivery, marketing, Wi-Fi, cameras, payroll and cloud services can act either as processors or as independent controllers, depending on the case.
Worth reviewing:
- The role each supplier occupies
- The signed contract
- Any sub-processors involved
- The security measures applied
- The data transfers it carries out
- The applicable retention period
- Whether the data can be exported
- The incident procedure
- The exit conditions from the service
A platform being well known in the sector doesn't exempt you from this due diligence.
Payments
Card data must not be stored outside the systems authorised for that purpose. Access to this information must be restricted, appropriate payment providers must be used, and payment data must be kept separate from marketing data.
Payment receipts contain personal information and must be retained in line with tax obligations and the handling of possible claims.
Retention
There's no single retention period for every processing activity: each data category follows its own retention criterion.
| Category | Criterion |
|---|---|
| Bookings | Service and claims |
| Invoices | Tax obligations |
| Accommodation | Specific accommodation regulation |
| Wi-Fi | Security and necessity |
| Cameras | CCTV regime |
| Marketing | Until opt-out or end of legal basis |
| Staff | Employment and liability obligations |
Once the ordinary use of the data ends, blocking may be appropriate rather than immediate deletion.
Rights
There must be a channel for exercising the rights of access, rectification, erasure, restriction and objection. The identity of the person making the request must be verified proportionately, and the response must be given within the deadline.
For CCTV, third parties who may appear in the recordings must be protected. In accommodation, erasure may be limited by a legal obligation to retain the data.
Breaches
The most common cases in hospitality include:
- Exposed booking list
- Compromised POS system
- Email sent to recipients visible to each other
- Leaked ID copy
- Camera accessible from the internet
- Lost device
- Attacked supplier
The breach procedure must contain the incident, assess it, log it and decide whether notification to the supervisory authority or to affected individuals is required. The supplier involved must give notice without delay.
30-day plan
Week 1
Inventory of processing activities, assignment of responsibilities and supplier review.
Week 2
Information to data subjects, definition of legal bases and contract review.
Week 3
Review of access controls, retention, cameras and Wi-Fi.
Week 4
Team training, breach procedure and testing the exercise of rights.
Common mistakes
- Copying the guest's full ID document.
- Using booking data for marketing without an appropriate legal basis.
- Making Wi-Fi access conditional on accepting advertising.
- Installing cameras with audio recording.
- Capturing excessive footage of public streets.
- Sharing PMS login credentials among staff.
- Keeping allergy data indefinitely.
- Not reviewing the contracts of the platforms used.
- Publishing images of guests or staff without a legal basis.
- Having no breach management procedure in place.
Checklist
- Processing activities inventoried.
- Guest registration data reduced to the minimum necessary.
- Bookings and marketing handled separately.
- Wi-Fi isolated and properly disclosed.
- Cameras proportionate to the security purpose.
- Allergy data with restricted access.
- Staff informed of the processing that affects them.
- Suppliers with a defined processor or controller contract.
- Retention defined by data category.
- Rights and breach procedure tested.
Frequently asked questions
Can a guest's ID document be copied?
The registration obligation in accommodation establishments does not, by itself, authorise keeping a full copy of an ID document. The AEPD (Spanish DPA) has warned about the need to apply the data minimisation principle.
Can I use the phone number from a booking to send promotions?
Not automatically. There must be an appropriate legal basis for sending marketing, along with a simple opt-out mechanism.
How long are CCTV recordings kept?
As a general rule, the CCTV regime sets a typical maximum of one month, unless retention for an incident applies under the relevant regulation.
Can an email address be required to grant Wi-Fi access?
Only if it's necessary and there's an appropriate legal basis and information notice in place. Accepting marketing must never be imposed as a condition for Wi-Fi access.
Summum Consultoría can review, for a hospitality business, its booking, accommodation, camera, supplier and data retention processes. The external DPO service helps keep the processing map up to date and respond to the authorities, while the GDPR CCTV compliance service specifically addresses camera installation and its regime.