Sector hostelero

GDPR for hospitality: restaurants, hotels and catering

The hospitality sector processes a considerable volume of personal data every day: table and room reservations, mandatory traveller registration, images from video surveillance systems, customer Wi-Fi data and loyalty programme profiles. Each of these processing activities has its own legal basis, its own information obligations and its own retention periods. At Summum Consultoria we support restaurants, hotels, cafés and tourist accommodation in their practical compliance with Regulation (EU) 2016/679 and the LOPDGDD (LO 3/2018 — Spain's national data protection law).

Applicable lawGDPR (EU) 2016/679 · LOPDGDD 3/2018
Key processing activitiesReservations · traveller registration · video surveillance · loyalty programmes
Supervisory authorityAEPD — Spanish Data Protection Agency (Agencia Española de Protección de Datos)

Hospitality is one of the sectors with the highest density of personal data processing: guests provide their name, identity document number and credit card details even before stepping through the door. Compliance with Regulation (EU) 2016/679 — the GDPR — in this environment requires identifying precisely what data is collected at each point of service, what legal basis covers it and what information must be provided to the customer. Article 6 of the GDPR sets out the lawful bases for processing: for a reservation, the usual basis is the performance of a contract (art. 6.1.b); for a security camera in the lobby, the legitimate interest of the establishment (art. 6.1.f) or the fulfilment of a legal obligation may be the appropriate basis depending on the circumstances; and for a loyalty programme that includes commercial communications, the explicit consent of the customer (art. 6.1.a) is almost always required.

Traveller registration is one of the most distinctive obligations in the accommodation sector. Royal Decree 933/2021 of 26 October (Real Decreto 933/2021) regulates the obligation of accommodation establishments to collect guests' data — full name, identity document number, date of birth, sex, nationality and check-in date — and to transmit it to the State Security Forces and Corps within a maximum of twenty-four hours. From a GDPR perspective, this processing rests on the fulfilment of a legal obligation (art. 6.1.c of the GDPR), which exempts the establishment from obtaining consent for this specific purpose. Nevertheless, the hotel remains obliged to inform the guest of this processing in advance, through a privacy notice during the check-in process, and to ensure that the data is not used for purposes other than those laid down in the regulation.

Video surveillance is another frequent source of non-compliance in the hospitality sector. Cameras installed in the lobby, car park, bar area or common areas are subject to article 22 of the LOPDGDD, which requires placing informative signs in a visible location warning of the existence of the system, indicating the data controller and how data subjects can exercise their rights. Images captured may only be retained for a maximum of thirty days, unless they are needed to evidence the commission of a criminal offence or administrative infraction. Cameras pointed at private spaces used by workers — changing rooms, canteens, rest areas — or at the public highway fall outside what the GDPR and the LOPDGDD permit in this context. For installations aimed at monitoring activity in the kitchen or dining room, it is important to distinguish whether the purpose is the security of the establishment or the supervision of staff: the latter may require prior notification to the employee in accordance with article 89 of the LOPDGDD.

Free Wi-Fi for customers is a processing activity that is frequently managed without the minimum documentation required. When an establishment deploys a captive portal that requests a name, email address, room number or other data in order to grant network access, it is initiating a personal data processing activity that requires, at a minimum, compliance with the information duty under article 13 of the GDPR before the user provides their data. If that information is additionally used to send commercial communications or promotions from the establishment, the legal basis shifts to the user's informed and specific consent, which must be clearly separate from the mere condition for accessing the service.

Loyalty programmes and direct marketing represent the processing activity with the greatest commercial potential for the sector, but also one that attracts the most regulatory scrutiny. The LOPDGDD (LO 3/2018) requires that the sending of offers, discounts or newsletters be based on the free, specific, informed and unambiguous consent of the recipient, unless the recipient is an existing customer and the communication relates to products or services similar to those already contracted, in which case the existing contractual relationship exception may apply. In any event, the customer must be able to exercise their right to object to direct marketing at any time, and the establishment must ensure that requests are dealt with without undue delay. Summum Consultoria supports hospitality establishments in designing consent-collection processes that are practical for the business and compliant with regulatory requirements.

The GDPR for hospitality process.

The process · four stages
01

Processing audit and risk analysis

We carry out a complete inventory of the establishment's data processing activities: reservations, check-in, traveller registration, video surveillance, Wi-Fi, loyalty programmes, suppliers and digital platforms. For each processing activity we identify the lawful basis, the categories of data, the recipients, the retention periods and the risks to data subjects' rights. The result is the processing map that forms the basis for compliance and for the Records of Processing Activities required by article 30 of the GDPR.

02

Documentation and contractual compliance

We draft or review all of the establishment's privacy documents: privacy notices for customers in the reservation process, check-in, Wi-Fi and loyalty programmes; data protection clauses for employees; and data processing agreements with technology providers, reservation platforms, system maintenance companies and any third party that accesses the establishment's personal data, in accordance with article 28 of the GDPR.

03

Video surveillance and traveller registration

We audit the video surveillance system: camera positions, declared purpose, informative signs, image retention periods and access to recordings. We draft or review the traveller registration procedure in accordance with Royal Decree 933/2021 (Real Decreto 933/2021), verify that the privacy notice covers this processing and that the data is not used for purposes other than those prescribed by the regulation. Where non-compliance is identified, we propose specific corrective measures.

04

Team training and ongoing management

We train the establishment's staff — receptionists, floor managers, reservations staff — in procedures for handling data subjects' rights requests (access, rectification, erasure, portability, objection) and in the detection and internal reporting of security incidents. We establish a rights-exercise channel and a timely response procedure in accordance with articles 12 to 22 of the GDPR. We offer periodic reviews to adapt the system to regulatory changes or changes in the establishment's operations.

What is included

What GDPR for hospitality includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Reservations and customer data

    Alignment of the reservation process — in person, by telephone or online — with the information requirements of article 13 of the GDPR: what data is collected, for what purpose, for how long and how the customer can exercise their rights.

  • Traveller registration (RD 933/2021)

    Design of the procedure for collecting and transmitting guest data to the State Security Forces and Corps in accordance with Royal Decree 933/2021 (Real Decreto 933/2021), integrating the duty to inform the traveller and guaranteeing that the data is not used for other purposes.

  • Video surveillance and cameras in dining rooms and kitchens

    Audit of the camera system: position, declared purpose, informative signs, maximum retention period of thirty days (art. 22 LOPDGDD) and access to recordings. Differentiated analysis for security cameras and staff supervision cameras (art. 89 LOPDGDD).

  • Customer Wi-Fi and captive portals

    Review of the captive portal and the privacy notice that must be provided before collecting user data; separation between access to the service and consent for commercial communications.

  • Loyalty programmes and direct marketing

    Design of the consent model and marketing clause for points programmes, newsletters and promotions; procedure for exercising the right to object and management of unsubscriptions from commercial communications.

  • Contracts with platforms and suppliers

    Drafting or review of data processing agreements (art. 28 GDPR) with online reservation platforms, hotel management systems (PMS), point-of-sale terminals and any supplier with access to the establishment's personal data.

Frequently asked questions about GDPR for hospitality.

What legal basis covers data processing in restaurant or hotel reservations?

The usual basis for processing data collected during the reservation process — name, telephone number, email address and payment details — is the performance of the accommodation or catering service contract, in accordance with article 6.1.b of the GDPR. This means that explicit consent is not required to manage the reservation, but the prior information duty under article 13 must be fulfilled: the customer must be informed of who is the data controller, what their data is used for, how long it is retained and how they can exercise their rights of access, rectification, erasure or objection.

Is hotel traveller registration subject to the GDPR?

Yes. Traveller registration — collecting guests' identity data and transmitting it to the State Security Forces and Corps — is a personal data processing activity subject to the GDPR, even though its lawful basis is the fulfilment of a legal obligation (art. 6.1.c of the GDPR and Royal Decree 933/2021 — Real Decreto 933/2021). This means that the establishment does not need consent to carry out the registration, but it must inform the guest of this processing — generally through the privacy notice during the check-in process — and ensure that the data collected for registration is not used for other purposes such as marketing or building customer profiles.

Can I install cameras in the kitchen or dining room of a restaurant?

It depends on the purpose. If cameras are installed for the security of the establishment — access monitoring, theft prevention — the applicable framework is article 22 of the LOPDGDD: informative signs must be placed in a visible location before entering the monitored area, image retention must be limited to a maximum of thirty days and access to recordings must be restricted to authorised persons. If the primary or secondary purpose is to monitor employees' activity, article 89 of the LOPDGDD requires that workers — and, where one exists, their union representatives — be informed in advance. Cameras may not be aimed at rest areas, changing rooms or intimate spaces used by workers, nor may they systematically capture the public highway.

Does free customer Wi-Fi create data protection obligations?

Yes, whenever personal data is collected for access purposes. When an establishment uses a captive portal that requests a name, email address or other data before granting network access, that moment of collection triggers the information duty under article 13 of the GDPR: the user must know who processes their data, for what purpose and for how long. If that information is additionally intended to be used for sending offers or commercial communications, the user's explicit consent is required, and it must be independent and not conditional on Wi-Fi access. Providing network access without collecting identifying data reduces compliance obligations, although the establishment may need to retain connection logs for its own network security reasons.

What happens with customer data shared with reservation platforms such as Booking.com?

Online reservation platforms may act, in relation to customer data, as independent data controllers or as joint controllers together with the establishment, depending on how the relationship is structured and the purposes pursued. In any case, the hospitality establishment must review the platform's privacy terms and, if it receives customer data from the platform, comply with the information duty under article 14 of the GDPR — which applies when data has not been obtained directly from the data subject — and formalise the appropriate contractual arrangements. Summum Consultoria analyses each relationship with digital platforms to determine the correct classification and reflect it in the Records of Processing Activities.

What penalties can the AEPD impose on a hospitality establishment for GDPR non-compliance?

The sanctioning regime under article 83 of the GDPR establishes two tiers of fines: up to €10 million or 2% of total annual worldwide turnover for infringements related to technical or organisational obligations, and up to €20 million or 4% of turnover for infringements of the principles of processing, the lawful bases or data subjects' rights. The LOPDGDD (LO 3/2018) classifies infringements as minor, serious and very serious, and incorporates graduated criteria that take into account the size of the organisation and the measures taken to reduce the damage. Summum Consultoria supports establishments in preventive compliance but does not guarantee the absence of enforcement proceedings or replace the supervisory function of the AEPD.