Hospitality is one of the sectors with the highest density of personal data processing: guests provide their name, identity document number and credit card details even before stepping through the door. Compliance with Regulation (EU) 2016/679 — the GDPR — in this environment requires identifying precisely what data is collected at each point of service, what legal basis covers it and what information must be provided to the customer. Article 6 of the GDPR sets out the lawful bases for processing: for a reservation, the usual basis is the performance of a contract (art. 6.1.b); for a security camera in the lobby, the legitimate interest of the establishment (art. 6.1.f) or the fulfilment of a legal obligation may be the appropriate basis depending on the circumstances; and for a loyalty programme that includes commercial communications, the explicit consent of the customer (art. 6.1.a) is almost always required.
Traveller registration is one of the most distinctive obligations in the accommodation sector. Royal Decree 933/2021 of 26 October (Real Decreto 933/2021) regulates the obligation of accommodation establishments to collect guests' data — full name, identity document number, date of birth, sex, nationality and check-in date — and to transmit it to the State Security Forces and Corps within a maximum of twenty-four hours. From a GDPR perspective, this processing rests on the fulfilment of a legal obligation (art. 6.1.c of the GDPR), which exempts the establishment from obtaining consent for this specific purpose. Nevertheless, the hotel remains obliged to inform the guest of this processing in advance, through a privacy notice during the check-in process, and to ensure that the data is not used for purposes other than those laid down in the regulation.
Video surveillance is another frequent source of non-compliance in the hospitality sector. Cameras installed in the lobby, car park, bar area or common areas are subject to article 22 of the LOPDGDD, which requires placing informative signs in a visible location warning of the existence of the system, indicating the data controller and how data subjects can exercise their rights. Images captured may only be retained for a maximum of thirty days, unless they are needed to evidence the commission of a criminal offence or administrative infraction. Cameras pointed at private spaces used by workers — changing rooms, canteens, rest areas — or at the public highway fall outside what the GDPR and the LOPDGDD permit in this context. For installations aimed at monitoring activity in the kitchen or dining room, it is important to distinguish whether the purpose is the security of the establishment or the supervision of staff: the latter may require prior notification to the employee in accordance with article 89 of the LOPDGDD.
Free Wi-Fi for customers is a processing activity that is frequently managed without the minimum documentation required. When an establishment deploys a captive portal that requests a name, email address, room number or other data in order to grant network access, it is initiating a personal data processing activity that requires, at a minimum, compliance with the information duty under article 13 of the GDPR before the user provides their data. If that information is additionally used to send commercial communications or promotions from the establishment, the legal basis shifts to the user's informed and specific consent, which must be clearly separate from the mere condition for accessing the service.
Loyalty programmes and direct marketing represent the processing activity with the greatest commercial potential for the sector, but also one that attracts the most regulatory scrutiny. The LOPDGDD (LO 3/2018) requires that the sending of offers, discounts or newsletters be based on the free, specific, informed and unambiguous consent of the recipient, unless the recipient is an existing customer and the communication relates to products or services similar to those already contracted, in which case the existing contractual relationship exception may apply. In any event, the customer must be able to exercise their right to object to direct marketing at any time, and the establishment must ensure that requests are dealt with without undue delay. Summum Consultoria supports hospitality establishments in designing consent-collection processes that are practical for the business and compliant with regulatory requirements.