Hotel GDPR Data Privacy and Protection

What is The GDPR?


The GDPR (General Data Protection Regulation) creates a single data protection legal framework across the European Union member states, with the aim of giving individuals back control of their personal data. It is a landmark law that imposes strict rules on organizations that store or process the personal data of people in the EU, wherever in the world those organizations are located. At its core, the GDPR stipulates how companies may collect, use, and share personal data.

The GDPR took effect on May 25, 2018. You might recall the onslaught of emails from your favorite websites updating their terms and conditions around that date, and the cookie consent pop-ups that began appearing shortly after. All of this is attributed to the GDPR coming into force.

The GDPR protects natural persons, whatever their nationality or place of residence, whose personal data is processed or whose behavior is monitored while they are in the EU. The breadth of this legislation means that nearly every online service worldwide is affected. It has already brought significant changes for US users as companies adapt, and has drawn major US corporations such as Facebook and Google into disputes with EU regulators over their data privacy practices.

The foundation of the GDPR is the EU's earlier Data Protection Directive of 1995 (95/46/EC), which it replaces; the EU-US Privacy Shield was a separate mechanism for transatlantic data transfers, not a predecessor of the regulation. The new comprehensive regulation expands on the earlier framework in two critical ways:

First, the definition of personal data has been broadened to any information that can be traced back to an identifiable individual (the data subject). This covers not only data collected directly about the subject, such as name and contact details, but also indirect data such as online identifiers (an IP address, geolocation coordinates) and psychographic, physical, financial, and economic data.

Second, the GDPR sets a higher bar for collecting, storing, and disseminating the vast array of data that might be harvested from individuals. Whenever a company obtains data on an individual in the European Union, it needs a lawful basis for doing so; where that basis is consent, the consent must be freely given, specific, informed, and unambiguous. In the spirit of putting the individual in control, a user must have a way to withdraw that consent as easily as it was given. Individuals can also request a copy of all the data a company holds on them, which in effect lets them audit the company's adherence to the law.

Because data flows freely online, and because many travelers originate from the EU, the regulation expressly extends its reach to companies based outside the European Union that offer goods or services to, or monitor the behavior of, individuals in the EU. It is therefore global in effect, and ignorance of the GDPR is no defense for hospitality businesses based outside the EU.

The GDPR's penalties are severe and come in two tiers. The upper tier allows fines of up to 4% of a company's annual worldwide turnover or 20 million euros, whichever is higher; the lower tier allows up to 2% of annual worldwide turnover or 10 million euros, whichever is higher. These penalties signal how seriously the EU takes data privacy.

The GDPR is only the start of a global push to protect personal data online, and other governments are already following suit with laws of the same ilk. In the United States, California has followed the EU's lead and passed its own analogue, the California Consumer Privacy Act (CCPA), in 2018. Although not as expansive in scope as the GDPR, it takes effect in 2020 and will set the tone for the rest of the United States to take the protection and security of personal data more seriously.

With this said, it is imperative that all hospitality businesses ensure they adhere to the GDPR and look ahead to compliance with the CCPA.


What are The Key Policies of GDPR?

According to Article 5 of the GDPR, six principles drive compliance with the regulation, and Article 5(2) adds a seventh, accountability: the controller is responsible for, and must be able to demonstrate, compliance with the other six.

Lawfulness, Fairness and Transparency (Getting Consent)
All personal data must be processed lawfully, fairly, and in a transparent manner. Every processing activity needs a lawful basis under Article 6; consent is one of those bases, alongside others such as performance of a contract with the guest, a legal obligation, or the controller's legitimate interests. Where the basis is consent, the controller must obtain it before gathering and storing the data and must clearly state what the data will be used for.

Purpose Limitation
All personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. The controller must specify the use of the data it collects and ensure that the scope of that use does not drift.

Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.

Accuracy
Any personal data collected must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay. The controller should check the data it holds and provide a process for subjects to correct errors.

Data Minimization
Personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Only the data needed to satisfy the disclosed purposes may be collected, and extraneous collection must be avoided.

Storage Limitation
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Define a retention schedule and delete or anonymize personal data on it.
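The storage-limitation principle is easy to state and easy to get wrong in practice, because different data about the same guest has different lifetimes and some of it must outlive the stay for tax or dispute reasons. The following Python is an added illustration, not INNsight's code or any part of its product; the retention periods, field names, purposes, and sample records are hypothetical and constructed for the example. It decides, per record and per purpose, whether to retain, anonymise (drop the identifying fields, keep the statistics), or erase, and logs every decision so the schedule can be shown to be enforced.

```python
"""Storage-limitation purge for hypothetical hotel guest records.
Added illustration; retention periods, field names and records are invented."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention policy per collection purpose: days the data stays
# identifiable after the purpose was fulfilled (check-out, invoice date), and
# what happens afterwards. Marketing data has no clock: it lives exactly as
# long as the consent behind it, so it is handled separately in decide().
RETENTION = {
    "reservation": (30, "anonymise"),  # keep occupancy statistics, drop identity
    "billing": (365 * 7, "erase"),     # hypothetical statutory invoice retention
}

# Fields that identify a natural person; a record with none of them left is
# treated as anonymous. (If record_id is also a key in another system that
# still holds identity, the result is merely pseudonymised, not anonymous.)
IDENTIFYING_FIELDS = frozenset({"name", "email", "phone", "passport_no", "ip_address"})


@dataclass
class Record:
    record_id: str
    purpose: str
    fulfilled_on: date            # check-out date, invoice date, consent date
    data: dict
    consent_withdrawn: bool = False
    statutory_hold: bool = False  # open dispute or audit: overrides the schedule


def decide(record: Record, today: date) -> str:
    """Return "retain", "anonymise" or "erase" for one record as of `today`."""
    if record.statutory_hold:
        return "retain"
    if record.purpose == "marketing":
        return "erase" if record.consent_withdrawn else "retain"
    if record.purpose not in RETENTION:
        # No documented purpose means no documented basis to keep it: fail closed.
        return "erase"
    days, after_deadline = RETENTION[record.purpose]
    if today <= record.fulfilled_on + timedelta(days=days):
        return "retain"
    return after_deadline


def anonymise(record: Record) -> Record:
    """Strip identifying fields, keeping only the non-personal facts."""
    kept = {k: v for k, v in record.data.items() if k not in IDENTIFYING_FIELDS}
    return Record(record.record_id, record.purpose, record.fulfilled_on, kept)


def purge(records, today):
    """Apply the schedule. Returns (records still held, audit log of decisions).

    The audit log is what demonstrates that the schedule is actually enforced
    (the accountability principle, Article 5(2))."""
    kept, audit = [], []
    for r in records:
        action = decide(r, today)
        audit.append((r.record_id, action))
        if action == "retain":
            kept.append(r)
        elif action == "anonymise":
            kept.append(anonymise(r))
        # "erase": the record is simply not carried forward
    return kept, audit


# Constructed sample data, evaluated as of a fixed date so results are stable.
TODAY = date(2019, 3, 15)
SAMPLE = [
    Record("R1", "reservation", date(2019, 1, 10),
           {"name": "A. Guest", "email": "a@example.com", "room_type": "double", "nights": 2}),
    Record("R2", "reservation", date(2019, 3, 1),
           {"name": "B. Guest", "email": "b@example.com", "room_type": "single", "nights": 1}),
    Record("M1", "marketing", date(2018, 6, 1), {"email": "a@example.com"}, consent_withdrawn=True),
    Record("M2", "marketing", date(2018, 6, 1), {"email": "c@example.com"}),
    Record("B1", "billing", date(2011, 1, 1), {"name": "D. Guest", "invoice_total": 420.0}),
    Record("B2", "billing", date(2011, 1, 1), {"name": "E. Guest", "invoice_total": 99.0},
           statutory_hold=True),
    Record("X1", "legacy_export", date(2019, 1, 1), {"name": "F. Guest"}),
]

if __name__ == "__main__":
    held, log = purge(SAMPLE, TODAY)
    for record_id, action in log:
        print(f"{record_id}: {action}")
    print("still held:", [r.record_id for r in held])
```

Run as a script it prints one decision per record: R1 is past its 30-day window and is anonymised (the statistics survive, the identity does not), R2 is still inside it, M1's consent was withdrawn so it goes regardless of age, B1 is past the hypothetical seven-year invoice period, B2 is held back by a dispute, and X1 has no documented purpose and is erased rather than kept by default.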

The Facts About GDPR

The drive to personalize the guest experience has traditionally led the hospitality industry to capture as much information about each guest as possible. Given the volume of guest data and preferences that hotels hold, the industry is exposed to real pitfalls in managing this personally identifiable information.

It is now the responsibility of hotels to put the individual and their rights first. Some facts:

The GDPR affects hotels across the world: it applies to every property that offers its services to, or monitors the behavior of, individuals in the EU, no matter where the property is located. That means it affects hotels everywhere, not just in Europe.

Hotels are liable under the GDPR: regardless of your partners or technology providers, the hotel, as the data controller, is ultimately responsible for using tools and processes that comply with the GDPR. Processors carry their own obligations, but that does not transfer the controller's responsibility.

No price discrimination within the EU: hotels cannot use profiling to set prices based on an EU visitor's location or nationality. This rule actually stems from the EU Geo-blocking Regulation (EU) 2018/302, which applies alongside the GDPR, but the profiling it relies on is personal data processing and falls under the GDPR as well.

Punishment can be crippling: an organization in breach of the GDPR can be fined up to 4 percent of annual worldwide turnover or 20 million euros, whichever is higher.


What is INNsight Doing to Comply With GDPR?

INNsight has performed a full audit of its own systems and controls and has begun taking the steps to ensure full compliance with the GDPR, with an eye on similar laws such as the CCPA. Additionally, INNsight has created an internal 'GDPR Pathway' with five steps to help us bring our clients to readiness: Evaluate, Design, Transform, Manage, and Observe.

The goal of the pathway is to help hospitality clients manage security and privacy effectively and efficiently, so that they reduce risk and, with it, incidents of data privacy violations. INNsight's services and products are designed to support you during each phase of your own GDPR compliance journey.

Evaluate
We have conducted GDPR risk and data privacy evaluations across our corporate governance, human resources, processes, data, and infrastructure. This led to a product and services roadmap for achieving compliance.

Design
We have designed new data management standards for the business and our clients, developed product requirements, and completed an implementation plan to bring all processes and technical infrastructure into compliance with the GDPR.

Transform
INNsight has developed and implemented these procedures, processes, and tools, and conducted the necessary GDPR training, to transform the business into a compliant data processor and controller.

Manage
We have executed the relevant business processes and built the technical infrastructure to establish consent, access-rights, and portability protocols for data subjects, and created the framework to protect against a data breach.

Observe
We will continue ongoing monitoring and assessment, and develop reporting to evaluate adherence to GDPR standards and to keep pace with future changes in requirements or new laws from other governing authorities.

Protect your hotel from a personal data privacy breach

What Does the GDPR Mean for Your Hospitality Business?

As a business owner, it is imperative that you audit your technologies and ensure that every technical and operational touch point where personal data is stored or transmitted follows the principles of the GDPR. Article 32 requires controllers and processors to implement appropriate technical and organizational measures, taking into account the nature, scope, context, and purposes of the processing and the risk to individuals; the regulation names encryption and pseudonymization as examples of such measures.


Relying on multiple third parties increases exposure. From OTAs for reservations, to internal systems such as your Property Management System, to your website developer, every hand-off is a potential weak spot for data protection compliance. Data protection safeguards should be designed into products and services from the earliest stages of development, which the GDPR calls data protection by design and by default (Article 25). Look for all-in-one solutions like INNsight offers that minimize external data transfers, and hold technology partners that act as your data processors accountable: Article 28 requires a written data processing agreement with each of them.

Given the sensitivity of personal data used to process guest reservations, question your software providers to ensure they have taken the necessary measures to comply with the GDPR. Basic governance calls for at least ensuring that data is encrypted in transit over TLS (still commonly called SSL, although the SSL protocol versions themselves are obsolete and should be disabled), encrypted at rest, and purged on a defined retention schedule. Ask whether your providers carry adequate cyber liability insurance and whether they have protocols in place to detect, contain, and report a personal data breach: the GDPR requires the controller to notify the supervisory authority within 72 hours of becoming aware of a breach, and a processor must notify the controller without undue delay.

GDPR & Our Data Subjects:

INNsight strives to protect the personal data privacy rights of our community members, who include travelers, business owners, and other website visitors. INNsight works to ensure that its data subjects have the following rights:

1) Right to Information
This right gives our data subjects the ability to ask us what personal data is being processed and for what purpose. You can find more information in our Privacy Policy.

2) Right to Access
This right gives our data subjects access to the personal data that our system processes about them. Data subjects can view their own personal data and can request copies of it, including a report of all personal data we hold on them.

3) Right to Rectification
This right gives our data subjects the ability to ask for corrections to their personal data when they believe it is inaccurate or out of date. For example, we offer a means for a data subject to log in and modify their reservation details and account details with ease.

4) Right to Withdraw Consent
This right gives our data subjects the ability to withdraw a previously given consent to the processing of their personal data for a purpose. Contact us to withdraw consent.

5) Right to Object
This right gives our data subjects the ability to object to the processing of their personal data. Contact us to object.

6) Right Not to Be Subject to Automated Decision-Making
This right gives our data subjects the ability to object to a decision based solely on automated processing. Using this right, a data subject may ask for their reservation to be processed manually by our agents. Contact us to make such a request.

7) Right to Be Forgotten
Also known as the right to erasure, this right gives our data subjects the ability to ask for the deletion of their data. Deletion is subject to our data retention schedule and to retention periods required by other applicable laws. Contact us to request erasure.

8) Right to Data Portability
This right gives our data subjects the ability to ask for the transfer of their personal data. On such a request, we provide a digital file, in a commonly used machine-readable format, of the personal data belonging to the subject.

Data Security Certifications & Facts

  • End-to-end encryption of personal data
  • TLS certificate signed with SHA-256 with RSA (sha256WithRSAEncryption) across the entire website
  • reCAPTCHA v3 protects against bots and abusive traffic
  • Two-factor authentication required to access any personal data
  • PCI DSS compliant handling of payment card details
  • Cyber liability insurance coverage

Disclaimer: The content on this page should not be construed as legal advice nor does INNsight guarantee conformity to GDPR or such privacy laws. Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining the advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

