Published Works

<< Return to Published Works List

The GDPR: Catering to Privacy in the Hospitality Industry

Raquel Lauren Loret de Mola | January 6, 2020

Introduction

The European Union’s (EU) “General Data Protection Regulation” (GDPR), which went into effect on May 25, 2018, requires businesses to carefully manage/prevent misuse of their customer data. The GDPR places stringent requirements on how businesses interact with their customers and further requires them to be extremely sensitive to their customers’ privacy rights. Notably, the GDPR implicates businesses that are based solely in the U.S. as well: regardless of where your business may be headquartered, if your clientele is EU-based, then GDPR compliance is triggered. For our purposes, the GDPR applies to all travel agencies, tour operators, hotels, motels, inns, clubs, bed-and-breakfasts, Airbnbs, car rental agencies, restaurants, aggregators, and other travel and hospitality groups that operate in Europe or outside of the EU and actively maintain data on EU residents. For hospitality businesses, this data can be encompassed within a membership, client/prospective client database, etc. 

The GDPR’s basic goals are as follows: if the business has a legitimate reason to collect, process, or transfer an EU resident/customer’s “personally identifiable information” (PPI), or information that could be used to identify or single out an individual, then these customers must be notified in clear, unambiguous terms. Further, businesses must inform their EU resident/customers as to everyone that is using their PPI and why; and if the customer instructs them to stop – they must stop! Finally, if the EU resident/customer requests to access, correct, delete, or transfer their PPI, businesses are required to assist with their request. 

Significantly, noncompliance with the GDRP can result in tremendous fines (reaching $20 million or four percent of the business’s worldwide revenues for the preceding year, whichever is higher), operational setbacks, and reputational damage. Consequentially, hospitality businesses must be prepared to address GDPR requirements through their policies, procedures, and technology if their business maintains PPI on and markets their services to EU residents.

Background of the GDPR 

Prior to the adoption of the GDPR, the EU regulated data privacy pursuant to Directive 95/46/EC. Directives are EU legislation requiring the member states to meet a certain goal, while allowing each member state to implement their own laws in order to the meet that goal. The Directive resulted in twenty-eight different data-protection laws throughout the EU. In order to harmonize these various laws, and respond to technological advances while offering greater privacy rights and protections to EU residents, the GDPR came into being. Although many aspects of the Directive continue on through the GDPR, there are key distinctions that will impact U.S. businesses, including those within the hospitality industry. The extent of the GDPR’s impact is dictated by how the business is defined: is it considered a data controller or processor (or both)? 

Controller vs. Processor

As a preliminary matter, it is important to note that businesses can weave in and out of the controller/processor roles, and how they categorize themselves is irrelevant for compliance purposes. Fortunately, the GDPR provides some guidance to aid in the assessment as to how businesses are defined under the Regulation for compliance purposes. Simply stated, controllers control: Article 4 of the GDPR defines a “controller” as “the natural or legal person…which, alone or jointly with others, determine the purposes and means of the processing of personal data.” In other words, controllers determine why and how consumers’ PPI is used, and even though they do not necessarily store or process the PPI, they are still responsible for the maintenance thereof. For example, a hotel that collects the preferences and contact information from its guests is considered a controller regardless of whether it stores the PPI on its own or through an external vendor. 

Article 4 of the GDPR further defines a “processor” as “a natural or legal person…which processes personal data on behalf of the controller.” So, processors are advised by controllers as to how to store, manage, or otherwise manipulate the PPI (which is oftentimes stored on a third-party server) and have no right to determine the purpose for which the PPI will be used. Examples of processors within the hospitality industry may include the following: external payroll processors; market research firms; affinity programs that sell to member bases, such as hotel rewards programs; and aggregators that market their own and others’ products and services to the consumer (such as Expedia, Kayak, Travelocity, etc.). 

The GDPR provides additional guidance as to businesses’ obligations and responsibilities under the Regulation. Controllers have various obligations under the GDPR. Controllers have to be able to justify processing PPI for that processing to be lawful, and they have to provide proper notification to their customers at the time of data collection. Generally, a controller must process PPI in accordance with one of the legal grounds set forth in Article 6 of the GDPR, which includes: the EU resident has given consent; it is necessary for performance of a contract or compliance with a legal obligation; it is necessary for protecting the EU resident’s “vital interests”; it is being carried out in the public interest or in the exercise of official authority; or it is necessary for “the legitimate interests pursued by the controller or a third party except where those interests are overridden by the interests or fundamental rights and freedoms of the [EU resident].” The GDPR requires controllers to maintain records regarding the PPI that the business controls or processes, including why they are controlling/processing it, where it goes, how long it is kept, what third parties do with the PPI, etc.

Furthermore, at the time that their EU resident/customer’s data is collected, controllers must notify the customer of the following: the identity of the data controller; the purpose and legal basis for processing the data; the recipients of the data; and whether the data is intended to be transferred out of the country, and if so, provide information on the security of the data in transit; the storage period; their rights to access, rectify, erase, transfer, or restrict the processing of personal data; the rights to withdraw consent and complain to supervisory authorities; and whether the information provided will form part of a profile.

As for processors, one of their key obligations under the GDPR includes their duty to notify the controller of a breach and to implement appropriate security measures. As a threshold matter, the GDPR broadly defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Article 33 of the GDPR further requires processors to “notify the controller without undue delay after becoming aware of a personal data breach.” In all likelihood, the processor’s obligations do not end there: their contractual obligations will likely require them to provide the controller with information regarding the breach so that they may assist the controller in satisfying its GDPR compliance obligations. With respect to implementing appropriate security measures (which is really to be performed in conjunction with the controller’s oversight), the GDPR provides some flexibility and allows processors to consider the state of the art, costs of implementation, nature, scope, context, and purposes of processing, as well as any potential risks.

Taking Steps towards GDPR Compliance

Hospitality businesses should consult with counsel who has dealt with GDPR compliance and work with them to identify the various departments within the business that utilize customers’ PPI, including IT, marketing, human resources, etc. From there, interviews must be conducted of key personnel within those departments to ascertain what PPI is collected/why, how are the customers notified, who has access to the PPI, where does the PPI go/how is it stored, how long is it stored, is it deleted, etc. All of this information must be documented, and these records must be maintained and consistently updated (particularly since a GDPR authority may request them at any time). Once this information is compiled and assessed, hospitality businesses should have some insight as to areas of high risk; these areas need to be prioritized for compliance. Then, counsel, in conjunction with a technology specialist, particularly one who is well-versed in IT-risk advisory, cyber security, digital forensics, and technology-systems design, can assist the business in implementing company-wide policies, procedures, technological programs, and security, and in providing education and training to their staff. Additionally, counsel should be prepared to assist the hospitality business in drafting the requisite notice to provide to their EU customers, which will need to advise them of their various above-referenced rights under the GDPR, e.g. their rights to consent/withdraw consent, to delete their PPI, etc., and include a specifically-delineated checklist with “opt-in” boxes where their consent is explicitly required. Notably, consent must be clear, unambiguous, easily accessible, and require the customer to take affirmative action to agree to each item, i.e. there can be no “agree to all” boxes. It is important to note that GDPR authorities can easily access such notices: they could serve as their first “tip” that a business is not in compliance with the Regulation; therefore, it is imperative for these notices to be properly prepared by an experienced attorney.

Conclusion

Total GDPR compliance may take time for some hospitality businesses depending on finances, labor, resources, etc., but prioritizing areas of high risk is a great place to start. The GDPR is here to stay, and it may ultimately become the global standard for data-privacy jurisprudence and lead to the implementation of similar privacy laws throughout the world, including the U.S. Indeed, the California Consumer Privacy Act (CCPA), which was adopted on June 28, 2018, establishes one of the most comprehensive data-privacy regulations in the U.S. to date. The CCPA regulates companies “doing business” in California, and is considered by some to be the U.S. counterpart to the GDPR. Of course, it seems inevitable that other states may also implement their own data-protection laws in the future. In any event, in light of the technology-driven world we live in today, data-protection laws appear to be catching fire. Accordingly, it is vital for hospitality businesses to take the necessary steps towards compliance, including, but not limited to, retention of legal counsel that understands the needs of the company and GDPR requirements, so that hospitality businesses can move forward with a well-considered, comprehensive compliance strategy.

For questions about this topic, please e-mail: KDHospitalityRetailPracticeGroup@kubickidraper.com.

locations

Miami

Miami Office

9100 S. Dadeland Blvd., Suite 1800
Miami, FL 33156

T: 305.374.1212 F: 305.374.7846

view location | map location

Miami-Dade

Key West

Key West Office

402 Applerouth Lane, Suite 2C
Key West, FL 33040

T: 305.509.7300 F: 305.374.7846

view location | map location
Monroe
Ft. Lauderdale

Ft. Lauderdale Office

One East Broward Boulevard, Suite 1600
Fort Lauderdale, FL 33301

T: 954.768.0011 F: 954.768.0514

view location | map location
Broward
West Palm Beach

West Palm Beach Office

515 North Flagler Drive, Suite 1800
West Palm Beach, FL 33401

T: 561.640.0303 F: 561.640.0524

view location | map location

Indian River | Martin | Okeechobee | Palm Beach | Saint Lucie

Tampa

Tampa Office

400 North Ashley Drive, Suite 1200
Tampa, FL 33602

T: 813.204.9776 F: 813.204.9660

view location | map location
Hernando | Hillsborough | Manatee | Pasco | Pinellas | Polk | Sarasota
Orlando

Orlando Office

201 South Orange Avenue, Suite 475
Orlando, FL 32801

T: 407.245.3630 F: 407.245.7685

view location | map location
Brevard | Highlands | Orange | Osceola | Seminole
Ocala

Ocala Office

101 Southwest 3rd Street
Ocala, FL 34471

T: 352.622.4222 F: 352.622.9122

view location | map location
Alachua | Citrus | Dixie | Gilchrist | Lake | Levy | Marion | Putnam | Sumter | Volusia
Jacksonville

Jacksonville Office

76 South Laura Street, Suite 1400
Jacksonville, FL 32202

T: 904.396.0062 F: 904.396.0380

view location | map location
Baker | Bradford | Clay | Columbia | Duval | Flagler | Hamilton | Nassau | Saint Johns | Union
Pensacola

Pensacola Office

125 West Romana Street, Suite 550
Pensacola, FL 32502

T: 850.434.0003 F: 850.434.0223

view location | map location

Escambia | Holmes | Okaloosa | Santa Rosa | Walton

Tallahassee

Tallahassee Office

1705 Metropolitan Boulevard, Suite 202
Tallahassee, FL 32308

T: 850.222.5188 F: 850.222.5108

view location | map location

Bay | Calhoun | Franklin | Gadsden | Gulf | Jackson | Jefferson | Leon | Liberty | Wakulla | Washington | Madison | Lafayette | Taylor 

Ft. Myers

Ft. Myers Office

13350 Metro Parkway, Suite 401
Fort Myers, FL 33966

T: 239.334.8403 F: 239.939.0700

view location | map location

Charlotte | Collier | DeSoto | Glades | Hardee | Hendry | Lee

Mobile

Mobile Office

11 North Water Street, Suite 10290
Mobile, Alabama 36602

T: 251.308.3351 F: 251.287.1624

view location | map location

Baldwin | Washington | Clarke | Escambia | Covington | Geneva | Houston | Henry |  Dale | Coffee | Barbour | Pike |Crenshaw | Butler  | Monroe | Clarke | Choctaw | Wilcox | Bullock | Russell

Seattle

Seattle Office

800 5th Avenue, Suite 4100
Seattle, WA 98104

T: 206.453.3030 F: 206.829.9046

view location | map location
King | Pierce | Snohomish 

hover over location name to preview, or click it for full details

Our Firm

our hi(story)

In 1963, Gene Kubicki founded the firm based on dedication to excellence. The same high standards have been maintained for over five decades -- years which have seen the firm’s ranks swell to over 150 attorneys.

ourattorneys

Our team knows return clients are the life blood of any law firm and this is why we ensure client satisfaction by an exacting attention to service and quality.  Client service coupled with a spectacular work ethic, makes our team hard to beat.

find an attorney

ourDIVERSITY

Kubicki Draper is committed to fostering an environment of equal opportunity for success and believes diversity is not only a moral imperative, but is also sound business practice.

Read More

ourPractices

In response to the growing needs of its clients, the firm began expanding in the early 1980's and today is a diverse full-service law firm providing trial, appellate, coverage, commercial and real estate transaction services.

browse our practice areas

ourresults

Kubicki Draper enjoys a national reputation for expertise in the handling of complex, high stakes litigation matters, as well as, appellate, general commercial and real estate practice.

preview our results

ourreach

With a dozen offices throughout the State of Florida and other key points in the southern parts of Georgia, Alabama, and Mississipi, as well as in Seattle, Washington, our firm is familiar to every venue statewide and will never get home-teamed.

find the location near you