Bulletin
on the Implementation of the General Data Protection Regulation (GDPR)
What is the General Data Protection Regulation (GDPR)
The General Data Protection Regulation, also known as GDPR, applies to all companies that process personal data of citizens of the European Union (EU). Therefore, any company that cooperates or trades with EU citizens should comply with GDPR requirements. In particular, the hotel industry is considered one of the most vulnerable to personal data threats, because hotels process a large amount of personal data daily, initially for sales promotion purposes, then through booking, on arrival and until the departure of their customers, or during visits to their websites, while personal data are particularly vulnerable to breaches through credit card payments.
What is currently the case and what this means for hotels
Since the entry into force of the Regulation, i.e. since 25 May 2018, hotels must not only constantly comply with the GDPR, but also be able to demonstrate such compliance. It is important for all active and future contracts with both staff and external partners to be examined from a legal point of view. It is also important to train employees in order to avoid leaks. Given that hotels rely on online promotions as a form of marketing, it is certain that the Regulation also has a significant impact on this strategy. For example, before the application of the Regulation, hotels could obtain an e-mail address once and then reuse it in campaigns and newsletters. However, with the adoption of the Regulation, re-obtaining the customer’s consent became mandatory in order to use their personal data for another promotional campaign, especially when it comes to an unassociated purpose.
What hotel owners need to do
In order to maintain and increase their customer base and to avoid fines and a drop in business from non-compliance with the Regulation, hotels should:
a) invest in legal and technological solutions and services with the help of which they will provide personalised services, while taking care of the security of their customers’ personal data and avoiding penalties. Furthermore, they must
b) appoint a Data Protection Officer (DPO) where and when it is required, who will facilitate and supervise the hotel’s compliance, while being responsible for communicating with the Hellenic Data Protection Authority.
Penalties and Fines
Failure to comply with the Regulation can result in both civil and administrative penalties and fines, which may amount to EUR 20 million or, in the case of enterprises, 4% of the total global annual turnover of the previous financial year. One year on from the Regulation, and with leniency having been granted so that everyone could adapt appropriately, compliance is now imperative. It is worth noting that the adverse effects on those within the tourism industry who did not comply in time have already been shown, either because of complaints or because of defamatory comments on relevant online platforms and tourist agencies.
“Argyriadis and Associates Law Firm” has created an experienced and highly competent team of legal personnel with great and multifaceted knowledge in the compliance process for the Protection of Personal Data, as well as in the Services of the Data Protection Officer (DPO), offering services tailored to the needs and specificities of all members of the tourist circuit and especially every hotel organization.
We are at your disposal for any information or clarification. (e-mail address: gdpr@alf.gr)