Compliance and obligations

GDPR in Hospitality: Managing Customer Data Without Risk

5 min read - 03 July 2026

A guest sends an email to the reception. Invoking GDPR, they request access to all data the hotel holds about them. The hotel has one month to respond. The manager opens the PMS, the email marketing software, and the customer database, and realizes there is no consolidated view of what the establishment has collected, nor of how long this data is retained.

This scenario is not uncommon. And it illustrates a structural problem: most hotels collect significant volumes of customer data, across a wide variety of touchpoints, without having formalized the rules governing this collection.

GDPR has applied to hotels since May 2018 without sectoral derogation. What's changing is the nature and diversity of the data hotels process, and the number of stakeholders involved in this processing.

Why Hotels Are Particularly Concerned

A typical business primarily collects transactional data. A hotel collects identity data, payment data, preference data, behavioral data during the stay, health data in some cases (allergies, accessibility), network connection data, and sometimes religious or philosophical beliefs via dietary choices.

This data density is explained by the nature of the service: a hotel stay is an extended relationship, not a one-off transaction. The guest lives in the establishment for several hours or several days. They leave traces at every stage: at booking, at check-in, during the stay, at check-out, and sometimes long after through loyalty campaigns.

Added to this is a legal specificity unique to the hotel industry in France: police forms. Every hotelier is required to have non-EU guests complete an identity form. These forms contain sensitive data and must be retained for six months, available to the authorities, then destroyed. This is a separately regulated processing activity, distinct from GDPR, that nevertheless interacts with it.

Finally, hotels work with numerous digital subcontractors: PMS, channel manager, OTA, email marketing tool, Wi-Fi provider, video surveillance system. Each processes customer data on behalf of the hotel. GDPR requires the hotel, as the data controller, to ensure that each of these providers processes data compliantly, and to formalize this contractually.

The Data a Hotel Collects and Its Legal Bases

Before discussing compliance, it's essential to know precisely what data is being processed. Data collected by a hotel falls into several categories depending on the time of collection.

Before arrival, booking generates identity data (name, surname, contact details), payment data (card number or guarantee), and sometimes preference data (room type, dietary requirements, estimated arrival time). The legal basis is contract performance: this data is necessary to provide the service.

During the stay, the hotel may collect Wi-Fi connection data (IP address, browsing logs, connection duration), room service requests, consumption data from the restaurant or spa, and satisfaction feedback. The legal basis varies: legitimate interest for Wi-Fi logs, contract for services, consent for satisfaction surveys.

After departure, data is used for invoicing, post-stay communication, and loyalty campaigns. Invoicing falls under a legal obligation (accounting retention). Marketing communication falls under consent or legitimate interest, under strict conditions.

This distinction by legal basis is not trivial: it determines what the hotel can do with the data, and for how long it can retain it.

Data Retention Periods to Observe

This is often the least formalized aspect in hotels. Data accumulates in the PMS without explicit purging rules. However, GDPR imposes a limited duration, adapted to the purpose of processing.

Practical guidelines for the hotel industry:

Booking and stay data are retained for the duration of the commercial relationship, then for five years to address potential disputes or accounting obligations. After this period, they must be deleted or anonymized.

Wi-Fi connection logs are retained for one year, in accordance with French legal traceability obligations. After one year, they must be deleted. This retention period is often incorrectly configured in hotel Wi-Fi solutions.

Prospecting and loyalty data are retained for three years after the last active contact with the customer. A customer who has not stayed for three years and has not opened the hotel's emails during the same period must be removed from the active database or have their consent renewed.

Video surveillance footage is retained for a maximum of thirty days, except for extractions in case of an incident (theft, dispute), which can be kept for the duration of the procedure.

Police registration forms for non-EU guests are retained for six months for authorities, then must be destroyed.

Documenting these retention periods and ensuring they are enforced within your tools is one of the simplest actions to implement, and one of the first things checked during a CNIL inspection.
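One way to turn the periods above into an enforceable purge rule, as an added example that is not part of the original article: a small policy table keyed by data category, with a calendar-aware deadline calculation, a hold flag for incident extractions, and an error for any category that has no documented period (which is exactly what the record of processing activities is supposed to rule out). Category names, the `legal_hold` flag and the sample records are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
# Retention periods from the guidelines above (category names are constructed): (unit, amount).
RETENTION_RULES = {
    "booking": ("months", 60),     # five years after the commercial relationship ends
    "wifi_log": ("months", 12),    # one year (French traceability obligation)
    "marketing": ("months", 36),   # three years after the last active contact
    "cctv": ("days", 30),          # thirty days unless extracted for an incident
    "police_form": ("months", 6),  # six months, then destroyed
}

@dataclass
class Record:
    record_id: str
    category: str
    anchor_date: date         # relationship end, log date, last contact, capture or form date
    legal_hold: bool = False  # hypothetical flag: incident extraction kept for the procedure

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    return date(d.year + y, m + 1, min(d.day, calendar.monthrange(d.year + y, m + 1)[1]))

def retention_deadline(rec: Record) -> date:
    """Last day the record may be kept; a category missing from the register is an error."""
    if rec.category not in RETENTION_RULES:
        raise ValueError(f"no documented retention period for {rec.category!r}")
    unit, amount = RETENTION_RULES[rec.category]
    if unit == "days":
        return rec.anchor_date + timedelta(days=amount)
    return add_months(rec.anchor_date, amount)

def is_overdue(rec: Record, today: date) -> bool:
    """True once the deadline has passed, unless the record is held for a procedure."""
    return not rec.legal_hold and today > retention_deadline(rec)

def overdue_records(records, today: date) -> list:
    """IDs a purge job should delete or anonymize, in input order."""
    return [r.record_id for r in records if is_overdue(r, today)]
# Constructed sample records, evaluated on a constructed date.
SAMPLE = [
    Record("B1", "booking", date(2021, 6, 30)),
    Record("W1", "wifi_log", date(2025, 7, 2)),
    Record("C1", "cctv", date(2026, 5, 1), legal_hold=True),
    Record("C2", "cctv", date(2026, 5, 1)),
    Record("P1", "police_form", date(2025, 12, 20)),
]
TODAY = date(2026, 7, 3)
```

Running `overdue_records(SAMPLE, TODAY)` lists B1, W1, C2 and P1; the held CCTV extraction C1 is skipped until the procedure closes.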

Five practical obligations to implement

Maintain a record of processing activities. This is the foundational document for all GDPR compliance. It lists all data processing activities carried out by the hotel (bookings, Wi-Fi, loyalty, video surveillance, etc.), detailing for each: the purpose, legal basis, categories of data concerned, recipients, and retention period. The CNIL provides a free template. An independent hotel can maintain this record in a few hours using a spreadsheet.

Inform customers. At each data collection point, customers must be informed clearly and accessibly. This includes on the website (booking form, contact page), at reception (display or QR code), and on paper forms. This information must state the identity of the data controller, the purposes, the customer's rights, and contact details for exercising these rights.

Manage data processors. Each service provider that processes customer data on behalf of the hotel must have signed a Data Processing Agreement (DPA) or equivalent contractual clauses. This applies to the PMS, channel manager, emailing tool, Wi-Fi provider, and booking system. Without this document, the hotel is exposed in the event of a data breach at a service provider.

Enable the exercise of rights. Customers can request access to their data, have it corrected, deleted, or object to its use for marketing purposes. The hotel must have a dedicated contact point (specific email) and an internal procedure to process these requests within the legal timeframe of one month.

Secure access. Access to the PMS and customer databases must be individualized, with strong passwords, differentiated rights based on roles, and an immediate revocation procedure upon staff departures. Shared access at reception using a generic account is a common and easily correctable non-compliance.

What digital tools must guarantee

A hotel's GDPR compliance largely depends on the compliance of the tools it uses. Verifying that its PMS is GDPR compliant, that its emailing tool offers a functional unsubscribe mechanism, and that its Wi-Fi provider retains logs for the correct period, is not optional.

For customer data management, three key criteria are essential. The tool must allow a client's data to be exported in response to an access request. It must allow data to be deleted or anonymized once a configured retention date is reached. And it must log access and modifications to ensure traceability.

A compliant hotel database centralizes customer information while ensuring GDPR compliance: role-based restricted access, configurable retention periods, export upon request, and data hosting in Europe. These criteria enable the hotel to respond to a data subject request in minutes rather than hours.

Sanctions and how to avoid them

GDPR penalties can reach 20 million euros or 4% of annual global turnover for the most serious infringements. In practice, the CNIL (French data protection authority) favors a progressive approach: formal notice, injunction, then financial penalty if infringements persist.

What the CNIL primarily checks during an inspection: the existence of a record of processing activities, the quality of information provided to customers, compliance with retention periods, access security, and the presence of contracts with subcontractors. All five of these points are achievable for an independent hotel without specialized legal assistance.

Reputational risk is often more immediate than financial risk. A publicly disclosed data breach, a data subject request not processed within the deadline, or a customer complaint to the CNIL affects customer trust and the establishment's image long before any administrative sanction.

Where to start, practically

For a hotel starting from scratch, the most effective sequence is as follows.

First, take inventory: list all tools that collect or store customer data (PMS, channel manager, email, Wi-Fi, cameras, reception spreadsheet). For each, identify what data is involved and how long it is retained.

Next, draft or update the record of processing activities, following the CNIL model, and set retention periods for each processing activity.

Then, verify that privacy policies are in place on the website and at reception, and that they are readable without needing to be a lawyer.

Finally, contact each digital service provider to obtain their DPA (Data Processing Agreement) or verify that GDPR clauses are present in current contracts.

This work typically takes one to two days for initial compliance. Once the foundations are laid, maintenance is light: an annual review of the record, a check of retention periods, and an update when new tools are added.

GetWelcom integrates GDPR compliance into customer data management: data hosting in Europe, named and differentiated access, export upon request, and configurable retention periods. To see how GetWelcom structures data management in your establishment: request a free demo on getwelcom.com.

This article provides general practical guidelines and does not constitute legal advice. In complex situations (multi-establishment group, specific processing activities, data breach), specialized legal assistance is recommended.

Hadrien REAUD
Co-founder of Getwelcom
03 July 2026
