Author: Vlatka Vuković, Co-founder and Lead Consultant at Horvath Wolf d.o.o., CIPP/E, ISO 27001 LA, ISO 9001 LA
You may be wondering how the General Data Protection Regulation (GDPR) impacts the tourism industry. What better way to experience it than while traveling?
Is there a better feeling than planning a vacation?
Personally, the process of planning a vacation is just as precious as the vacation itself, just as much as retelling vacation stories to the dearest people afterward, describing all the new places I’ve visited.
Professionally, I am a consultant. Clients hire me to identify irregularities and to propose the best solutions for them. Still, just as I do it professionally, I also can’t help but notice mistakes even when I’m in a private capacity.
What follows is a series of professional and private experiences taken from the perspective of a privacy geek on vacation.
1. GDPR IN TOURISM: Booking flights
I start with the time and date, which, of course, depends upon my working schedule, and then I choose the destination.
There’s not a lot to grasp there; all that matters is that, wherever I’m headed, the temperatures don’t get over 40 degrees Celsius, it isn’t the monsoon season, and there isn’t a military coup.
It’s taken me some years, but I finally learned to appreciate the real value of vacation – RESTING. After the compromise has been struck concerning “when” and “where,” the fun part finally comes – hunting down cheap flight tickets and charming accommodation options.
The story of getting the tickets is the same as ever – I try a number of different companies and services to get the best possible offer, but in the end, I always wind up with the same one.
And it’s the one that has done nothing in terms of personal data protection. Well, at least as far as anyone could tell, judging by the information on their website, or lack thereof.
They could’ve at least bought a generic notice of processing of personal data or any cookie notice, cheaply. But, nah. Nothing. Zero. Zilch. Nada.
Their direct competitors are not much better either – they did put in more effort and copied some information from another website.
However, in that same text, they state that the personal data processing activities and the taken security measures are in accordance with the law, the one that was repealed in May 2018. Need I say more?
Oh well, never mind. I did manage to book a cheap flight, and they even let me take an extra piece of luggage, so I’ll be nice, and I won’t hold it against them.
GDPR Advice: What information do you (the company, the data controller) need to provide to your customers (the data subjects)?
Before collecting the data, inform the customers about:
- your identity and contact details
- the contact details of the Data Protection Officer (DPO)
- the purposes of the processing and its legal basis
- your legitimate interest (if applicable)
- the data recipients or categories of data recipients
- the suitable safeguards for data transfers to third countries (if applicable)
- the data storage period
- the data subject rights
- the possible consequences for data subjects if they refuse to provide the data
- the existence of automated decision-making, including profiling
What about cookies?
For any cookies that are not strictly necessary for the proper functioning of the website and the provision of the service, you should ask the user for consent, with a separate consent for each type of non-essential cookie.
The cookie notice itself also needs to be designed – its colors, shape, and position – so that it doesn’t go unnoticed.
If users are given only one option – “I accept” – and have no choice but to agree to the use of all cookies, well, that’s not acceptance, but rather extortion.
Either way, that is not considered valid consent, and such treatment might get you fined.
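The per-category consent gate described above, as an added example that is not code from the article or from any of the companies it mentions; it runs in Node, and the cookie names, their categories, and the notice version are constructed for the demo:

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Cookie names and categories below are constructed for this demo, not taken from any real site.

// Registry: which cookie belongs to which category. Only "necessary" needs no consent.
const COOKIE_CATEGORIES = {
  session_id: "necessary", // keeps the booking session alive; strictly necessary
  _ga: "analytics",        // constructed analytics cookie
  ad_id: "marketing",      // constructed marketing cookie
};

// Categories the user can decide on separately. Nothing is pre-ticked: the default is "no".
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// A consent record: per-category choices, when they were made, and under which notice version.
function createConsentState() {
  return { choices: {}, recordedAt: null, noticeVersion: null };
}

// Record the user's per-category decision. A category the user did not tick is refused,
// so an "accept all or nothing" banner cannot be expressed here: every category is explicit.
function recordChoice(state, choices, noticeVersion) {
  const next = {};
  for (const c of OPTIONAL_CATEGORIES) next[c] = choices[c] === true;
  return { choices: next, recordedAt: Date.now(), noticeVersion };
}

// Withdrawing consent is as easy as giving it: one call resets every optional category to refused.
function withdrawConsent(_state) {
  return createConsentState();
}

// The check every cookie-setting code path must pass through before writing a cookie.
function canSetCookie(state, cookieName) {
  const category = COOKIE_CATEGORIES[cookieName];
  if (category === undefined) return false;   // unregistered cookie: refuse by default
  if (category === "necessary") return true;  // strictly necessary: no consent needed
  return state.choices[category] === true;    // optional: only with an explicit "yes"
}

// Given a consent state, list which cookies may be set and which must be deleted.
function applyConsent(state) {
  const allowed = [], remove = [];
  for (const name of Object.keys(COOKIE_CATEGORIES)) {
    (canSetCookie(state, name) ? allowed : remove).push(name);
  }
  return { allowed, remove };
}

// Demo: visitor ticks only "analytics", then withdraws.
const afterChoice = recordChoice(createConsentState(), { analytics: true }, "notice-v1");
console.log(applyConsent(afterChoice), applyConsent(withdrawConsent(afterChoice)));
```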
2. GDPR IN TOURISM: Reservation of accommodation
Unlike the company I bought the flight tickets from, the booking platform is quite the opposite.
They have a privacy notice in which they brag about their efforts to ensure the contents of the notice are “not too tedious.”
Even a 20-page-long article about the most interesting information or juiciest gossip would be tedious, let alone an endless amount of dull text whose ultimate goal is to make the user give up on reading it and on exercising their data protection rights. Wonderful! Just as the GDPR transparency principle dictates!
Still, I’ve had a fair relationship with them, their service is easy to use, and I’ve no complaints there. Considering they do have millions of users, I honestly believe they’ve managed to set aside a budget for personal data protection.
By that, I mean they have procedures and assigned responsibilities for implementing everything they described in a novel called Privacy Notice.
GDPR Advice: How to inform?
Don’t let your notice of personal data processing be a novel. Make it short, easily understandable, and available. Use clear and straightforward language.
Make sure the notice is available on your website, and, as a matter of good practice in hotels (and other accommodation services), also make that information available at the reception desk or through a TV notice that greets guests when they turn on the TV for the first time.
Train your staff and ensure they can give your guests at least the basic information before referring them to where they can obtain more information about the processing of their personal data and the exercise of their rights.
Be fair and transparent. You’ve got nothing to hide. Right? For more information, read the guidelines on transparency.
3. GDPR IN TOURISM: Check-in
I made it through the flight and the airport taxi service, and I’m finally at the hotel, where a charming receptionist welcomes me. I greet him, hand over my ID and credit card, and then I wait to see whether the receptionist will give me any notice or information about the processing of my personal data.
Nothing. All I got was: “Right, so, your room’s on the fifth floor, the network password is… the breakfast is served from…” Nothing about the processing of my personal data.
“Just one more thing. Please sign this GDPR consent,” he asks of me. He hands me a form containing all the data he entered during check-in, with a text at the bottom saying, “I agree that the hotel may process my personal data for the purposes of providing accommodation services.”
Tired from fighting it, I take a deep breath, carefully refraining from rolling my eyes, and then I sign – The Consent!
I won’t tell him anything about it, and I won’t be fighting for my rights at this moment because none of this is his fault.
In this case, the management is at fault because they have adopted a procedure that is guest-unfriendly and illegal!
I guess no one has thought about what would happen if a guest withdraws their consent or refuses to give it in the first place. And if the consent were really freely given, they would be able to do exactly that.
But it is not…
The legal basis for the processing of customers’ personal data is the contract that you have with them or the fact that you’re taking steps at the request of a potential customer prior to entering into a contract.
Also, some countries have special regulations that make it obligatory to collect personal data for the payment of special tax and to inform competent authorities about foreign guests.
So, if you need the personal data to perform a contract or to fulfill a legal obligation, you do not need and should not use consent.
Don’t complicate things by asking for your guests to sign various forms confirming that they’re informed about the processing and related information. You don’t need that.
Do not copy or archive copies of your guests’ personal documents. To make the collection of the necessary personal data easier, invest in an ID card reader.
Use consent for marketing purposes, customer satisfaction surveys, ensuring service quality, and similar.
In such cases, consent is an adequate legal basis: it can be given freely, voluntarily, and affirmatively, and it can be easily withdrawn without the data subjects suffering any negative consequences.
4. GDPR IN TOURISM: Video surveillance
While still checking in, my trained eye was looking for surveillance cameras.
I noticed a few of them but still couldn’t find any notices about the existence of surveillance.
Still looking… Searching… Wait. What? There’s a barely visible, transparent sticker on that massive glass entrance door. Is it the video surveillance notice?
Yes, it is… Once the formalities are done, I turn toward that door, accompanied by the bellman.
The sticker is discreet. The designer clearly considered the aesthetics of a space defined by clean lines and simplicity: an A for design, but a terrible F for failing to comply with the lawfulness and transparency principles.
While it is arguable that big and cumbersome information notices may spoil the space and make guests feel uneasy, these notices are mandatory.
Try finding the best compromise between aesthetics and legal obligation.
The notice on video surveillance activity must be clearly visible and placed so that it may be seen at the latest before entering the surveilled perimeter.
The notice should contain an illustration that suggests video surveillance is present, as well as other basic information.
Basic information includes:
- your contact information
- DPO’s contact information
- the purposes and legal basis for the processing
- contact information of the relevant supervisory authority
- a link to a website with more information
Of course, even to be permitted to set up video surveillance in the first place, such personal data processing must have a valid legal basis.
Read about legitimate interests for the processing of personal data.
5. GDPR IN TOURISM: Additional services
Traveling can be quite tiresome, so massages and saunas might be the perfect antidote.
I put on the fluffy, white-as-snow bathrobe and the disposable slippers, and leave the room to enjoy the massage session that I pre-arranged with the help of the reception desk.
I love the space, the music, the scents, and then I hear something like, “Ma’am, I’d like you to sign this consent, please.”
What? Why? Again!? Am I dreaming?…
Unfortunately not. The hotel outsources its wellness services, so the provider can’t deliver the service without knowing my name and room number.
When you are about to forward guests’ personal data to other data recipients or data processors (e.g., restaurants, travel agencies, transportation services…), make sure to inform the guests of such transfers in advance.
If there is a data processor in the process, you need to regulate that relationship with an agreement that conforms to the requirements set forth by the GDPR in Article 28.
Do not use generic contracts because every business relationship is specific and different.
Give your data processors clear instructions for the processing of personal data and define the technical security measures.
If you are not capable of giving instructions and defining the security measures, then your business partner is not a data processor. Simple as that.
6. GDPR IN TOURISM: Customers’ special requests
Personally, I neither have the need nor the opportunity to come back to the same hotels I’ve visited before.
However, some guests regularly visit the same hotels and expect the staff to know and understand all their wishes and special requests.
To be able to provide such exceptional service, hotels need to have the data at their disposal. Sometimes that data may include special category data (e.g., religious beliefs, data concerning health, sexual orientation).
Take care of your guests, respect their privacy, and be discreet.
If you have guests who come back regularly, that is a testament to the quality of the service you provide.
Do not process more data and information than what is necessary for the services the guest is asking for.
Start with your privacy program right away
It has been three years since the GDPR became applicable, and yet we still encounter situations like this.
There is no better time to review your compliance requirements than RIGHT NOW.
The first step is to review and check whether the records of processing activities are complete and accurate, and whether the processing of personal data is actually being done as described there.