GDPR for European Hotels: Marriott Fine, EDPB Guidelines & Complete Compliance Framework

£18.4M
Marriott ICO fine for the Starwood guest-database breach, 339 million guest records (October 2020)
€20M
Maximum GDPR fine or 4% global turnover — whichever higher
Art. 30
Article 30 Records of Processing Activities: required in practice for every hotel, because guest data processing is not "occasional" (the Art. 30(5) small-enterprise exemption does not apply)
72 hrs
Deadline for notifying the supervisory authority of a personal data breach, counted from the moment the hotel becomes aware of it (Art. 33)
GDPR ENFORCEMENT RISK FOR HOTELS: The ICO's enforcement actions against Marriott (£18.4M, October 2020) and British Airways (£20M, October 2020) established that hotels and travel operators face the full force of GDPR sanctions for inadequate technical measures, failure to conduct due diligence on acquired systems, and systemic security failures. The EDPB's Guidelines on the processing of personal data in the hotel sector (2022) specifically address reservation data, loyalty programmes, in-room entertainment, and marketing profiling, covering the full spectrum of hotel data operations.
Section 1

GDPR in European Hospitality: The Regulatory Landscape

LANDMARK CASE — Marriott International ICO Fine (October 2020)

Authority
UK Information Commissioner's Office (ICO)
Fine
£18.4 million (reduced from the £99.2M notice of intent issued in 2019)
Records
339 million guest records in the acquired Starwood reservation database; around 30 million related to EEA residents and 7 million to UK residents
Violation
GDPR Arts. 5(1)(f) and 32 (the infringements found in the ICO penalty notice): inadequate technical and organisational security measures and a failure to assess the acquired Starwood systems

The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) has applied since 25 May 2018. For hotels operating in the EU/EEA, or processing the data of guests in the EU from elsewhere, GDPR imposes comprehensive obligations covering: data subject rights, lawful basis for processing, data minimisation, retention limits, technical security, vendor management, breach notification, and cross-border data transfers. The European Data Protection Board (EDPB) issued specific hotel-sector guidance in 2022, addressing loyalty programmes, reservation data, and guest profiling. National data protection authorities (DPAs) across the 27 EU member states and the three EEA EFTA states actively enforce against hotels.

Article 5 Principles — Data Minimisation Failures

Hotels routinely collect more guest data than any single purpose needs: purpose of visit, dietary preferences, and room preferences linked to biographic profiles. Article 5(1)(b) (purpose limitation) and 5(1)(c) (data minimisation), as applied in the EDPB guidance, allow a hotel to collect only what is adequate, relevant and limited to what is necessary for each documented purpose; a field that exists "because it might be useful later" has no lawful purpose attached to it.

Article 22 — Automated Decision-Making

Article 22 applies to decisions based solely on automated processing that produce legal effects on the guest or similarly significantly affect them. Where a dynamic pricing algorithm or AI upsell tool crosses that threshold (for example, automatically refusing a booking or blocking a loyalty account), the hotel may only rely on the Art. 22(2) exceptions (necessary for the contract, authorised by law, or explicit consent) and must give the guest the right to obtain human intervention, to express their point of view and to contest the decision (Art. 22(3)). Revenue management AI that profiles guests in the EU must in any case be disclosed under Arts. 13/14 (existence of automated decision-making, the logic involved and its consequences), and consent given for it can be withdrawn at any time (Art. 7(3)).

Article 28 — Processor Agreements

Every hotel technology vendor that processes guest data on the hotel's behalf (PMS, CRS, POS, loyalty platform, email marketing tool) must be bound by a written contract containing the Article 28(3) terms, commonly called a Data Processing Agreement (DPA). OTAs are usually independent controllers rather than processors, so the arrangement with them is handled under Article 26 or as a controller-to-controller transfer instead. CNIL (France) enforcement in 2022 found 60% of audited hotel technology stacks lacked complete DPAs.

Section 2

Key GDPR Articles for Hotel Operations

Article 6 — Lawful Basis for Guest Data Processing

Hotels must identify and document a lawful basis for every processing activity before it starts. Common bases in hospitality: Art. 6(1)(b), contract performance (reservation processing, check-in, billing); Art. 6(1)(c), legal obligation (police registration requirements, tax and financial records); Art. 6(1)(f), legitimate interests (fraud prevention, security CCTV, subject to a documented balancing test); Art. 6(1)(a), consent (marketing emails, profiling for personalisation). Consent must be freely given, specific, informed, and unambiguous (Art. 4(11)) and the hotel must be able to demonstrate it (Art. 7(1)); pre-ticked marketing boxes and bundled consent are invalid.

Article 9 — Special Category Data in Hotels

Hotels regularly process special category data, which is prohibited unless one of the Article 9(2) conditions applies, most often explicit consent (Art. 9(2)(a)): dietary requirements (religious or health-based) revealing beliefs or health; disability and accessibility needs revealing health status; loyalty programme profiling that infers political or religious beliefs from travel patterns. EDPB guidance (2022) specifically warns that collecting dietary requirements 'just in case', without explicit consent tied to a stated purpose, violates Article 9.

Articles 13/14 — Privacy Notices

Hotels must provide the Article 13/14 privacy information at the time the data is collected, i.e. at booking (online, by phone or via an OTA), covering: data controller identity and contact details; processing purposes and legal bases; data sharing with processors and other recipients; retention periods; international transfer safeguards; and all GDPR data subject rights. At-property privacy notices must be available at check-in. Where a hotel and an OTA jointly determine the purposes and means of processing (for example, shared guest profiling), Article 26 joint-controller obligations arise and the allocation of responsibilities must be set out contractually; where each party decides independently, they are separate controllers and each owes its own privacy notice.

Chapter V — International Transfers

Hotel groups transferring EU guest data to non-EEA processors (US-based PMS cloud providers, global CRS platforms, call centres outside the EEA) must use: Standard Contractual Clauses (SCCs, the 2021 modules), together with a transfer impact assessment of the destination country's law as required since Schrems II; Binding Corporate Rules (BCRs) for intra-group transfers; or an adequacy decision covering the destination (the UK, for example). The EU-US Data Privacy Framework (adequacy decision of July 2023) allows transfers to US organisations on the DPF list, but DPF participants must re-certify annually, so the hotel must check each US recipient's listing is current before relying on it.

EDPB HOTEL SECTOR GUIDANCE 2022: The EDPB's Guidelines on the processing of personal data in the hotel sector (2022) are not legally binding, but national DPAs apply them in enforcement and a hotel departing from them needs a documented justification. Key points: (1) Marketing profiling requires consent, not legitimate interest; (2) Loyalty programme data must respect purpose limitation; (3) In-room entertainment viewing data requires explicit consent; (4) Guest profiling across properties requires Article 22 automated-decision transparency; (5) Dietary and accessibility data is Article 9 special category data.
Section 3

How Claire Manages EU GDPR Hotel Compliance

Claire GDPR Europe Hotel Capabilities

Article 30 ROPA Builder: Auto-generates and maintains Records of Processing Activities for all hotel data flows; maps processing purposes, legal bases, retention periods, and processor relationships.
Lawful Basis Checker: Validates legal basis for each processing activity against EDPB guidance; flags consent-based processing lacking valid consent records.
Article 9 Special Data Handler: Identifies dietary, health, and accessibility data flows; enforces explicit consent collection; applies enhanced retention limits and deletion schedules.
DPA / Vendor Registry: Tracks Article 28 DPA status for all technology vendors; generates renewal alerts; validates SCC/DPF status for US and non-EEA processors.
Breach Notification Workflow: 72-hour Article 33 notification countdown timer; auto-populates supervisory authority notification form; Article 34 guest notification decision support.
Privacy Notice Audit: Compares hotel privacy notices against Article 13/14 requirements and EDPB hotel guidance; flags missing elements; tracks annual review cycle.
Section 4

GDPR Europe Hotel Compliance Checklist

  • Article 30 Records of Processing Activities: Maintain an up-to-date ROPA covering all hotel data processing activities; review quarterly; DPO sign-off annually.
  • Lawful Basis Documentation: Document the lawful basis (Art. 6, plus an Art. 9(2) condition where applicable) for every processing purpose; no processing without a recorded basis.
  • Privacy Notice, Booking & At-Property: GDPR-compliant privacy notice provided at booking stage; available at check-in; accessible on the hotel website in all languages of operation.
  • Article 9 Explicit Consent for Dietary/Health Data: Collect explicit consent before recording dietary, health, or disability information; store the consent record with the guest profile.
  • Article 28 DPAs with All Processors: Signed DPAs with all technology vendors and third-party service providers processing guest data on the hotel's behalf; Article 26 joint-controller arrangements with OTAs where purposes and means are jointly determined.
  • International Transfer Safeguards: SCCs, BCRs, or DPF listing verified for all non-EEA data transfers; transfer impact assessments documented wherever SCCs are relied on.
  • 72-Hour Breach Notification Readiness: Documented and tested breach notification workflow; responsible party (DPO/CISO) designated; contact details for the lead supervisory authority and for the DPA of each EU member state in which the group operates maintained.
  • Data Subject Rights Procedures: Process for handling access, rectification, erasure, portability, restriction, and objection requests within one month of receipt (Art. 12(3); extendable by two further months for complex requests, with the guest informed within the first month); every request logged in a data subject rights register.
  • Marketing Consent Records: Valid consent with timestamp, source (IP address or channel), and the exact consent statement text shown, for every EU guest on the marketing list; consent withdrawal honoured within 72 hours and made as easy as giving consent (Art. 7(3)).
  • Article 35 DPIAs for High-Risk Processing: DPIA completed for CCTV, loyalty profiling, reservation data analytics, and any AI processing of EU guest data; reviewed whenever the processing changes.
Section 5

Frequently Asked Questions

What did the Marriott GDPR fine establish for hotels?

The ICO's £18.4M fine against Marriott (October 2020) established that hotels are liable for inadequate due diligence on acquired company data systems: Marriott failed to properly assess the Starwood network it acquired in 2016, which an attacker had compromised in 2014 and which remained compromised until the intrusion was detected in 2018. The ICO found infringements of Articles 5(1)(f) and 32, confirming that the security principle and the security-of-processing obligation create affirmative duties to assess and secure legacy systems after M&A transactions, not merely to react once a breach is discovered.

Does GDPR apply to non-EU hotel chains?

Yes. GDPR Article 3(2) has extraterritorial scope: it applies to any organisation outside the EU that processes personal data of data subjects who are in the EU in connection with offering them goods or services, or monitoring their behaviour within the EU. A US, Asian, or Middle Eastern hotel chain that markets to people in the EU, runs booking platforms targeting EU residents, or tracks EU visitors' behaviour on its website must comply with GDPR for that processing. EU citizenship alone is not the trigger (EDPB Guidelines 3/2018 on territorial scope): a non-EU hotel that merely records an EU citizen's passport at its own front desk, with no EU-directed offer behind the booking, is outside Article 3(2).

Is a dietary preference 'special category data' under GDPR?

Yes, where the preference reveals something protected by Article 9. The EDPB confirmed in its 2022 hotel sector guidelines that dietary preferences indicating religious beliefs (halal, kosher) or health conditions (gluten intolerance, severe allergies) constitute special category data under GDPR Article 9. Hotels must obtain explicit consent (Art. 9(2)(a)) or meet another Article 9(2) condition before recording such preferences. Collecting dietary data 'just in case', without consent and without a stated purpose, is a violation.

What is a Data Processing Agreement and which hotel vendors need one?

An Article 28 DPA is a mandatory written contract, containing the terms listed in Article 28(3), required whenever a hotel engages a third party to process personal data on its behalf. In hospitality, this covers: PMS vendors (Opera, Mews, Apaleo), CRS platforms, email marketing platforms, loyalty programme operators, CCTV cloud storage providers, and IT support companies with system access. OTAs normally act as independent controllers, so they need a DPA only in the less common case where they process data purely on the hotel's instructions. A missing DPA is an infringement in itself, whether or not a breach ever occurs.

How does GDPR interact with police guest registration requirements?

Many EU countries require hotels to collect and report guest identity data to the police (Germany: Bundesmeldegesetz §§ 29-30; Spain: Ley Orgánica 4/2015 and Real Decreto 933/2021; Italy: TULPS Art. 109). GDPR Article 6(1)(c) (legal obligation) provides the lawful basis for this collection. However, hotels may only collect the fields that the specific national rule requires, keep them only for the period it prescribes, and must not use police registration data for other purposes (marketing, profiling) without a separate lawful basis.
