Thursday, December 1 2022

All the questions

Data and hotel technology

i Data Protection

The hotel industry, mainly due to the processing of personal data relating to customers (name, date of birth, nationality, email address, etc.), is subject to the General Data Protection Regulations (GDPR) and the Data Protection Act. Freedoms.

The GDPR applies to the processing of personal data by hotel owners, operators, franchisors, franchisees and technology providers established in the EU, whether or not the processing takes place in the EU. It also applies in the event that they are established outside the EU, if the processing is related to the offer of goods or services to data subjects in the EU. French data protection law is also applicable.

The GDPR provides different sets of obligations depending on the legal qualification of the party (controller, processor, co-controller), which must be determined – on a case-by-case basis – for each party playing a role in processing of personal data by analyzing the key elements. Hotel owners are most likely considered controllers. Controllers are subject to a number of obligations including, but not limited to, determining a valid legal basis for processing personal data, providing information to data subjects (privacy policy) or the guarantee of respect for the rights of data subjects. In all cases, they must implement appropriate measures to ensure a level of security appropriate to the risk (for example, data encryption).

The hotel industry is likely to collect and process sensitive data (biometric data, health data or religious beliefs of customers). To do so, it is necessary to comply with one of the applicable specific conditions. For hotels, the processing of sensitive data will likely be based on the explicit consent of the data subjects, provided that the consent meets the validity criteria defined by the GDPR.

As a general rule, personal data is not kept longer than necessary for the purposes for which it is processed. This is particularly important for hotels as they generally process personal data subject to specific legal provisions under French law (i.e. CCTV data can only be retained for 30 days and WiFi traffic for a year).

The hospitality industry operates in several countries and, in this context, may transfer personal data outside the EEA. Hotels should only transfer data if the receiving country guarantees an adequate level of data protection, or if it implements appropriate safeguards (European Commission standard contractual clauses, binding corporate rules), or if a exception applies. The EU-US Privacy Shield, on which most data transfers to the US were based, has been invalidated by the Court of Justice of the European Union (CJEU), in the Schrem II decision of 16 July 2020. In addition to the implementation of appropriate safeguards, hotels must also determine whether additional measures (technical, contractual and organizational) must be implemented in accordance with the recommendations of the EDPS.19

If a hotel does not comply with the provisions of the GDPR, it faces a fine of up to 20 million euros or up to 4% of its annual worldwide turnover. For example, the National Commission for Computing and Liberties (CNIL) has just imposed a fine of €600,000 on a large hotel group,20 in particular (1) for having carried out commercial prospecting without the consent of the persons concerned, (2) for not having respected the rights of customers and prospects and (3) for having carried out in many EU countries. The CNIL notably took into account the number of breaches alleged by the company, the fact that these breaches concerned several fundamental principles of the protection of personal data and that they constituted a substantial violation of the rights of individuals, the number of people concerned and of the company’s financial situation. Taking into account the fact that the group had complied on several points, the CNIL submitted a draft decision to the foreign data protection authorities concerned, before issuing its final decision. As one of these authorities disagreed with the draft decision, the case was brought before the EDPS, which ordered the CNIL to reconsider the amount of the fine and to increase it so that the measure taken is more dissuasive.

The use of cookies on hotel websites is subject to specific rules and must in particular comply with the directives of the Commission Nationale de l’Informatique et des Libertés, CNIL of September 2020. In essence, cookies cannot be used ” in writing or reading” until the user has given his or her consent in due form – in a free, specific, informed and unequivocal manner – by a statement or by a clear affirmative action, a list of required information must be provided to the user before he gives his consent and it must be as easy to accept cookies as it is to refuse cookies.

ii E-commerce in the hotel industry in France

E-commerce in general is subject to a set of rules in French law, which therefore also applies to the hotel sector. As a first step, if there is no mandatory step to follow for the creation of an online business, a set of mandatory information must be made available on the hotel’s website, in the framework of the pre-contractual information obligation including (1) the conditions of use, (2) the general conditions of sale, (3) the privacy policy and (4) a legal notice containing mandatory information if the hotel is established in France.21

Specific rules apply regarding the contractual process between hotels and consumers. The French civil code22 lays down mandatory rules concerning the conditions of the offer made on the site, for example by ensuring that the “double-click” formality allows the consumer to double-check the details of his order before validation and payment. The French consumer code23 complements these requirements with additional mandatory information to be provided before a consumer makes a reservation. These include the price, if the price is personalized based on automatic decision-making, the main characteristics of the product or service as stated at the start of the booking process (price charged for one night in a double room, information on the services actually offered (internet connection, breakfast included or not, etc.), the method of payment accepted or the contact details of the hotel.24 A price reduction ad must show the previous price, which is the lowest price in the last 30 days before the reduction.25 The conditions and the contract must be provided to consumers on a durable medium once the reservation has been validated.26

French regulations also provide that the withdrawal period usually granted to consumers does not apply to online hotel reservations. The hotel must notify consumers of any such limitation of its right of withdrawal.27

It is also important to note that the French Tourism Code may also impose certain requirements regarding a hotel’s online activities. For example, article L311-5-1 specifies that the contract between a hotel professional and an operator of a platform for renting hotel rooms to consumers can only be concluded in the name of and on behalf of the hotel professional and within the framework of a mandate, although the hotel remains free to grant any discount or advantage to customers.

Finally, and although this does not concern hotels directly but rather their partners, (1) whenever hotels offer their services on an online platform, these platforms must comply with the specific requirements applicable to these platforms under the Decree n° 2017-1434 of September 29, 2017 and (2) specific regulations apply to agencies selling hotel stays (either as part of a package or as a stand-alone service).


Britain's Sunak promises financial stability as Hunt warns of tax hikes for all


Another I-81 Delay: At This Rate, Project Won't Start Until Overpass Collapses (Your Letters)

Check Also