Planning a Business Trip or a Vacation Stay at a Hotel? Know Your Rights with Respect to the Collection of Personal Data of Hotel Guests

Fundamentally, the hospitality business has a simple aim: as is frequently said, it comes down to putting heads in beds. Finding the heads to put in those beds, however, is a complex task that requires organizations to learn a great deal about their guests. Collecting and handling that data provides business opportunities but also creates obligations, the most essential of which is guaranteeing privacy and personal data protection.

The modern hospitality industry faces another test: meeting its obligation to protect the guest’s privacy during his/her stay at the hotel. This obligation arises the moment the guest enters into an agreement with the hotel after checking in. Hotel guests enter into a contract with the hotel upon their visit, and this entitles the hotel to process their information. Hotels can voluntarily offer guests certain rights over their own personal information. These can include the right to access information, the right to restrict processing, the right to object, the right to rectify information, the right to erasure, etc.

A recent report from Salesforce shows that customers have limited trust in how organizations handle their information. 59% believe their personal information is vulnerable to a security breach, and 54% don’t believe that companies have their best interests in mind. Nonetheless, the report also showed that giving customers control over what information is collected, being transparent about how information is used, keeping information secure, and obtaining express customer consent to use information were all ways organizations could improve that level of trust. Survey respondents also indicated that they were more likely to be loyal, recommend the company, spend more money, and share their experiences if they trusted the organization.

Types of personal data collected

The type of personal data collected varies from one hotel to another. The following personal data is generally collected when you make a hotel booking:

  • Personal Information (name, DoB, marital status, name of spouse, residential address, contact information, photographs);
  • Passport details and visa details;
  • Identification proof/Address proof (PAN Card, Aadhaar Card, Passport, driving license);
  • Guest Stay information (Number of visits in the hotel, date of arrival and departure, any special requests made, services availed, goods purchased);
  • Payment details (Credit/Debit Card Information);
  • Loyalty Membership (Account details, passwords etc.);
  • Information collected through CCTVs; and
  • Any other guest-specific information that has been willingly provided during the stay.

The personal data collected by hotels is used to perform contractual obligations and to comply with legal obligations. Such information can be used for contract administration, business planning, bookkeeping and review, providing services and benefits, managing legal obligations, preventing fraud, ensuring network and information security, etc.

Data privacy laws

There is no specific legislation on data privacy in India. However, the Supreme Court of India has declared the right to privacy a fundamental right under Article 21 of the Indian Constitution. In its landmark judgement in Justice K S Puttaswamy and Another vs Union of India and Others (2018), the nine-judge bench unanimously held that “privacy is an intrinsic part of the right to life and personal liberty under Article 21 of the constitution”. Since most guest information is stored electronically by hotels, compliance with the provisions of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 is mandatory. The IT Rules protect both ‘personal data’, i.e. “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”, and ‘sensitive personal data’, that is, certain specific data such as passwords, financial information like bank account, credit card, debit card or other payment instrument details, physical, physiological and mental health condition, and medical data. Since all of this guest data is capable of identifying an individual, the hotel has an obligation to protect it.

The IT Rules call for a body corporate to draw up a privacy policy, which should be readily accessible to the client and displayed in a conspicuous part of the website, so that the client is well informed about the type of personal data collected and the manner in which it is used. This privacy policy should be published on the hotel’s website. Providers of information are entitled to review this data and to add to or correct it, if necessary. The IT Rules require certain safeguards in the event of a transfer or transmission of the information, as well as the adoption of security practices and procedures by the hotel. If the hotel management wants to forward client information to subsidiaries and service providers, the express consent of the client is mandatory for sharing the information.

GDPR compliance

The introduction of the European Union’s (“EU”) regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”) has had significant implications for Indian organizations processing the personal data of EU Residents. Essentially, since the GDPR has extra-territorial application and applies to the processing of personal data of EU residents even by entities situated outside the EU, Indian entities acting as either a ‘controller’ (i.e. the person who determines the purposes and means of the processing of data) or a ‘processor’ (i.e. the person who processes the personal data on behalf of the controller) of personal data of persons in the EU, in relation to offering goods or services to such persons or monitoring their behaviour in so far as it takes place within the EU, become subject to the GDPR. The GDPR defines personal data as any information relating to an identified or identifiable natural person (i.e. “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and consequently all such data is considered ‘personal data’ under the GDPR. For Indian companies dealing with such ‘personal data’ of EU residents, it then becomes imperative to implement the data protection requirements stipulated in the GDPR within their systems. This requires a substantial overhaul and rewriting of their security policies and legally binding contractual arrangements with EU counterparts/Data Subjects, and of their internal data protocols and systems, to make them GDPR compliant.

It is a hotelier’s duty to recognize that data belongs to the guest and to define a core data protection strategy in light of that. Here are some individual rights under the GDPR:

  • The right to be informed – clearly outline what data you are collecting, why and for how long.
  • The right to access/modify data – provide access to personal data promptly, in a readable format, and amend it on request.
  • The right to give/withdraw consent – this refers to explicit consent. Offer an option to withdraw consent easily, and track how and when you collected the data and the consent.
  • The right to data erasure – weigh the individual’s rights against the public interest when receiving an erasure request, and erase where appropriate.
  • The right to transfer data – give the guest access to their own data to transfer on request.

Data breaches

Given the increased instances of hacking and the demand for guest data among organizations around the world, the data collected by hotels is under constant threat of a data breach. Insurance can be a solution to data breaches, yet its effectiveness is questionable. Hotel Management Agreements are silent on the subject of data breaches. These agreements state that ownership of the data rests with the manager of the organization. However, the data is mostly collected by the employees of the organization and not by the manager, and this has been a source of conflict since there is no clear demarcation between the manager and the owner. Although the owners should bear the damages arising from a data breach, there are instances of force majeure, such as third-party acts, which cannot be controlled by any IT systems of the hotels.

Privacy policy of hotels

A large number of hotel organizations have laid out a privacy policy that sets out all the rules and regulations regarding the use of guests’ personal data. A well-drafted privacy policy brings contractual clarity and trust between the hotel and its guests. Privacy policies also help hotels protect themselves from unwanted future liability. Guests are expected to read this policy to make sure that their data won’t be misused in any way.

Concluding Remarks

The hospitality industry faces continuing difficulties in securing the personal data of guests, while also grappling with the new legal landscape. Organizations need to recognize that while the challenges are great, success will build trust with the industry’s most important asset: its guests. A comprehensive approach gives organizations the opportunity not only to confront these issues but also to build brand value in doing so. At the same time, while the hospitality industry must comply with the legal landscape and invest in good business practices, hotel guests should likewise be vigilant in protecting their own privacy. Customers should avoid staying at hotels, or giving information to organizations, that do not have a privacy policy. Guests should provide only the information that is essential from the hotel’s perspective to ensure a legitimate stay.

From the viewpoint of cybercriminals, hospitality appears to offer an ideal target for offences such as identity theft and credit card fraud because of the presence of numerous databases and devices containing both “Guest Personally Identifiable Information” and financial data. This data can be used in spear-phishing schemes, sold on in large quantities, or used to make cloned cards when strong encryption isn’t in place to protect the financial information. With a full understanding of the primary information security threats and some best practices for mitigating those risks, the hospitality industry is better positioned to implement a thorough data security strategy that involves the essential techniques, processes, and people to improve cybersecurity.

Author Bio

Qualification: LL.B / Advocate
Company: N/A
Location: Indore, Madhya Pradesh, India
Member Since: 12 May 2021 | Total Posts: 1
