GB EN IT IT ES ES
GDPR · Hotels, B&B & hospitality
⚠ Guest data

GDPR for hotels & B&Bs.
Your guests' IDs and emails are everywhere.

Every guest hands you registration and ID data, and your booking flows through Booking, Airbnb, the PMS, the front desk and the CCTV. Most properties spread that guest data and those marketing lists across booking channels and staff with no access controls — convenient, and a textbook GDPR problem.

Free GDPR Check → Free GDPR Assessment for Your Property → All GDPR sectors
€20M
or 4% turnover — max fine
72h
to report a breach (a lost laptop counts)
Guest reg.
police/tourist registration is a legal duty
CCTV
needs a lawful basis + signage

The reality

What most properties
are getting wrong.

None of this is malicious — it's just how a busy property runs. But each one is a real GDPR gap a guest, a competitor or a disgruntled ex-employee can report.

🪪

Guest IDs shared with all staff

Guest IDs and registration data get passed around the whole team and over WhatsApp — on personal phones, in chat backups, with no encryption, access control or deletion.

📣

Marketing with no consent

Past guests are added to newsletters and promotional broadcasts without a valid legal basis or a clear way to opt out — a classic complaint trigger.

📹

CCTV with no basis or signage

Cameras film guests with no signage, no defined retention and no documented lawful basis — and footage anyone on shift can pull up.

📊

OTA exports in loose spreadsheets

Guest data is exported from Booking and Airbnb into uncontrolled Excel files and shared drives, far outside the platforms' own controls.

🔑

Shared PMS & front-desk logins

Everyone signs into the PMS and front desk with one shared login — no access levels, no audit trail of who saw which guest's data.

🗄️

Registration data kept forever

Police/tourist registration data and guest IDs are kept indefinitely, and there's no data-processing agreement with the OTAs or the PMS.

⚠️

It only takes one. A lost laptop, a leaked OTA spreadsheet, a guest who asks "what data do you hold on me and why?" — any of these can turn into a complaint to the data protection authority. The fix is far cheaper than the incident.

The fix

How we make your
property compliant — for real.

We don't hand you a policy and leave. We change how guest data actually flows through your property, with tools your team will actually use.

🔒

Secure guest data & access control

Guest IDs and registration data handled in a secure system with proper access levels and audit logs — who can see what — replacing WhatsApp and shared inboxes.

Consent & opt-out for marketing

A clean, documented consent and easy opt-out for guest newsletters and offers — so you can market to past guests lawfully and keep the proof.

📹

Compliant CCTV

A documented lawful basis, clear guest signage, a defined retention period and restricted access — your cameras brought fully in line.

Retention & deletion

A retention schedule aligned to your police/tourist registration duties and marketing lists — with deletion once the period ends, so you stop holding data you no longer need.

📄

DPAs with OTAs, PMS & vendors

Data-processing agreements and storage checks for Booking, Airbnb, your PMS, Wi-Fi and CCTV vendors — so your supply chain is covered too.

🎓

Training & breach plan

A short, practical staff briefing and a simple breach procedure (including "I lost the laptop"), plus the records an authority will ask for.

How we work

A path that fits
how a property actually runs.

01

Data-flow audit

We follow a real booking end-to-end: where the guest's ID, registration data and email go, across the OTA, PMS, front desk and CCTV.

02

Gap analysis

We flag the non-compliant flows and the concrete risks — prioritised, in plain language, not a 90-page report.

03

Remediation

We set up secure guest data handling, consent, CCTV controls, retention and the DPAs — and migrate you off WhatsApp and loose spreadsheets.

04

Train & document

A short team briefing, a breach plan and the records of processing — so it stays compliant day to day.

← All GDPR sectors

FAQ

GDPR for hospitality,
answered.

The questions hotels and B&Bs ask us most.

Can we email or market to past guests?+
Only with a valid basis. Adding every past guest to a newsletter or promotional list without consent or a clear opt-out is a classic complaint trigger — and guest emails pulled from Booking or Airbnb are often restricted by the platform's own terms too. We set up a documented consent and opt-out so you can market lawfully and keep the records to prove it.
How does police/tourist guest registration fit GDPR retention?+
Guest registration to police or tourist authorities is a legal obligation, so you can lawfully collect ID and registration data for it. But the same duty also defines how long you may keep it — you cannot hold guest IDs indefinitely. We map the registration duty to a retention schedule and set up deletion once the period ends.
Is our CCTV compliant?+
CCTV films identifiable people, so it's personal-data processing and needs a lawful basis (usually legitimate interest), clear signage, a defined retention period and restricted access to footage. Cameras with no signage, no retention and no documented basis are a frequent finding — we bring your CCTV in line with all of these.
Do we need agreements with Booking, Airbnb and our PMS?+
Yes. OTAs like Booking and Airbnb, your PMS, Wi-Fi provider and CCTV vendor handle guest data on your behalf or alongside you, so you need a data-processing agreement (DPA) with each and must know where data is stored. We review your stack and put the right agreements and safeguards in place.
Hospitality · Free GDPR assessment

See exactly where your property is exposed.

Tell us how you take in guest data and run your bookings today. We'll show you the gaps and the fix — response within 4 working hours, no commitment.

Request Free GDPR Assessment → All GDPR sectors
Free GDPR Check → Free GDPR Assessment →