What is GDPR and Why is GDPR Important?

GDPR stands for ‘General Data Protection Regulation’. It’s an EU regulation coming into effect in May 2018, and concerns the protection of personal data and the rights individuals have to their information. Consumers will have greater control over the data organisations hold on them.

What Rights Do My Hotel Guests Have Under GDPR?

The right to be informed
You must be honest and clear with your guests about how you are using their data.The right to erasure
Also known as ‘the right to be forgotten’, your guests have the right to request that their personal data is deleted or removed by the hotel, without having to give a reason why.

The right to data portability
This allows your guests to obtain and reuse their personal data for their own purposes, enabling your guests to take advantages of services which can use the data to find your guests a better deal.

The right to access
Your guests have the right to know exactly what information is held about them and how it is used.

The right to rectify
Your guests can ask to have their personal data corrected if it is inaccurate or incomplete.The right to restrict processing
Your guests have the right to block or suppress processing of their personal data – meaning that the hotel may store the data, but may not use it without the guest’s permission.

Rights of automated decision making and profiling
The GDPR has put in place safeguards to protect your guests against the risk of a potentially damaging decision being made without human intervention.

The right to object
In certain circumstances, your guests are entitled to object to their personal data being used. This includes if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.


So, My Guests…

can trust that their personal data is safe?
Yes. As the data controller, you (the hotel) manage your guest’s data. Your property management system (PMS) stores personal data, and that system must be protected – both physically and technically – from data theft (using passwords, firewalls, locked doors). Your high-speed internet service (HSIA) also collects personal which must be protected and managed. Hoist Group is proud to offer GDPR-compliant HSIA services where Hoist Group is the data controller and takes on the responsibilities of the GDPR, including technical barriers and requests for information.

can request a copy of the information a hotel holds about them?
Yes. If requested, as the data controller you must provide a copy of the personal data, free of charge, in an electronic format. You must take care that the identity of the person requesting the information matches personal information requested.

have the right to be “forgotten”?
Yes. They have the right to ask the hotel to erase their personal data. On your PMS system, you must comply within 30 days. Once your guest goes online however, you have competing obligations such as data retention laws which vary country to country. When you are obligated to retain data, you can’t honour a guest’s deletion request until the retention period is over. Hoist Group HSIA determines these competing obligations to manage deletion requests legally and fairly.


Since October 2016, Hoist Group has been intensively working to analyze, verify and improve its products on a path of discovery and compliancy with the new regulation. This was made possible thanks to a team of legal experts in data privacy, different teams of developers and Hoist Group’s IT department. These teams have been working constantly to ensure the best results, and will continue even after the regulation is in force as we strive to keep our customers a priority.

This represents Hoist Group’s considered and best thinking on GDPR as it relates to our products.  In the spirit of transparency and communication between processors and controllers that underscores the GDPR, Hoist Group is sharing this information with you, our customers. However, Hoist Group cannot give your hotel legal advice and ultimately your compliance is your responsibility.