Dear WuBookers, as you are well aware, among the obligations of the hotelier is to protect the information of its guests. A statement that may seem trivial but actually has several implications on a practical and legal level. So let’s take a look at what the privacy regulations are for hotels and other tourist facilities, and how to comply with them with the help of technology.
The GDPR: an overview
The General Data Protection Regulation (GDPR for short) is the European regulation that defines how personal data may be used, stored, protected and shared.
As described by the European Commission, the GDPR applies to:
- any company or entity that processes personal data as part of the activities of one of its subsidiaries established in the EU, regardless of where the data are processed;
- any company established outside the EU and offering goods/services (for a fee or free of charge) or monitoring the behavior of people in the EU.
This means, for example, that even hotels based outside Europe but processing the personal data of guests in the EU are subject to the Regulation. The obligations it imposes are many and include, for example, the guest's right to have their data erased from company databases (right to be forgotten) and the company's duty to notify data breaches: to the supervisory authority, and to the affected individuals when the breach is likely to put them at high risk.
Here we focus mainly on what concerns data privacy, i.e., the procedures to be followed to collect and use guests’ personal data, right from the time of booking.

What data can be collected and processed by the hotel?
To make a reservation and stay at a facility, guests are asked for certain personal data such as first and last name (essential to identify the customer), email address or phone number (to communicate about the reservation) and payment information. These data are essential in order to conclude the hospitality contract and provide the service.
Then there is other data, involving, for example, age or gender, which can be collected to improve the guest experience at the facility or for marketing purposes, that is, to engage them in commercial communications and promotions.
Finally, special categories of data are those revealing ethnic origin, political opinions, religious beliefs, health status, sexual orientation, and so on. The Regulation prohibits processing them unless one of its narrow exceptions applies, such as the guest's explicit consent or a genuine need to protect the guest. Food allergies are a typical case: they are health data, but the hotel needs them to provide a safe food service, so they should be collected for that purpose only, with the guest's explicit consent, and not reused for anything else.
Data processing in hotels
By data processing we mean any type of operation or set of operations involving data such as its collection, storage and transmission, whether in digital or analog form.
Before processing any data, the hotelier must inform guests through a dedicated document, the well-known privacy notice, and, for any processing that is not needed to fulfil the booking itself, obtain their explicit consent.
The privacy notice must describe legibly, clearly and unambiguously what data is collected, for what purpose and on what legal basis, how long it is kept, and how the guest can access, correct or delete it.
The document may be provided on paper, on arrival at the hotel, or electronically, during online check-in.
In any case, consent is mandatory for data used for promotional purposes, whereas data essential to the booking can be processed without it because the contract itself is the legal basis. It is nevertheless advisable to record the guest's explicit acknowledgement of the notice in both cases.

Data privacy and PMS for hotels: the case of Zak
As we have seen, some data are crucial to guarantee the service and are also a very useful information base for analyzing and improving one's offer. So it is crucial that they are collected while complying with all the criteria in the GDPR (penalty: fines of up to 20 million euros or 4% of the company's worldwide annual turnover, whichever is higher, for the most serious violations).
Zak, the PMS for hospitality facilities from WuBook, has several data protection features in line with the European Regulation.
Collection of consent
The first one is really about consent to processing. On the booking page of Zak’s Booking Engine (the system that allows direct reservations), the hotelier can insert a link to their privacy policy, which will be shown to the customer for acceptance.
The same link can then also be inserted within the guest page, which is the area where the customer enters and edits his or her personal information and reservation details.
As an additional form of assurance, the hotelier can also ask the guest to sign the notice during online check-in: an electronic signature drawn on screen with a mouse or a finger (a handwritten-style signature, not a cryptographic one), which is kept as evidence of acceptance.
Data retention and deletion
Automating the process of digital data collection and storage has several advantages. In addition to reducing manual errors and saving space, time, and resources (paper and ink first and foremost), digitizing data also allows for quicker action in case of deletion.
Zak, in particular, offers as many as 3 levels of automatic anonymization that apply after a time interval set by the hotelier (e.g., one year):
- Soft: all customer data except first name, last name and country are deleted;
- Medium: only the last name, country and the first letter of the first name are retained;
- Hard: all data are deleted.
Note that a record which still carries a full name, or a surname plus initial, remains personal data under the GDPR; only the Hard level takes the record out of the Regulation's scope. The softer levels reduce what the hotel holds, and the chosen retention interval still has to be justified by a purpose.
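To make the three levels concrete, here is an added example, written for this article and not code from WuBook or Zak, of a retention pass applied to guest records. Guest fields, the sample records, the one-year interval and the "today" date are all constructed assumptions; the rule that a record is processed once its last checkout is older than the interval is also an assumption, since the article does not say how the interval is measured.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

# Constructed example, not Zak's own code: the record layout, the sample
# guests and the retention rule are assumptions made for illustration.


class Level(Enum):
    SOFT = "soft"      # keep first name, last name, country
    MEDIUM = "medium"  # keep last name, country, initial of first name
    HARD = "hard"      # delete the record


@dataclass(frozen=True)
class Guest:
    first_name: str
    last_name: str
    country: str
    email: str
    phone: str
    birth_date: Optional[date]
    notes: str                 # free text; may hold special-category data (allergies)
    last_checkout: date        # operational field used only to compute record age


ONE_YEAR = timedelta(days=365)
SAMPLE_TODAY = date(2024, 1, 15)


def anonymize(guest: Guest, level: Level) -> Optional[Guest]:
    """Apply one level to a single record.

    Returns the reduced record, or None when the record must be deleted.
    SOFT and MEDIUM are data reductions, not anonymization in the strict
    GDPR sense, because a name (or surname plus initial) still identifies.
    """
    if level is Level.HARD:
        return None
    if level is Level.SOFT:
        return replace(guest, email="", phone="", birth_date=None, notes="")
    # MEDIUM: slicing handles an empty first name without raising.
    initial = guest.first_name[:1]
    return replace(guest, first_name=initial, email="", phone="",
                   birth_date=None, notes="")


def apply_retention(guests: List[Guest], level: Level,
                    retention: timedelta, today: date) -> List[Guest]:
    """Return the records that survive one retention run.

    Records whose last checkout is older than `retention` are reduced at the
    chosen level; newer records are returned untouched, in original order.
    """
    cutoff = today - retention
    kept: List[Guest] = []
    for g in guests:
        if g.last_checkout < cutoff:
            reduced = anonymize(g, level)
            if reduced is not None:
                kept.append(reduced)
        else:
            kept.append(g)
    return kept


def sample_guests() -> List[Guest]:
    """Two constructed records: one past the retention interval, one recent."""
    return [
        Guest("Maria", "Rossi", "IT", "maria@example.com", "+39 000 000",
              date(1980, 1, 1), "nut allergy", date(2022, 3, 10)),
        Guest("Luca", "Bianchi", "IT", "luca@example.com", "+39 111 111",
              date(1990, 5, 5), "", date(2023, 11, 2)),
    ]


if __name__ == "__main__":
    for level in Level:
        result = apply_retention(sample_guests(), level, ONE_YEAR, SAMPLE_TODAY)
        print(level.value, [(g.first_name, g.last_name, g.email) for g in result])
```

Running the block prints what survives at each level: Soft keeps "Maria Rossi" with contact details blanked, Medium keeps "M Rossi", Hard drops the record entirely, and the recent guest is untouched in all three cases. A real deployment would also log each run for accountability and make sure the same rule is applied to backups, otherwise the deleted data lives on there.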

Protection and security
What about possible breaches, such as theft or illegal dissemination of data by unauthorized third parties? Zak is developed to provide high levels of protection in this case too. Its infrastructure is certified as compliant with PCI DSS (Payment Card Industry Data Security Standard). That certification attests to the security of credit card transactions (via payment gateways), but in Zak's case the assessed perimeter has been extended to all of the servers, so that it covers not only transactions but also personal data.
Daily backups and advanced backup recovery systems ensure rapid restoration of databases (within 15 minutes!) and of the related activity.
In addition, protective measures are in place to prevent data leakage and the malicious action of malware and viruses. The quality of the code with which it is developed, the constant monitoring and the security of the cloud on which it is hosted make Zak one of the most affordable and reliable software products on the market.
In summary, when it comes to GDPR and user privacy protection, it is important to have a clear understanding of what is allowed and how to implement it, including getting help from experienced legal advisors. There is no shortage of technological tools to support this activity; you just need to know how to choose them, paying attention to the aspects above.