GDPR Compliance for Hotels, Restaurants, PMS, OTA or Channel managers

How to bring your hotel into GDPR compliance?

Are you an owner, manager, HRM, lawyer or hotel DPO? Datadiem offers a tailor-made GDPR training to bring your hotel into compliance with the General Data Protection Regulation. Manage the personal data of your own employees or customers of your hosting establishment making a reservation on your site, on the external reservation page of your PMS (booking engine) or via an OTA, people filmed by the video surveillance of your institution, etc.

In addition, marketing is now partly challenged by the new rules introduced by the GDPR. For example, hotels that rely heavily on digital marketing need to make significant changes to their procedures. In this sense, Datadiem has designed a training exclusively for the marketing teams and revenue managers of the hotel industry. The goal and browse marketing techniques to be abandoned on the one hand, modified or integrated on the other hand in order to bring your hotel into GDPR compliance. Beyond the hotelier and other professionals of accommodation and tourism, this training is also particularly adapted to the related activities of the reception, and is thus addressed to the cafe maker, restaurant owner and discotheque owner.

We help you set up today the organizational, technical and legal procedures to minimize the risk of financial sanctions and new criminal sanctions provided by the GDPR against the manager.

September 8, 2018 / Detection of a security breach in the Marriott hotel chain: Extent of non-compliance GDPR > 500 million customers affected, potential penalty > up to 4% of their global turnover.


Understanding the issues of GDPR compliance for the hospitality industry. This includes specific activities related to the management of room or bed reservations (for youth hostels) but also related activities such as catering, additional sales (visits, workshops, etc.) or rental of rooms. seminars and more recently wework-like workspaces.

Popularize the requirements of the GDPR specific to the collection of customers and the processing of their personal data. The goal is to allow managers, managers and hotel managers to respond with confidence, from the promotion phase of the rooms, through the booking and monitoring and retention of customers of the establishment.

Get concrete solutions according to your type of establishment (hotel, hostel, guest house, retirement home, cruise ship) and type of activity, immediately applicable within the Establishment by the manager but also each of the receptionists, revenue manager, HR managers, servers, cleaning technicians, with the aim of bringing your hotel into GDPR compliance.

Build a GDPR roadmap adapted to the hospitality industry, with solutions that can be applied in stages and within your facility’s potential for financial burden and restructuring of procedures.

Optimize the valuation of your company (in the eyes of investors or in case of transfer) with a capital of data called clean.

Minimize the risk of litigation particularly numerous, given the large number of prospects or real-life customers and the nature of the sensitive personal data collected during a reservation (bank details, passport, identity sometimes medical data), financial penalties for the company, the criminal liability of the owner or manager of the hotel or other form of establishment.


Minimizing the risk of fines for sanctioning irregularities as well as the risks of criminal liability of the owner / manager. Increased valuation of the company according to its degree of compliance with the legislation on the protection of personal data.

Increased confidence of existing customers as well as potential customers. Decisive advantage over competing entities.

Acquisition of the principles and requirements of the GDPR analyzed and placed in the context of your activity. Distancing itself from other courses offered in the compliance market, Datadiem training courses provide you with solutions that are adapted to your activity, both technically and organisationally.

What will you learn?

The training includes the following modules

Actors of GDPR compliance in your field

DPO relays within your facility are those who by their key function will enable the hotel’s data protection officer to implement the GDPR compliance roadmap. These people will help to propagate within the company the recommendations of the DPO, organize training and sensitization sessions. In the reverse direction, it will allow the essential information to be traced back to the DPO, for example during the creation of the register sheets or the audit of already existing procedures. Finally, they will participate effectively in the implementation of technical solutions with the various managers. The relays of the DPO within a hotel are often the HRD, the legal director, the head of computer systems, the manager of the establishment.

Service providers and subcontractors are actors or rather important links in the GDPR compliance chain of the hotel. It is your software publisher for the hotel Property Management System, CRM provider, customer relationship software, web host, employee payroll management software, your comments management system of your customers during their stay and their loyalty, tracking solutions on the website of your hotel, not to mention your provider of personal data management solution (data mapping type, record keeping and DPIA).

DPO Data Protection Officer who is the lead contractor for the GDPR compliance project.

The supervisory authority for personal data such as the CNIL in France.

Points of collection of personal data

The multitude of collection points for the personal data of the customers increases the risk of putting the responsibility of the controller in charge. The establishment of a list of these collection points makes it possible to quickly have an overview of the amplitude of the different categories of collected data and can constitute a first step towards the edition of the cartography.

As part of the management of reservations, customer prospecting and loyalty, a hotel establishment will use several tools directly or through subcontractors.

  • For the online booking a first collection point is usually set up on the home page of the hotel website, this is the booking form type “date of arrival”, “date of departure” , “number of persons”.
  • Once a reservation has been made with an OTA, the hotel will attempt to retrieve information from the customer by inviting him to do a “pre checkin” (pre-registration on the model of airline reservations), because OTA, for its part, has an interest in transmitting only the strictly necessary information to the hotel. This second collection point is usually set up on one of the pages of the hotel’s website.
  • Another example of a collection point is the comments and opinion module offered to the client in order to anticipate the customer’s loyalty according to his interests and improvements to be made during his eventual next stay.

Of course the list of collection points is all the longer as the establishment invests in marketing and technical promotion, retention and customer loyalty. Each point of collection of personal data implies to foresee its conformity as of its conception and by default (privacy by design and by default).

GDPR Key principles applied to your sector

It is not useful to explore or even review here the list of principles that have been clarified and crystallized in the GDPR Regulations. It is rather relevant to indicate that the key principles of the GDPR are approached under the prism of the new legal obligations put in competition with the reality of the practice of activity of the hotelier.

Rights of individuals, management of claims and breaches

Exercise of the rights of individuals to the institutions: customer rights, employee rights, actual cases of compliance notices and penalties in your sector.Management of reports of security breaches. The penalties incurred and their repercussions.

Practical solutions

  • Edit a mapping of personal data (with specificities for groups also).
  • Realize the digital transformation.
  • Build a web architecture that is tailored to your needs and complies with your GDPR compliance roadmap.
  • Secure personal data.
  • Supervise cross-border transfers of personal data, particularly to customers.
  • Conduct a DPIA impact study according to predictable scenarios for your activity.
  • List and then schedule the transmission of data security breach reports to the authority (eg CNIL).

Collector and processor of personal data

Increased legal knowledge ideally sanctioned by a degree in law or ideally a certificate of aptitude to the profession of lawyer (CAPA).

Technical knowledge: Understanding of the technical solutions available and recommended to meet the requirements of the GDPR and concretely applicable to the hotel sector.

The Data Protection Officer (DPO)

Increased legal knowledge ideally sanctioned by a degree in law or ideally a certificate of aptitude to the profession of lawyer (CAPA).

Technical knowledge: Understanding of technical solutions available and recommended to meet the requirements of the GDPR and concretely applicable to the hotel sector.

Manage a control of the Cnil

Better to be prepared for a CNIL check the day an agent comes to the reception of your establishment to carry out checks. Who is the person designated and prepared to welcome a CNIL agent within the hotel? What documents will be required? What are the points that controllers will be particularly attentive to?

HRD and personal data of employees

Assess the risks associated with the processing of personal data of hotel employees and control the risks of litigation.

Plan a budget

Anticipating the cost of different tools and services of compliance with the GDPR is not necessarily easy. The multiplicity of providers accessible on the internet generally offers very little legibility about the possible cost for a compliance mission. This finding is explained by the difficulty of the provider to be able to accurately assess the extent of future recommendations and their prioritization before having done an important job of assessing the gaps of society with the GDPR.

Datadiem helps you understand the rationale for developing a GDPR compliance roadmap and steps for making recommendations, so you can get a quote for compliance and plan the annual budget ahead of time. be dedicated to this end.

Who should attend this course?

Datadiem’s GDPR courses are scalable according to the audience, some topics particularly relevant for executives of a company will be totally inappropriate for employees and vice versa (For example the management of personal data of employees will be reserved for HR and management teams ). Our courses are particularly adapted to the DPO GDPR (with or without GDPR certification).


Company owners, managers or managers to understand the issues of the GDPR and the solutions to consider for their business. Employees with significant responsibilities within the company (organizational or technical) or whose mission is to train or direct others employees.


Marketing departments and their service providers are now using sophisticated digital technologies. The collection, tracking, sharing and retention of customers’ personal data have become crucial issues, concerns at the heart of each new marketing strategy. A marketing team can not ignore an in-depth knowledge of the GDPR’s principles, as well as available and feasible means to maintain data processing compliance with the GDPR. Each of the tools used by the companies must be analyzed in terms of the criteria set by the GDPR.

Contact or registration forms, newsletter, Analytics or Hotjar tracking solutions, CRM, Visitor and connected user of web or application platforms: each tool must meet all the essential requirements such as data minimization, control flows, in particular outside the countries of the European Union or of the appropriate countries, ect. The Datadiem training addresses all aspects of GDPR related to marketing with the aim of delivering concrete knowledge, immediately applicable by your teams according to the tools put in place.

Compliance with the GDPR requires a thorough knowledge of the text of the Regulation as well as the legal context in which it is inscribed (related legislation, national and territorial legislation). The revision of the contracts, particularly with the subcontractors, the development of the DPA (Data Processing Agreement), the validation of the legal basis of data collection and processing, the exercise of the rights of individuals, all these subjects taken into account. example involve mastering the legal principles and their application with regard to sanctions and case law.

The roadmap, which is the central document for any GDPR compliance project, requires risk assessment work on which the prioritization of risk implementation will depend. Effective risk categorization and prioritization requires knowledge of the legal risks a company faces.

Human ressources

Hospitality professionals are unanimous on one point, nowadays recruitment is a challenge. Mobility is accelerating and the “home-grown” career spirit seems far away. As a result, the HRD multiplies the interviews at increasingly frequent intervals, “it is not uncommon for the receptionists to stay only a few months in the establishment”, managers meanwhile they remain on average 2 years. Given this fact, the management of personal data within a hotel establishment has become a constant concern since the entry into force of the GDPR.

Human resource managers readily recognize that employee data collection is intensifying in quantity and diversity. Indeed the staff turnover effect implies, beyond the mass of CVs collected and treated, to have to answer new problems like for example the investment in automated training of staff in perpetual renewal. HRDs have neither the time nor the motivation to organize real training,

The Datadiem training for GDPR compliance of hotels explores all the new constraints of personal data protections that apply to HRDs in the hospitality and tourism sector: personal data related to recruitment, training, wage and payroll management or sick leave. For each of these categories, your institution must be able to meet the requirements of the GDPR principles: storage, minimization, security, legal basis, compliance of your suppliers, etc.

One of the peculiarities associated with the management of employees’ personal data is that the employer / employee relationship is in itself a fertile ground for litigation under labor law. It is a safe bet that this particular context encourages the subject of data collection, the employee, to lift the GDPR card before the judge in a conflictual relationship with his employer. Datadiem assists you in the preventive management and the minimization of the litigation risk related to the exercise of the rights of your employees related to the obligations foreseen by the GDPR.

Employee facing clients

Entry requirements

This training is reserved for professionals from the sector who have knowledge and experience of the activity within an establishment.

The course includes

  • A presentation slider shared with participants (pdf format).
  • A document of the main articles mentioned during the training.
  • The legislation
  • A certificate of attendance at the training.

Customer Reviews

Dealing with compliance in terms of the actual and daily activity of the establishment’s teams has immediately put all employees at ease from the start. Despite the level of complexity of complying with the GDPR, the trainers have been able to make the subject concrete for each employee, using the same language and referring to situations we face daily.


The training has been developed and regularly updated by experts from the sector as well as cybersecurity experts and privacy lawyers.

Datadiem’s trainers all have years of experience in the industry, experts in group management, web architecture and security of IT solutions for the sector, legal and technical compliance, or certified data protection officer (DPD / DPO)

You benefit from the experience of trainers specializing in the compliance and the training of your teams will thus rely on concrete and real examples of the sector.


The participants are evaluated in a fun way at several stages of the training in order to mark their minds about important recommendations while training to approach the final exam serenely.

At the end, a formal 60 minute exam will evaluate each participant in a formal way.


The exam is offered as 60 multiple-choice questions that can be accessed directly from a tablet or a simple smartphone.

Available languages

  • French
  • English


The results will be available immediately at the end of the evaluation.

The client administrator has access to a full report of the exam.


A certificate Datadiem will be issued within 15 days directly to any candidate having reached a score of 75% (in electronic format). There is currently no officially recognized certification by the data protection regulatory authorities. The certificate issued by Datadiem falls within the scope of the training obligation provided for by the GDPR.


A personal access code to your e-Learning space allowing participants to come back and forth to keys notions.

Food & drinks

A refreshment area (coffee, tea, biscuits, etc.) is at your disposal.

Scroll to Top