An extract from The International Hotel Law Review, 1st Edition

Data and hotel tech

i Data protection

The hotel industry, primarily due to the processing of personal data relating to guests (name, date of birth, nationality, email address, etc.), is subject to the General Data Protection Regulation (GDPR) and the French Data Protection Act.

The GDPR is applicable to the processing of personal data by hotel owners, operators, franchisors, franchisees and technology providers established in the EU, regardless of whether the processing takes place in the EU. It also applies where they are established outside the EU, if the processing is related to the offering of goods or services to data subjects in the EU. The French Data Protection Act is also applicable.

The GDPR provides for different sets of obligations depending on the legal qualification of the party (controller, processor, joint controller), which must be determined – on a case-by-case basis – for each party playing a role in a personal data processing operation by analysing key elements. Hotel owners are most likely considered controllers. Controllers are subject to a number of obligations including, but not limited to, determining a valid legal basis for processing personal data, providing information to data subjects (privacy policy) or ensuring compliance with data subjects' rights. In any case, they must implement appropriate measures to ensure a level of security appropriate to the risk (e.g., encryption of data).

The hotel industry is likely to collect and process sensitive data (biometric data, health data or religious beliefs of guests). In order to do so, it is necessary to comply with one of the specific applicable conditions. For hotels, processing sensitive data will likely be based on the explicit consent of data subjects, provided that consent meets the validity criteria set by the GDPR.

As a general principle, personal data shall be kept no longer than necessary for the purposes for which they are processed. This is particularly important for hotels since they usually process personal data subject to specific legal provisions under French law (e.g., video surveillance data can only be retained for 30 days and WiFi traffic data for a year).

The hotel industry operates in multiple countries and in this context may transfer personal data outside of the EEA. Hotels should only transfer data if the recipient country guarantees an adequate level of data protection, or if they implement appropriate safeguards (EU Commission standard contractual clauses, binding corporate rules), or if an exception applies. The EU-US Privacy Shield, on which most of the data transfers to the USA were based, was invalidated by the Court of Justice of the European Union (CJEU) in the Schrems II decision of 16 July 2020. In addition to the implementation of appropriate safeguards, hotels should also determine if supplementary measures (technical, contractual and organisational) must be implemented in line with the European Data Protection Board (EDPB) Recommendations.11

If a hotel fails to comply with GDPR provisions, it may face a fine of up to €20 million or up to 4 per cent of its annual global turnover.

The use of cookies on hotels' websites is subject to specific rules and must notably comply with the new Guidelines of the French Data Protection Authority, the National Commission for Informatics and Liberties (CNIL), dated September 2020. In essence, cookies cannot be used 'in writing or in reading' until the user has given his or her proper consent – in a free, specific, informed and unambiguous manner – by a statement or by a clear affirmative action; a list of required information must be provided to the user before he or she gives consent; and it must be as easy to accept cookies as it is to refuse cookies.

ii E-commerce in the hotel sector in France

E-commerce in general is subject to a set of rules under French law, which, therefore, also applies to the hotel sector. To begin with, although there is no mandatory step to follow in setting up a business online, a set of mandatory information must be made available on the hotel website, as part of the pre-contractual information obligation, including (1) the terms of use, (2) terms of sales, (3) privacy policy and (4) a legal notice containing mandatory information if the hotel is established in France.12

Specific rules apply regarding the contracting process between hotels and consumers. The French Civil Code13 sets out mandatory rules regarding the conditions of the offer made on the website, for example by making sure that the 'double-click' formality allows consumers to check the details of their orders twice before validation and payment. The French Consumer Code14 supplements those requirements with additional mandatory information to provide before a consumer books a reservation. These include the price, main characteristics of the product or service as stated at the beginning of the booking process (price charged for one night in a double room, information on the services actually offered (internet connection, breakfast included or not, etc.)), the means of payment accepted or the contact details of the hotel.15 The terms and the contract must be provided to consumers on a durable medium once the reservation is validated.16

French regulation also provides that the withdrawal period usually granted to consumers does not apply to online hotel reservations. The hotel must notify consumers of this limitation of their right of withdrawal.17

It is also important to note that the French Code of Tourism may impose some requirements regarding a hotel's online activities. For example, Article L311-5-1 states that the contract between a hotel industry professional and an operator of a platform for renting hotel rooms to consumers may only be concluded in the name and on behalf of the hotel industry professional and within the framework of a mandate, although the hotel remains free to grant any discount or advantage to its clients.

Finally, although this does not directly concern hotels but rather their partners, (1) whenever hotels offer their services on an online platform, that platform shall comply with the specific requirements applying to such platforms under Decree No. 2017-1434 of 29 September 2017 and (2) specific regulations apply to agencies selling hotel stays (either as part of a package or as a standalone service).