Two recent actions against prominent hotel groups in Europe suggest a heightened regulator focus on data protection issues in the hospitality industry. The lessons learned are equally applicable to many other sectors.

On 19 August, a class action lawsuit was filed in the High Court of England and Wales against Marriott International for a data breach that exposed the information of approximately 500 million guests around the world. The suit was filed by Martin Bryant, founder of the technology and media consultancy Big Revolution and previously editor-in-chief of the technology publication The Next Web.

Mr. Bryant is leading the action on behalf of millions of residents in England or Wales who made a reservation to stay at one of Marriott International’s Starwood properties (Marriott) before 10 September 2018.

The suit alleges that the cyber-attack resulted from a failure to take adequate steps to ensure the security of guests’ personal data and to prevent unauthorised and unlawful processing of that data, and that this failure therefore constituted a breach of data protection law.

The Marriott lawsuit follows closely behind a decision in Denmark against the Arp-Hansen Hotel Group, a firm based in Copenhagen operating 12 hotels (approx. 4,000 rooms). On 28 July 2020, the Danish Data Protection Authority recommended a fine of 1.1m Danish crowns (approx. €147,800) against the group for storing guests’ information longer than necessary, in violation of the storage limitation principle in Article 5(1)(e) of the General Data Protection Regulation (GDPR).

In an audit visit, the Danish Data Protection Authority (Datatilsynet) found that the group was holding customer profiles that should have been deleted several years earlier. Specifically, the Datatilsynet found 500,000 entries that should have been erased from the group’s systems.

During the inspection, the Datatilsynet discovered that the group’s booking system contained a multitude of personal data that should have been deleted in accordance with Arp-Hansen’s own deletion schedules.

Frederik Viksoe Siegumfeldt, Office Manager for the Datatilsynet’s Supervisory Unit, noted that in a society where personal data is increasingly being recorded and exploited, it is crucial for citizens to have confidence that their personal data is being processed for objective purposes and that such information is stored only for as long as necessary.

The Datatilsynet chose to report the matter to the police because, in its opinion, Arp-Hansen had not given any objective justification for its extensive storage of information.

DPO Perspective

The delay by the UK regulator, the ICO, in enforcing its intended £99 million fine against Marriott has drawn significant attention. The class action serves as a timely reminder to business of the wider risks, beyond regulator fines, that arise from a failure to invest in a robust cybersecurity and data protection programme.

The consequences of poor cybersecurity have dramatically increased. Organisations are not only faced with direct legal and financial consequences under the GDPR, but also additional legal, financial and reputational damages that come with poor data protection. Organisations have a duty of care to their customers, and ongoing monitoring of key systems and robust response procedures must be put in place to minimise the impact of a breach.

Cybersecurity is the responsibility of all employees within an organisation. To prevent costly customer data breaches, organisations are advised to implement ongoing education and awareness at all levels of the organisation. A layered approach to data protection, combined with continuous training and preparation, is critical to reducing both the likelihood and the impact of a breach.

Data retention is an often-neglected area of compliance. Many organisations hold too much data for too long without a basis for doing so. Proactive steps are required to assess the nature, purpose, classification and lifecycle of data. This assessment should produce a written retention schedule (a retention period and the event it is counted from, for each category of data), which in turn informs the operational processes an organisation must implement to ensure ongoing pruning and safe destruction of data. As the Arp-Hansen case shows, having a deletion schedule is not enough: it has to be enforced, and an organisation should be able to demonstrate on inspection that nothing is held past its deadline without a documented reason.
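The following is an added illustration of what enforcing such a retention schedule looks like in practice; it is example code written for this page, not HewardMills’ or any hotel group’s own tooling. The retention periods, record categories and guest records are all assumed and constructed for the example. It classifies records the way an inspection would (within period, overdue, or lacking any retention rule at all), respects legal holds, and erases overdue records while keeping only an audit log of identifiers and dates rather than the personal data itself.

```python
"""Retention-schedule enforcement: flag and erase records held past their deletion deadline."""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods in days after the trigger event. These values are ASSUMED for
# illustration; a real schedule is set by the organisation's own policy and applicable law.
RETENTION_SCHEDULE = {
    "guest_profile": 365,           # counted from last check-out
    "invoice": 5 * 365,             # counted from invoice date (assumed bookkeeping period)
    "marketing_consent": 2 * 365,   # counted from consent date if not refreshed
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date        # event the retention period counts from, e.g. check-out
    legal_hold: bool = False  # e.g. subject of litigation; exempt from routine deletion


def retention_deadline(record):
    """Last day the record may be held, or None if its category has no defined period."""
    days = RETENTION_SCHEDULE.get(record.category)
    if days is None:
        return None
    return record.trigger_date + timedelta(days=days)


def classify(records, today):
    """Split records into keep / overdue / unclassified, as an inspection would."""
    keep, overdue, unclassified = [], [], []
    for r in records:
        deadline = retention_deadline(r)
        if deadline is None:
            unclassified.append(r)   # no retention rule at all: itself a compliance finding
        elif r.legal_hold or deadline >= today:
            keep.append(r)
        else:
            overdue.append(r)
    return keep, overdue, unclassified


def erase_overdue(store, today):
    """Delete overdue records from `store` (dict of record_id -> Record).

    Returns erasure-log entries holding only identifiers and dates, never the
    personal data, so the log can be retained as evidence without re-creating the problem."""
    _, overdue, _ = classify(list(store.values()), today)
    log = []
    for r in overdue:
        del store[r.record_id]
        log.append({
            "record_id": r.record_id,
            "category": r.category,
            "deadline": retention_deadline(r).isoformat(),
            "erased_on": today.isoformat(),
        })
    return log


# Constructed sample data for the example (not real guest records).
SAMPLE = [
    Record("G-1001", "guest_profile", date(2014, 3, 2)),                   # years overdue
    Record("G-1002", "guest_profile", date(2019, 12, 15)),                 # still within period
    Record("G-1003", "guest_profile", date(2016, 6, 1), legal_hold=True),  # overdue but on hold
    Record("I-2001", "invoice", date(2013, 5, 9)),                         # overdue
    Record("I-2002", "invoice", date(2018, 1, 20)),                        # within period
    Record("X-3001", "loyalty_notes", date(2012, 1, 1)),                   # no rule defined
]
INSPECTION_DAY = date(2020, 7, 28)  # assumed audit date

if __name__ == "__main__":
    keep, overdue, unclassified = classify(SAMPLE, INSPECTION_DAY)
    print(f"{len(keep)} within period, {len(overdue)} overdue, "
          f"{len(unclassified)} without a retention rule")
    store = {r.record_id: r for r in SAMPLE}
    for entry in erase_overdue(store, INSPECTION_DAY):
        print("erased", entry)
```

Two design points matter here. A record whose category has no retention rule is reported as a finding rather than silently kept, because "we never decided how long to keep it" is exactly the gap the Danish inspection found. And the erasure log deliberately omits the record contents: an organisation needs to prove that deletion happened and when, not to keep a second copy of what it just deleted.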

HewardMills acts and advises as a DPO service. For further information contact