Hospitality operators such as hotels, airlines, and resorts collect and process a substantial amount of sensitive or personal data through multiple channels, not only directly from customers but also via online travel agencies and third-party reservation tools. Whether it is dietary requirements, data of minors, or religious and cultural requirements collected to enhance the customer's experience, the hospitality sector must ensure that it complies with the local regulations of every jurisdiction this data travels through.

This extensive data flow adds complexity to compliance efforts, requiring businesses to carefully consider region-specific privacy legislation as they process the data of people setting off from one location and travelling across borders. Here is a worldwide review of some of the main regulations relevant to businesses in the hospitality space.

EU and UK General Data Protection Regulation (GDPR) 

With Europe welcoming close to a billion inbound arrivals in 2024 alone, hospitality businesses must effectively navigate the stringent data protection standards of the EU and UK GDPR.

The GDPR imposes strict rules on data transfers to third countries (those outside the EU/EEA). If a country has not been approved as having adequate data protection laws, businesses must rely on transfer mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Given the hospitality sector's reliance on booking platforms and loyalty programs, additional measures such as pseudonymisation and encryption are useful safeguards to support GDPR compliance.

For hotels and airlines processing minors’ data, the GDPR mandates strict safeguards to ensure their protection as their data is categorised as high risk. Parental consent is essential when offering digital services like online bookings and loyalty programs to minors under 16 or, in some EU countries, 13. 

China’s Personal Information Protection Law (PIPL) 

Arguably stricter than the GDPR's rules on international data transfers, China's PIPL mandates that businesses collecting large amounts of personal data store that data locally. Hotels or airlines collecting Chinese customer data must conduct security assessments before receiving the green light to transfer customer data outside China.

Japan’s Act on the Protection of Personal Information (APPI) 

Despite being geographically distant, Japan's Act on the Protection of Personal Information aligns closely with GDPR principles, and Japan is one of the few countries that have been granted an adequacy decision by the EU.

The APPI primarily relies on consent as a basis for processing, particularly for sensitive data. Like the GDPR, Japan’s APPI requires parental or guardian consent for processing minors’ data, especially if the data falls under the scope of sensitive data such as their dietary requirements or medical information.  

For cross-border transfers, businesses must obtain informed opt-in consent from the recipient, or establish a protection system, including a contract ensuring APPI-compliant safeguards.  

South Korea’s Personal Information Protection Act (PIPA) 

South Korea’s PIPA has unique requirements for international data transfers. When transferring guest or customer data abroad, businesses must provide detailed disclosures, including the time, date and method of transfer, along with the rejection process and destination country. Transfers without consent are permitted if the recipient meets ISMS-P security standards or the country is PIPC-approved. 

Saudi Arabia: Personal Data Protection Law (PDPL) 

Saudi Arabia's PDPL is yet another law structured much like the GDPR, but it imposes stricter requirements on cross-border transfers. Hospitality businesses must use the Saudi Data and Artificial Intelligence Authority (SDAIA) mechanisms such as SCCs and BCRs, or obtain explicit consent. Article 29 of the PDPL outlines the acceptable purposes for cross-border transfers.

Because Saudi Arabia is a predominantly Muslim country, hotels may need information about religious practices to accommodate guests' needs such as prayer times and halal food requirements. Under the PDPL, such information is considered sensitive personal data and requires explicit consent before collection. Hotels and airlines should clearly explain why this data is being collected, and the data should be handled securely and used only for that purpose, namely meeting religious requirements and improving the overall customer experience.

In the unfortunate event of a data breach, businesses must notify the SDAIA and affected individuals without undue delay, a more immediate response than the GDPR requires.

Latin America 

The EU GDPR has set a global benchmark for data protection laws, prompting many countries in Latin America to revise their existing regulations. Bolivia, Chile and Colombia are among the countries with pending legislation for more comprehensive data protection laws.

Argentina’s Personal Data Protection Law (PDPL) 

Argentina is among the pioneering Latin American countries to update its data protection laws in line with the GDPR. Section 12 of the PDPL also adopts the EU's adequacy approach, and this general prohibition on transfers to countries without adequate protection applies equally to international data transfers between companies of the same group.

Brazil’s Lei Geral de Proteção de Dados (LGPD) 

Brazil's LGPD generally aligns with the EU's GDPR, with Articles 33 to 36 outlining when data may be transferred internationally. The regulated international transfer mechanisms include SCCs and adequacy decisions, subject to approval by the National Data Protection Authority (ANPD).

US State Laws 

In the US, the absence of a federal data protection law has resulted in a mix of federal and state laws that the hospitality sector must navigate:

California Consumer Privacy Act (CCPA) 

Among the patchwork of privacy acts, the CCPA remains the most comprehensive, but it has a narrower scope than the international regulations above. Hospitality businesses operating in California fall under the CCPA if they meet at least one of these criteria: annual gross revenue of 25 million USD, handling the personal information of 100,000 or more California residents, or deriving 50% or more of revenue from selling or sharing personal data.

California residents have the right to opt out of the sale of their personal data, with "sale" broadly covering sharing with data, analytics, and marketing partners. For hospitality businesses, this is particularly important when personal data is transferred across multiple entities in the travel ecosystem. Hospitality businesses must provide an easy opt-out process and ensure that these preferences are honoured.

As a global DPO, HewardMills is well-positioned to support businesses to ensure that the correct safeguards are put in place to protect their guests’ sensitive or personal data, ensuring the dots are joined in and between the maze of multiple regulations they have to comply with.