The Hellenic Data Protection Authority has issued compliance recommendations to tourist accommodation businesses over practices that breach rules on the protection of customers’ personal data, including photographing or photocopying identity documents and credit cards.
Complaints over hotel data practices
The Authority acted after receiving complaints about the collection and processing of personal data by hotel businesses. It issued compliance recommendations to the tourist accommodation businesses concerned and also contacted hotel associations, asking them to inform their members immediately about the proper application of the General Data Protection Regulation (GDPR) and their related obligations.
The complaints concerned, in particular, the photographing or photocopying of customers’ identity cards for the purpose of recording identification details or issuing tax documents. They also involved the photographing or photocopying of both sides of customers’ credit cards and the retention of those copies for possible future use in the event of disputed transactions.
Authority says practices breach GDPR principles
According to the Authority, these practices violate fundamental GDPR principles, including lawfulness, fairness and transparency in processing, as well as the principle of data minimisation. Where applicable, they also breach the obligations of data protection by design and by default.
The Authority also warned that such practices unnecessarily increase the risk of unauthorised access, fraud or financial loss for the individuals concerned.
Hotel bodies asked to alert members
The Authority asked the Panhellenic Hoteliers Federation, the Hellenic Chamber of Hotels and the Confederation of Greek Tourist Accommodation Entrepreneurs to inform their members of the need to comply with GDPR principles.
In particular, accommodation businesses have been told not to collect or retain photocopies or photographs of identity cards, passports or other identification documents, as there is no specific and clear legal provision requiring them to do so. They must also refrain from photographing, photocopying or storing copies of customers’ credit or debit cards.
The Authority further said that any processing of personal data must be based on an appropriate legal basis, and that businesses must assess whether the measures they apply are necessary and proportionate.
Accommodation businesses must provide customers with clear, easily accessible and up-to-date information about the processing of their personal data, both through their websites and by any other appropriate means.
They have also been instructed to review their internal procedures for customer check-in, payment and reservation management, and to brief their staff accordingly so that the principle of data minimisation is properly applied.