After four years of preparation and discussion, the European Union's General Data Protection Regulation (GDPR) was finally approved by the European Parliament on April 14, 2016. After the enforcement date, May 25, 2018, organizations that do not comply may face exorbitant fines.
The GDPR replaces Directive 95/46/EC on the protection of personal data and aims to harmonize national privacy laws across Europe, protect and enhance the privacy of EU citizens and reform the way this privacy is approached by various actors – public and private.
The main articles of the GDPR, as well as a summary of the text of the Regulation, can be found here.
What constitutes personal data and what does not?
Personal data is defined as any information that can be associated with an identified or identifiable living citizen. Separate pieces of information which, taken together, can lead to the identification of a specific person also constitute personal data.
Data that has been anonymized and stored in a way that no longer enables a citizen to be identified is no longer considered personal. In such cases the anonymization process must be irreversible.
The way in which personal data of third parties is collected and maintained – computerized or on paper – does not affect the GDPR's requirements for protection.
Examples of personal data:
- First and last name
- Residential address
- Email address, even a corporate one like name@company.com
- Identity number
- Location data – e.g. from the location function of a mobile phone
- IP address
Examples of information that does not constitute personal data:
- Company VAT number
- Press email address info@company.com
- Anonymous data
Examples of sensitive personal data:
- Data revealing racial or ethnic origin
- Religious orientation
- Political beliefs
- Medical history
In general, personal data which are by nature particularly sensitive in relation to fundamental rights and freedoms require special protection.
Basic rights of citizens
The GDPR strengthens existing rights, provides for new rights and gives citizens greater control over their personal data. It provides, among other things:
- Easier access to their data — including providing more information about how data is processed and ensuring that this information is available in a clear and understandable way
- New right to portability of data — making it easier to transfer personal data between service providers
- Clearer right to erasure ("right to be forgotten") — when an individual no longer wishes their data to be processed and there is no legitimate reason for retaining it, the data will be deleted
- Right to know when their personal data has been leaked due to a security breach of a system — businesses and organisations should inform individuals immediately about serious data breaches. They should also inform the relevant data protection supervisory authority.
How does GDPR affect hotels?
Hotels keep their customers' personal data in their files in three main ways:
A. "Short-lived" data
Data and information that are recorded during the visitor's stay and/or shortly before and shortly after it and are intended to facilitate and automate internal processes and provide hospitality services.
B. Marketing data
This is the way in which personal data files are stored and processed that is most targeted by the Regulation. For marketing purposes or even out of negligence, large volumes of email addresses, names or other data are usually stored for an unspecified period of time – and usually without the explicit consent of the data subject. This situation can lead to a conflict with the new privacy protection regime.
C. The "hidden" sensitive personal data
Although the category of sensitive personal data, which is the most closely watched under the new Regulation, mainly concerns public organizations, hospitals, doctors' offices and clinics, a hotel may, under certain conditions, retain sensitive personal data of its guests.
For example, at the spa, where a brief medical history may need to be kept, or at the restaurant, where a customer's eating habits become known and may reveal their religious orientation.
Read here: How the new Regulation affects loyalty clubs...