Publication 13 May 2025 · International

GDPR Enforcement in Accommodation & Hospitality

Deep dive into relevant data protection enforcement cases and insights for accommodation & hospitality sectors

To date, DPAs from 15 different countries (+1 in comparison to the 2024 ETR) have imposed 83 fines (+11 in comparison to the 2024 ETR) in the accommodation and hospitality sector, i.e., on restaurants, hotels and other companies. The fines amount to a total of approximately EUR 22.6 million, with only a minimal increase over the last year (+EUR 0.1 million compared to the 2024 ETR).

The Spanish DPA is still the most active DPA, imposing 50 % of all fines in the accommodation and hospitality sector (42, +5 in comparison to the 2024 ETR), followed by the German authorities (17, +2 in comparison to the 2024 ETR).

Let's take a closer look

  • Video surveillance remains the most important topic in the accommodation and hospitality sector. Around two thirds of all fines in this sector involve video surveillance in restaurants, bars and hotels (50 cases; +4 in comparison to the 2024 ETR). The most common reasons for such fines are recordings of public spaces (violation of the principle of data minimisation, Art. 5 (1) c) GDPR) and the lack of sufficient information on video surveillance (Art. 13 GDPR). Most of the fines for unlawful video surveillance are in the three to four-figure range.
     
  • Cyber incidents are becoming increasingly important for the imposition of fines. Two fines in 2024 were imposed for the failure to implement adequate technical and organisational measures to protect personal data, leading to data breaches or fraud incidents: one in the amount of EUR 4,200 (ETid-2349) and another in the amount of EUR 8,000 (ETid-2477). Furthermore, the highest fine against hotels and restaurants in recent years was imposed by the UK DPA on Marriott International, Inc. in the amount of EUR 20,450,000 for customer data lost in a cyber incident (ETid-60). A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). The third largest fine against hotels and restaurants – EUR 475,000 – is also related to a cyber incident: Booking.com B.V. was fined by the Dutch DPA for not reporting a data breach to the DPA in a timely manner (ETid-612).
     
  • The highest fine in this sector in 2024, imposed by the Croatian DPA, amounted to EUR 45,000, and was based on the unlawful processing of personal data through the use of cookies (ETid-2496).
     
  • The DPA of Hamburg, Germany imposed the second highest fine – EUR 16,000 – for the processing of ID cards without a legal basis by a hotel (ETid-2435).
     
  • The highest fines against hotels and restaurants in recent years remain the fine of EUR 20,450,000 imposed on Marriott International, Inc., discussed above, and the fine of EUR 600,000 imposed by the French DPA (CNIL) on ACCOR SA in 2022, in particular for unlawful processing of customer data for advertising (ETid-1361). In the latter case, guests who made a booking directly with the hotel or one of the hotel group's websites automatically became recipients of an advertising newsletter as the box for consent to receive the newsletter was pre-ticked. In addition, the hotel had not sufficiently informed data subjects about the processing of their personal data in this context, had failed to respond to data subjects' requests for access to personal data in a timely manner, and, due to technical problems, many individuals were unable to opt out of receiving the promotional emails.
     
  • However, 83 % of the fines in this sector are still within the range of EUR 50 to EUR 20,000, with 45 % amounting to just EUR 2,000 or less. In contrast, there were only 7 fines (8.3 %) in the six-figure range or higher.

Main takeaways

In the accommodation and hospitality sector, data protection violations in the context of video surveillance remain the most important reason for the imposition of fines. Other important topics are cyber incidents, leading to data breaches or fraud incidents, and the unlawful processing of ID cards. At the same time, fines in this sector remain at a relatively low level, except where large hotel chains or online platforms are concerned.