Europe’s new framework for data protection laws was launched nearly five years ago, and while some time has passed since its execution, it continues to be as important as ever. Properly conforming to the GDPR is key for hotels. It’s important that every hotelier understands the basic principles of this EU privacy law in order to protect their reputation and the data they collect from their guests.

We’ll look at the core principles of this data law, help you understand how it affects hotels, and give you an ultimate GDPR checklist. At Mews, we believe that privacy is a fundamental right. Here we explain why, and also reveal how we’re going beyond GDPR to simplify data controllership for hoteliers. So, keep reading to uncover everything you ever wanted to know about this complex topic.


In a nutshell: what is GDPR?

GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that came into effect on 25th May 2018, which itself was an enforcement of rules that had been created over a decade ago. GDPR gives power back to consumers by forcing companies to become transparent in how they collect, store, and share their customers’ personal data.

GDPR was created to bring as much uniformity into data protection as possible, aiming to give control back to all individuals over their personal data (“any information relating to an identified or identifiable natural person” – e.g. an individual’s name, identification number, location data, online identifiers…) and to simplify the regulatory environment for international business.


Why is GDPR important for hotels?

GDPR is important for hotels because it’s a way of showing your guests that you care about their privacy and their right to protect their personal information. It’s the duty of a hotelier to proactively show the user how their data is being managed and which third parties have access. In the spirit of protecting this data, we should cover all sensitive information, even that which is currently exempt from GDPR, such as credit card information.

Why is GDPR important for Mews?

The same level of sensitivity should be applied when designing the best way of dealing with personal data, and we have tried to use state-of-the-art technology and frameworks which would suit this. 

As soon as a guest’s profile is created in the Mews platform, we send them an email to introduce ourselves as the data processor acting on behalf of their chosen hotel, and to give them both the access and information they need to be able to update and maintain their personal data themselves. Why? Because we firmly believe that guests should have full control over their own data.

Our Founder, Richard Valtr, explains Mews’ approach as follows:

“We believe that privacy is a fundamental right, and as a business, Mews cares fiercely about the integrity of handling customer data and the protection of their rights.  We think that GDPR is a step in the right direction, but unfortunately an incomplete solution.

We believe that customers will happily give service providers access to their data as long as they can see and control who that data is passed to, and to what end.”



How does GDPR affect hotels?

The GDPR affects hotels in many ways, as non-compliance can result in hefty penalties. It is also changing the way hotels collect and process customer data due to the volume of sensitive personal data and credit card information that must be collected and processed to make a reservation. 

What are the 3 core principles of GDPR for hotels?

When executed properly, the GDPR legislation ultimately offers hoteliers the opportunity to establish more open communication streams with their guests. So let’s take a look at the core principles of this privacy law.


By being transparent when explaining to guests exactly what their personal data is being used for, hoteliers can identify and fully understand their guests’ expectations for their stay experience.

Being Specific

By being specific about how personal information will be used, smart hoteliers can build up valuable databases of clients interested in receiving relevant marketing material, and crucially, identify their likes and dislikes. Well-targeted follow-on communication will then increase the chance of repeat bookings, and help with personalization, which is at the heart of the hotel experience.

Hotels are more likely to meet (or hopefully exceed) the pre-stay expectations of guests who provide data related to their personal preferences (desired pillow type, dietary restrictions, favorite beverages, etc.). Read more about simple ways to improve the guest experience.

The right to choose

The GDPR gives customers the right to object to their data being processed at any time. Hotels must get consent to process data, and guests are free to withdraw that consent at any time. Guests can also request that their information be deleted at will.

The ultimate GDPR for hotels checklist

Have you checked recently that you continue to uphold GDPR compliance? This is where a checklist can come in handy, since the responsibility lies in the hands of hotels and data controllers. 


Start by auditing your internal processes, including your vendor contracts and the information you already have on hand, and understand how this data is interrelated. The key is to understand the information you collect and process, and who has access to this data, in order to know how to move forward.


Once you know what data you process, it’s time to get in touch with existing vendors to understand how they are complying with data protection policies. Choose products like Mews that are serious about protecting client data and improving user rights, and committed to protecting the privacy of all visitors and users.


Now that you’ve audited your own internal processes and those of your vendors, it’s time to come up with a plan of action of how you will manage data. Be sure to include guidelines for policies and processes, and clearly define roles and responsibilities. In the event of a data breach, be sure you know how you will act to mitigate the problem. 


With a plan of action in place, be sure you get consent from your website visitors for cookies and give them a chance to opt out. For marketing activities, be sure to give them the chance to double opt in. Update your privacy policy, and be sure that your front desk is also in compliance when it comes to offline data collection.


Training is one of the best ways to improve front desk operations and to improve GDPR compliance. Ensure your staff knows how to act in order to comply, and what to do in the case of a data breach. The better they are trained, the more you can be sure your hotel lives up to the GDPR regulations. 


Living up to GDPR compliance is an important part of your duty as a hotelier to protect your guests’ privacy, and empowering guests in this way can also double up as an effective tool for savvy hoteliers wanting to offer a hyper-personalized and frictionless stay experience. Guests who trust you because they know you keep their personal data safe are more likely to choose you over the competition.