Photo: depositphotos.com

Hoteliers have a duty to use enhanced security measures to protect guests. This contractual obligation covers all aspects of guests’ private lives, from the protection of their person and property to the protection of their image and personal or confidential data.

Amending current hotel management agreements appears necessary

GDPR (General Data Protection Regulation - European Regulation No. 2016/679) and Act No. 78-17 on Information Technology, Data Files and Civil Liberties, as amended on 20 June 2018, aim not only to protect personal data but to safeguard the free movement of this data. In this digital era, the protection and movement of personal data must be supervised and regulated to avoid misuse, errors or accidents in processing, the like of which has been seen on several occasions these past few years.

Today, a news agency can hack into Air France’s website to retrieve the names of celebrities travelling on board. Huazhu, a major Chinese hotel group, saw 141.5 Go of guest data – 150 million user accounts – go missing. Fastbooking, the online booking platform and subsidiary of AccorHotels, declared that it was the victim of a major cyber-attack in June 2018. And Marriott has just announced that hackers have breached its reservation system, compromising up to 500 million customer accounts.

The time has come to mobilise hoteliers around these issues

How can these issues be addressed when hotel owners are negotiating a management agreement with hotel brand operators? While the responsibility for the operational management of the hotel is entrusted to the hotel operator, the owner retains the legal and financial responsibility for the property. Each year, the owner and operator set the budget and agree on the main hotel investments and operations, ensuring these are carried out.

Hotel management agreements fall under article 1984 et seq. of the French Civil Code: the owner-principal is therefore responsible for the actions of the operator-agent. Since 25 May 2018, and in accordance with the new regulations, an amendment/ annex to hotel management agreements has been required to provide for the management of personal data and the distribution of the respective responsibilities of the owner-principal and the operator-agent in processing this data. In theory, the data controller is the person (natural or legal) who determines the purposes and means of data processing. In practice, the data controller may therefore be both the principal and the agent, depending on the data processing operations that each carries out. This will depend on the description and scope of the hotel management agreement and the obligations entered into by the parties. Failure to comply with GDPR may expose hoteliers to various types of legal proceedings:

- (i) administrative proceedings, initiated by the CNIL (the French Data Protection Authority), either following a complaint from a victim, an employee, a consumer association, etc., or during an inspection;

- (ii) civil proceedings, brought directly by victims who claim damages resulting from the unlawful processing of their personal data;

- (iii) and potentially criminal proceedings.

(i) Hoteliers are exposed to significant administrative penalties These can range from a simple warning to a fine of up to 4% of the defaulting company’s worldwide turnover, or €20 million. This is, therefore, a particularly serious sanction whose payment is not covered by the hotel’s insurance company. Sanctions are imposed by the competent administrative controlling body – the CNIL, in France. This penalty will be imposed principally on the party considered to be the data controller, and at times on the subcontractor, if the latter has failed in their duty. If the operator-agent alone determines the purposes and means of personal data processing (generally the case, in practice), the operator-agent will be considered as the data controller and is the party that will be administratively sanctioned.

The owner-principal may be considered as a data co-processor if they initially carried out certain data processing operations or were solely responsible for doing so. Yet the imposition of an administrative sanction does not prevent the hotel guest, whose personal data has not been protected, or has been insufficiently protected, from engaging the hotel operator’s civil or even criminal liability.

(ii) Hoteliers are exposed to theoretically minor civil penalties A victim or a group of victims may act upon the hotel’s civil or criminal liability if their personal data has been disclosed, lost or degraded. This could be the case, for example, if, through the disclosure of such unprotected personal data, a person’s spouse accidentally learns that their husband or wife stayed in a hotel in with a lady or gentleman friend, or flew to Reunion Island when they were supposed to be in Saint-Brieuc!

Under the rules applicable to hotel management agreements, action may be brought against both the owner-principal and the operator-agent, subject to proof of damage (as delicate to establish as in matters concerning right to image). In addition, the civil liabilities of the owner or operator are usually covered by insurance.

(iii) Hoteliers are exposed to very severe criminal penalties Criminal sanctions for breaches of data protection legislation are particularly dissuasive and can include up to five years’ imprisonment and/ or a fine of €300,000. This aspect should not be neglected either in the organisation of the hotel’s operation and management.

It is thus essential that hotel management agreements adapt to the GDPR risk

When a hotel is operated under a hotel management agreement, data may be collected either by the owner or by the operator, the latter generally being the party who manages and benefits from the information collected. The principal (or the owner of the hotel business) should take care to include a detailed clause in the agreement in which the hotel operator declares that it will perfectly comply with personal data protection regulations. The operator will also undertake to assume its liabilities in this regard in accordance with applicative legislation.

Consequently, any failure by the operator to comply with this obligation observed by a staff member or a hotel guest would also constitute a breach of the commitments made by the operator against the owner, enabling the owner to escape liability. However, to take into account the possible collection of data by the owner-principal, it is also essential that the hotel management agreement stipulate which data is diffused by the operator, and which responsibilities (that may overlap) both parties will have with regard to data protection. In cases where the hotel management agreement is already in operation, it is recommended that a detailed amendment be drafted to address the emerging GDPR issues.

Beyond the management agreement, hoteliers must ensure that their properties comply with data processing regulations notably by adopting a guest privacy policy and an employee privacy notice. These set out the technical standards for managing data, and raise the awareness of all persons within the hotel who will be required to process personal data. More generally, and further to a specific audit, hotels are also required under GDPR to set up a data processing register. These documents outline the rights and obligations of staff with regard to data protection, and good practices for using information systems.

Supervising the processing of guest data is all the more important as the risks are increasing today: a rise in hack attacks (malicious software of all kinds) or data theft by unscrupulous employees (unfortunately danger often comes from within), for example. The riskier environment, coupled with higher penalties, means making hotels compliant and keeping this compliance “alive” within establishments. Indeed, the regulations now require that any security breach (hacking, data theft, data loss, etc.) be reported within 72 hours and any guest complaints with regard to their data be recorded and answered. A written trace of such incidents must be recorded in the data processing register, otherwise administrative, civil or criminal sanctions will be enforced.

With regard to hotel employees, it is the operator who is responsible for carrying out these compliance measures. It is likely that in the case of a reverse hotel management agreement, the operator’s liability will increase, and it is difficult to appreciate how the hotel operator can avoid being held responsible for the execution of the hotel management agreement.

In conclusion and as seen, the regulations applicable to the protection of personal data constitute an interdisciplinary subject that primarily concerns service professions, of which hospitality is the most representative. In addition to the risks and penalties legally incurred, hoteliers risk their e-reputation, in particular (a new form of court of public opinion and perhaps the most feared) – a criterion of trust undeniably used by guests to select a hotel.

CJUE, gde ch., 13 May 2014, aff. C-131/12, Google Spain SL and Google Inc./ Agencia Espanola de Proteccion de Datos and Gonzales. CNIL Deliberation n°SAN – 2017-006 of 27 April 2017 imposing a fine on FACEBOOK INC. and FACEBOOK IRELAND. CNIL Deliberation n°SAN-2018-001 of 8 January 2018 imposing a fine on ETABLISSEMENTS DARTY ET FILS. CNIL Deliberation n°SAN-2017-010 of the 18 July 2017- HERTZ. CNIL Decision MED n° 2018- 007 of the 5 March 2018 serving notice on DIRECT ENERGIE and CNIL Resolution n° 2018-082 of the 22 March 2018 and decision issued to make public the formal notice to DIRECT ENERGIE.

Cass. 3e civ., 15 Feb 2006, n° 05-11.263 FS-D, Maini c/ Cie européenne d'assurances and others (cassation CA Nîmes, 1re ch. civ. A, 13 Jan 2004): Juris-Data n° 2006-032226.

LIL 3: Act 78-17 of 6 January 1978 amended 22 June 2018: articles 45 and subsequent and GDPR N°2016/679: article 58 §2 and 83.

Classic rules of civil liability in tort (articles 1100 and subsequent of the Civil Code).

Articles 50 to 52 of LIL 3 Act 78-17 of 6 January 1978 amended on 22 June 2018 referring to articles 226-16 to 226-24 of the Criminal Code.