Home / Legal Publications / GDPR Enforcement Tracker Report / Accommodation and Hospitality

Accommodation & Hospitality

To date DPAs from 13 different countries (+4 in comparison to the 2022 ETR) have imposed 59 fines (+22 in comparison to the 2022 ETR) in the accommodation and hospitality sector, i.e., on restaurants, hotels and other companies. The fines amount to a total of approximately EUR 22.4 million, with only a moderate increase over the last year (+EUR 0.9 million compared to the 2022 ETR).

The Spanish DPA has been particularly “active” in this sector (32 fines), followed by the German authorities (13 fines).

Let's take a closer look


  • More than 70 % of all fines in the accommodation and hospitality sector involve video surveillance, especially in restaurants and bars (42 cases; +16 in comparison to the 2022 ETR). The most common reason for such fines is that the recordings (also) capture the public space and thus violate the principle of data minimisation (Art. 5 (1) c) GDPR). Furthermore, controllers often do not provide data subjects with sufficient information on the surveillance (Art. 13 GDPR). The majority of published fines for unauthorised video surveillance in this sector ranged from EUR 400 to EUR 3,000 over the last year.
  • In 2022, the highest fine of EUR 600,000 in the hospitality and accommodation sector was imposed by the French DPA (CNIL) on ACCOR SA (ETid-1361). Deciding on the substantial amount of this fine, the DPA mainly took into consideration the number of data protection breaches and the fact that there were violations of several fundamental principles of the GDPR. Particularly, according to the CNIL, the ACCOR hotel group had used data collected through some of its websites, e.g. when customers made a booking, for advertising newsletters without proper consent, as the checkbox used was pre-ticked. In addition, affected persons could not properly unsubscribe from this newsletter for weeks due to persistent technical problems.
  • The second highest fine (EUR 230,000) imposed on a company from the accommodation and hospitality sector during the last year actually did not involve data protection violations specific to that sector. Instead, the fine was issued due to violations with regards to the handling of employee (health) data by a Finnish ferry operator, Viking Line Oy Abp (ETid-1526).
  • However, more than 88 % of the published fines in this sector are significantly lower, ranging from EUR 50 to EUR 20,000. All fines in the six-figure range or above were imposed on hotel chains (e.g. ETid-60, ETid-361, ETid-1361) or large online platforms such as Booking.com B.V. (ETid-612) and Delivery Hero (ETid-78). The fines against individual entrepreneurs were generally significantly lower.

Main takeaways

There are two main takeaways for the 2023 ETR. On the one hand, most individual fines issued in the hospitality and accommodation sector are still due to violations in the context of video surveillance. On the other hand, roughly 90% of the total amount last year was made up of only two fines, which did not necessarily involve violations specific to the sector.