Home / Publications / GDPR Enforcement Tracker Report / Accommodation and Hospitality

Accommodation & Hospitality

To date DPAs from 14 different countries (+1 in comparison to the 2023 ETR) have imposed 72 fines (+13 in comparison to the 2023 ETR) in the accommodation and hospitality sector, i.e., on restaurants, hotels, and other companies. The fines amount to a total of approximately EUR 22.5 million, with only a minimal increase over the last year (+EUR 0.1 million compared to the 2023 ETR).

The Spanish DPA is still the most active DPA imposing more than 50 % of all fines in the accommodation and hospitality sector (37, +5 in comparison to the 2023 ETR), followed by the German authorities (15, +2 in comparison to the 2023 ETR).

Let's take a closer look

  • Video surveillance remains the most important topic in the accommodation and hospitality sector. Still more than 60 % of all fines in this sector involve video surveillance in restaurants, bars and hotels (46 cases; + 4 in comparison the 2023 ETR). The most common reasons for such fines are the capturing (also) of public space (violation of the principle of data minimisation, Art. 5 (1) c) GDPR) and the lack of sufficient information on video surveillance (Art. 13 GDPR). The highest fine in this sector in 2023, imposed by the Hungarian DPA, amounted to EUR 80,500, and was based primarily, but not exclusively, on data protection violations due to video surveillance (ETid-1824). However, most fines for unlawful video surveillance are still in the three- to four-figure range.
  • The second highest fine (EUR 15,000) in 2023 in the accommodation and hospitality sector was imposed by the Croatian DPA (ETid-2060). The DPA accused a hotel in particular of storing personal data without a valid legal basis. The hotel requested the CVC numbers of guests' credit cards and copies of identification documents as standard for bookings by email and web form, although payment could only be made on site at the hotel and payment details were therefore not required for the booking.
  • The highest fines against hotels and restaurants in recent years remain the fine of EUR 20,450,000 imposed by the UK DPA on Marriott International, Inc for customer data lost in a cyber incident and the fine of EUR 600,000 imposed by the French DPA (CNIL) on ACCOR SA in 2022, in particular for unlawful processing of customer data for advertising (ETid-60).
  • However, 83 % of the fines in this sector are still within the range of EUR 50 to EUR 20,000, with 49 % amounting to just EUR 2,000 or less. In contrast, there were only 7 fines (10 %) in the six-figure range or higher.

Main takeaways

In the accommodation and hospitality sector, data protection violations in the context of video surveillance remain the most important reason for the imposition of fines. At the same time, fines in this sector remain at a relatively low level, except where large hotel chains or online platforms are concerned.