GDPR Enforcement in Accommodation & Hospitality
Deep dive into relevant data protection enforcement cases and insights for accommodation & hospitality sectors
Data protection violations in the accommodation and hospitality sector are usually caused by insecure IT systems, a lack of organizational measures, or the unauthorized use of guest data. Due to the sensitive nature of the data (e.g. payment information), the risk for those affected and companies is particularly high.
Key Numbers
To date, DPAs from 15 different countries have imposed 91 fines (+15 in comparison to the 2025 ETR) in the accommodation and hospitality sector, i.e., on restaurants, hotels and other companies. The fines amount to a total of approximately EUR 22.7 million, with only a minimal increase over the last year (+EUR 100 thousand compared to the 2025 ETR).
The Spanish DPA is still the most active DPA, imposing around 50% of all fines in the accommodation and hospitality sector (49, +7 in comparison to the 2025 ETR), followed by the German authorities (17).
Let's take a closer look
- Video surveillance without sufficient legal basis for data processing remains the most important topic in the accommodation and hospitality sector. Around two thirds of all fines in this sector involve video surveillance in restaurants, bars and hotels (53 cases; +3 in comparison to the 2025 ETR). The most common reasons for such fines are recordings of public spaces (violation of the principle of data minimisation, Art. 5 (1) c) GDPR) and the lack of sufficient information on video surveillance (Art. 13 GDPR). Fines for unlawful video surveillance were imposed in the amount of EUR 600 in Italy (ETid-3049) and in the amounts of EUR 1,800 (ETid-3056) and EUR 800 (ETid-2965) in Spain.
- Furthermore, cyber incidents are becoming increasingly important for the imposition of fines. The failure to implement adequate technical and organisational measures, resulting in a cyber incident leading to data breaches or fraud incidents, led to the second highest fine in 2025, in the amount of EUR 32,000, imposed by the Spanish DPA (ETid-2988), and to two fines by the Romanian DPA in the amount of EUR 8,000 (ETid-2996) and EUR 2,000 (ETid-2709).
- The highest fine in this sector in 2025 was imposed by the Spanish DPA in the amount of EUR 42,000 on WORLD 2 MEET, S.L. (ETid-2849). The controller required its guests to provide a copy of their identity card or passport for registration purposes, even though providing only the necessary data would have sufficed. The original fine of EUR 70,000 was reduced to EUR 42,000 due to immediate payment and admission of responsibility by the controller.
- The highest fines against hotels and restaurants in recent years remain the discussed fine of EUR 20,450,000 imposed on Marriott International, Inc. and the fine of EUR 600,000 imposed by the French DPA (CNIL) on ACCOR SA in 2022, in particular for unlawful processing of customer data for advertising (ETid-1361). In the latter case, guests who made a booking directly with the hotel or via one of the hotel group's websites automatically became recipients of an advertising newsletter, as the box for consent to receive the newsletter was pre-ticked. In addition, the hotel had not sufficiently informed data subjects about the processing of their personal data in this context, had failed to respond to data subjects' requests for access to personal data in a timely manner, and due to technical problems, many individuals were unable to opt out of receiving the promotional emails.
- Most of the fines in this sector are still within the range between three- and four-figure amounts. In contrast, there were only 7 fines (8.3 %) in the six-figure range or higher.
Main takeaways
Compliance hotspots
- Failure to implement adequate technical and organisational measures, resulting in a cyber incident leading to data breaches or fraud
- Video surveillance without sufficient legal basis for data processing
Outlook
In the accommodation and hospitality sector, unlawful video surveillance and the lack of adequate technical and organisational measures will be the key issues that DPAs will focus on. Recent enforcement practice further indicates that the Spanish and Czech data protection authorities have started to sanction controllers for processing personal identification documents in order to verify the identity of guests, considering such processing to be incompatible with the principle of data minimisation. This suggests that data protection authorities are likely to continue closely examining identity verification procedures in the accommodation and hospitality sector.