Personal data protection and the hospitality industry in France
It Is Not Too Late, Even After the 25 May 2018
By Christopher Boinet - Lawyer at the Paris Bar and Partner at In Extenso Avocats, and Sarra Jougla-Ygouf - Lawyer at In Extenso Avocats Paris
France has just adopted the amendments to the Data Protection Act n°78-17 that integrate the measures of the new General Data Protection Regulation (GDPR). As a reminder, the GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted on 27 April 2016 - is the EU law on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It became applicable in all EU member states on 25 May 2018.
The CNIL has already indicated that it will take into account the "efforts undertaken" by companies in their compliance process, and that no sanctions will be applied until the end of 2018 regarding provisions directly resulting from the regulation. This does not, however, exclude the pronouncement of sanctions in case of breach of the provisions already in force under the Data Protection Act (far from being complied with everywhere).
It is clearly not too late to look at how the regulation can be applied in your own company.
There are a number of ways of implementing the GDPR in hotels and restaurants, and the regulation can be viewed either as yet another administrative constraint or as an inevitability and an opportunity. It should be remembered that its very name embraces both personal data protection and the free movement of such data. The regulation therefore not only seeks to protect the personal data that businesses hold on their clients, prospects and employees; it also allows these data to move freely. This free movement merely has to be controlled and regulated to avoid misuse, errors or accidents in data processing - the like of which has been seen several times over the past few years (Google, Facebook, Darty, Hertz, Direct Energie and so many others)[i].
Top of the list of the sectors concerned is the hospitality industry…
The regulation provides for thresholds that take into account the situation and business activity of SMEs and intermediate-size companies. Not every hotel and restaurant business is affected in the same way, but if they automatically store and retain customer data - on preferences, for example (in order to send promotional offers or improve satisfaction during a later visit) - then they are directly concerned. Likewise, if customers can make a reservation through the company website, the regulation applies, and the question of the use and compliance of booking platforms (e.g. La Fourchette, Booking.com) evidently arises, as does that of holding registration records for inspection by the police or maintaining cardex (guest history) files.
In the same way, the processing, use and safeguarding of payment methods must be carefully examined. In addition, if hotels and restaurants use video surveillance, they must also examine how such systems could impact on the privacy of their customers and employees.
What measures can hotel operators - and to a lesser extent, restaurant operators - take to prepare for these regulatory obligations with confidence after 25 May 2018?
Beyond implementing a unified legal framework at the European level, the objectives of the GDPR include:
- A strengthening of the individual rights of natural persons, already initiated by a number of decisions such as the Google Spain judgment enshrining the right to erasure, or the recent fine imposed on Darty following a breach of the confidentiality of customer loyalty card data [ii];
- Compliance based on transparency and accountability;
- Shared and specified responsibilities (the outsourced service provider, as processor, becomes accountable alongside the contracting party, as controller);
- The strict supervision of data transmission outside the European Union;
- Regulated, incremental and stricter financial penalties.
Hotel and restaurant operators should take particular note, since they will move from a regime of prior declaration with a posteriori penalties to a new regime based on anticipation and accountability. The consequences are numerous, as we will see later. Although this change means fewer reporting obligations, it also reflects the strengthening, or even the creation, of a number of obligations for all hospitality operators (and companies in general) that process their customers' personal data.
These obligations mainly focus on anticipation, information, transparency, security and documentation.
HOTEL AND RESTAURANT OPERATORS MUST ANTICIPATE:
In case of complaints, security breaches or CNIL inspections, businesses must generally be able to show that they have applied the universal "privacy by design" principle, meaning that they have integrated respect for the privacy of natural persons into data processing right from the start. This principle requires considering the lawfulness of the data processing, conducting preliminary impact assessments when necessary, and where appropriate obtaining the consent of the individuals whose data are collected and informing them of their rights.
HOTEL AND RESTAURANT OPERATORS MUST INFORM:
Henceforth, an obligation of transparency is imposed on hospitality operators who manage, store, host, process or sell personal data. Take, for example, hotel and restaurant customers who are natural persons, and whose data are collected - these individuals must be notified as to the purpose of the data processing and informed of their rights in terms of data access, rectification, erasure and portability.
HOTEL AND RESTAURANT OPERATORS MUST PROTECT:
Everything must be done to protect the data held by a company, in accordance with the "security by default" principle. Beyond putting the required protection in place, businesses must be able to trace their data, and any personal data breach has to be notified to the CNIL within a very short time frame (72 hours after becoming aware of it, where feasible, as stipulated by the regulation). Penalties for breach of these obligations are reinforced (up to 4% of annual global turnover or 20 million euro, whichever is higher), although there is an emphasis on keeping the sanction proportionate.
AND LASTLY, HOTEL AND RESTAURANT OPERATORS MUST DOCUMENT:
In certain cases, maintaining a Record of Data Processing Activities is obligatory.
Hotel and restaurant operators are directly concerned by this record-keeping obligation if:
- They employ 250 employees or more;
- and/or they process personal data on a large scale or on a regular rather than occasional basis;
- and/or this processing concerns sensitive data and/or could infringe individual rights and freedoms.
Each of these criteria must be assessed separately, and in certain cases, hospitality operators are required to maintain a Record of Data Processing Activities. Indeed, the sector is especially impacted by GDPR, given its various business activities: organisation and information systems, HR management, sales and marketing (prospection, promotion, customer record management, etc.), supplier management and, of course, hospitality IT management.
The hospitality sector is specifically targeted, whether or not data are conserved in the company's computer server and/ or stored and/ or hosted and/or reprocessed by a subcontracting party.
Hotel and restaurant customer records can no longer contain just any data and must meet certain conditions. These personal data, already considered by some as the new "black gold", may be coveted by malevolent competitors or by hackers for resale or ransom (WannaCry ransomware, for instance). At a time when cyberattacks are on the rise, the sector must ensure the protection of its customers' personal data, as well as those of its employees (who are also covered by the new regulation). There is no doubt that a hotel or restaurant's e-reputation also depends on whether or not it complies with the regulations.
In concrete terms, an audit is necessary to evaluate a business's practices and to pinpoint the risks. Further to the audit, an action plan must be drawn up, either to maintain a Record of Data Processing Activities that groups and describes the business's personal data processing practices, or, if maintaining such a record is not mandatory, to implement minimal GDPR compliance procedures. This requires the assistance of a multidisciplinary technical and legal advisory structure - one that is well established and specialised in the hospitality sector - so that the process can be handled correctly at the best possible cost.
It is, of course, never too late to comply.
[i] CJEU, Grand Chamber, 13 May 2014, Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González;
CNIL Resolution n°SAN-2017-006 of 27 April 2017 imposing a fine on FACEBOOK INC. and FACEBOOK IRELAND;
CNIL Resolution n°SAN-2018-001 of 8 January 2018 imposing a fine on ETABLISSEMENTS DARTY ET FILS;
CNIL Resolution n°SAN-2017-010 of 18 July 2017 - HERTZ;
CNIL Decision MED n°2018-007 of 5 March 2018 serving formal notice on DIRECT ENERGIE, and CNIL Resolution n°2018-082 of 22 March 2018 deciding to make public the formal notice to DIRECT ENERGIE.
[ii] CJEU, Grand Chamber, 13 May 2014, Case C-131/12, Google Spain, cited above;
CNIL Resolution n°SAN-2018-001 of 8 January 2018, DARTY ET FILS, cited above.
Christopher has extensive experience in corporate finance, commercial and real-estate transactions, the hotel business, construction law and related litigation. He has an extensive practice in managing and structuring investment operations, acquisitions and disposals of resorts (business and premises), financing operations, joint ventures, management and franchising contracts and other management agreements, as well as business organisation, audits and dispute resolution. He also writes regularly about the hotel industry (hotel commercial leases and management contracts) and speaks at seminars and workshops on hotel business law and real-estate subjects, notably on building and renovating hotels. Prior to joining IN EXTENSO AVOCATS, Christopher worked in the Paris offices of Anglo-Saxon law firms such as COUDERT BROTHERS, HSD ERNST & YOUNG and THEODORE GODDARD, and in a tourism-oriented boutique law firm.
Sarra is a partner and lawyer at the Paris Bar, In Extenso Avocats.