
    7 principles of the GDPR and what they mean

    Written by: Galina Kulakova

    With only one month left until the GDPR – General Data Protection Regulation – comes into force, you should make sure you know what this new legislation is about and how it will affect your business. In this post, we will go through the 7 principles of the GDPR and will comment what they mean for your hotel.

    You probably already know why the GDPR is so important for marketers all over the world. It is the biggest change in data protection law since 1995, and it applies to every company that collects, processes or stores any personal data of EU citizens. Earlier we discussed that the GDPR is very challenging for the hotel sector because of the large volume of sensitive personal data and credit card information that hoteliers collect and process. The use of booking engines and multiple online points of payment makes hotels vulnerable to cyber attacks and data breaches.

    As you can see, the new legislation is highly important for the hotel sector, and you should know exactly what the GDPR consists of in order to prepare and comply. Let’s look at the 7 principles of the GDPR, listed and explained below.

    1. Lawfulness, fairness and transparency

    Obtain the data on a lawful basis, leave the individual fully informed and keep your word.

    The concept of lawfulness states that every process you have that in any way relates to the personal data of EU citizens must meet the requirements described in the GDPR. That includes data collection, data storage and data processing. The legislation has directions and norms for every step of your data management policy.
    Fairness means that your actions – whether you are a data controller or a data processor – must match what was described to the data subject. Simply put, keep the promise you gave your client in the notice before collecting the data. Use personal data only for the purposes, and during the time period, you indicated.
    A clear notice is what the concept of transparency is about. The data subject must stay informed regarding the purposes, the means and the time period of data processing. You should let your clients know exactly what you are going to do with their data and who will have access to it.

    2. Purpose limitation

    Be specific

    As we said before under the concept of fairness, you need to stay true to your promise. In the notice, among other things, you must inform your clients about the purpose of the data collection. As stated in the legislation, this purpose must be “specified, explicit and legitimate”. Data can be collected and used only for those purposes that have been communicated to the data subject and for which consent was received.

    3. Data minimization

    Collect the minimum data you need

    The GDPR is designed to bring data collection down to the necessary minimum. Personal data to be collected should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Note that under the GDPR you will actually have to justify the amount of data collected, so make sure to design an adequate policy and document it.

    4. Accuracy

    Store accurate up-to-date data

    Personal data must be “accurate and where necessary kept up to date”. You must make sure that you do not retain old and outdated contacts, and you must ensure the erasure of inaccurate personal data without delay.

    5. Storage limitations

    Retain the data for a necessary limited period and then erase

    This principle is related to data minimization and states that personal data must be “kept in a form which permits identification of data subjects for no longer than necessary”. You will have to set a retention period for the personal data you collect and justify that this period is necessary for your specific objectives. Do not forget to document it.

    6. Integrity and confidentiality

    Keep it secure

    The principle of integrity and confidentiality requires you to handle personal data “in a manner [ensuring] appropriate security”, which includes “protection against unlawful processing or accidental loss, destruction or damage”. You must implement effective anonymisation or pseudonymisation systems to protect the identity of your clients. You might also consider working towards an official certification, such as ISO 27001, to prove your commitment to cyber security.

    7. Accountability

    Record and prove compliance. Ensure policies.

    You are responsible for compliance with the principles of the GDPR. The new legislation requires thorough documentation of all policies that govern the collection and processing of data. Every step of your hotel’s data management needs to be carefully formulated and justified in official, documented form. Under the new law, you must be able to produce the documents that prove compliance with the GDPR when requested by the authorities.

    These are the 7 principles of the General Data Protection Regulation, and you should now have a good understanding of each of them. However, the GDPR is much more than these principles, so do not stop here: make sure to explore more about the upcoming law. We wish you the best of luck!
