Data Subject – GDPR For Hotels




The Data Subject

The Data Subject is the person connected to their own personally identifiable information (PII).

There are a few rules to define the Data Subject:

  1. They must be an EU citizen or resident in the EU.
  2. They must be a “real” (legally speaking a “natural”) person.
  3. They must be alive.

The Data Subject has rights under GDPR.  You can read about them here.

Both your customers and your employees are Data Subjects and they both have exactly the same set of rights.  You can’t discriminate against an employee if they wish to invoke their rights under GDPR.

The Data Subject As A Sales Prospect

Be clear about one thing.  GDPR does not stop you from prospecting for new customers.

What GDPR prevents you from doing is talking to people who don’t want to know.

If you have consent to do what you need to do in order to try to cause an enquiry or a sale, get on with it.

If you don’t have consent, forget it.  This person is never going to be a customer for your business anyway.  Why put them on a list only for them to ignore everything you send?

Think “Opt In”, Not “Opt Out”

GDPR is quite specific about this.  If you are building lists of potential customers for marketing purposes, people need to opt in.  You cannot assume consent.  Nor can you have “consented” as the default position for a list.

Again, if you’re a sensible direct marketer, you already know this.  Lists gathered using clearly understood consent are much more active and profitable than lists cobbled together from the email records on every computer in your organisation.

With consent, I would argue your sales messages are going to be much more favourably received.  As long as you stick to what you promised you’d send and stay relevant to your prospect.  This is basic marketing stuff.  If you’re a sensible business person it should all sound reasonable and plausible to you.

The Data Subject can change their mind and withdraw consent to process.  Indeed they can invoke one of their rights and ask you to stop.  If they do so you must stop using their PII  straight away and maintain records to prove you did so.

Legitimate Interest

There is another lawful reason for processing you can use as a marketer.  It is called “Legitimate Interest”.  You can use it in certain scenarios but you MUST have completed a Legitimate Interest Assessment (LIA) and  balancing test beforehand.  The balancing test weighs your interests as a business against the interests of the data subjects.  It is important to recognise that you can’t just “claim” legitimate interest.  You have to be able to prove that you have thought about it and considered all the options and possibilities.

The Data Subject As A Customer

You are allowed to communicate with a customer.  It’s hard to see how a customer can expect to be able to use your services if they make a booking with you then refuse to allow you to use their PII.  You need it to fulfil your contract with them.  So you should make sure your right to process PII is contained within your contract or terms of business.

But this legal right to process only lasts for the duration of the booking contract.  From the point at which the reservation is made until the point of departure (or the conclusion of an invoicing/payment process if that is appropriate).  Once the stay is complete you have some issues.

  • For how long should you keep PII in your guest history database?
  • What about the archived business records you are obliged to maintain?
  • How can you get consent to promote your services to that customer for a repeat booking?

The Data Subject As An Employee

Your employees have the same rights to protection of, and access to, their PII.

Whether it is contained in a filing cabinet, a computerised record or an email.  They have the right to see the associated personally identifiable information.

Which means you need to be careful about what you record and who has access to it.

The Data Subject As A Business Contact

GDPR does not apply to business communications?

Well, possibly not.  However the GDPR makes no distinction between B2B and B2C.  It does apply to personally identifiable information.

If it is possible to isolate an individual person using the information, then that person is a Data Subject and has the same rights as anyone else under GDPR.

You need to be careful about this as it might prove to be an easy trap for the unwary.  Think about a business email address for example:


This is not PII.  It only identifies a role, it doesn’t define a person.  You won’t need consent to use it.  Although the user can still ask you not to and can remove themselves from your lists using other legislation.

However, what do you think about this one?


It is still a workplace email address.  But this time it contains a name.  How many Jane Smiths work at Bloggsco?  On its own, this email address appears to qualify as Personal Data.  As soon as you combine it with other pieces of data, it can quickly be defined as PII.  In which case the person involved has all the rights and protections provided under GDPR.