Payment Systems – GDPR For Hotels

Payment Systems

Collecting Payments

Depending on the form of payment, there may be a privacy and data protection issue.  Let’s look at some examples:


A cash payment in itself will not normally contain any personal data.  So if the transaction is over your public bar, for example, and your till receipt simply says “£10.00”, there are no personal data implications.  However, if you issue a written receipt with the customer data on it and keep a copy (in a duplicate book, for example), then you are processing at least a name and a transaction, if not full address details.  The same goes for printed receipts or receipted invoices from a computer.  You will be keeping a record of personal data with the transaction.  How long will you be keeping it for and how will you dispose of it?


Cheques contain personal data.  If you have a chequebook take a look at it:  Name and bank account details.  It might be useful to remember that if someone pays you by cheque, you only start processing it once you have received it.  You have no responsibility towards it until it is in your hands.  Then it is up to you to make sure it is banked promptly and securely.  Your record of the cheque payment only really needs to record the cheque number and the amount.

Bank Transfer

The amount of personal data involved depends on the type of transfer.  Faster Payments transfers involve very little.  BACS or CHAPS payments might involve a bit more.  When you make a transfer you will record the information you need in order to do so, so be aware of that.  However, we’re talking about receiving payments here, so your records might only be a bank statement containing a bank account name and a reference (which might be your invoice number).  This information might be passed to your accounting system and attached to your customer’s account and transaction record.

Credit or Debit Card

The main point to remember when you use a payment handler such as Worldpay, Stripe, PayPal or PDQ is that you are merely a data processor in the relationship.  The payment handler is the Data Controller.  They decide what data is needed and how it will be processed; all you do is follow their instructions.

There are already tight rules about how you should process payment card data, called the PCI Regulations; however, bitter experience has led me to believe that some establishments are more careful than others.  A breach involving payment card data or bank account information is very serious.  The prospect of harm coming to the data subjects involved is real.

There are lots of systems which enable you to process card payments in compliant ways.  You can take advantage of your website to make full use of them, but there are secure “manual” methods available too.  This does not include writing the card details on a Post-it note and sticking it to your workstation screen.  Nor does it include emailing a third party a copy of a reservation confirmation containing clearly printed credit card information.  These two examples illustrate the need for staff awareness of the issues involved.