Personal data protection in a hotel
Not all owners and managers of hotels and hostels are fully familiar with the requirements that personal data legislation imposes on them. By violating the requirements of the law and of Roskomnadzor, they put the business at risk. Knowing the nuances of processing and using personal data, and training staff in these rules, helps avoid liability of any kind and properly regulates relations with clients.
What personal customer data does the hotel need
The conditions for processing and using the personal data of clients of organizations in Russia are governed by the Federal Law "On Personal Data". Liability for violations is established by the Code of Administrative Offenses of the Russian Federation, and it was substantially tightened in 2017. As standard, a guest filling out a registration form at check-in provides passport details and current address. These are needed to control the safety of hotel property, and their collection is governed by the rules for the provision of hotel services for public safety purposes. Sometimes the hotel, on its own initiative, asks for additional information, such as a mobile phone number, to which it later sends advertising mailings.
All of this information is personal data. The law gives no exhaustive list; the term covers any information relating to a specific individual that allows that person to be reliably identified. Collecting personal data makes the hotel a data operator, and its manager, or the individual entrepreneur providing the services, must notify Roskomnadzor that it processes personal data. As a rule, operators are not punished for late notification as long as the notification is eventually submitted, including where this is done in the course of administrative proceedings. In addition to the notification, a package of internal documentation on protecting the databases in which client data is stored must be developed.
Personal data protection activities
Hotel staff are more occupied with their day-to-day duties than with compliance with personal data legislation. Drafting instructions for management and staff that describe the main actions required when interacting with clients and receiving their personal data for processing will help avoid administrative liability. Remember that administrative fines are imposed on the manager even when the violation was committed by an employee.
Mandatory obtaining consent to the processing of personal data
The consent form should be developed in advance based on Roskomnadzor's recommendations. If information is collected via the hotel's website, the phrase "I consent to the processing of personal data" must be placed next to the data entry form, with a checkbox in which the client can indicate consent. Next to it there should be a link to a page where the internal policy on the processing of personal data is published.
When clients fill out paper forms at the hotel, they should be asked to sign a paper consent form, which can be scanned and attached to their registration record. When signing, the client must understand exactly why their data is being collected, how it will be processed, to whom it will be transferred and for what purposes. Violating this requirement may result in administrative liability, with a maximum fine of 75 thousand rubles payable by the hotel.
Familiarization of the client with the hotel policy on the processing of personal data
First of all, this document must be developed and approved. This is not difficult; templates are easy to find online. The main thing is to describe in detail the client's rights and obligations related to providing personal data and having it processed. If the document is posted on the website and an individual provides information online, the hotel's obligation is considered fulfilled.
When a client fills out forms at the hotel, a printed copy of the policy should be available on request. It is also advisable to invite the client to read it, since it is there that they will find answers to their questions.
The data should only be used in accordance with the purposes of their processing
Every hotel, as a personal data operator, must inform the client of the purpose for which information is collected and the methods used to process it. This information should be set out in the personal data processing policy and is declared to Roskomnadzor in the notification. But situations may arise in which uninformed employees violate the established procedure and use the information entrusted to them for other purposes.
In the hospitality business, three improper uses of data are common:
- requesting unnecessary information, for example passport details, when booking a room;
- sending SMS notifications to the client's phone or e-mail without obtaining prior consent;
- transferring clients' personal data to third parties.
Such staff actions will lead to administrative fines, to a negative reaction from the FAS over illegal advertising, and to claims and lawsuits from dissatisfied clients.
The client's rights to receive information about the procedure for using his personal data must be respected
The hotel policy should set out the client's rights to receive information about the fate of their personal data and other actions taken with it, and staff should be aware that these rights exist. They include the client's right to:
- know what information about them the hotel stores;
- find out how and by what technical means it is protected;
- request correction or deletion of redundant or incorrect information;
- revoke consent to processing.
At the client's request, personal data must be blocked or destroyed, even if these actions do not fit the business processes and information processing standards adopted in the hotel. Thus, a request to remove the client's phone number from the databases used for SMS mailings must be fulfilled immediately. Violating this requirement not only leads to administrative liability and a fine of 45 thousand rubles, but may also be grounds for the FAS RF to open a case on unfair advertising.
Failure to satisfy a client's request will also lead to a complaint to Roskomnadzor, fines and lawsuits. Hotel staff are therefore required to respond promptly to client requests. One solution is to include responsibility for supporting personal data processing and communicating with clients on these issues in job descriptions.
What technical requirements must be observed by the hotel administration
The technical requirements for storing information must also be followed as closely as possible. If the information system in which personal data is stored is connected to the Internet, anti-virus protection must be installed. When information is transferred to third parties over telecommunication channels, it must be encrypted. The computers themselves must be physically protected, and access to them restricted to persons authorized by a separate management order. If possible, a DLP system should be installed to block the transfer of information to third parties, who may be interested both in a database of wealthy clients and in their phone numbers. The personal data protection system should be comprehensive and take all possible risks into account.
Hotel management should remember that a client may be better informed about personal data protection than the hotel staff, and may use that knowledge, when staff make mistakes, to damage the hotel's business reputation and to file claims for compensation for moral damage. The only solution is to train staff in all aspects of working with personal data.