
Question 2 (Data protection)

Since the General Data Protection Regulation (GDPR) will enter into force on 25 May 2018, the following recommendations
to Lodging Ltd. are made in regard to that regulation.

During the last 30 years, Lodging Ltd.—with headquarters in the UK and hotels in more than 80 countries, some
of them probably within the EU—has been collecting data from their guests, including: leisure and
entertainment interests, hobbies, dietary requirements, allergies, consumption patterns and religious beliefs,
among others.

Lodging Ltd. must be aware that the data collected is considered ‘personal data’ under the GDPR, which defines it as
‘any information relating to an identified or identifiable natural person’ (Article 4 GDPR).

Indeed, some of the personal data gathered (e.g. religious beliefs) will be considered a special category of
personal data (Article 9 GDPR).

It should be noted that the GDPR ‘applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the
Union or not’ (Article 3.1 GDPR). Accordingly, the GDPR will apply ‘to the processing of data of data subjects
who are in the Union by a controller or processor not established in the Union, where the processing activities
are related to: (a) the offering of goods or services … (b) the monitoring of their behaviour as far as their
behaviour takes place within the Union’ (Article 3.2 GDPR).

By processing personal data using GlobalCRM’s cloud service, Lodging Ltd. will be acting as a controller, that is,
‘the natural or legal person, public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data…’ (Article 4.7 GDPR).

As a controller, and in the first place, Lodging Ltd. should decide on which legal basis it will rely for the
processing of personal data in order for the processing to be considered lawful (Articles 5 and 6 GDPR). Public
task, vital interests, legal obligation and contract shall be left out of consideration (ICO, Guide to the General
Data Protection Regulation). Consent is not likely to be an option, considering Lodging Ltd. has collected
personal data of guests in more than 80 hotels for more than 30 years. Thus, reaching all those guests to obtain
their consent does not seem to be a feasible task. Legitimate interests seem to be, in my client’s case (reservation
and marketing purposes), the most flexible lawful basis for processing personal data.

In regard to special categories of personal data, such as guests’ religious beliefs and data concerning health,
given their sensitivity, their processing will be prohibited unless one of the exceptions of Article 9.2 GDPR
applies. The only exception on which Lodging Ltd. could rely is ‘consent’ (Article 9.2.a GDPR), although, as
mentioned before, trying to obtain consent from all the guests whose data was collected over 30 years seems to
be an impractical task. Unless it obtains data subjects’ consent, Lodging Ltd. might consider not processing special
categories of personal data. Though this has not been specifically stated, Lodging Ltd. should take into account
that children’s personal data will also be subject to a special regime under the GDPR.

Given that GlobalCRM is likely to carry out the processing of personal data on behalf of Lodging Ltd., the latter
has to make sure that the former provides ‘sufficient guarantees to implement appropriate technical and
organisational measures in such a manner that processing will meet the requirements’ (Article 28.1 GDPR) of the
GDPR. This is of particular importance, because Lodging Ltd. may be held liable for GlobalCRM’s possible
personal data breaches. In this regard, a written contract with the following details shall be signed between the
parties: ‘the subject matter and duration of the processing; the nature and purpose of the processing; the type of
personal data and categories of data subject; and the obligations and rights of the controller’ (ICO, Guide to the
General Data Protection Regulation).

Lodging Ltd. shall keep a record of all processing activities, which must include details of the controller, the
purposes of the processing being carried out, and details regarding data subjects and categories of personal
data, among other items (Article 30.1 GDPR). This requirement may also be helpful to demonstrate compliance
with the GDPR (e.g. lawful bases).

As a controller, and by virtue of the principle of accountability included in the Regulation, Lodging Ltd. may be
required to carry out a Data Protection Impact Assessment (DPIA), bearing in mind the special categories of
personal data it has collected, and may need to appoint a Data Protection Officer (DPO).

‘Where a type of processing in particular using new technologies, and taking into account the nature, scope,
context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural
persons’ (Article 35.1 GDPR), a DPIA is required. If it is not clear whether a DPIA is required, the Article 29 Data
Protection Working Party advises that it should be carried out anyway (WP29, Guidelines on Data Protection
Impact Assessment).

Since Lodging Ltd. will be processing special categories of personal data and will be tracking data subjects’
behaviour, not only is it likely to be required to carry out a DPIA in order to minimise the risks, but it will also
have to appoint a DPO in accordance with Article 37.1 of the GDPR. This officer will be in charge of informing
and advising Lodging Ltd. and its employees, while monitoring compliance with the Regulation (Article 39.1
GDPR). The DPO’s contact details must be published in order to allow data subjects to contact the DPO (Article 38.4
GDPR).

(1087 words)
