
Hotels and Resorts Alliance
Detailed Outline of a Handbook for GDPR Compliance
Mạc Hải Long - 10422046
Mac Hai Long – 10422046 Hotels and Resorts Alliance

Table of Contents
1. Introduction........................................................................................................................................3
1.1. Purpose........................................................................................................................................3
1.2. Overview of GDPR........................................................................................................................3
1.2.1. The importance of GDPR compliance for businesses...............................................................3
1.2.2. The potential consequences of non-compliance.....................................................................3
1.2.3. The potential consequences of non-compliance.....................................................................4
2. Entities subject to GDPR.....................................................................................................................4
2.1. Personal data covered by GDPR...................................................................................................4
2.2. Identifiers and related factors......................................................................................................4
2.3. Processing activities covered by GDPR.........................................................................................5
2.4. Territorial scope of GDPR.............................................................................................................5
3. Data Protection Principles..................................................................................................................5
3.1. Lawfulness, fairness, and transparency.......................................................................................5
3.2. Purpose limitation.......................................................................................................................7
3.3. Data minimization........................................................................................................................7
3.4. Accuracy......................................................................................................................................7
3.5. Storage limitation........................................................................................................................8
3.6. Integrity and confidentiality.........................................................................................................8
3.7. Accountability..............................................................................................................................8
4. Data Subject Rights..............................................................................................................................9
4.1. Right to be informed and right to access.....................................................................................9
4.2. Right to rectification..................................................................................................................10
4.3. Right to erasure.........................................................................................................................11
4.4. Right to restrict processing........................................................................................................11
4.5. Right to data portability.............................................................................................................12
4.6. Right to object...........................................................................................................................12
4.7. Right not to be subject to automated individual decision-making.............................................13
5. Data Protection Obligations...............................................................................................................13
5.1. Implementation of appropriate technical and organizational measures....................................14
5.2. Privacy by design and by default................................................................................................15
5.3. Data protection impact assessments.........................................................................................15
5.4. Notification of data breaches.....................................................................................................16
5.5. Appointment of Data protection officer (DPO)..........................................................................16
6. Compliance Process...........................................................................................................................16
6.1. Risk assessment.........................................................................................................................16

Laws and Data Protections 1

6.2. Raising awareness among employees........................................................................................17
6.3. Training employees on GDPR.....................................................................................................17
6.4. Implementation of compliance measures..................................................................................18
6.5. Monitoring and review..............................................................................................................18
6.6. Documentation of compliance activities....................................................................................18
6.7. Retention of records..................................................................................................................19
7. Data Transfer Mechanisms.................................................................................................................20
7.1. Adequacy decisions...................................................................................................................20
7.2. Appropriate safeguards..............................................................................................................20
7.3. Binding corporate rules..............................................................................................................20
8. Cooperation with Supervisory Authorities.........................................................................................20
8.1. Notification of data breaches.....................................................................................................20
8.2. Consultation on high-risk processing activities..........................................................................20
9. Enforcement of GDPR........................................................................................................................20
9.1. Supervisory authorities..............................................................................................................20
9.2. Fines and penalties....................................................................................................................21
10. Appendices....................................................................................................................................21
10.1. Glossary of terms...................................................................................................................21
10.2. List of relevant resources.......................................................................................................21

1. Introduction
1.1. Purpose
The purpose of this Policy is to establish the common and general principles and guidelines for
conduct that are to govern Hotels and Resorts Alliance (hereinafter referred to as the Group) as
regards personal data protection, ensuring compliance with applicable law under all
circumstances.
In particular, this Policy guarantees the right to the protection of personal data for all natural
persons who establish relations with the companies belonging to the Group, ensuring respect
for the rights to reputation and to privacy in the processing of the various categories of personal
data from different sources and for various purposes based on their business activities, all in
compliance with the Company's Policy on Respect for Human Rights.

1.2. Overview of GDPR
This handbook is designed to provide a comprehensive guide for GDPR (General Data Protection
Regulation) compliance, essential for any business operating within the European Union or
handling the data of EU citizens. The GDPR, a landmark regulation, introduces stringent data
protection requirements, revolutionizing the way personal data is managed globally. It
emphasizes transparency, security, and accountability, ensuring that organizations prioritize the
privacy and protection of personal data.
The importance of GDPR compliance cannot be overstated. It is not merely a legal obligation but
a crucial aspect of business integrity and customer trust. Non-compliance can result in
significant penalties, including substantial fines, which could have a profound impact on your
business’s reputation and financial stability.
This handbook outlines the GDPR’s scope, including its key principles, the rights of data
subjects, and the obligations it imposes on data processors and controllers. It serves as a
practical resource for navigating the complexities of GDPR, ensuring your organization's
adherence to its stringent standards, and fostering a culture of data protection and privacy.

1.2.1. The importance of GDPR compliance for businesses
Compliance with the GDPR is not only a legal requirement but also a critical aspect of business
ethics and customer relations. Adhering to GDPR standards is essential to protect individuals'
privacy rights and maintain the trust of customers and partners.

1.2.2. The potential consequences of non-compliance
Non-compliance with GDPR can lead to severe penalties, including substantial fines. These
consequences underline the importance of understanding and implementing GDPR
requirements within your organization.

1.2.3. The potential consequences of non-compliance
The GDPR's scope is extensive, covering all aspects of personal data processing. Understanding
its application is crucial for businesses to navigate the complex landscape of data protection and
privacy.
This introduction sets the stage for a deeper exploration of GDPR principles, rights, and
obligations, guiding your organization towards effective and compliant data handling practices.

2. Entities subject to GDPR

2.1. Personal data covered by GDPR
The GDPR applies to the processing of personal data that is carried out:

• wholly or partly by automated means; or
• other than by automated means, where the personal data forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who:

• can be identified or who are identifiable, directly from the information in question; or
• can be indirectly identified from that information in combination with other information.
Personal data may also comprise special categories of personal data or information about
criminal convictions and offenses. These are deemed more sensitive and may only be processed
in certain circumstances.
Pseudonymized data can help lessen privacy threats by making identifying individuals more
difficult, but it is still personal data.
If personal data can legitimately be anonymized, the anonymized data is exempt from the
GDPR. It is critical to understand what personal data is to determine whether the data has been
anonymized.
Because information about a deceased person does not constitute personal data, it is not
covered by the GDPR.
Personal data does not include information about businesses or government agencies.
However, information about individuals working as sole traders, workers, partners, and
company directors, and information relating to them as individuals, may constitute personal
data.
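As an added example (written for this handbook, not part of the original text) of the distinction drawn above: pseudonymization with a keyed hash keeps the data re-identifiable by whoever holds the key and the lookup table, so it remains personal data, whereas aggregation with small groups suppressed yields output that no longer relates to an identifiable person. The guest records, the key, the HMAC technique and the minimum group size are assumptions of this example, not something the handbook specifies.

```python
import hashlib
import hmac

# Constructed sample guest records for a fictional hotel; the people and
# addresses are invented for this example.
GUESTS = [
    {"name": "Anna Example", "email": "anna@example.com", "ip": "203.0.113.7",
     "country": "DE", "nights": 3},
    {"name": "Bao Example", "email": "bao@example.com", "ip": "198.51.100.22",
     "country": "VN", "nights": 2},
    {"name": "Chloe Example", "email": "chloe@example.com", "ip": "203.0.113.9",
     "country": "DE", "nights": 5},
]

# Constructed secret; in practice the controller keeps the key (and the lookup
# table below) separately from the pseudonymized dataset and access-controlled.
PSEUDONYM_KEY = b"constructed-key-for-this-example-only"

# Fields treated as direct identifiers here: name, the email used as account
# identifier, and the IP address (an 'online identifier' in GDPR terms).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def pseudonym_for(email: str, key: bytes) -> str:
    """Derive a stable pseudonym with a keyed hash (HMAC-SHA256).

    An unkeyed SHA-256 of an email is trivially reversed by hashing a list of
    candidate addresses, so the hash is keyed; the key stays with the controller.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace direct identifiers with a pseudonym.

    Returns (pseudonymized records, lookup table). The lookup table maps each
    pseudonym back to the direct identifiers; whoever holds it (or the key plus
    a candidate list) can re-identify the rows, which is why the output is
    still personal data under the GDPR.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        pid = pseudonym_for(rec["email"], key)
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymized.append({"guest_id": pid, **rest})
    return pseudonymized, lookup


def reidentify(pseudonymized_record, lookup):
    """Re-link a pseudonymized row to the person: possible for the table holder."""
    return {**lookup[pseudonymized_record["guest_id"]], **pseudonymized_record}


def contains_direct_identifiers(records) -> bool:
    """Check whether any direct identifier field survives in a dataset."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


def anonymize(records, min_group_size=2):
    """Aggregate to per-country statistics, suppressing small groups.

    No output row maps back to an individual, so the result falls outside the
    GDPR. Groups below min_group_size are dropped because a count of 1 (or a
    total computed from a single guest) would single that guest out.
    """
    by_country = {}
    for rec in records:
        stats = by_country.setdefault(rec["country"], {"guests": 0, "nights": 0})
        stats["guests"] += 1
        stats["nights"] += rec["nights"]
    return {c: s for c, s in by_country.items() if s["guests"] >= min_group_size}
```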

2.2. Identifiers and related factors

An individual is 'identified' or 'identifiable' if they can be distinguished from other people.

A name is the most common way to identify someone. However, whether any prospective
identifier truly identifies an individual is context dependent.
To identify an individual, a combination of identifiers may be required.
The GDPR specifies a non-exhaustive set of identifiers, which includes a name, an identification
number, location data, and an online identifier. 'Online identifiers' include IP addresses and
cookie identifiers, which may constitute personal data on their own or in combination with
other information. Other factors can also be used to identify a person.

2.3. Processing activities covered by GDPR

Processing encompasses a wide array of activities, such as collecting, recording, organizing,
structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission,
disseminating, aligning, combining, restricting, erasing, or destroying personal data, or any
other operation performed on personal data.
Any entity that processes personal data, whether as a controller (determining the purposes and
means of processing) or a processor (processing data on behalf of the controller), falls under
the GDPR.

2.4. Territorial scope of GDPR

The GDPR applies to entities both within and outside the EU that process the personal data of
individuals in the EU. This includes companies that offer goods or services to individuals in the
EU or monitor their behavior, as well as companies that process personal data relating to EU citizens.
The regulation therefore has a global reach, making it applicable to multinational corporations,
internet services, and cloud providers all over the world, and mandating a global approach to
data protection.
Furthermore, because the Group works with EU companies and citizens, the GDPR should apply
to the Group.

3. Data Protection Principles

In principle, you must identify a valid justification (known as a "lawful basis") under the GDPR for
acquiring and using personal data. Personal data must not be used in a way that violates any
other law, under any circumstances. Personal data must be used in a fair, clear, open, and honest
manner, which means that it should not be processed in a way that is unduly harmful,
unexpected, or misleading to the individuals involved.

3.1. Lawfulness, fairness, and transparency

Lawfulness means that you do not do anything with personal data which is unlawful in a more
general sense. This includes statute and common law obligations, whether criminal or civil. If
processing involves committing a criminal offence, it will obviously be unlawful. However,
processing may also be unlawful if it results in:

• a breach of a duty of confidence;
• your organization exceeding its legal powers or exercising those powers improperly;
• an infringement of copyright;
• a breach of an enforceable contractual agreement;
• a breach of industry-specific legislation or regulations; or
• a breach of the Human Rights Act 1998.

Although processing personal data in violation of copyright or industry regulations (for example)
will result in unlawful processing in violation of this principle, this does not mean that the ICO
can pursue allegations that are primarily about violations of copyright, financial regulations, or
other laws that fall outside the ICO's remit and expertise as a data protection regulator. In such
cases, there are alternative legal or regulatory avenues of recourse where the issues can be
addressed in a more appropriate setting.
Fairness means that you should only use personal data in ways that individuals would reasonably
expect, and not in ways that have unjustified adverse effects on them. You must pause and
consider not only how you can use personal data, but also whether you should.
Personal data processing must always be both fair and lawful. If any component of your
processing is unfair, you will be in violation of this principle, even if you can demonstrate that
the processing is lawful.
Assessing whether you are processing information fairly depends partly on how you obtain it. If
anyone is deceived or misled when personal data is obtained, then this is unlikely to be fair.
To assess whether you are processing personal data fairly, you must consider more generally
how it affects the interests of the people concerned, as a group and individually. If you have
obtained and used the information fairly in relation to most of the people it relates to but
unfairly in relation to one individual, there will still be a breach of this principle.
Transparency is fundamentally tied to fairness. Transparent processing entails being clear,
open, and honest with people about who you are and how and why you use their
personal data from the outset.
Transparency is always vital, but it is especially important when people have a choice whether
to enter into a relationship with you. Individuals will be able to make an informed decision about
whether to enter into a relationship, or to try to renegotiate the terms of that relationship, if
they know what you will do with their information from the start.
Even if you have no direct interaction with the individual and receive their personal data from
another source, transparency is essential. In some circumstances it is even more critical,
because individuals may be unaware that you are collecting and using their personal data,
limiting their capacity to exercise their data rights. This is sometimes known as 'invisible
processing'.

Group companies shall not collect or process personal data relating to ethnic or racial origin,
political ideology, beliefs, religious or philosophical convictions, sexual orientation or practices,
trade union membership, health data, or genetic or biometric data for the purpose of uniquely
identifying a person, unless such collection is necessary, legitimate, required, or permitted by
applicable law, in which case the data may be collected and processed.

3.2. Purpose limitation
The purpose limitation principle ensures that personal data may only be used for one or more
specified purposes. Personal data obtained for one purpose cannot be freely used for another.
The notion of purpose limitation is likewise contained in Article 8(2) of the EU Charter.
While the controller is free to specify any legitimate purpose, Article 5(1)(b) establishes the
principle of purpose limitation in personal data processing. It requires that personal data be
collected for specified, explicit, and legitimate purposes, and it ensures that the data are not
used for purposes that are incompatible with the original purpose(s).

3.3. Data minimization
The data minimization principle derives indirectly from Article 8 of the EU Charter, which
requires that any interference with the fundamental right to data protection be reasonable. The
principle is thus strongly tied to the principle of purpose limitation, and it only leads to
accurate results if the controller defines the specific purpose precisely. A controller must
evaluate the necessity of each step of a processing operation and of each data element for
achieving that purpose.
The three elements in Article 5(1)(c) GDPR are redundant and overlapping:

• Personal data is 'adequate' if it is appropriate to use such data for the purpose (for example, the address of a person is not appropriate information for credit ranking).
• Personal data is 'relevant' if it leads to a different outcome in relation to the purpose (for example, the address of a customer is relevant to deliver a product).
• Personal data is 'limited to what is necessary' when the purpose cannot be achieved without the processing of that personal data.

3.4. Accuracy
According to Article 5(1)(d), personal data must be accurate and, where necessary, kept up
to date, and all reasonable steps must be taken to erase or rectify inaccurate data as soon as
practicable. This requirement is intended to safeguard data subjects from harm, as erroneous
information can have catastrophic consequences. One of the key elements of the right to
informational self-determination is data accuracy, which embodies a broader principle of
correct representation of the individual at all levels and in all circumstances.
When a controller employs systems that are a "black box" even to the controller, such as
"artificial intelligence," "self-learning," or "big data" analytics, the accuracy principle becomes
extremely difficult to apply. The GDPR discourages such practices, and Article 5(1)(d) is
meant to safeguard against computers reaching arbitrary and incorrect conclusions.
Regardless of the technology employed, controllers remain accountable for the accuracy of
the personal data they process.

3.5. Storage limitation
Personal data shall not be maintained for any longer than is necessary for the purposes for
which they are processed, unless otherwise required by law.

3.6. Integrity and confidentiality

Personal data must be processed in a way that employs technical or organizational safeguards to
protect the data against unauthorized or unlawful processing, as well as against accidental loss,
destruction, or damage.
Personal data collected and processed by Group companies must be kept confidential and
secret, may not be used for purposes other than those that justified and permitted its
collection, and may not be disclosed or transferred to third parties except in cases permitted by
applicable law.

3.7. Accountability
Group companies are responsible for adhering to the principles outlined in this Policy as well as
those required by applicable legislation and must be able to demonstrate compliance when required.
Group companies must conduct a risk assessment of their processing to identify the actions to be
implemented to ensure that personal data is processed in line with legal requirements. When
required by law, they must conduct a preliminary evaluation of the risks that new products,
services, or IT systems may pose to personal data protection and take the appropriate steps to
minimize or mitigate such risks.
Group companies must keep an activity log in which they describe the personal data processing
that they carry out in the course of their business.
In the event of an incident, such as accidental or unlawful data destruction, alteration, or
unauthorized access to such data, the Group will have an internal protocol for
documenting and measuring the scope of the affected data, as well as sufficient measures to
mitigate and resolve the incident.
Where required by law, a DPO will be designated to verify that the
Group complies with data protection laws.

4. Data Subject Rights
Data subject rights are a set of legal entitlements granted to individuals under various data
protection regulations, most notably the General Data Protection Regulation (GDPR) in the
European Union. These rights empower individuals to control their personal data and ensure
transparency in its processing.

4.1. Right to be informed and right to access

Right to be informed:

• Prior to data acquisition: Individuals have the right to be informed before their personal data is collected. This includes information about the identity of the controller (the organization collecting the data), the purposes of the processing, the legal basis for the processing, the categories of personal data collected, the recipients of the data, and the data subject's rights (e.g., rectification and erasure).
• Conciseness, transparency, and ease of access: The information presented should be concise, transparent, and easy to understand.
• Additional information: In some cases, further information, such as the data retention period, the existence of automated decision-making, and the right to lodge a complaint with a supervisory authority, may be necessary.

Right to access:

• Confirmation and access: Individuals have the right to obtain confirmation from the controller as to whether their personal data is being processed and, if so, to access that personal data.
• Specific information: The right to access covers a range of information, including the categories of personal data processed, the purposes of the processing, the recipients of the data, and the envisaged period of storage.
• Copy of the data: Individuals have the right to obtain a copy of their personal data in a portable format, facilitating its transfer to another controller if desired.
Important note:
The right to be informed lays the foundation for the right to access. Knowing what data is being
collected and why empowers individuals to exercise their right to access effectively.
Accessing their data allows individuals to verify the accuracy of the information held about
them, identify potential misuse, and exercise other GDPR rights such as rectification or erasure.
Both rights have certain limitations and exceptions, for example, where disclosure would
prejudice the rights and freedoms of others or where it is impossible due to the anonymization
of the data.
Individuals can exercise their rights through various means, such as submitting a data subject
access request to the controller.
Supervisory authorities play a crucial role in ensuring compliance with GDPR and upholding
individuals' data rights.

4.2. Right to rectification
The right to rectification is one of the crucial data subject rights granted by the General Data
Protection Regulation (GDPR). It empowers individuals to ensure the accuracy and completeness
of the personal data that organizations hold about them.
The right to rectification allows customers to request that a controller:
• Correct any inaccurate personal data about them. This includes factual errors, outdated information, or incomplete data.
• Delete any personal data that is incomplete or no longer necessary for the purposes for which it was collected.
Anyone whose personal data is being processed by a controller within the scope of the GDPR can
exercise the right to rectification. This applies regardless of nationality or residency.
Customers can submit a request to the controller in writing, clearly stating the inaccuracies or
incompleteness they have identified in their personal data. They can also provide evidence to
support the request if available.
The controller must respond to the request within a reasonable timeframe, typically one
month. The controller should:
• Acknowledge the request: Confirm receipt and provide an estimated timeframe for the response.
• Investigate the request: Analyze the accuracy and completeness of the data based on the information provided and any available evidence.
• Rectify the data: If the data is found to be inaccurate or incomplete, the controller must rectify it by correcting it or adding the missing information.
• Inform the customer of the outcome: The controller must inform the customer of the decision, whether it has rectified the data or not, and its justification for any refusal.
While the right to rectification is powerful, there are some limitations and exceptions:
• Public interest: In rare cases, the public interest may override the right to rectification, such as when the data is necessary for historical, statistical, or scientific research purposes.
• Excessive burden: If rectifying the data would impose an excessive burden on the controller, the controller may be able to refuse. However, it must still provide the customer with a justification and inform them of their right to complain.
If customers need help exercising their right to rectification, they should contact the data
protection officer (DPO) of the controller.

4.3. Right to erasure
The right to erasure, also known as the "right to be forgotten," is a powerful tool granted by the
General Data Protection Regulation (GDPR) in Europe. It empowers individuals to request the
deletion of their personal data from an organization's systems under certain circumstances.
When customers can exercise this right:
• The data is no longer necessary for the purposes for which it was collected or processed. For example, a customer has closed an account and the company does not need their data for any further legitimate purpose.
• The customer withdraws their consent to the processing of their data. This applies if consent was the legal basis for the processing.
• The data processing is unlawful. This includes situations where the data was obtained without the customer's consent or in violation of other GDPR principles.
• The data must be erased to comply with a legal obligation. This could be a national or EU law.
• The data is excessive, inappropriate, or no longer relevant. This applies to data collected for marketing purposes, for example.
The controller's responsibilities:
• Acknowledge the customer's request: The Group should confirm receipt and provide an estimated timeframe for the response.
• Consider the customer's request: The Group must assess whether the conditions for erasure are met.
• Erase the data: If the customer's request is granted, the Group must delete the customer's data from its systems and from any third-party systems with which it may have been shared.
• Inform the customer of the outcome: The Group must inform the customer whether it has erased the data or not, and give its justification for any refusal.

4.4. Right to restrict processing

The right to restriction of processing is another important data subject right granted under the
General Data Protection Regulation (GDPR). It allows customers to limit the ways in which an
organization can use their personal data, giving customers control over its circulation and
use.
Customers can request the restriction of processing in several situations:
• Customers contest the accuracy of their personal data. They can request that the processing be restricted while the controller verifies the accuracy of the data.
• Customers object to the processing of their data for legitimate reasons. If a customer objects to the processing for reasons other than direct marketing, they can request restriction while the controller considers the objection.
• The processing is unlawful, but the customer does not want the data deleted. In such cases, customers can request restriction instead of erasure.
• The controller no longer needs the data for the original purposes, but the customer needs it for legal claims. If a customer needs the data for legal purposes, they can request restriction even if the controller no longer needs it for its initial purposes.

4.5. Right to data portability

The right to data portability is one of the most empowering tools granted to individuals under
the General Data Protection Regulation (GDPR). It allows customers to easily transfer their
personal data from one controller (the organization holding their data) to another in a structured,
commonly used, and machine-readable format.
The following information can be subject to transfer, including but not limited to:
• Identification data: Name, address, email, phone number, etc.
• Activity data: Purchases, browsing history, location data, etc.
• Social data: Posts, comments, likes, etc.
• Health data: Medical records, fitness tracker data, etc.
The controller may not be able to transfer certain types of data, such as financial information or
sensitive personal data.
The controller may refuse a request if it is technically impossible or involves excessive effort.

4.6. Right to object
The right to object empowers customers to oppose the processing of their personal data in certain situations, giving them a say in how their information is used.
Customers can object to the processing of their personal data in the following cases:
- Direct marketing: customers have an absolute right to object to the processing of their data for direct marketing purposes, including profiling related to such marketing. This means a customer can stop us from sending them unwanted emails, targeted ads, or personalized marketing messages.
- Processing based on legitimate interests: customers can object to the processing of their data if it is based on the controller's legitimate interests, unless the controller demonstrates compelling legitimate grounds that override the customer's interests, rights, and freedoms. This applies to situations where their data is used for purposes such as fraud prevention, market research, or improving services.
- Automated decision-making: customers have the right to object to decisions made solely by automated means (e.g., algorithms) that significantly affect them, such as credit scoring or insurance pricing. Customers can also request human intervention or contest the decision.
Once the objection is resolved, the controller must cease processing the customer's data unless we have a compelling legal reason to continue. We must also tell customers about our internal decision and give them the option to file a complaint with a supervisory authority.
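The two rights described in 4.4 and 4.6 only work in practice if every processing operation checks the customer's current status before it runs. The following block is an added example, not code from the handbook or the Group: it keeps the restriction and objection state on a guest record and gates each operation by purpose. The purpose names and the GuestRecord fields are assumptions made for the example.

```python
"""Purpose-based processing guard for guest records.

Added example, not part of the handbook. It models the right to restrict
processing (4.4) and the right to object (4.6) as state on a guest record
that every processing operation checks first. Purpose names and the
GuestRecord fields are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    STORAGE = "storage"                    # keeping the record on file
    BOOKING = "booking"                    # fulfilling the reservation
    DIRECT_MARKETING = "direct_marketing"
    FRAUD_PREVENTION = "fraud_prevention"  # legitimate-interest basis
    LEGAL_CLAIMS = "legal_claims"


@dataclass
class GuestRecord:
    guest_id: str
    email: str
    # Set when the guest contests accuracy, objects on legitimate-interest
    # grounds, or asks for restriction instead of erasure (4.4).
    processing_restricted: bool = False
    # Absolute objection to direct marketing (4.6): no balancing test applies.
    marketing_objection: bool = False
    # Purposes the guest has explicitly consented to despite the restriction.
    consented_purposes: set = field(default_factory=set)


class ProcessingBlocked(Exception):
    """Raised when a processing operation may not run on this record."""


# While restricted, storage stays permitted and, apart from the guest's own
# consent, only processing for legal claims (simplified from GDPR Art. 18(2)).
_ALLOWED_WHILE_RESTRICTED = {Purpose.STORAGE, Purpose.LEGAL_CLAIMS}


def check_processing(record: GuestRecord, purpose: Purpose) -> None:
    """Raise ProcessingBlocked if `purpose` may not be applied to `record`."""
    if purpose is Purpose.DIRECT_MARKETING and record.marketing_objection:
        raise ProcessingBlocked(f"{record.guest_id}: objected to direct marketing")
    if (record.processing_restricted
            and purpose not in _ALLOWED_WHILE_RESTRICTED
            and purpose not in record.consented_purposes):
        raise ProcessingBlocked(f"{record.guest_id}: restricted ({purpose.value})")


def is_allowed(record: GuestRecord, purpose: Purpose) -> bool:
    """Boolean form of check_processing, convenient for filtering lists."""
    try:
        check_processing(record, purpose)
    except ProcessingBlocked:
        return False
    return True


def marketing_audience(records) -> list:
    """Emails a direct-marketing campaign may still be sent to."""
    return [r.email for r in records if is_allowed(r, Purpose.DIRECT_MARKETING)]


def record_objection(record: GuestRecord, purpose: Purpose) -> None:
    """Direct marketing: absolute, stop at once. Other purposes: restrict
    processing while the objection is being considered (4.4, 4.6)."""
    if purpose is Purpose.DIRECT_MARKETING:
        record.marketing_objection = True
    else:
        record.processing_restricted = True
```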

4.7. Right not to be subject to automated individual decision-making

Customers have the right not to be subject to a decision that is based on automated processing and has a legal effect on them. This right applies when, among other conditions:

- The decision is based entirely on automated means: there was no human intervention in the decision-making process.
- The decision has legal consequences for the customer or a similarly substantial impact on them, as described above.

5. Data Protection Obligations

All customer data is governed by the GDPR; hence personal data must:

- be processed lawfully, fairly and in a transparent manner;
- be collected only for specified, explicit and legitimate purposes, and not be further processed in any manner incompatible with those purposes;
- be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- be accurate and, where necessary, kept up to date;
- not be kept in identifiable form for longer than necessary for the purposes concerned; and
- be processed securely.

5.1. Implementation of appropriate technical and organizational measures

To maintain data security within the business, proper technical and organizational procedures must be implemented. These safeguards keep personal information safe from unauthorized access, loss, alteration, or disclosure. The following points are important when establishing data security measures:

- Risk Assessment: Conduct a thorough risk assessment to identify potential data security vulnerabilities and threats. This assessment should consider data sensitivity, the possible consequences of a breach, existing security procedures, and industry best practices.
- Access Control: Implement strong access control systems to ensure that personal data is only accessed by authorized personnel. This includes creating unique user accounts, requiring strong passwords, adopting multi-factor authentication where applicable, and reviewing and changing access privileges on a regular basis.
- Encryption: Use encryption to protect personal data in transit and at rest. This includes encrypting data during network transmission and storing sensitive data in encrypted form to prevent unauthorized access.
- Data Minimization: Apply the data minimization principle by collecting and retaining only the personal data required for the intended purpose. Avoid collecting excessive data, and regularly review and delete old or superfluous data.
- Data Backup and Recovery: Set up frequent data backups and test recovery processes to ensure that personal data can be recovered in the event of data loss. Backups should be kept in a secure location, and restoration procedures should be documented and validated on a regular basis.
- Employee Training and Awareness: Employees should receive thorough training on data security best practices, such as data handling, secure communication, password management, and spotting and reporting security events or breaches. Reinforce awareness on a regular basis through continued training and communication.
- Incident Response Plan: Create a solid incident response plan that describes what to do in the event of a data breach or security incident. This plan should include protocols for reporting events, containing the breach, assessing the impact, alerting affected parties, and executing corrective actions.
- Vendor Management: When working with third-party service providers or vendors, make sure they follow the relevant data security standards. Establish specific contractual responsibilities and evaluate their security policies on a regular basis to ensure the security of personal data shared with them.
- Regular Security Audits and Assessments: Conduct frequent security audits and assessments to examine the effectiveness of the security measures in place and identify any vulnerabilities or areas for improvement. Penetration testing, vulnerability scanning, and security assessments by internal or external experts are examples of such audits.
- Compliance Monitoring: Continuously monitor compliance with data protection rules, such as the GDPR, to ensure continued legal compliance. Review and update policies, processes, and controls on a regular basis to keep up with evolving security standards and regulatory changes.

5.2. Privacy by design and by default

Privacy by design and by default consists of two main concepts:
- Privacy by design: this aspect focuses on proactively incorporating privacy safeguards into the development and implementation of systems, processes, and technologies. It encourages organizations to ask themselves how to minimize data collection and processing, ensure data security, and empower users to control their data.
- Privacy by default: this aspect emphasizes that the most privacy-protective settings should be the default options. Users should not have to actively opt out of data collection or adjust privacy settings to protect their data. The most privacy-friendly options should be readily available and chosen by default.
Following these concepts, the following actions should take place when collecting customer data:

- Provide customers with easily accessible and understandable information about how their data is collected, processed, and shared.
- Allow users to decide how their data is used and shared, such as opting out of targeted advertising or data sharing.
- Collect only data related to booking and staying on the premises. When the transaction is finished, any unnecessary data should be removed from the system.
- Encrypt data stored in the system and protect it from unauthorized access. This data should only be accessed when requested by the customer or under a lawful request regarding the user's data.
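The four actions above translate into concrete behaviour at the point where a booking form is received. The block below is an added example, not the handbook's or the Group's code: it keeps only the fields a booking needs (each tied to a stated purpose), turns every optional use off unless the guest explicitly opts in, and strips what is no longer needed after checkout. The field names, purposes and preference keys are assumptions made for the example.

```python
"""Privacy by design and by default applied to booking data collection.

Added example, not the handbook's own code. Field names, purposes and the
preference keys are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Data minimization: the fields a booking actually needs, each tied to the
# purpose shown to the guest (transparency, first action in 5.2).
BOOKING_FIELDS = {
    "full_name": "identify the guest at check-in",
    "email": "send the booking confirmation",
    "phone": "contact the guest about the stay",
    "check_in": "reserve the room",
    "check_out": "reserve the room",
}

# Privacy by default: every optional use is off unless the guest turns it on.
DEFAULT_PREFERENCES = {
    "marketing_emails": False,
    "share_with_partners": False,
    "targeted_advertising": False,
}


@dataclass
class CollectionResult:
    stored: dict                                   # what we keep
    preferences: dict                              # effective guest choices
    dropped: list = field(default_factory=list)    # submitted but not needed
    notice: dict = field(default_factory=dict)     # purpose per stored field


def collect_booking(submitted: dict, choices: Optional[dict] = None) -> CollectionResult:
    """Keep only booking-related fields and apply privacy-protective defaults.

    Fields outside BOOKING_FIELDS are dropped rather than stored, and a
    preference becomes True only when the guest explicitly chose True
    (a string such as "yes" or a pre-ticked box does not count as consent).
    """
    stored = {k: v for k, v in submitted.items() if k in BOOKING_FIELDS}
    dropped = sorted(k for k in submitted if k not in BOOKING_FIELDS)
    prefs = dict(DEFAULT_PREFERENCES)
    for key, value in (choices or {}).items():
        if key in prefs and value is True:     # opt-in only, never implicit
            prefs[key] = True
    notice = {k: BOOKING_FIELDS[k] for k in stored}
    return CollectionResult(stored, prefs, dropped, notice)


def after_checkout(result: CollectionResult, still_needed: set) -> dict:
    """Remove data no longer needed once the stay is finished (third action in 5.2).

    `still_needed` names the fields kept for another lawful purpose, for
    example invoicing; everything else collected for the booking is erased.
    """
    return {k: v for k, v in result.stored.items() if k in still_needed}
```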

5.3. Data protection impact assessments

As we collect and process a significant amount of personal data from customers, we need to have strong data protection measures.
Several factors can trigger the need for a DPIA (Data Protection Impact Assessment) in a hotel, including:
- Using modern technologies: implementing facial recognition, guest tracking through RFID wristbands, or other novel technologies may require a DPIA.
- Large-scale data processing: processing data from a large number of guests or creating detailed profiles with sensitive information may warrant a DPIA.
- Profiling and automated decision-making: using guest data for targeted advertising, personalized pricing, or automated room assignments could involve a DPIA.
- Sharing data with third parties: sharing guest data with third-party service providers, marketing partners, or law enforcement requires careful consideration and might trigger a DPIA.
The DPIA should clearly describe the types of personal data collected, the purposes of processing, and the technologies used, and should identify and prevent the potential risks to individuals' data privacy and fundamental rights, such as unauthorized access, profiling, discrimination, or surveillance.

5.4. Notification of data breaches

Data breaches are a critical incident for any organization, and especially for hotels, where guests entrust them with sensitive personal information. Prompt and effective notification of data breaches is crucial for protecting guests and complying with regulations.
Under the GDPR, when a data breach occurs that results in a high risk to the rights and freedoms of customers, we have a responsibility to inform customers about the incident. Such incidents include:
- Risks of unauthorized access or disclosure: if guest data has been accessed or disclosed without proper authorization, a notification should be sent.
- Loss of control: if the hotel loses control over guest data due to malware, system failure, or other incidents, notification may be necessary.

5.5. Appointment of a Data Protection Officer (DPO)

The DPO should possess specific qualifications and expertise:
- Expertise in data protection laws and regulations: they must have a deep understanding of the GDPR and relevant data protection principles.
- Strong analytical and technical skills: they should be able to assess data risks, implement security measures, and analyze data flows.
- Excellent communication and people skills: they need to effectively communicate data protection policies to various stakeholders, including guests, management, and authorities.
- Independence and authority: they must be able to operate independently within the organization and report directly to the highest management level.

6. Compliance Process
6.1. Risk assessment
Risk assessment should focus on several key areas of the compliance process:
- Data inventory and mapping: identify and map the flow of all types of personal data gathered, processed, and stored by our systems and processes.
- Vulnerabilities in data security: evaluate the technical and organizational safeguards in place to protect data from unauthorized access, loss, or abuse.
- Data subject rights compliance: assess how we enable guests to exercise their rights to access, rectify, erase, or restrict processing of their data.
- Third-party data sharing: determine and evaluate the risks of sharing guest data with third-party service providers or partners.
- Data breach and incident response: review our policies for dealing with data breaches and other issues impacting guest data.
- Training and awareness: evaluate the effectiveness of our data protection policy and best-practices training programs for employees.
- Internal controls and audit processes: assess the effectiveness of internal controls and audit procedures in assuring compliance with data protection rules.

6.2. Raising awareness among employees

For all employees to comply with the GDPR, the following strategies should be in place:
- Training programs: create and conduct interactive training classes for the various staff positions that cover data protection fundamentals, visitor rights, data security practices, and incident response protocols. All new employees and staff who have been with us for more than 5 years should participate in a training program.
- Visual reminders: remind staff of data protection policies and best practices using posters, infographics, or screensavers.
- Lead by example: management should actively promote data security by adhering to policies, flagging questionable activity, and openly discussing the value of data privacy.

6.3. Training employees on GDPR

- GDPR fundamentals: explain crucial topics such as personal data, legal bases for processing, data subject rights, and accountability requirements.
- Guest data handling: train personnel on correct guest identification methods, data minimization principles, and gaining informed consent for data gathering.
- Data security: discuss data storage and encryption procedures, password security, and secure data disposal.
- Data subject rights: explain how guests can access, rectify, remove, or limit the processing of their personal data, as well as how these requests are handled.
- Incident response: train workers to recognize and report data breaches, adhering to established containment and notification protocols.
- Role-specific education: training should be tailored to specific jobs, such as housekeeping (guest room access and data security) or marketing (targeted advertising and data subject rights).


6.4. Implementation of compliance measures

The following strategies will help to ensure compliance with the GDPR:
- Approach in phases: break the deployment down into manageable stages, beginning with essential areas such as data security and guest rights.
- Technology solutions: use data protection software, encryption tools, and access control systems to automate and streamline compliance steps.
- Documentation and policies: make your data protection policies and procedures clearly documented and easily available to all workers and guests.
- Regular reviews and updates: review and update your compliance measures on a regular basis to keep up with evolving rules and handle emerging data security concerns.

6.5. Monitoring and review

The following attributes need to be monitored and reviewed:
- Data inventory and mapping: keep your data inventory up to date to ensure correctness and completeness.
- Data security: keep an eye on security logs, access limits, and incident reports to spot any flaws or breaches.
- Requests for data subject rights: keep track of the number and types of data subject rights requests and evaluate your response times and procedures.
- Third-party data sharing: regularly review your contracts with third-party vendors to ensure they follow data protection requirements.
- Data breach response plan: test your data breach response plan to confirm that it works and to find areas for improvement.
- Staff education and awareness: surveys or audits can be used to track staff training completion rates and assess their grasp of data protection regulations.
- Data protection impact assessments (DPIAs): conduct a new DPIA for any new processing activity that may pose substantial risks to data privacy.
For effective monitoring and review, regular scheduled reviews, the use of monitoring tools, internal audits, stakeholder involvement, and planning and documentation are all necessary parts of the process.

6.6. Documentation of compliance activities

Our compliance documentation should cover the following aspects of customer data:
- Inventory and mapping of personal data: a comprehensive list of all personal data gathered, saved, and processed within your hotel.
- Policies and processes for data protection: policies that clearly outline your approach to data collection, storage, usage, and disposal.
- Implementing data subject rights: documentation describing how you handle requests to access, correct, erase, or limit the processing of guest data.
- Agreements for third-party data sharing: contracts with all third-party providers with whom you share guest data, defining their data protection duties.
- Data breach response plan: a step-by-step approach for detecting, mitigating, and reporting data breaches.
- Training documentation and materials: employee training on data protection policies and best practices must be documented.
- Internal audit reports: records of any internal audits performed to ensure that data protection requirements are being followed.
Best practices for the documentation are:
- Clear language: make sure your documentation is understandable to both technical and non-technical readers by using clear and simple language.
- Keep a central repository: all documents should be kept in a secure, centralized location for easy access and retrieval.
- Version management: implement a system for document tracking and updating to ensure you are always using the most recent version.
- Review and update on a regular basis: review and update your documentation regularly to reflect changes in regulations, technology, or your hotel's data protection practices.

6.7. Retention of records
Retention periods and key record categories:
- Guest registration and identification: retention terms vary by country but are commonly 5 to 10 years following the guest's stay.
- Financial records: tax regulations frequently require financial records to be kept for 7 to 10 years.
- Guest communications: emails, phone conversations, and other communication logs from guests might be stored for various periods of time depending on their purpose. Consider storing operational messages for a shorter time and complaint logs or records of legal issues for a longer period.
- CCTV footage: security footage retention periods commonly range from 30 days to 3 months.
- Employee records: depending on local legislation, HR documents such as contracts, performance reports, and disciplinary records should be kept for the duration of employment and for a period after the employee leaves.
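A retention schedule like the one above is only enforceable if it is encoded once and applied to every record automatically. The block below is an added example, not the handbook's or the Group's code: it turns the categories above into a (category, country) lookup, computes each record's deletion date from its reference date, and respects a hold for complaints or legal issues. The concrete periods chosen per country, the country codes and the category names are assumptions made for the example; real values come from local law.

```python
"""Retention schedule enforcement for hotel records.

Added example, not the handbook's own code. It encodes the retention
periods listed in 6.7 and decides which records are due for deletion on a
given date. Where the handbook gives a range (e.g. 5 to 10 years) the value
chosen per country here is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per (category, country), counted from the record's
# reference date: end of stay, invoice date, recording date, or employment
# end date. "*" is the fallback when no country-specific rule exists.
# Every value below is assumed for the example, not taken from any law.
RETENTION = {
    ("guest_registration", "*"): timedelta(days=5 * 365),
    ("guest_registration", "VN"): timedelta(days=10 * 365),
    ("financial", "*"): timedelta(days=7 * 365),
    ("financial", "DE"): timedelta(days=10 * 365),
    ("communication_operational", "*"): timedelta(days=90),
    ("communication_complaint", "*"): timedelta(days=3 * 365),
    ("cctv", "*"): timedelta(days=30),
    ("employee", "*"): timedelta(days=3 * 365),   # after employment ends
}


@dataclass
class Record:
    record_id: str
    category: str
    country: str
    reference_date: date
    legal_hold: bool = False   # open complaint or legal issue keeps it (6.7)


def retention_period(category: str, country: str) -> timedelta:
    """Country-specific period if defined, else the general one.

    An unknown category raises KeyError on purpose: a record with no
    retention rule must be noticed, not silently kept or deleted.
    """
    try:
        return RETENTION[(category, country)]
    except KeyError:
        return RETENTION[(category, "*")]


def delete_after(rec: Record) -> date:
    """First date on which the record may be deleted."""
    return rec.reference_date + retention_period(rec.category, rec.country)


def due_for_deletion(records, today: date) -> list:
    """IDs of records whose period has expired and that are not on hold."""
    return [r.record_id for r in records
            if not r.legal_hold and delete_after(r) <= today]


def retention_report(records, today: date) -> dict:
    """Per-record status, usable as evidence for the documentation in 6.6."""
    report = {}
    for r in records:
        if r.legal_hold:
            report[r.record_id] = "held"
        elif delete_after(r) <= today:
            report[r.record_id] = "delete"
        else:
            report[r.record_id] = "retain"
    return report
```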


7. Data Transfer Mechanisms

7.1. Adequacy decisions
The European Commission may rule that a third country's data protection legislation provides acceptable safeguards for personal data. Data can be transferred freely to a jurisdiction with an adequacy ruling without any additional precautions.

7.2. Appropriate safeguards
Transfers to countries that do not have an adequacy decision must include adequate measures to guarantee that the data is protected to the same level as it would be within the EU. These safeguards may include the following:
- Standard contractual clauses: contracts between the sender and the receiver that include specified data protection requirements.
- Binding corporate rules: internal data protection rules within a multinational corporation that have been approved by the relevant data protection authorities.
- Derogations: limited exceptions to the general transfer ban, such as contractual necessity or consent.

7.3. Binding corporate rules

Binding corporate rules (BCRs) are a complicated but potentially efficient method of transferring data throughout a multinational corporate group. However, obtaining approval from data protection authorities takes a significant amount of time and effort.

8. Cooperation with Supervisory Authorities

8.1. Notification of data breaches
The Group must notify the appropriate data protection authorities within 72 hours of discovering a data breach that poses a substantial risk of harm to persons.

8.2. Consultation on high-risk processing activities

If the Group intends to engage in high-risk processing activities, such as large-scale profiling or automated decision-making with major consequences for individuals, it must first consult the competent data protection authorities.

9. Enforcement of GDPR
9.1. Supervisory authorities
Each EU country has its own data protection authority in charge of enforcing the GDPR. These authorities have the power to conduct data breach investigations, levy fines, and require corporations to cease non-compliant data processing operations.


9.2. Fines and penalties

Non-compliance with the GDPR can result in significant fines, up to €20 million or 4% of the annual global turnover of the company responsible for the violation.
Due to this, employees are required to comply with the GDPR.

10. Appendices
10.1. Glossary of terms
- The term “user” here means an individual whose personal data is processed by a controller or processor (also known as the data subject).
- The term “controller” means any person or legal entity that determines the purposes and means of processing personal data.
- The term “processor” means any person or legal entity that processes personal data on behalf of the controller.
- The term “the Group” means Hotels and Resorts Alliance.
