Since the General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018, it has reshaped how personal data is handled, especially in data-heavy industries like hospitality.
Now in 2025, GDPR compliance remains both a legal obligation and a competitive necessity for hotels operating in or catering to the European market. Fines can reach up to €20 million or 4% of global annual turnover, whichever is greater.
This guide outlines the challenges and obligations presented by GDPR, drawing on insights shared by hospitality tech leaders such as Nick Price (citizenM Hotels), Uli Pillau (Apaleo), and Suzanne Ward (Mövenpick Hotels & Resorts).
At the Young Hoteliers Summit held at Ecole hôtelière de Lausanne, industry experts emphasized the critical nature of GDPR compliance for the hospitality sector.
Nick Price, CEO of NetSys Technology and CIO of citizenM Hotels, highlighted a sobering reality: careers in the hospitality industry could end abruptly for those responsible for data breaches.
The hospitality industry faces unique challenges due to the volume and variety of personal data it processes.
Hotels collect and store information across numerous operational systems, from property management systems to customer relationship management platforms, creating complex data environments that require careful oversight.
Entrepreneur Uli Pillau, founder of tech firm Apaleo, drew parallels to Payment Card Industry (PCI) compliance, noting that GDPR initially wasn't taken seriously enough by many in the industry.
However, the intervening years have brought greater awareness of the regulation's implications and the need for comprehensive compliance strategies.
Legacy systems continue to represent significant risk factors for hotels. Many properties still operate on decades-old systems that weren't designed with modern data protection principles in mind.
The recommended approach involves implementing token technology that encrypts data entirely, ensuring that sensitive information cannot be compromised even if systems are breached.
Suzanne Ward, Director of Digital Solutions at Mövenpick Hotels & Resorts, emphasized that protection extends beyond guest data to include employee information such as payroll and HR records. This approach to data protection has become standard practice across the industry.
Beyond avoiding penalties, GDPR compliance has proven to be a competitive advantage. The regulation protects fundamental information about individuals and helps establish trust between hotels and their guests.
This trust is essential in an industry where customers literally place their safety in the hands of hoteliers. The regulation has also highlighted the value of customer data as a business asset.
Companies like Google and Amazon have built significant valuations on their ability to monetize personal information.
Hotels, with their unique relationship with guests and rich data sets, are well-positioned to derive similar value while maintaining the trust that GDPR helps establish.
Price noted that hotels have a unique opportunity to provide beneficial returns to customers through the responsible use of their data, creating a win-win scenario where guests receive personalized services while hotels build stronger, more profitable relationships.
As we progress through 2025, GDPR compliance has evolved from a regulatory burden to a business enabler.
Hotels that have invested in proper data protection infrastructure find themselves better positioned to leverage customer insights, personalize services, and build lasting relationships with guests.
The regulation's emphasis on transparency, consent, and individual rights has raised the bar for customer experience across the hospitality industry.
Hotels that excel in data protection often find that their commitment to privacy becomes a differentiating factor in an increasingly competitive market.
GDPR isn’t going away, and noncompliance is no longer tolerated as a learning curve. Regulators continue to interpret its application through case law and enforcement actions.
For example, EU authorities have begun targeting not just large tech firms but also smaller companies (including hospitality brands) for cross-border data transfers, lack of consent, and inadequate data security measures.
Hotels that are proactive about compliance can reduce legal risk and reinforce their brand’s reputation for trustworthiness. As data becomes even more central to hotel operations, the ability to handle it responsibly will define which brands thrive.