How a non-compliant breakfast could cost hoteliers dearly

Did you miss the headline fine dished out to Marriott by the Information Commissioner’s Office this year? A whopping £100m for the loss of personal data including credit card details, passport numbers and dates of birth stolen in a massive global hack of guest records.


In fact, our previous blog explored this breach and its consequences for hoteliers. Most startling was the fact that two-thirds of hotel websites leave guests’ personal data exposed to hackers.


While Marriott has stolen the limelight for hotels hit by GDPR enforcement, they aren’t the only hoteliers coming under the cosh. We were alerted to an interesting case of non-compliant breakfasting by travel blogger One Mile at a Time that left us thinking about the myriad GDPR challenges this industry comes up against.


On July 2nd the World Trade Center Bucharest’s Pullman hotel was fined 15k Euros by the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).


A photograph taken without the guests’ permission showed a list of 46 names of those booked in for breakfast at the hotel. That was all it took for the hotel to have to hand over thousands in fines.

Here’s the summary from


 – The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties – 


You can imagine this scenario playing out across so many functions: from travel arrangement lists and event guest lists used on the door to breakfast, lunch and dinner! How would you feel coming up against a 15k fine for non-compliant printouts?


It goes to show that it isn’t just high-profile hacks that can land hoteliers in hot water when it comes to GDPR. Proper data protection encompasses the whole business – not just email marketing permissions or hack precautions.


With this in mind, it is essential to track and respond to any business practices that could lead to a breach. This should go hand in hand with staff training and awareness. As this latest example shows, an employee armed with a printer could see your business end up on the register of GDPR offenders – and cost you a lot more than the price of a free breakfast…



If you are struggling to identify the weak links in your GDPR strategy get in touch to find out how we can help shore up your defences with our bespoke auditing services. 

