Caution: Data protection

Data protection cloud softwareAt least since the GDPR went into effect, data protection should be at the top of your agenda. However, when it comes to selecting cloud software systems, the applicable legislation is often negligently violated.

In case your Cloud Provider is located outside the EU

Today, every cloud provider is obliged to take sufficient technical and organizational measures with regard to data protection and data security.

This also includes regulations on any subcontractors, such as hosting providers or integrated software components. Both of these are part of the so-called Data Processing Agreement (DPA). However, experience has shown that these are rarely checked comprehensively by the contractor, e. g. the hotel, before they are concluded – with dangerous consequences. Since last year, there has been a very significant court decision that for all those cases in which either the cloud provider itself or one of its subcontractors is not based in the EU or EEA but outside. This applies to many large soft-ware providers, especially in the hotel industry.

Background: Protection from US Authorities

In July 2020, the European Court of Justice (ECJ) declared the successor to the Safe Harbor Agreement, the so-called Privacy Shield Framework between the U.S. and the European Union, invalid. This means that personal data transferred to recipients in the USA on the basis of this agreement may NOT be transferred there anymore. This affects cloud software providers as well as hosting companies in the USA, as well as all subcontractors in the USA. Anyone who processes their guest data using a US cloud software provider or stores it in a hosting environment in the USA is therefore committing a data protection violation – insofar as this continues to take place against the background of the Privacy Shield – which can be punished with a fine of up to 4% of last year’s global turnover.

  • eHotelier Essentials Banner
  • APN Solutions Banner
  • Duetto Trends Banner

The reason for the court ruling is the fact that the Privacy Shield cannot provide sufficient protection for data stored by US companies against access by US authorities, as it binds US companies but not government investigating authorities in the USA. The EU court, which a few years earlier had also overturned the Safe Harbor agreement as a predecessor regulation, sees this as a serious violation of the high European data protection standards for the protection of the data subjects, in the hotel sector primarily the hotel guests.

The Privacy of Hotel Guests

This legal opinion is quite understandable and has a great significance especially for the hotel industry. On the one hand, hotels try everything to protect their guests and their privacy. On the other hand, however, the guests’ data is often transferred to a country outside the EU, such as the USA, without their knowledge or consent and thus made accessible to the authorities there.
Especially some guests of luxury hotels would probably have their hair stand on end if they knew this.

So be cautious, when it comes to selecting cloud software systems!

About the authors

This article is co-written by Dr. jur. Robert Selk and Dr. Michael Toedt.

Dr. jur. Robert Selk, a lawyer specializing in IT law, is a partner at SSH Rechtsanwälte in Munich. He received his doctorate in 2002 in the field of Internet and data protection law. The focus of his parallel master’s postgraduate studies was European and international business law (Master of Law, LL.M.). For many years, his practice has involved computer, Internet and data protection law as well as trademark, copyright and competition law. Dr. Selk is also appointed as an external data protection officer in various internationally active companies, works extensively as a speaker on IT and data protection law, and is a member of, among other things, the legislative committee on IT law of the German Bar Association and co-chairman of the “Data Protection” specialist committee of the German Society for Law and Information Technology. In addition, he regularly publishes legal articles.

Tags: Cloud systems, cyber security, data protection, Hotel Technology

dailypoint™ is the leading Data Management and CRM platform for demanding individual hotels and hotel groups. dailypoint™ collects data from all relevant sources such as PMS, POS, website, newsletter or WiFi and automatically creates a central and consolidated guest profile.

Related Articles

Related Courses

You might also like:

  • Cendyn 240 400 2404
  • Duetto Trends
Join over 60,000 industry leaders.

Receive daily leadership insights and stay ahead of the competition.

Leading solution providers:

  • 2024 Predictions