According to the General Data Protection Regulation (GDPR) in the European Union, any processing of personal data must have a legal basis, which may include consent. The completion of a contract can also be a valid legal basis for processing personal data. In other words, for a hotel booking, you may rely on “fulfilling a contract” as the legal basis for processing the guest’s personal data.
However, it’s important to note that the GDPR limits the processing of personal data to the original purpose. For example, if you also plan on sending marketing emails to your guests, you will have to obtain their consent to process personal data for that specific purpose.
(The following information is not intended to be legal advice).
This is the definition of consent according to the GDPR:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Bookings can be received in different ways – through your website, email, phone, etc. Based on the above definition, it could be argued that when a guest contacts your property to make a booking, and states his or her personal data to be registered in that booking, that is a “clear affirmative action”. There is no need to explicitly ask for permission to process the personal data for the purpose of that booking.
For bookings made online through the Sirvoy booking engine, you might still want to clearly obtain the guest’s consent, especially if you plan on processing personal data for additional other purposes. You can do that by activating the “terms & conditions” checkbox feature. Or you can create a “custom field” in the booking engine – a checkbox with your own customized text; for example “I hereby give my consent to the processing of my personal data for the purpose of this booking”.