Industry Guides
Data Protection for Hotels and Hospitality
Guidance for Jamaican hotels, guest houses, villas, and restaurants on handling guest data, ID at check-in, bookings, and CCTV.
What you will learn
- The guest data hospitality businesses hold
- Handling ID and passport details at check-in
- Working with booking platforms and processors
- Practical steps for guests, staff, and CCTV
Overview
Hotels, guest houses, villas, and restaurants collect a steady stream of personal data: bookings, identity documents, payment details, preferences, and CCTV. With many international guests, getting this right matters for reputation as well as compliance. This guide explains how.
Why this matters
Guests hand over sensitive details, sometimes including passport or ID information, and expect them to be protected. A leak or careless handling can harm guests and your property's reputation, especially with overseas visitors who compare you to international standards.
The data you hold
- Guests: names, contact details, identity or passport data, payment information, stay history, and preferences.
- Bookings: data from your own site and from third-party platforms.
- On-site: CCTV footage and, for restaurants, reservation records.
- Staff: employment and payroll records.
Identity documents at check-in
Collecting ID at check-in is common, but collect only what you actually need, store it securely, and do not keep copies longer than necessary.
Booking platforms and processors
When you take bookings through a third-party platform, that platform usually acts as a processor, handling data on your instructions. You remain the controller for the guest data you collect and use (see Who is a Data Controller?). Make sure those relationships are backed by proper terms.
CCTV
Cameras in lobbies and common areas record personal data. Use clear signage, limit who can view footage, set a retention period, and handle requests for footage carefully. Avoid cameras in private areas such as rooms.
Common scenarios
- International guests. Be transparent about what you collect and why, and protect it to a standard they would expect.
- Marketing to past guests. Rely on clear consent and offer an easy opt-out.
- A guest asks what you hold. Treat it as an access request.
Common mistakes
- Keeping passport copies indefinitely.
- Emailing offers to every past guest without consent.
- CCTV without signage, retention limits, or access controls.
Best practices
- Give guests a clear privacy notice at or before check-in.
- Minimise and securely store identity data.
- Confirm your booking platforms and payment providers are reputable and properly contracted.
Put this into practice
Create a guest-facing privacy notice tailored to your hotel, guest house, or restaurant.
Generate a privacy notice for your propertyFrequently asked questions
Key takeaways
- Hospitality businesses hold guest identity, payment, booking, and stay data.
- ID and passport details collected at check-in need careful, limited handling.
- Booking platforms are usually processors, but you remain the controller.
- Clear notices, secure storage, and sensible retention cover most obligations.
