Collection of Personal Data: If legislation requires it, then why so much confusion?

Given that the hotel industry collects, processes, retains and transmits personal data as required by law, it is important to consider the form, legality and procedures involved in this process. In one of my first articles I warned about the approaching entry into force of the Regulation (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. However, there is some confusion regarding the obligations and limitations imposed not only by the upcoming European regulation but, above all, by the national legislation in force. Also considering cases of reproduction of the Citizen Card, I decided to make my contribution to help better understand what is really at stake.

COLLECTION, RETENTION, PROCESSING AND TRANSMISSION OF PERSONAL DATA

In national legislation, the collection, retention, processing and free movement of personal data are covered by Law No. 67/98, of 26 October. This Law transposes Directive No. 95/46/EC of the European Parliament and of the Council, of October 24, 1995, which in turn gave rise to the aforementioned Regulation (EU) 2016/679, which will only be applicable from May 25, 2018. It is important to know that Law No. 67/98 already meets many of the requirements of the European Regulation. However, there are still some important gaps that will need to be filled by May 2018.

THE HOTEL AND PERSONAL DATA

It is important to establish, regardless of the form, why the hotel industry collects personal data. This can happen for several reasons, namely:

  • Compliance with Decree-Law No. 256/86, of August 27th – Guest Book (Article 22), exempted in the case of using computerized means for the respective registration;
  • Compliance with Law No. 23/2007, of February 4th – Communication of accommodation (Article 16);
  • Compliance with Notice No. 10263/2015, of September 8th – Municipal Tourist Tax (articles 68 and 70) and respective implementation rules.

It should be noted that these are some of the most common reasons for the mandatory collection of personal data, and there may be others. Data may also be collected for commercial or marketing reasons that are not directly covered by legislation. However, when it comes to a citizen card, there is an additional need to comply with Law No. 7/2007, of February 5th, namely its article 5, paragraph 2, which stipulates that the reproduction of this card by photocopy or any other means without the holder's consent is prohibited, except in cases expressly provided for by law or by decision of a judicial authority.

Question: if the legislation requires it, then why so much confusion?

Keeping the focus on current legislation: it establishes that personal data must be:

  • Collected for specific, explicit and legitimate purposes and cannot be further processed in a way that is incompatible with those purposes;
  • Treated lawfully and with respect for the principle of good faith;
  • Adequate, relevant and not excessive in relation to the purposes for which they are collected and subsequently processed.

It also establishes that the processing of personal data can only be carried out if the holder has unequivocally given their consent or if the processing is necessary to, among other things, comply with a legal obligation to which the person responsible for the processing is subject. I would like to remind you that the same legislation also establishes that the data subject has rights, namely to information about the purpose of the processing, among many others.

Answer: because the data subject must be informed about the purposes of the collection before giving their consent to the collection and processing of personal data, and also because, if the collection is to comply with the law, the personal data collected cannot be used for anything else.

WHERE TO START?

Therefore, regardless of the form of collection (whether by paper form, digital recognition, web form or any other), the typical question regarding the use of scanners at reception no longer makes sense, as the important thing is whether or not the data subject was informed and their consent obtained. We can easily conclude that this is a matter of the procedure used and not of the equipment. In this particular case, I can only recommend analyzing and fine-tuning any data collection procedures, in order to:

  • Clearly inform the data subject of the legal obligation (with references to the respective legal regulations) before collection;
  • Inform about the objectives of collection and processing, if you are collecting data beyond the situations provided for by Law;
  • Do not collect data beyond what is necessary for the established objectives;
  • If possible, implement pre-check-in processes, letting the guest fill in the data in an online form (don't forget that you must encrypt the transmission of this data), so that at reception it will only be necessary to confirm that everything is ok;
  • At reception, position scanners within view of data subjects, adopting a transparent attitude towards their use and preventing them from being confused with photocopiers;
  • Clearly indicate that the documents are not being copied or scanned, but rather that automated recognition of the data necessary for collection is being carried out;
  • Alternatively, provide a paper form for the guest to fill out if they express discomfort regarding the scanners.

Due to the European regulation mentioned above and the changes foreseen by SIMPLEX, particularly with regard to the reproduction of the Citizen Card, this issue is on the agenda, and we can expect increasing attention from data holders. The implementation of appropriate procedures will certainly reduce potentially uncomfortable situations and at the same time convey an image of increased professionalism and security to your guest.

This article is for informational purposes only. It is not a legal opinion, does not bind its author to the information provided and, therefore, does not preclude an evaluation by the compliance or legal departments of the hotel units, but at least here are the clues necessary so that your hotel can quickly overcome this challenge.
