A loyalty program is the ultimate means to bind guests to your organization and build a long-standing relationship with them. In the past years, more and more hotels have joined franchise formulas, resulting in a greater number of hotel chains in the Netherlands. By this development, the hotel market is transforming every year and guest loyalty is getting even more important.
An inherent feature of loyalty programs is that you collect information about your guests. This information includes name and address details, but also purchase history or customer numbers. Such information is regarded as personal data. Since the use of personal data is governed by the General Data Protection Regulation (GDPR), certain conditions must be met. But what are these conditions? What about the sending of direct marketing mails to your guests in connection with the loyalty program? What does the forthcoming European ePrivacy Regulation say about this?
Conditions for using guest data for a loyalty program
The Article 29 Working Party [1] has expressly recommended [2] that organizations may only process guest data for a loyalty program if the guest has consented to this. For such consent to be legally valid, it has to meet a number of conditions. Consent must have been freely given (without pressure or coercion), be specific and informed, and must be an unambiguous indication of the guest’s wishes, by which the guest accepts the processing through an affirmative act. In other words: valid consent is not created by doing nothing. In practice, consent to the processing of personal data is given by, for example: (i) completing a form of the loyalty program; (ii) ticking a box on the website that is not automatically ticked; or (iii) an oral communication by the guest.
Consent is ‘specific’ if the guest can consent to the processing of data for the purpose of the loyalty program separately from other consent questions. Consent is ‘informed’ if the guest was informed in time, clearly and completely about the way in which the data are used for the loyalty program. Such information is usually recorded in a privacy statement (published online), and issued prior to the processing of the data for the loyalty program.
A logical place for the online integration of the request for consent is (i) for guests who have an account: on the screen where the guest registers as a guest; and (ii) for guests without an account: on the check-out screen that they go through when buying a product or service. It is important always to refer actively to the privacy statement on these screens, e.g. by adding a hyperlink to your organization’s web page where the privacy statement can be found.
Informing guests
As mentioned above, the guest's consent to the use of guest data for the loyalty program has to be ‘informed’. In order to meet this condition, the information below should always be included in the privacy statement:
- name and contact details of your organization and possibly of the data protection officer;
- purposes for which the guest data are used, along with a clear explanation of your loyalty program;
- which personal data of your guest you use;
- which third parties will also receive these guest data;
- whether the data can end up beyond the European Economic Area [3], for example because service providers (IT suppliers) or servers are based there;
- how long the guest data will be retained for the loyalty program;
- rights of the guest, such as revoking a given consent.
Rights of guests
Your guests have several rights in connection with personal data. For instance, your guest may request access to the personal data. In practice this means that a copy must be provided, but it may also involve the deletion of personal data and/or the loyalty account. The correction of inaccurate data may also be requested. None of these rights is absolute, which means that it is up to the organization to assess whether it will facilitate them. [4] For example, a request for deletion need not be facilitated if the data are necessary in connection with a legal dispute.
A right that is absolute and must therefore always be honoured is the right of the guest to revoke his given consent. Revocation is possible at any time and need not be supported by reasons. After a request for revocation has been received, the organization cannot use the guest data for the loyalty program any longer. The revoked consent will not affect the processing of the guest data for other, legitimate purposes, such as tax administration.
Other obligations under the GDPR
To allow the lawful processing of guest data for the loyalty program, the other obligations from the GDPR must also be complied with. This means, among other things, that the processing must be recorded in the organization’s register of processing activities. A concrete retention period must also be determined; only those data that are actually necessary for the loyalty program can be processed; and the data must be protected adequately. [5]
Direct Marketing Rules
Besides the GDPR, the ‘direct marketing’ rules also apply if you approach your guests via e-mail, telephone, SMS or WhatsApp in connection with the loyalty program. At present, these rules are set out in the Dutch Telecommunications Act, but this Act is intended to be replaced by the EU ePrivacy Regulation. However, negotiations in the EU about this Regulation have been going on since 2016(!), without any current prospect of reaching agreement. It is by no means certain that this Regulation will see the light any time soon. It is even rumoured that negotiations have become so deadlocked that the ePrivacy Regulation will not happen at all. Be that as it may, you should be aware that, both under the Telecommunications Act and the ePrivacy Regulation, you can only send your guests messages via the above-mentioned channels if the guest has consented (opted in) to this. Such an opt-in must be given separately from the GDPR consent, but can be integrated in the same place and the same way (by an empty check box) as the GDPR consent.
This article was written for Hospitality Management by Laura Poolman and published on 16 January 2024.
Footnotes
[1] The authoritative European data protection advisory body, in which all national data protection supervisors are represented.
[2] Article 29 Working Party, “Opinion 15/2011 on the definition of consent”, adopted on 13 July 2011 (WP187), which can be consulted here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf
[3] These are all countries of the European Union plus Norway, Iceland and Liechtenstein.
[4] Chapter V of the GDPR explains the permitted exceptions to this for each type of right (i.e. when these rights do not have to be facilitated).
[5] Respectively Articles 30, 5(1)(e), 5(1)(c) and 32 of the GDPR.