PRIVECTA

Like detectives, we find what others miss. Like guardians, we protect what matters most.

December 22, 2025 · 5 min read · Categories: DPDP Act, DPDP Act Compliance

DPDP Act, 2023 and Hotels: Are You Protecting Your Guests’ Personal Data?

By privecta@gmail.com December 22, 2025
DPDP Act, 2023 and Hotels: Guest Data Protection & Compliance

From luxury resorts to budget hotels, the hospitality industry runs on personal data. Every booking, ID proof, phone number, and payment detail makes hotels custodians of highly sensitive guest information.

With the Digital Personal Data Protection Act, 2023 (DPDP Act) now in force, hotels in India must rethink how they collect, store, and use guest data, or risk serious penalties and reputational damage.

Let’s understand what the DPDP Act means practically for hotels.

Why Hotels Are Directly Impacted by the DPDP Act

Hotels routinely process:

  • Guest names, phone numbers, email IDs
  • Aadhaar, passport, visa copies
  • Address and nationality details
  • Payment and billing information
  • CCTV footage
  • Employee personal data

Under the DPDP Act, any entity that determines the purpose and means of processing personal data is a “Data Fiduciary.”
Hotels clearly fall into this category.

Common Data Collection Points in Hotels

Most hotels don’t realise how many touchpoints involve personal data:

  • Online bookings (website, OTA platforms)
  • Walk-in guest registrations
  • KYC and ID verification at reception
  • CCTV surveillance
  • Wi-Fi login systems
  • Loyalty programs and marketing emails
  • Staff HR records

Each of these must now comply with DPDP Act requirements.

Key Obligations of Hotels Under the DPDP Act, 2023

1️⃣ Lawful and Transparent Data Collection

Hotels must:

  • Collect only necessary data
  • Clearly inform guests why their data is being collected
  • Provide a privacy notice in simple language

Example:
Asking for ID proof for legal compliance is valid; storing it indefinitely “just in case” is not.

2️⃣ Consent Is Central

Guest data (especially for marketing or promotions) must be:

  • Collected with free, informed, and specific consent
  • Capable of being withdrawn easily

Pre-ticked consent boxes or forced marketing opt-ins can violate the Act.

3️⃣ Reasonable Security Safeguards

Hotels must take reasonable security measures to prevent data breaches, including:

  • Restricted access to guest records
  • Secure PMS and booking software
  • Password policies and role-based access
  • Vendor due diligence (OTAs, CRM, payment gateways)

A breach of guest data can invite heavy penalties.

4️⃣ Data Breach Reporting Obligations

In case of a personal data breach, hotels must:

  • Notify the Data Protection Board of India
  • Inform affected guests where required

Delays or concealment can worsen liability.

5️⃣ Data Retention and Deletion

Hotels must:

  • Retain personal data only for as long as necessary
  • Delete data once the purpose is fulfilled (subject to legal requirements)

Old guest records sitting unprotected on systems are a ticking compliance risk.

Special Care: Foreign Guests & Sensitive Data

Hotels dealing with:

  • Foreign nationals
  • Passport and visa details
  • International bookings

must ensure higher diligence, especially when using cloud systems or third-party vendors.

Penalties Hotels Should Be Aware Of

Under the DPDP Act, penalties may be imposed for:

  • Failure to implement reasonable security safeguards
  • Failure to report personal data breaches
  • Violations of consent and notice obligations

Penalties can extend up to ₹250 crore, depending on the nature and severity of the breach.

Practical Compliance Checklist for Hotels

✔ Privacy Notice displayed at reception and website
✔ Consent-compliant booking and check-in forms
✔ Secure storage of ID proofs
✔ Defined data retention and deletion policy
✔ Staff training on data privacy
✔ Vendor contracts aligned with DPDP requirements
✔ Incident response and breach reporting plan

Why DPDP Compliance Is Good for Business

Beyond legal compliance, DPDP readiness:

  • Builds guest trust
  • Improves brand reputation
  • Reduces operational risk
  • Enhances readiness for global data standards

In hospitality, trust is everything, and data protection is now part of the guest experience.

Final Thoughts

The DPDP Act, 2023 marks a shift in how hotels must treat guest information, from casual record-keeping to structured data responsibility.

Hotels that act early will not only avoid penalties but also position themselves as privacy-respecting brands in a competitive market.

Need Help With DPDP Compliance for Your Hotel?

If you operate a hotel or hospitality business and want to ensure DPDP Act compliance, professional guidance can save you from costly mistakes and future penalties.

Frequently Asked Questions (FAQs): DPDP Act, 2023 and Hotels

1. Does the DPDP Act, 2023 apply to all hotels in India?

Yes. The DPDP Act applies to all hotels operating in India, including luxury hotels, budget hotels, resorts, guest houses, and homestays, if they collect or process personal data of guests or employees.

2. Is collecting Aadhaar or passport details allowed under the DPDP Act?

Yes, hotels may collect ID proofs such as Aadhaar or passports where required by law or for legitimate purposes. However, hotels must:

  • Inform guests why the data is collected
  • Store it securely
  • Not retain it longer than necessary

3. Can hotels use guest data for marketing and promotions?

Only with explicit consent. Guest phone numbers or email IDs collected for booking or check-in cannot be automatically used for marketing unless the guest has clearly agreed to it.

4. What happens if a hotel suffers a data breach?

In case of a personal data breach, the hotel must:

  • Notify the Data Protection Board of India
  • Inform affected guests where required

Failure to do so can result in significant penalties under the DPDP Act.

5. Are hotels responsible for data handled by third-party platforms?

Yes. Hotels remain responsible as Data Fiduciaries even if guest data is processed by:

  • Online Travel Agencies (OTAs)
  • Property Management Systems (PMS)
  • Payment gateways or CRM tools

Proper contracts and due diligence are essential.

6. How long can hotels retain guest personal data?

Hotels should retain personal data only for the period necessary to fulfill legal, operational, or contractual obligations. Once the purpose is completed, the data should be securely deleted or anonymised.

7. Can guests ask hotels to delete their personal data?

Yes. Guests (Data Principals) have the right to:

  • Seek access to their personal data
  • Request correction
  • Request erasure, subject to legal retention requirements

Hotels must have a mechanism to respond to such requests.

8. What is the maximum penalty for non-compliance by hotels?

Depending on the nature of violation (such as failure to protect data or report breaches), penalties under the DPDP Act can extend up to ₹250 crore.