Euro Checkin

Menu
CONTACT US

Your data and GDPR

When accommodation providers collect and submit guest identification data, they must comply with the General Data Protection Regulation (EU) 2016/679 (GDPR).

GDPR applies across the European Union and sets strict rules on how personal data may be processed, protected, and used.

Lawful basis for processing

Guest data is processed because it is required by law.

Under GDPR, personal data may be processed when it is necessary to comply with a legal obligation imposed on the data controller.

In this case, the legal obligation arises from national guest registration laws adopted by EU Member States.

Accommodation providers do not collect guest data for commercial purposes, marketing, or profiling.

Who processes your data?

Depending on the country, guest data is processed by:

  • The accommodation provider, solely for the purpose of legal compliance
  • Competent public authorities, such as police, immigration, or tourism authorities. Guest data is submitted directly to official government systems and is not shared with third parties beyond what is required by law.

What GDPR rights do guests have?

Under GDPR, guests have the right to:

  • Access their personal data
  • Request correction of inaccurate or incomplete data
  • Receive information about the purpose and legal basis of data processing
  • Know how long their data will be retained
  • Lodge a complaint with a national data protection authority.

These rights apply even when data is processed due to a legal obligation.

Rights that may be limited

Because guest data is processed to comply with legal requirements, certain GDPR rights may be restricted by national law, such as

  • The right to erasure (“right to be forgotten”);
  • The right to object to processing

Such limitations are permitted under GDPR when necessary for public security, law enforcement, or compliance with legal obligations.

Data retention

Guest data is retained only for the period defined by national law.

Retention periods vary by country and are determined by public authorities. Once the legal retention period expires, the data must be deleted or anonymised in accordance with applicable regulations.

Data security and confidentiality

GDPR requires both accommodation providers and public authorities to implement appropriate technical and organisational measures, including:

  • Secure data transmission
  • Encryption where required
  • Access controls limited to authorised personnel
  • Protection against unauthorised access, loss, or misuse

Failure to protect personal data may result in legal penalties under GDPR and national law.

No central EU database

Guest personal data is not stored in a central European Union database.

Each Member State processes guest data independently, within its own legal framework and under the supervision of national data protection authorities.