Lawfulness of Processing PII Data In The Context Of A Hotel Business

Lawfulness Of Processing

Lawfulness Of Processing Conditions

This means you need to have at least one lawful reason for processing Personal Data.

If you don’t have at least one lawful reason your business is in breach of GDPR.

Helpfully, GDPR identifies six lawful reasons for you to choose from:

  1. Consent of the Data Subject
  2. Processing is required for the performance of a contract with the Data Subject or to move towards entering into a contract
  3. Processing is required for compliance with a legal obligations
  4. Processing is required to safeguard the vital interests of a Data Subject
  5. Processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
  6. Processing is necessary for the purposes of legitimate interests pursued by the Controller or a third party, except where such interests are outweighed by the interests, rights or freedoms of the Data Subject.

Source: Information Commissioner’s Office, Overview of the General Data protection Regulation (GDPR) 17th August 2017, licensed under the Open Government Licence

The Processing Conditions – Some Thoughts

In reality, most businesses are likely to make use of the first two on that list.  Your business will need Consent from the Data Subject for online direct marketing.  Item 6 “Legitimate Interest” may also be available to you IF you prepare properly and is certainly useful for offline direct marketing.

Your other lawful reason for processing personal information will probably be for the “performance of a contract”.

Occasionally you may be able to use “compliance with a legal obligation”. Using the terms of the liquor licensing law for example.

“Safeguarding the vital interests of a Data Subject” might become relevant when handling certain aspects of customer or employee data. But you really need to seek a qualified legal opinion in each case.

Item 6 “Legitimate Interests Pursued By The Controller” is going to be an option, in some cases, to allow good direct marketing to take place.  It is possible that this could signal a resurgence in direct mail for example.  GDPR appears to recognise that it is quite reasonable for a business to wish to add value to a relationship with a customer, or to seek new customers using “Legitimate Interest” instead of consent as a lawful reason for processing personal data.

However.  Be aware that if you want to make use of this reason for sending out direct marketing pieces, you need to be able to illustrate that you have thought things through, planned carefully and observed the interests of the private individuals involved.  You should complete a “Legitimate Interest Assessment” (LIA) before you send anything to anyone.

>