A loyalty program: it is the ultimate means to bind guests to your organization and build a lasting relationship with them. In recent years, more and more hotels are becoming part of franchise formulas, resulting in more chain formation in the Netherlands. This development is transforming the hotel market every year and making guest loyalty even more important.
It is inherent to loyalty programs that you collect information about your guests in the process. Think of name and address details, but also information such as purchase history and customer numbers. This information is considered personal data. The use of personal data falls under the General Data Protection Regulation (GDPR; in Dutch: AVG) and because of this, certain conditions must be met. But what conditions are these exactly? And what about sending direct marketing messages to your guests in connection with the loyalty program? What does the upcoming European ePrivacy Regulation say about this?
The Article 29 Working Party [1] has explicitly recommended [2] that guest data may only be processed by an organization for a loyalty program if the guest has given consent. This consent must meet a number of conditions if it is to be legally valid. For example, the consent must have been given freely and thus without pressure or coercion, must be specific and informed, and must be an unambiguous expression of will, whereby the processing is accepted by the guest through an active action. In other words, inaction does not produce valid consent. In practice, this means that consent to process personal data must be given by, for example, (i) filling out a form for the loyalty program, (ii) checking a check box on the website that is not selected by default, or (iii) a verbal communication from the guest.
A consent is 'specific' if the guest can give consent to the processing of data for the loyalty program separately from other consent questions. We speak of 'informed' consent if the guest is informed in a timely, clear and complete manner of how the data will be used for the loyalty program. This information is usually included in a privacy statement (published online), and issued prior to the processing of the data for the loyalty program.
A logical place for integrating the consent question online is (i) for guests with an account: in the screen where the guest registers as a guest and (ii) for guests without an account: in the check-out screen that is passed through to purchase a product or service. It is important to always actively reference the privacy statement in these screens, for example, by including a hyperlink to your organization's web page where the privacy statement can be found.
The guest's consent to the use of guest data for the loyalty program must - as stated above - be "informed". The following information should always be included in the privacy notice to meet this requirement:
Name and contact information of your organization and, if applicable, the data protection officer;
Purposes for which guest data is used, with the loyalty program clearly explained;
What personal data you use from your guest;
Which third parties receive this guest data;
Whether the data could end up outside the European Economic Area [3], for example because service providers (IT suppliers) or servers are located there;
How long guest data is kept for the loyalty program;
Rights of the guest, such as withdrawal of consent given.
Your guests have several rights related to personal data. For example, your guest can request access to personal data, which in practice means providing a copy. The guest can also request deletion of personal data and/or the loyalty account. Correction of erroneous data can also be requested. None of these rights is absolute; that is, it is up to the organization to judge whether to comply with a request. [4] For example, a request for deletion need not be facilitated if the data is needed in connection with a legal dispute.
A right that is, however, absolute and must therefore always be honored is the guest's right to withdraw the consent given. This withdrawal may take place at any time and need not be justified. After a request for withdrawal is received, the organization may no longer use the guest data for the loyalty program. The withdrawn consent does not affect the processing of the guest data for other legitimate purposes, for example tax administration.
The other obligations of the AVG must also be met in order to validly process guest data for the loyalty program. Among other things, this means that the processing must be included in the organization's register of processing activities. A concrete retention period must also be established, only the data that is truly necessary for the loyalty program must be processed, and the data must be appropriately secured. [5]
In addition to the AVG, so-called "direct marketing" rules also apply if you contact your guests via email, phone, text message or WhatsApp in connection with the loyalty program. These rules are currently laid down in the Telecommunications Act, but the intention is that this will be replaced by the European ePrivacy Regulation. However, this regulation has been under negotiation at the European level since 2016 (!) with no prospect of agreement at this time. The (smooth) creation of this law is therefore not a given. There are even cautious signals that the negotiations have stalled to the extent that the ePrivacy Regulation is not coming at all. Whatever the case may be, it is important for you to realize that - according to both the Telecommunications Act and the ePrivacy Regulation - you may only send your guests messages through the aforementioned channels if the guest has given permission (opt-in). This opt-in must be given separately from the AVG consent, but it can be integrated in the same place and in the same way (empty checkbox) as the AVG consent.
[1] The authoritative European data protection advisory body, in which all national data protection supervisors are represented.
[2] Article 29 Working Party, "Opinion 15/2011 on the definition of consent," adopted July 13, 2011 (WP187), available here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf
[3] This covers all countries of the European Union, including Norway, Iceland and Liechtenstein.
[4] Chapter V AVG explains the exceptions to each type of right (and thus: when they need not be facilitated).
[5] Based on Articles 30, 5(1)(e), 5(1)(c) and 32 AVG, respectively.