Every hotel in India that enters guest details into any software — from a basic billing system to a full Property Management System — is a Data Fiduciary under the DPDP Act 2023. With guest data including Aadhaar, passport numbers, travel dates, and payment information, the hospitality sector faces significant compliance obligations.
The Data Trail of a Hotel Guest
When a guest checks in, a hotel typically collects:
- Full name, nationality, date of birth
- Aadhaar number or passport number (mandatory under Form C regulations)
- Home address
- Phone number and email address
- Travel dates (arrival and departure)
- Payment information (card details, UPI, or bank transfer records)
- Room preferences (stored in PMS for repeat guests)
- Vehicle registration (for parking)
- Purpose of visit (business/leisure)
This is dense personal data — some of it identity-sensitive (Aadhaar, passport), some financial (payment records), and some behavioural (travel patterns of repeat guests).
Legal Obligations for Hotels
Dual-Track Obligation
Hotels face an interesting duality: Form C under the Foreigners Act and similar regulations require hotels to collect Aadhaar/passport data from guests. However, the DPDP Act applies to how that data is handled after collection. You cannot use a guest's Aadhaar number (collected for ID verification) for any other purpose — such as marketing — without separate consent.
Complying with one law doesn't give you a free pass under another. The legal obligation to collect doesn't override the DPDP obligation to protect and limit the use of that data.
Consent at Check-In
The check-in process is the natural point to collect DPDP-compliant consent. A tablet or touchscreen at the front desk can display a brief consent notice before the guest fills in their details. The consent should cover:
- What data is collected (ID, contact details, payment)
- Why (check-in, billing, legal ID verification obligation)
- Who it's shared with (payment processor, OTAs if booked through them, government if required by law)
- How long it's kept (specify your retention policy)
OTA and Booking Platform Relationships
Hotels that list on MakeMyTrip, Goibibo, Booking.com, or Airbnb receive guest data from these platforms. These OTAs are Data Processors for the guest booking, and you become a joint/separate Data Fiduciary once you receive and process that data at your property.
Review your contracts with each OTA. Do they have DPDP-compliant data processing terms? Are they sharing data for the right purposes? If a guest booked on Booking.com, the guest may not have consented to you using their email for your own marketing campaigns — that requires separate consent from you.
Property Management System (PMS) Security
Your PMS is the central data store for guest information. Security requirements:
- Role-based access — front desk staff, housekeeping, management should see only what they need
- Secure login (no shared passwords; two-factor authentication for administrative access)
- Regular access logs — who accessed which guest record and when
- Encrypted storage of sensitive data (Aadhaar, passport numbers)
- Clear policy on PMS access after an employee leaves
For cloud-based PMS solutions (Hotelogix, Oracle Hospitality), check if they provide a Data Processing Agreement and confirm their security certifications.
Loyalty Programmes
If your hotel runs a loyalty programme, you're collecting and processing data for a marketing purpose beyond the original booking transaction. This requires explicit, separate consent. A guest who books and stays at your hotel has consented to booking-related processing — not to being enrolled in a marketing database.
Loyalty programme sign-up must be voluntary and clearly explained. Every communication via the loyalty programme requires the ability to opt out.
CCTV and Surveillance
Hotels extensively use CCTV for security. CCTV footage that captures identifiable individuals is biometric-adjacent personal data. The DPDP Act's obligations apply:
- Display notices informing guests/visitors that CCTV is in operation
- Define retention periods for footage (most hotels use 30 days)
- Restrict access to footage to security personnel and management
- Log when footage is accessed and for what purpose
Data Retention After Check-Out
How long does a hotel need to keep guest data? Key considerations:
- Form C records (ID verification): required by law for a specified period — check current Ministry of Home Affairs requirements
- Financial transaction records: 7 years (GST/income tax requirements)
- General guest data (contact details, preferences): should be deleted or anonymized after the legal minimum retention period unless the guest has given specific consent for ongoing contact
- Marketing data: only for as long as consent is valid
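The following Python is an added illustration, not code from the original article or from any PMS vendor, of the PMS controls described above (role-based field access, masking of Aadhaar/passport and payment identifiers, an access log of who read which record and why) together with the retention schedule in this section. Role names, purposes and retention periods are assumptions; the Form C period is a placeholder, and encryption at rest is assumed to be handled by the database layer rather than shown.

```python
from datetime import date

# Assumed role-to-field map: each PMS role reads only the fields its job needs.
ROLE_FIELDS = {
    "front_desk":   {"name", "phone", "email", "id_number", "arrival", "departure", "room_prefs"},
    "housekeeping": {"name", "room_prefs", "arrival", "departure"},
    "management":   {"name", "phone", "email", "arrival", "departure", "room_prefs", "payment_ref"},
}
# Sensitive fields come back masked unless the stated purpose is the one that needs the full value.
UNMASK_PURPOSE = {"id_number": "id_verification", "payment_ref": "billing"}
# Assumed retention periods in days; the Form C figure is a placeholder, check current MHA rules.
ID_RETENTION_DAYS = 365           # placeholder for the Form C / ID-verification period
FINANCE_RETENTION_DAYS = 7 * 365  # GST / income tax records
CONTACT_RETENTION_DAYS = 365      # contact details and preferences, absent ongoing consent

def mask(value: str) -> str:
    return "*" * max(len(value) - 4, 0) + value[-4:]  # keep only the last four characters

class GuestStore:
    def __init__(self):
        self.records = {}     # guest_id -> dict of fields (encryption at rest assumed in the DB layer)
        self.access_log = []  # one entry per read: who, which record, why, which fields

    def read(self, user: str, role: str, guest_id: str, purpose: str, today: str) -> dict:
        """Return only the fields this role may see, masking sensitive ones, and log the access."""
        rec = self.records[guest_id]
        view = {}
        for k in ROLE_FIELDS[role] & rec.keys():
            needs_full = UNMASK_PURPOSE.get(k) in (None, purpose)
            view[k] = rec[k] if needs_full else mask(rec[k])
        self.access_log.append({"date": today, "user": user, "role": role,
                                "guest": guest_id, "purpose": purpose, "fields": sorted(view)})
        return view

    def apply_retention(self, today: str) -> None:
        """Delete or anonymise fields whose retention period has elapsed since check-out."""
        now = date.fromisoformat(today)
        for rec in self.records.values():
            age = (now - date.fromisoformat(rec["departure"])).days
            if age > ID_RETENTION_DAYS:
                rec.pop("id_number", None)
            if age > FINANCE_RETENTION_DAYS:
                rec.pop("payment_ref", None)
            if age > CONTACT_RETENTION_DAYS and not rec.get("marketing_consent"):
                for k in ("phone", "email", "room_prefs"):
                    rec.pop(k, None)
                rec["name"] = "anonymised"

def sample_store() -> GuestStore:
    store = GuestStore()  # constructed sample guest; every value below is made up
    store.records["G1"] = {"name": "A. Guest", "phone": "9000000000", "email": "guest@example.com",
                           "id_number": "1234-5678-9012", "arrival": "2024-03-01", "departure": "2024-03-03",
                           "room_prefs": "high floor", "payment_ref": "UPI-TXN-0001", "marketing_consent": False}
    return store
```

Running `apply_retention` on a schedule (for example nightly) is what turns the written retention policy into something the PMS actually enforces, and the access log is what lets you answer a guest's request to know who looked at their record.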
Small vs. Large Properties
A budget hotel with 20 rooms faces the same fundamental obligations as a 5-star chain — the DPDP Act does not currently exempt small accommodation providers. However, the Data Protection Board's enforcement approach will likely be proportional. That said, a complaint from even one guest can trigger an investigation, regardless of property size.
The minimum viable compliance for a small property: a consent notice at check-in (digital or paper), a clear data retention policy, secure PMS access, and a process for responding to data requests from former guests.