Sun, sea, and a side of GDPR - because it turns out I can’t escape data protection, even on my holidays.

02/11/2025

After a long flight to Greece, a coach full of weary holidaymakers, myself included, spilled into the marble-covered reception of our very grand hotel. All I wanted was my room key, a cool drink and perhaps the faint promise of air-conditioning.

Instead, we were handed pieces of paper with a QR code and told to “check in online” via the hotel’s app. The reps cheerfully explained that we just needed to connect to the hotel Wi-Fi and upload our details, including name, email and passport number, to get our room keys.

No privacy notice.
No explanation of where our data was going.
No option to check in manually.

When I asked at the reception desk whether I could simply provide my details directly, the answer was an apologetic shake of the head and another wave of the QR code. Apparently, no upload, no key.

So there I was, standing under a chandelier, using my personal phone (with 17% battery…) on an unsecured Wi-Fi network to submit my passport information to an app I’d never heard of.

Once I finally got into my room, as everyone does, I unpacked and looked for the privacy policy, which, naturally, was tucked away in the app’s settings after you’ve already shared your data. What a read it was:

🚩 Red flag, right? No detail, no locations, no reference to a supervisory authority, and no clarity on where my passport details were heading. “Service providers, business partners” could mean the booking agent, a marketing platform, or someone’s cousin’s laptop in another time zone.

Why it matters

Light-hearted holiday grumbles aside, this raises real questions about transparency and lawful processing. UK and EU travellers have a right to know:

  • Who is collecting their data,
  • What is being collected and why,
  • Where that data is going (especially if it’s outside the UK or EU), and
  • How it will be secured and for how long.

A simple printed privacy notice at reception, or a proper link on that QR code, could have made all the difference. If they were my client, I would also be nudging them to consider…is it necessary?

Takeaway for businesses

Even outside the UK, the principles of transparency, fairness, and accountability still travel with us. Whether you’re a hotel chain, travel company, or small UK business collecting guest or client information, make sure your customers don’t have to go on a data-protection treasure hunt just to understand what’s happening with their personal information.

Because as lovely as Greece was, knowing my passport details might be sunning themselves somewhere unknown in the cloud isn’t exactly the souvenir I wanted.

JH Data Protection help businesses of all sizes put transparency and trust at the heart of what they do, from privacy notices and data sharing to staff training and breach response.

If your organisation handles customer data, let’s make sure your processes are crystal clear, compliant, and confidence-building from the very first click.

📧 dpo@jhdataprotection.com | 🌐 jhdataprotection.com
