The “Personal Information Protection Law” is implemented, how hotels can upgrade their data asset management

Back to All Thought Leadership


On August 20, 2021, the “Personal Information Protection Law of the People’s Republic of China” was reviewed and approved by the Standing Committee of the National People’s Congress and will be officially implemented on November 1. Together with the previously promulgated “Network Security Law” and “Data Security Law” and other laws, my country’s personal information protection matrix has been formed. The state’s requirements for the protection of personal information continue to increase, and follow-up rules may be issued one after another to further increase the intensity of supervision and punishment.

Today’s hotel industry, with rapid intelligence and networking, has become a highly intensive industry of personal information. Whether it is a hotel owner or an operator [1] , the personal information they hold has become an important intangible asset of the company, but if it is not handled properly, the asset can also become the potato that burns hands. In the current popular “hotel asset management” topic, personal information security management should become a core compulsory course.

The hotel industry giant has been due to

Heavy penalties for personal data breaches

In October 2020, the UK Information Commission Office (ICO) issued a statement announcing a £18.4 million penalty imposed on M Group, a well-known international hotel operator. ICO believes that Group M has failed to take appropriate technical or organisational measures in accordance with the EU’s General Data Protection Regulation (“GDPR”) to protect personal data processed on its system, resulting in global agreements. The data of 339 million guests was leaked due to hacker attacks.

Slightly dramatic, the data involved in the case originally belonged to S Group, which is also a hotel operator, and M Group acquired S Group in 2018. At that time, the data breach already existed, but it was not discovered until after the acquisition was completed. Even so, Group M still failed to escape punishment. In fact, the ICO originally planned to impose penalties as high as 99.2 million pounds, which was then significantly reduced after the M Group filed a complaint and cooperated with the investigation.

“Personal Information Protection Law” sets a high penalty mechanism

According to the “Personal Information Protection Law”, if the necessary security measures are not taken in accordance with the regulations in the handling of personal information, and the circumstances are serious, you may be fined up to 50 million yuan or 5% of the previous year’s turnover, and you may also be fined Confiscation of illegal income, order to suspend related business, suspend business for rectification, revoke related business license or revoke business license, etc.

As far as the hotel industry is concerned, every individual hotel (especially high-end international brand hotels) holds a large number of personal information of guests, while the personal information held by hotel management companies is even greater. Once a leak occurs, it often triggers huge Social impact and adverse consequences. Regarding the upper limit of penalties stipulated by the “Personal Information Security Law”, it will be very important for both individual hotels and management companies. Judging from the current market, 50 million may be equivalent to a full year’s operating income of a mid-to-high-end international brand hotel in a second/third-tier city; and 5% of the turnover or more stringent, especially for management companies, many international and domestic The annual profit rate of well-known hotel management groups does not exceed 10%. Once a hotel owner or management company is fined for violation of regulations, its performance will be a very heavy blow.

So, how should hotels manage their data assets and protect personal information in accordance with the law? Below we will analyze the subject of obligation, the definition of personal information, the statutory requirements for personal information protection, and the specific measures for personal information protection.

Which subjects have the obligation to protect personal information?

The “Personal Information Protection Law” does not draw on the GDPR to distinguish between controllers and processors of personal information, but instead uses the concept of “personal information processors” uniformly. Under the “Personal Information Protection Law”, the processing of personal information includes: collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.

According to the “Personal Information Protection Law”, whether it is a hotel owner or a management company, as long as the processing purpose and processing method are independently determined in the personal information processing activities, it shall constitute a personal information processor as defined by the law and shall comply with the requirements of the law. Process the personal information held by it.

What personal information should the hotel protect?

The “Personal Information Protection Law” defines personal information in a verbal manner, that is, various information related to an identified or identifiable natural person recorded electronically or in other ways. This definition is similar to the EU GDPR definition (any information relating to an identified or identifiable natural person). The above definition follows the standard of “identification + association”, and the scope of personal information is relatively broad.

If this definition is put into the business scenario of the hotel industry, it is not difficult to find that the hotel will be exposed to a large amount of personal information in the legal sense, such as: guest’s name, gender, birthday, ethnicity, ID number, membership number, face Information, fingerprint information, contact information, payment information, consumption information, whereabouts information; in addition, special information such as religious beliefs, special diseases, habits and preferences may be involved when receiving special guests.

The above-mentioned personal information will be included in the protection scope of the “Personal Information Protection Law”. Among them, biometrics, religious beliefs, specific identities, medical and health, financial accounts, whereabouts and other information, as well as personal information of minors under the age of fourteen, are all sensitive personal information, which must be fully necessary, informed and relevant according to law After the individual agrees, it can only be processed under the premise of taking strict protective measures.

It is also worth noting that although the hotel deals more with guests’ personal information, the “Personal Information Protection Law” is not limited to this, and the protection of the personal information of its employees cannot be ignored, especially since many management companies have a large number of personal information. The personal information database of hotel general managers and other executives should also be given enough attention.

What statutory requirements should the hotel meet to process personal information?

According to the “Personal Information Protection Law”, the author summarizes the statutory requirements for personal information processing as follows:

Clear purpose principle

The processing of personal information should have a clear and reasonable purpose

Limited processing principle

Should be limited to the minimum scope and shortest time for the purpose of processing, and not excessive collection of personal information

Principle of legal treatment

The processing of personal information by the hotel shall be subject to the consent of the relevant individual, and the aforementioned consent shall also be made voluntarily and clearly by the individual with full knowledge; in addition, the “Personal Information Protection Law” clarifies the other six legal reasons for processing personal information

Quality principle

Should ensure the accuracy and completeness of personal information

Principles of openness and transparency

Disclosure of personal information processing rules, clearly indicating the purpose, method and scope of processing

Principle of Responsibility

Personal information processors shall be responsible for their personal information processing activities and take necessary measures to ensure the security of the personal information processed

Although the formulation of the above requirements is relatively clear, there are still some practical issues worth noting in specific operations. For example, what is the scope of limited processing? What is excessive collection? In this regard, it may be necessary to combine national standards such as “Information Security Technology Personal Information Security Specification”, “Information Security Technology Mobile Internet Application (App) Collection of Personal Information Basic Regulations”, “App Illegal Collection and Use of Personal Information Behavior Identification Method” and other national standards and Laws and regulations make judgments. In addition, how to ensure the accuracy and completeness of personal information, and in what form and procedure can be disclosed in order to meet the requirements of the law, these practical issues also need to be considered.

What measures should the hotel take to protect personal information?

Since the protection of personal information is a complex project involving laws, technology, management, equipment procurement, etc., hotels need to establish a multi-dimensional protection system when handling personal information.

First, formulate internal management systems and operating procedures related to the protection of personal information. The above systems at least include: formulating personal information protection guidelines and manuals, clarifying the procedures and requirements of personal information processing, the operating authority and responsibilities of different departments and positions, etc.; establishing personal information protection logs and regular reporting mechanisms; establishing responses to individual rights claims Mechanism; formulate emergency plans for personal information security incidents; establish a personal information security education and training mechanism.

Second, implement classified management of personal information. With the development of technology, the platforms for hotels to process personal information are becoming more and more abundant, including: websites, APPs, official accounts, short video platforms, hotel management systems (PMS), etc., all involving the Internet. According to the “Network Security Law”, the state implements a hierarchical network security protection system. If the hotel is the operator of the relevant network, a series of measures such as rating, filing, evaluation, rectification, and regular self-inspection of its network are required to ensure the security of its network. Since the waiting insurance system is relatively complicated and involves many legal and technical issues, we will write a separate article for discussion in the future.

Third, make necessary upgrades to related software and hardware equipment. The “Personal Information Protection Law” requires personal information processors to adopt corresponding security technical measures such as encryption and de-identification. The “Network Security Law” requires technical measures to prevent computer viruses, network attacks, and network intrusions that endanger network security. The above technical measures depend on the corresponding hardware and software equipment. Therefore, the hotel needs to update and upgrade these equipment regularly to ensure data security.

Fourth, conduct regular compliance audits on personal information processing activities. In the process of hotel operation, financial audit and tax audit are relatively common audit methods. In recent years, compliance audits have gradually attracted the attention of the market. Since compliance is a dynamic process, as laws, regulations, and policies are revised, updated and adjusted from time to time, the requirements of the hotel may also change accordingly. Therefore, it is necessary for the hotel to conduct regular compliance audits to ensure that the hotel is always in compliance with the legal requirements. Operate within the scope to avoid penalties for violations.

Fifth, conduct prior impact assessment on specific personal information processing activities. The Personal Information Protection Law requires personal information processors to conduct impact assessments before handling sensitive personal information, using personal information to make automated decision-making, entrusting the processing of personal information/providing personal information to others/disclosing personal information, providing personal information overseas, etc. . What needs special attention here is that international brand hotels may have personal information transferred from local servers to overseas headquarters servers, which involves the cross-border flow of personal information; more and more domestic brands have been or are achieving internationalization, and they are also facing the same situation. The problem. The Personal Information Protection Law uses a separate chapter to provide for the cross-border provision of personal information. The provision of personal information overseas shall complete a series of procedures such as security assessment, protection certification, and signing of standard contracts established by my country’s regulatory authorities with overseas recipients. In addition, the National Internet Information Office is formulating the “Measures for the Security Evaluation of Personal Information Exiting the Country” and has issued a draft for comments in 2019. Follow-up legislation and law enforcement developments are worthy of the industry’s attention.

Sixth, promptly and correctly handle the rights claims of relevant individuals on personal information. According to the “Personal Information Protection Law”, individuals have the right to know their personal information, the right to make decisions, the right to restrict and refuse, the right to access and copy, the right to transfer (similar to GDPR portability), the right to correct and supplement, and the right to delete. The hotel’s operating standards generally include response and processing mechanisms to respond to guest claims and requests. After the “Personal Information Protection Law” is promulgated, relevant individuals may make one or more of the above requirements from time to time, for which the hotel needs to address personal rights And legal provisions supplement and upgrade the existing processing mechanism.


The promulgation of the “Personal Information Protection Law” on the one hand demonstrates the country’s determination and strength in the protection of personal information, on the other hand, it also places higher requirements on personal information processors, including the hotel industry. For the hotel industry, with the promulgation of the “Personal Information Protection Law”, the cases of foreign giants being punished by huge amounts may no longer be so far away from us. Improving data security and protecting personal information is not only the social responsibility of hoteliers. It is also the “prescribed action” required to keep the purse. This article summarizes the meaning and statutory requirements of the protection of personal information in conjunction with the “Personal Information Protection Law” that has just been promulgated, and focuses on specific measures to protect personal information. Due to space limitations, many questions cannot be developed. If you are interested in discussing, please email to [email protected].

Note release

[1] Although hotel owners and operators are usually different legal and economic entities, in order to facilitate understanding, the two are collectively referred to as “hotels” in many places below.


Sun Lingyue

Tianda Republic Partner

Beijing office

[email protected]

+8610 6510 7480

Lawyer Sun is mainly engaged in the full-process legal services involving the development, management, operation, investment and mergers and acquisitions of commercial complexes, tourism, hotels and other various real estate projects.

Sign In

[login_form] Lost Password