Data protection headache for Hospitality & Leisure sectors


How compulsory data collection rules for the hospitality & leisure sector could cause data protection headaches for some.

The government has introduced new rules (which came into effect on the 24th September) that apply to restaurants, cafes/canteens, bars and public houses/pubs, clubs, hotels, museums, leisure centres, and close contact physical services like hairdressers and sports therapists. The effect of these rules is that these businesses are now legally required to obtain the contact details of customers (previously, this collection was only encouraged).

From a data protection perspective, these new rules* mean that:

  • Signage/privacy notices must be updated
  • A QR Code must be displayed “in an appropriate place” so that visitors with smartphones can scan the code to “check in” if they have downloaded the government’s new contact tracing app
  • Contact details must be obtained from staff, customers and other visitors/guests. The government has set out exactly which details must be requested. Organisations must ask for name, contact telephone number (failing which contact e-mail address, failing which postal address – in that order), and date and time of entry. The exceptions to this are when the individual concerned has scanned the QR code, or the organisation has reason to believe that they can’t do that for disability/health reasons, or that they are under 16 years of age.
  • Organisations are legally obliged to refuse entry if the information requested has not been provided or it has reason to believe that the information is incomplete or inaccurate (this obligation applies only to the hospitality sector, not leisure/tourism, etc.).
  • Organisations must securely retain the above details for 21 days (the same period as before, but now enshrined in law), and destroy them as soon as reasonably practicable after that. (Meanwhile, they must provide the information to relevant authorities if so requested “as soon as reasonably practicable”).

*This list is not comprehensive.

Failure to do any of the above without reasonable excuse is a criminal offence punishable on summary conviction by a fine, and directors/officers could also be criminally liable if the failure was with their connivance/consent or due to their neglect.


Many organisations will, understandably, struggle to understand and comply with these rules. Failure to do so will mean that police officers are empowered to issue “fixed penalty notices” for these failures of £1,000 for the first offence, but increasing in tiers of £1,000 up to £4,000 for the fourth or further offence.

However, in addition, failure to process the names, contact telephone numbers, e-mail/postal addresses – all of which is personal data – in accordance with the GDPR will expose organisations to the risk of fines or other enforcement action by the ICO, causing a real data protection headache for the hospitality & leisure sectors. It is therefore essential that all organisations affected by these rules understand their legal obligations under data protection law.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.