4 mins read


The GDPR gives power back to the consumers by forcing companies to become transparent in how they are collecting, storing, and sharing their customers’ personal data information. Although the GDPR applies to any organization or business collecting data on EU citizens, the nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.

PassportScan is complying with GDPR to ensure the privacy settings, adequately integrated, allowing our clients/partners to adapt at every stage of the life cycle of customer personal information data.

All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.


1.- Deletion of Periodic Data: In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

PassportScan can be easily set up from the controller/processor to delete automatically the data captured in a certain interval time. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

After 24 hours the image of the ID and other sensitive data can be darkened in PassportScan. Any explicit request to completely erase the guest’s data will bring to a total deletion of the customer data/images in PassportScan.

2.- Consents: The controller, login as ADMIN in PassportScan, can add any kind of text that the guest can accept/deny, ticking a box on the tablet and signing. Normally one text is the mandatory one (required from the local law/institutions) the rest can include any kind of policy not specifically related to privacy (ex. indemnity for credit card payment, bike rent, smoking, etc.).

All the text can be completely customised following any specific requirements of the hotel on privacy. The texts can be uploaded in two languages (normally the country language as primary language and English as the second one).

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means or an oral statement.

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

3.- Protecting Sensitive Personal Data: In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

PassportScan guarantees a high level of security, protecting all the data captured through advanced encryption (Blowfish+).

4.- Right To Be Forgotten: Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data is processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Using PassportScan, when signing on the tablet, the guest can choose to deny / not sign the policy that asks to process / maintain his personal data. A denial of this policy will bring to a total deletion of his / her data.

Respect to the policy “right to be forgotten”, this will be shown as first, as per GDPR, for the guest’s approval/denial.

5.- Allocation Of The Responsibilities: The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

PassportScan offers different levels of access based on the responsibility in a certain premise/organisation. The logins used are as user, superuser, and administrator (these could be, in a hotel for example, respectively for a receptionist, a FOM and a GM/IT).

This operation restricts, in this way, access to sensitive data to normal users and avoids a security threat that is often overlooked.

Furthermore all the passwords used by the different users, with GDPR, have been strongly enhanced in PassportScan (it is now compulsory to create a password using small and capital letters, numbers and special characters).

A particular action, modification or process, made by a certain user, can be easily traced with the audit history record, another service that PassportScan implemented with for the GDPR compliance.