Spotlight on Data Protection and E-Commerce Law for Singapore Hotels

An excerpt from The International Hotel Law Review, 1st edition

Data and hotel technology

i Data protection overview

In recent years, data protection has become one of the most discussed topics among businesses in Singapore. Individuals are increasingly aware of their data privacy rights, and the Personal Data Protection Commission (PDPC), which is Singapore’s data protection regulator, has taken a relatively strict approach to monitoring and regulating personal data breaches. For example, the PDPC imposed a combined financial penalty of S$1 million on Singapore’s public healthcare provider and its technology provider for a serious breach involving the personal data of approximately 1.5 million patients, which is the biggest financial penalty imposed by the PDPC to date.

With increasing digitization (e.g. replacing existing IT infrastructure with cloud solutions) and increasing adoption of technology (e.g. “smart rooms”, automated check-in, etc.) in the hospitality industry, it is crucial that industry players place an increased focus on their data protection practices and policies to ensure the security of the personal data in their possession.

ii Data protection in the hotel industry

The overall data protection legislation in Singapore is the Personal Data Protection Act 2012 (PDPA). Under the PDPA, organizations are generally required to inform individuals of the purposes and obtain their consent before collecting, using or disclosing their personal data in Singapore. In a hotel franchise model where the responsibility for collecting personal data or databases may be shared between the franchisor and the franchisee, providing proper notice and obtaining consent can become tricky. For example, a franchisor may violate the PDPA if it uses personal data that has been inappropriately collected by the franchisee (for example, without notice and without consent). Therefore, such data sharing agreements should be carefully considered by the parties beforehand and reflected accordingly in the relevant franchise agreements and policies.

Branding is a vital asset for hotel franchises, and any high-profile data breach incident or negative data handling practice would likely damage a franchise’s brand reputation. Therefore, it is important that hotel franchises put in place appropriate safeguards to ensure data security. Such safeguards should include both technical and organizational measures, such as the implementation of appropriate policies and training for employees. In addition to ensuring data security, it is also important for an organization to handle any data breach incident carefully and promptly, as failure to do so could also result in a public relations nightmare for the franchise. Therefore, hotel franchises should ensure that they have an appropriate response plan in place for data breach incidents and that their employees are properly trained to handle such incidents.

The large-scale global operations of large hotel chains would also inevitably result in a significant flow of international transfers of personal data between intra-group entities. This creates additional challenges for hotel businesses, as they would be required to ensure that such international transfers do not violate the data transfer or location requirements of the jurisdictions involved, especially where those requirements overlap or contradict each other. Overcoming such legal restrictions would require proper analysis of the data transfers to be made and ensuring that the necessary legal mechanisms and safeguards are in place.

With careful planning and consideration of potential issues, hospitality businesses can fully reap the benefits that the digital business has to offer while minimizing the data protection risks that come with it.