Accommodation facilities and the new data protection law (nLPD)
On September 1, 2023, Switzerland's new law to better protect the data of its residents* went into effect.
HotellerieSuisse** has provided a checklist to help hotels and associated accommodations identify a number of key points to follow in implementing the Data Protection Act. These points cover several areas of data management and privacy, and it is recommended that hotels adopt them to ensure compliance with data protection regulations. Here is a summary of the main points:
1. Data protection statement for customers: Create a privacy statement for customers that includes details on data processing, including contract data, reservations, video surveillance, and WLAN use.
2. Data protection statement for staff: Draft a privacy statement for staff covering the processing of personnel data, such as application documents, contractual and salary data.
3. Note on the data protection statement: Make sure that wherever data is collected, there is a reference to the data protection statement.
4. Data security measures: Implement security measures to protect data processing systems from unauthorized access, such as website security certificates and password protections.
5. Data protection information requests: Establish processes to fulfill requests for data protection information within a maximum of 30 days.
6. Contracts with third-party service providers: Check whether there are additional data protection agreements in contracts with third-party service providers, especially those in the U.S. and outside Europe.
7. Overview of data processing: Create an overview of all data processing and ensure easy access to data and documentation.
8. Processing activity log: Complete a processing activity log for all data processing as required by the Act, unless exceptions are met.
9. Data protection assurance concept: Develop a concept to ensure compliance with the provisions of the Data Protection Act when implementing new processes and using new products or services.
10. Verification of existing data processing: Periodically check whether existing data processing complies with regulations and implement identified needs for action.
11. Instructions on data protection: Draft instructions for staff on the internal processing of personal data.
12. Disclosure of data abroad: Establish a process to ensure that legally required additional measures are taken prior to disclosure of personal data to countries with inadequate levels of data protection.
13. Consent of affected persons: Ensure that the consent of affected persons is effectively sought and documented when necessary.
14. Use of cookies: Provide transparent information and request consent for the use of cookies on the website.
15. "Data breach": Establish a process to manage and document data protection breaches and data security issues, including reporting to authorities and customers.
Online service providers such as Iubenda*** or Cookiebot**** can assist operators in generating an up-to-date privacy and cookie policy that complies with the new regulations, and in integrating a banner that lets website and booking engine visitors accept or decline these policies.
More complex, however, is ensuring that external service providers, management software, and the Wi-Fi network process personal data according to the regulations, and managing the risk of a "data breach" (item 15).
To meet this need, there are specialized companies in the area that have been working in cybersecurity for years.
Tectel***** in Manno is a good example in Ticino on data breach and cybersecurity issues and has developed a special service to test the security level of hospitality facilities in compliance with the nLPD.
After an initial thorough screening, a document is delivered listing the activities to implement in order to comply with the new regulation. In addition, a training course designed for employees is offered, complementing infrastructural protection with increased awareness and a corporate culture that helps staff understand and prevent network dangers.
For more information, please feel free to contact us:
Next Level Hospitality
+41 (0)79 254 64 30
info@nextlevelhospitality.ch
*** https://www.iubenda.com/it/help/77668-come-prepararsi-alla-lpd
**** https://www.cookiebot.com/it/
***** https://www.tectel.ch/