LEGAL & CONTRACTS · COMMERCIAL

GDPR + hotel contracts: the 7 data clauses procurement will demand

Easy RFP Editorial
MAY 27, 2026 · 16 MIN READ
FEATURED ANSWER

A 2026 GDPR-compliant hotel contract for a MICE event must include seven data clauses: (1) purpose limitation tied to the contracted services, (2) defined personal-data categories and data-subject groups, (3) sub-processor authorisation with a controller veto, (4) an international-transfer mechanism for non-EEA destinations (2021 EU SCCs plus a Schrems II Transfer Impact Assessment), (5) a breach-notification timeline that gives the controller time to meet the 72-hour Art. 33 deadline (modal practice: 24-48 hours processor-to-controller), (6) data return or deletion at the end of services under Art. 28(3)(g), and (7) audit rights under Art. 28(3)(h), together with a named data-protection contact for breach notices and audit coordination. These clauses sit in a DPA addendum attached to the main hotel contract; the addendum is required wherever the planner shares attendee personal data with the hotel, not merely where the hotel collects guest data directly at check-in. This guide provides the Art. 28 framework, the Schrems II decision tree for non-EEA hotels, and a free DPA Addendum Builder.

Not legal advice. This guide is a practitioner's reference for procurement and meetings teams. Validate any contract clause with qualified data-protection counsel before signing, particularly for cross-border events and special-category data.

GDPR is one of the most under-covered areas of hotel contract content. The contract templates in circulation in 2026 still treat attendee data as a side-issue — a paragraph buried in the privacy section, a generic "we comply with applicable law" sentence, an out-of-date reference to the Privacy Shield that has been invalid for six years. Procurement teams at large enterprises and at any organisation in regulated sectors (banking, pharma, public sector) have stopped accepting that. The data-protection addendum is now a gating document: no DPA addendum, no signature, no event.

This guide sets out the seven mandatory clauses, written for procurement and meetings teams rather than for lawyers. The legal citations are real — GDPR Art. 28, 32 and 46, Schrems II (CJEU C-311/18), the 2021 EU SCCs (Commission Implementing Decision 2021/914) — and the drafting language has been reviewed against the European Data Protection Board's published guidelines. At the end you will find an interactive DPA Addendum Builder that walks you through the seven clauses and generates a printable addendum and a Schrems II SCCs Annex from your inputs.

Why GDPR matters in hotel contracts — the role-allocation question

The first question in any data-protection conversation is: who is the controller and who is the processor? Under GDPR Art. 4(7), the controller is the entity that "determines the purposes and means of the processing of personal data". Under Art. 4(8), the processor processes personal data "on behalf of the controller". The contract has to allocate those roles, because the entire regulatory regime depends on it, including who carries the exposure to Art. 83 fines (up to EUR 20 million or 4% of worldwide annual turnover at the top tier, 10 million or 2% for the Art. 28 processor-contract obligations themselves).

For a MICE event the typical allocation is: the planner (or the planner's corporate client) is the controller, because it decides why the data is being processed (to run the event) and how (which hotel, which booking flow). The hotel is the processor when it receives a room list, a BEO with named attendees, dietary preferences, or accessibility requirements: it acts on the planner's instructions to deliver the contracted services and does not decide the purposes of the processing. Where the hotel goes off-piste — enrolling attendees in its loyalty programme, retaining the BEO for its own marketing, using the dietary preferences to target a future campaign — it becomes a controller in its own right, for a separate purpose, and the planner has lost control of the data.

This is not abstract. The European Data Protection Board's Guidelines 07/2020 on the concepts of controller and processor use a travel-agency and hotel-chain example to illustrate exactly this distinction between acting on a customer's instructions and processing for a purpose of one's own. A hotel that "goes its own way" with attendee data is treated as a controller for that further purpose (Art. 28(10) says so in terms) and incurs its own Art. 5 lawfulness duties. The cleanest defence for both sides is a clause that says the hotel processes only on documented instructions of the planner, for the purposes of the event, and for nothing else.

Controller vs processor vs joint controllers — why hotels are usually processor

Three role configurations matter: sole controller, joint controllers (Art. 26), and processor. A sole-controller arrangement means one entity decides purposes and means; for the planner, that is the normal position. A joint-controller arrangement means two or more entities jointly decide purposes and means — for example a planner and a corporate client who together design the attendee experience. A processor arrangement means one entity decides; the other executes on instructions. Most hotel relationships fall into the processor box.

The joint-controller route is rare in hotel contracts but it does arise in two scenarios. First, when the hotel offers a "venue-co-branded" experience where it actively shapes the agenda, the registration flow, or the attendee communications — at that point it is jointly deciding the purposes. Second, when a hotel chain bundles loyalty enrolment into the event registration and effectively makes the data flow a two-purpose flow (attend the event + join the loyalty programme). In both cases the planner should push back on the role allocation: joint-controller status imposes a parallel transparency duty under Art. 26(2) that the planner often cannot meet without a separate notice to attendees.

For most MICE contracts in 2026, the right outcome is processor for the hotel, with a clear carve-out: any data the hotel collects directly from a guest at check-in (the front-desk registration card, the room key, the in-room billing) is the hotel's own controller-data, processed under the hotel's own privacy notice and outside the DPA. The clause must distinguish those two data flows. Where the hotel mixes them — using the planner's room list to enrich its own guest profile, for example — the clause should expressly prohibit the cross-use unless attendees consent separately.

Article 28: the six mandatory contents of any processor contract

GDPR Art. 28(3) prescribes what the processor contract must set out: the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, the obligations and rights of the controller, and the eight processor duties in points (a) to (h). This guide groups those requirements, together with the sub-processor regime of Art. 28(2) and (4), into six items. They are not optional. A contract that omits any of them fails to "govern the processing" within the meaning of Art. 28, and the controller is liable for using a processor without a compliant arrangement.

  1. Subject matter, duration, nature and purpose of the processing. For a MICE event this is the services contracted (room block, F&B, AV, meeting rooms), the duration of the event plus a defined post-event tail (typically 30 days for billing reconciliation), and the purpose limited to delivering those services.
  2. Types of personal data and categories of data subjects. Typically: attendee identification data, contact data, dietary and accessibility preferences, room allocations, and for room blocks the passport / ID data the hotel needs for check-in. Data subjects are the attendees and the planner's staff.
  3. Obligations and rights of the controller. The planner's rights to give documented instructions, audit, terminate for breach, and receive cooperation on data-subject requests.
  4. The set of processor duties listed in Art. 28(3)(a)-(h). Eight processor duties: act only on documented instructions, ensure confidentiality, take Art. 32 security measures, observe sub-processor rules, assist with data-subject rights, assist with Arts. 32-36 duties, delete or return at the end, make information available for audits.
  5. The sub-processor authorisation regime (Art. 28(2) and (4)). Either specific (named list, written consent for each change) or general (written authorisation with advance notice of changes and a controller veto on additions). General authorisation with veto is the modal MICE practice.
  6. The treatment of data on termination (Art. 28(3)(g)). Either return or delete at the controller's choice, with deletion of existing copies and a written certification.

The contract that meets these six items is the floor. Procurement teams at regulated buyers usually go further and require additional clauses (security standards, breach timing tighter than Art. 33, audit cadence, indemnity allocation). The seven clauses in this guide are the practical 2026 baseline that satisfies both Art. 28 and procurement's working standard.

Clause 1: Purpose limitation

The first clause states what the hotel may do with the data, and — equally importantly — what it may not. The drafting move is to anchor the purpose to the contracted services and explicitly exclude marketing, loyalty enrolment, profiling, and onward transfer outside the sub-processor regime.

Purpose. The Hotel shall process Attendee Personal Data only for the purpose of providing the services described in the Main Agreement (the "Services") and only on the documented instructions of the Planner. The Hotel shall not use Attendee Personal Data for: (a) marketing or promotional purposes, including loyalty programme enrolment; (b) profiling or automated decision-making; (c) any onward transfer outside the sub-processor regime set out in this Addendum; (d) any purpose for which the Hotel would itself become a controller under GDPR Art. 4(7). Any processing outside this paragraph shall constitute a material breach of this Addendum.

The "material breach" wording matters. Without it, a hotel that enrols attendees in its loyalty programme is in breach of Art. 28 and of the instructions clause, but the planner is left arguing over whether that breach is serious enough to justify termination, or falling back on the GDPR enforcement route, which is slow and unpredictable. Naming it a material breach gives the planner a defined termination trigger and a damages route.

Clause 2: Personal-data categories — scope

The second clause defines exactly what data flows. This serves two functions: it satisfies Art. 28(3)'s "types of personal data" requirement, and it limits the scope of the hotel's permitted processing. Data not in the list is data the hotel may not process; if a use case arises that needs different data, the contract has to be amended.

The modal MICE data set is: attendee full name, business contact (email and phone), employer or affiliation, dietary preferences, accessibility requirements, room preferences (smoking, view, twin / double), arrival and departure dates, passport or ID data (only when required for international check-in under destination-country law), and the planner's billing reference per attendee. Where the event has VIPs the list expands to include security or close-protection notes; that data should be flagged as special-handling even where it is not technically a special category under Art. 9.

A common drafting mistake is omitting accessibility data and dietary data on the basis that it is "operational" rather than "personal". Both are personal data; both can constitute special categories under Art. 9 (health data, religious belief inferred from dietary preference); both must appear in the list with their own retention rule. The clause should also expressly carve out anything the hotel did not collect from the planner — guest-registration data the hotel collects at check-in remains the hotel's controller-data under a separate legal basis.

Clause 3: Sub-processor authorisation

Hotels almost never deliver MICE services single-handed. The AV is outsourced. The F&B may be in-house or via a caterer. Housekeeping may be a contract operation. Loyalty enrolment runs on a chain-level platform. Each of those is a sub-processor of the planner's data, and Art. 28(2) requires the hotel to have specific or general written authorisation from the controller before engaging any of them.

The two routes are: specific authorisation (the planner approves each sub-processor individually in writing) and general authorisation (the planner authorises a defined class, the hotel publishes a list, the planner keeps a veto on additions). Specific authorisation is unworkable in a multi-vendor MICE setting. General authorisation with a veto is the modal practice.

Sub-processors. The Planner grants the Hotel general written authorisation to engage sub-processors to perform the Services, subject to the following: (a) the Hotel shall maintain an up-to-date list of sub-processors processing Attendee Personal Data and shall make this list available to the Planner on request and at least 30 days before any new sub-processor begins processing; (b) the Hotel shall ensure that each sub-processor is bound by data-protection terms no less protective than those set out in this Addendum; (c) the Planner may object on reasonable grounds to any proposed sub-processor; if the objection cannot be resolved within 30 days, the Planner may terminate this Addendum and the Main Agreement insofar as it depends on the affected sub-processor, with full refund of any pre-paid sums attributable to undelivered services.

The 30-day window matters. Hotels resist a shorter window because their sub-processor changes (catering rotation, AV vendor switch) sometimes happen on shorter notice. A 30-day notice with a backstop right to terminate is the balance that holds up in negotiation.

Clause 4: International transfers — the Schrems II problem

If every party is in the EEA and the data stays in the EEA, no transfer clause is needed beyond confirmation of that fact. The Schrems II problem arises whenever data flows to a third country without an EU adequacy decision — most commonly to a US-headquartered hotel chain (Marriott, Hilton, Hyatt, IHG, Choice) that routes booking data through its US central reservation system, or to a chain with non-EEA support operations (call centres, data analytics, fraud platforms).

Schrems II did three things. It invalidated the EU-US Privacy Shield. It confirmed the validity of the SCCs but only when paired with a case-by-case Transfer Impact Assessment. And it raised the bar on the assessment: the exporter must look at the destination country's surveillance law and adopt supplementary measures (technical, contractual, organisational) if equivalent protection is not provided.

The 2026 toolkit has three layers. First, check whether an adequacy decision applies — the European Commission maintains a list of adequate jurisdictions (Andorra, Argentina, Canada commercial, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, Uruguay, plus the EU-US Data Privacy Framework for DPF-certified US importers as of 2023). If the destination is adequate, the transfer is treated like an intra-EEA flow. Second, if not adequate, attach the 2021 EU SCCs (Commission Implementing Decision 2021/914) using the Controller-to-Processor module. The 2021 SCCs replaced the 2010 set and are now the only valid version. Third, run a Transfer Impact Assessment per EDPB Recommendations 01/2020 covering the destination country's law and the supplementary measures needed.

For UK transfers post-Brexit, the UK has its own regime under the UK GDPR. Two instruments are valid for UK-origin transfers: the UK International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs, both effective from March 2022. The UK and the EU have an adequacy decision in each direction, but the underlying drafting differs. A hotel contract for a UK-resident planner with an EU-located venue (or vice versa) should specify which instrument applies and attach the right Annex.

The clause should require the hotel to (a) identify the third country, (b) attach the SCCs or DPF reliance as appropriate, (c) cooperate in the TIA by providing local-law information on request, and (d) flag any change in route or jurisdiction that affects the assessment. A static SCCs attachment without a TIA cooperation clause is the most common 2024-25 deficiency we see.

Clause 5: Data breach notification — timeline and format

Art. 33(1) requires the controller to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The processor must notify the controller "without undue delay after becoming aware" under Art. 33(2). The contract has to convert "without undue delay" into a specific window, otherwise the controller cannot meet its own 72-hour deadline if the processor delays.

Modal 2026 practice is 24-48 hours from processor awareness, with content requirements: a description of the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed. The clause should also name the recipient: a named DPO or privacy contact, not a generic "sales contact".

Breach notification. The Hotel shall notify the Planner without undue delay and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting Attendee Personal Data. The notification shall be in writing to the Planner's DPO at [contact] and shall include, to the extent known: (a) the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects; (d) the name and contact details of the Hotel's DPO or equivalent privacy contact. The Hotel shall provide updated information as it becomes available and shall cooperate with the Planner in the Planner's notification to the competent supervisory authority under GDPR Art. 33(1) and to Data Subjects under Art. 34.

The 48-hour figure is a compromise. Stricter clauses (24 hours, even 12 hours) appear in regulated-sector buyers' templates. 48 hours is the modal MICE practice that holds up in negotiation across most hotel chains; below that, the chain's legal team usually pushes back on operational grounds.

Clause 6: Data return or deletion post-event

Art. 28(3)(g) requires the processor, at the choice of the controller, to delete or return all personal data after the end of the provision of services. The clause must specify which (return or delete), the timeline (30 days post-event is modal practice), the scope (all copies, including backups), and the format of a written certification.

The wrinkle is the retention exception: "unless Union or Member State law requires storage of the personal data". For hotels this typically means tax law (Italian / Spanish receipts retention, German GoBD), accounting law (book-keeping retention of invoices), and in some cases tourism-law requirements (regional registration of foreign guests). The clause should require the hotel to identify any such retention basis, the legal source, the data categories affected, and the retention period — and to limit the retained data to what the law requires and segregate it from operational stores.

The other wrinkle is backups. A hotel's IT backup may run on a 30-day or 90-day cycle; deleting "all copies including backups" within 30 days is sometimes technically impossible. The pragmatic drafting is to require deletion from production systems within 30 days, with backups overwritten on their normal cycle and the data effectively unrecoverable within 90 days. The certification should reflect that two-stage process.

Clause 7: Audit rights

Art. 28(3)(h) requires the processor to make available all information necessary to demonstrate compliance and to allow for, and contribute to, audits including inspections conducted by the controller or another auditor mandated by the controller. The audit clause is the area where hotels push back hardest because of operational impact, and where buyers' legal teams insist most firmly.

The negotiated middle is a tiered audit right: (a) documentary audits (provision of certifications, policy summaries, sub-processor list, training records) on demand and at least annually; (b) on-site inspections on reasonable notice (modal: 30 days), with reasonable scope, no more than once per year except after a breach; (c) immediate audit right after a breach or after credible evidence of non-compliance, with shorter notice. The clause should also specify cost allocation: documentary audits at the hotel's cost (compliance cost of being a processor), on-site audits at the controller's cost unless they reveal material non-compliance, in which case the hotel covers the cost.

For multi-chain procurement, audit cooperation extends to accepting third-party certifications (ISO 27001, SOC 2 Type II) as substitutes for some documentary requests, provided the certification is current and covers the relevant scope. The clause should name the acceptable certifications rather than leaving it open, to avoid the hotel offering a chain-wide certification that does not cover the specific property.

The SCCs (Standard Contractual Clauses) integration

For any non-EEA transfer that is not covered by an adequacy decision, the 2021 EU SCCs must be attached to the addendum. The 2021 SCCs are modular, with four modules corresponding to the four transfer scenarios:

  • Module One: Controller-to-Controller (rare in MICE — only where the hotel is also a controller for the same data).
  • Module Two: Controller-to-Processor (the default MICE module).
  • Module Three: Processor-to-Processor (where the planner has appointed an agency as a processor that in turn engages the hotel).
  • Module Four: Processor-to-Controller (rare).

Attaching the SCCs is not a copy-paste exercise. The exporter and importer details must be filled in (Annex I.A), the description of the transfer must be completed (Annex I.B), the competent supervisory authority must be named (Annex I.C), the technical and organisational measures must be set out (Annex II), and the sub-processors must be listed (Annex III). For Modules Two and Three, Clause 9(a) offers two options: Option 1 is specific prior authorisation of each sub-processor in the Annex III list; Option 2 is general authorisation for sub-processors from the agreed list, with written notice of intended changes and an objection window. The option chosen in the SCCs must match the regime in the addendum's sub-processor clause, or the two documents will contradict each other.

The TIA is a separate document. EDPB Recommendations 01/2020 walk through the six-step methodology: (1) know your transfers, (2) identify the transfer tool relied on, (3) assess the law and practice of the third country, (4) identify and adopt supplementary measures, (5) document the procedural steps, (6) re-evaluate at appropriate intervals. The clause should require the hotel to cooperate at step (3) and to flag any change at step (6).

The sample DPA addendum (full)

The full text below incorporates the seven clauses above plus the boilerplate required by Art. 28. It is drafted to be attached to a main hotel contract as a stand-alone addendum. Counsel review remains essential: this is a starting point, not a turnkey provision, and in particular the indemnity for regulatory fines in clause 12 is treated as unenforceable under some governing laws. The structure, however, is the working 2026 standard.

Data Processing Addendum (DPA) — MICE event services

This Data Processing Addendum (the "Addendum") forms part of the Hotel Services Agreement between [Planner] (the "Controller") and [Hotel] (the "Processor") dated [date] (the "Main Agreement"). To the extent of any inconsistency, this Addendum prevails over the Main Agreement on data-protection matters.

1. Definitions. Terms used and not defined in this Addendum have the meaning given in Regulation (EU) 2016/679 ("GDPR") and, where applicable, in the United Kingdom General Data Protection Regulation.

2. Roles. The Controller is the controller of the Attendee Personal Data described in Annex 1. The Processor is the processor of that data. The Processor is a separate controller for any data it collects directly from a guest at check-in for its own contractual purposes with that guest.

3. Purpose limitation. [Clause 1 above.]

4. Categories of Personal Data and Data Subjects. As set out in Annex 1.

5. Processor duties. The Processor shall: (a) act only on documented instructions of the Controller; (b) ensure persons authorised to process the data have committed to confidentiality; (c) implement Art. 32 security measures, as described in Annex 2; (d) observe the sub-processor regime in clause 6; (e) assist the Controller with data-subject rights requests; (f) assist with Arts. 32-36 duties; (g) at the Controller's choice, delete or return all data at the end of the Services per clause 8; (h) make available all information necessary to demonstrate compliance and allow for audits per clause 9.

6. Sub-processors. [Clause 3 above. Current sub-processor list at Annex 3.]

7. International transfers. Where the Processor transfers Attendee Personal Data outside the EEA to a country without an adequacy decision, the parties shall enter into the 2021 EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) using Module Two, attached at Annex 4. The Processor shall cooperate with the Controller in the Schrems II Transfer Impact Assessment. For UK-origin transfers, the parties shall use the UK IDTA or the UK Addendum to the EU SCCs as applicable.

8. Breach notification. [Clause 5 above.]

9. Return or deletion of data. Within thirty (30) days of the end of the Services, the Processor shall, at the written choice of the Controller, return or delete all Attendee Personal Data from production systems, with backups overwritten in normal cycle and the data effectively unrecoverable within ninety (90) days. The Processor shall provide a written certification of completion. Any retention required by Union or Member State law shall be identified, the legal basis cited, and the retained data segregated.

10. Audit rights. [Clause 7 above.]

11. DPO contact. The Processor's data-protection contact is named in Annex 5. Any change shall be notified to the Controller within five (5) business days.

12. Liability. Each party shall indemnify the other against losses (including regulatory fines) arising from that party's breach of GDPR or this Addendum, subject to the liability cap in the Main Agreement.

13. Termination. This Addendum terminates with the Main Agreement, save for the survival of clauses 8 and 9 until completion of return / deletion.

Annexes: 1. Data categories & subjects · 2. Art. 32 security measures · 3. Sub-processor list · 4. 2021 SCCs Module Two · 5. DPO contacts.

The non-EU hotel scenario — US, UK, APAC

Three scenarios outside the EEA recur. Each has its own drafting moves.

US hotels (DPF-certified or not). If the chain is certified under the 2023 EU-US Data Privacy Framework for the relevant data categories, the transfer can rely on the DPF adequacy decision without the SCCs. Verify the certification on the official DPF list at dataprivacyframework.gov (do not trust the chain's own statement), and check that the certification covers the specific entity receiving the data, not just the parent. If the chain is not certified, attach the 2021 SCCs Module Two and complete a Schrems II TIA covering US surveillance law (FISA Section 702 and EO 12333 are the principal concerns). The clause should require the hotel to maintain the certification if relied on, and to notify the Planner promptly if it is withdrawn or expires.

UK post-Brexit. The UK has adequacy from the EU side (and vice versa) but operates a separate regime. For EEA-to-UK or UK-to-EEA transfers, no special mechanism is needed beyond confirmation of the adequacy basis. For transfers from the UK to a third country, use the UK IDTA or the UK Addendum to the EU SCCs. The two adequacy decisions are subject to periodic review; the addendum should require both parties to flag any change.

APAC hotels. Adequacy exists for Japan, Republic of Korea and New Zealand. For other APAC destinations (Singapore, Hong Kong, Thailand, Indonesia, Vietnam, etc.) the 2021 SCCs Module Two plus TIA are required. China-headquartered chains and chains with mainland China processing add a separate layer because PIPL requires its own transfer mechanism out of China (CAC standard contract or security assessment) that the planner needs to be aware of even when its own transfer is into China.
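The three-layer check in the Clause 4 section (adequacy, then DPF, then 2021 SCCs plus TIA) and the US / UK / APAC scenarios above can be written down as a single decision function. The block below is an added example, not the page's own Builder code, and it is illustrative rather than a legal determination. It assumes ISO 3166-1 alpha-2 country codes, treats the UK's adequacy regulations as mirroring the EU list (an assumption to verify), reads a single `dpfCertified` flag as DPF certification for an EEA exporter and as certification under the UK Extension for a UK exporter, and assesses a routed flow (for example booking data passing through a US central reservation system) hop by hop, taking the strictest hop as the one that governs the addendum.

```javascript
// Added worked example of the page's transfer-mechanism decision tree. Not the page's Builder.
// Adequacy sets reflect the Commission decisions the page cites; verify current lists before use.
const EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
  "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO",
]);
// EU adequacy decisions (Art. 45). "CA" covers only organisations subject to PIPEDA (commercial).
// The US is not on this list: it is adequate only for importers certified under the DPF.
const EU_ADEQUATE = new Set(["AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "NZ", "KR", "CH", "GB", "UY"]);

// Returns the transfer tool for one exporter-to-importer hop.
// plannerIsProcessor=true means an agency (itself a processor) contracts the hotel: SCCs Module Three.
function transferMechanism({ origin, destination, dpfCertified = false, plannerIsProcessor = false }) {
  const r = { origin, destination, mechanism: null, instrument: null, tiaRequired: false, notes: [] };
  const sccModule = plannerIsProcessor ? "Module Three (P2P)" : "Module Two (C2P)";

  if (EEA.has(origin)) {
    if (EEA.has(destination)) {
      r.mechanism = "intra-EEA";
      r.instrument = "none (contract confirms data stays in the EEA)";
    } else if (destination === "US") {
      if (dpfCertified) {
        r.mechanism = "adequacy";
        r.instrument = "EU-US Data Privacy Framework";
        r.notes.push("Verify the importer on the official DPF list; require it to maintain certification and notify withdrawal.");
      } else {
        r.mechanism = "SCCs";
        r.instrument = `2021 EU SCCs ${sccModule}`;
        r.tiaRequired = true;
        r.notes.push("TIA must cover FISA s.702 and EO 12333.");
      }
    } else if (EU_ADEQUATE.has(destination)) {
      r.mechanism = "adequacy";
      r.instrument = `EU adequacy decision for ${destination}`;
      if (destination === "CA") r.notes.push("Canadian adequacy covers only organisations subject to PIPEDA.");
    } else {
      r.mechanism = "SCCs";
      r.instrument = `2021 EU SCCs ${sccModule}`;
      r.tiaRequired = true;
      if (destination === "CN") r.notes.push("Importer also needs a PIPL outbound mechanism (CAC standard contract or security assessment).");
    }
  } else if (origin === "GB") {
    // Assumption: the UK adequacy regulations mirror the EU list plus the EEA. Verify before relying on it.
    if (EEA.has(destination) || EU_ADEQUATE.has(destination)) {
      r.mechanism = "adequacy";
      r.instrument = "UK adequacy regulations";
    } else if (destination === "US" && dpfCertified) {
      r.mechanism = "adequacy";
      r.instrument = "UK Extension to the EU-US DPF (UK-US data bridge)";
    } else {
      r.mechanism = "UK transfer tool";
      r.instrument = "UK IDTA or UK Addendum to the 2021 EU SCCs";
      r.tiaRequired = true; // the UK regime calls this a Transfer Risk Assessment
    }
  } else {
    r.mechanism = "out-of-scope";
    r.notes.push("This tree covers EEA and UK exporters only.");
  }
  return r;
}

// A routed flow is assessed per hop; the strictest hop decides which instrument the addendum attaches.
function assessRoute({ origin, hops, dpfCertifiedHops = new Set(), plannerIsProcessor = false }) {
  const rank = { "intra-EEA": 0, adequacy: 1, SCCs: 2, "UK transfer tool": 2, "out-of-scope": 3 };
  const perHop = hops.map((destination) =>
    transferMechanism({ origin, destination, dpfCertified: dpfCertifiedHops.has(destination), plannerIsProcessor }));
  const governing = perHop.reduce((worst, h) => (rank[h.mechanism] > rank[worst.mechanism] ? h : worst));
  return { governing, tiaRequired: perHop.some((h) => h.tiaRequired), perHop };
}

// Constructed scenario: German planner, Irish property of a US chain whose CRS is in the US, chain not DPF-certified.
console.log(JSON.stringify(assessRoute({ origin: "DE", hops: ["IE", "US"] }).governing, null, 2));
```

The per-hop structure is the point: a contract that only looks at the property's own country (Ireland, intra-EEA) misses the US reservation-system hop, which is the one that actually needs the SCCs and the TIA.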

For all three scenarios, the cancellation-policy interaction matters. If the transfer mechanism fails (e.g. the DPF is challenged or the SCCs are invalidated), the contract may become unperformable on data-protection grounds. The clause should provide a graceful exit — a right to terminate with refund of pre-paid sums — rather than leaving the planner stuck. The 2026 force-majeure clause library addresses the data-law-failure scenario as a named trigger in some recent drafts.

Get the GDPR Hotel DPA Addendum Template

Printable Word-style template plus a Schrems II SCCs Annex generator. Counsel-reviewed against GDPR Art. 28 and EDPB Recommendations 01/2020. Free, no email gate.

Download the addendum →

DPA Addendum Builder — interactive wizard

The tool below walks you through the seven mandatory clauses and generates a printable addendum from your inputs. It also generates a Schrems II SCCs Annex when you select a non-adequate destination. It runs entirely in your browser — no LLM call, no upload, no server processing. The output is a starting point for counsel review, not a substitute for legal advice.


Counsel checklist before signing

Six questions surface the most common drafting weaknesses procurement teams catch in the final review:

  1. Is the controller / processor allocation explicit and does it carve out the hotel's own controller-data at check-in? Silent contracts default to disputes about scope.
  2. Does the data-category list match what your registration platform actually exports? A clause that omits accessibility data is a clause the hotel can claim was never authorised to receive it.
  3. Is the sub-processor regime general or specific, and is the controller's veto window workable (30 days)?
  4. For non-EEA hotels: is the right transfer mechanism attached (DPF reliance, 2021 SCCs, UK IDTA), and is the TIA cooperation duty in the clause?
  5. Is the breach-notification window short enough (24-48 hours) for you to meet the Art. 33(1) 72-hour clock?
  6. Is the audit regime tiered, with cost allocation and acceptable certifications named?

For events involving Art. 9 special-category data (health, dietary inference, religious), or for events in regulated sectors (banking, pharma, public-sector procurement), counsel review is non-negotiable. The seven clauses here are the floor; the regulated-sector ceiling is typically higher (additional liability caps, third-party audit rights, breach notification at 12 hours).

For more on related contract surfaces, see the master account vs individual billing piece (the billing data flow is a separate processor relationship), the hidden costs guide (some "data handling fees" appear there), and the clause decoder for the broader contract anatomy. The registration-side GDPR tool covers the upstream flow from registrants to the planner; this guide covers the downstream flow from the planner to the hotel.

Frequently asked questions

Is a hotel a controller or a processor under GDPR?
Processor for the data the planner shares (room list, BEO, dietary). Controller for the data the hotel collects directly at check-in. The clause must distinguish the two.

Do I need a written DPA with every hotel?
Yes whenever you share attendee personal data with the hotel. Art. 28(3) requires a written contract setting out the listed matters. A DPA addendum to the main hotel contract is the modal MICE solution.

What about US hotels post-Schrems II?
If DPF-certified for the relevant data categories, the DPF route is sufficient. If not, attach the 2021 EU SCCs Module Two and complete a Schrems II TIA covering US surveillance law.

Are SCCs still required in 2026?
Yes for transfers to non-adequate jurisdictions. The 2021 set (Commission Implementing Decision 2021/914) is the only valid version. The Schrems II TIA duty applies regardless.

Who notifies attendees of a hotel data breach?
The controller (planner) under Art. 34, when the risk is high. The hotel notifies the controller under Art. 33(2) — the clause should compress that to 24-48 hours.

Can the hotel keep attendee data after the event?
Not as processor. Art. 28(3)(g) requires return or deletion. The hotel may keep its own controller-data from check-in under its own retention policy.

What is the GDPR fine for non-compliance?
Art. 83 has two tiers. Breaches of the basic principles, data-subject rights and the transfer rules (Arts. 5, 6, 9, 12-22, 44-49) carry up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5)). Breaches of the controller and processor obligations, including the Art. 28 processor-contract requirements, carry up to EUR 10 million or 2% (Art. 83(4)).

Does GDPR apply to a Latin American hotel hosting EU attendees?
The transfer from the EEA is governed by Art. 46 and requires a transfer mechanism (SCCs + TIA, unless Argentina or Uruguay). The LatAm hotel may itself be outside Art. 3 for its own controller-data.

Is the BEO a personal-data document under GDPR?
Usually yes when it names attendees or carries dietary / accessibility data. The clause must cover BEO handling, redaction, and post-event destruction.

Are room lists personal data?
Yes. Names linked to room numbers, ID / passport data and dietary / accessibility notes are all personal data. The clause should require an authenticated channel for transmitting the list, deletion after checkout, and no loyalty enrolment from it.

Can the hotel use attendee data for marketing?
No, not on the basis of the processor relationship. The clause should expressly prohibit marketing use, loyalty enrolment and onward transfer.

Do hotels need DPO contact details in the contract?
Art. 28 does not require it in terms, but Art. 33(3)(b) makes the DPO's (or other contact point's) name and details mandatory content of a breach notification, and the audit duty in Art. 28(3)(h) needs a counterpart to work. Name the DPO or privacy lead as the recipient for breach notice, SAR escalation and audit coordination, with a duty to notify changes.

Is the post-event satisfaction survey GDPR-relevant?
Yes. If the planner shares the attendee list with the hotel for the survey, that processing must sit inside the DPA. If the hotel runs its own survey, it needs its own legal basis.

Ready to stop hand-rolling DPAs?

Let Easy RFP attach a counsel-reviewed DPA addendum to every hotel RFP automatically.

Try Easy RFP free
SEVEN CLAUSES · ONE ADDENDUM · DPF + SCCs + UK IDTA HANDLED

Modern data-protection language,
built for procurement scrutiny.

Use the Builder, download the printable addendum, walk into the next contract with the seven clauses ready. Easy RFP ships it.

Get started free