
GDPR Art 32 (TOMs) in Hotel RFPs (Plain English Definition + Examples)


Definition

GDPR Article 32 requires data controllers and processors to implement appropriate Technical and Organisational Measures (TOMs) to ensure a level of security appropriate to the risk — including encryption, access controls, business continuity, and regular testing — when processing attendee personal data.

In European MICE sourcing, GDPR Art 32 (TOMs) sits inside a broader workflow that includes the brief, the longlist, the shortlist, the contract negotiation, and the post-event reconciliation. Understanding it in isolation is not enough; what matters is how it interacts with the other levers a planner can pull. The definition above is the textbook version; the sections below explain how it actually behaves in real RFPs.

Why GDPR Art 32 (TOMs) matters

Article 32 applies any time a hotel receives attendee personal data — registration lists, dietary preferences, room assignments, special needs. The hotel becomes a data processor under GDPR Art 28, and Art 32 TOMs are the security baseline. Modern enterprise RFPs include a 30-question Art 32 TOMs questionnaire covering encryption at rest, in transit, access logs, retention, and sub-processor controls.

Example

A pharma planner sends an attendee list (200 names plus dietary requirements and medical accommodations, the latter being special-category data under GDPR Art 9, which raises the level of security that counts as appropriate) to a Madrid hotel. The hotel responds with Art 32 TOMs evidence: TLS 1.3 for transmission, AES-256 encryption at rest, access log retention of 12 months, role-based access, and attendee data deleted 30 days post-event. Compliant. Without TOMs evidence, the data transfer is a risk.

Where GDPR Art 32 (TOMs) appears in contracts

TOMs are referenced in the Data Processing Agreement (DPA) that accompanies the hotel contract under GDPR Art 28. The contract itself may reference 'compliant TOMs as detailed in the DPA Schedule 2'.


Put this into practice

Easy RFP builds GDPR Art 32 (TOMs) thinking into every hotel RFP, so you negotiate from data, not from memory.
