Can the hotel ever be a controller?

Yes — when the hotel collects data for its own purposes (loyalty programmes, on-property marketing) it acts as a controller. For the same dataset, hotel can be controller for its own data and processor for the buyer's data. The DPA distinguishes the two.

What if both parties are controllers (joint controllership)?

Joint controllership requires a documented agreement under GDPR Article 26 specifying who handles which obligations (transparency, rights requests, regulator interaction). Rare in MICE but appears in marketing-heavy events with significant data-sharing.

Home › Glossary › GDPR Data Controller

Compliance

GDPR Data Controller — Plain English Definition + Examples

GDPR Data Controller is the natural or legal person that determines the purposes and means of processing personal data — for MICE events, this is usually the buyer (event organiser), not the hotel.

Definition

Under GDPR Article 4(7), a data controller is the natural or legal person that determines the purposes and means of processing personal data — for MICE events, this is usually the buyer (event organiser), not the hotel.

In day-to-day European MICE and procurement work, gdpr data controller sits inside a broader workflow that includes the brief, the longlist, the shortlist, the contract negotiation, and the post-event reconciliation. Understanding it in isolation is not enough — what matters is how it interacts with the other levers a planner or procurement team can pull. The definition above is the textbook version; the sections below explain how it actually behaves in real sourcing.

Why GDPR Data Controller matters

Controller vs. processor designation determines who bears the primary regulatory burden under GDPR. Controllers face higher fines, more disclosure obligations, and direct exposure to data-subject rights. Getting this wrong in a contract creates real liability for the buyer.

The practical takeaway: planners and procurement teams who get gdpr data controller right typically see measurable improvements in either cost, risk exposure, or cycle time — sometimes all three. Teams who default to the supplier's standard language usually leave 5-15% of total event value on the table, often without realizing it. The skill is recognising gdpr data controller when it appears, knowing the market-standard range, and treating any deviation from that range as a negotiation point — not a take-it-or-leave-it.

Example

A buyer organising a 200-pax conference collects attendee names, dietary requirements, and accommodation preferences via their RFP platform, then shares the rooming list with the hotel. The buyer is the controller (decides why and how data is processed); the hotel is the processor (acts on the controller's documented instructions).

This example is representative of mid-to-large European corporate MICE — pharma, finance, tech, professional services. Smaller events (under 50 attendees) and very large events (1,000+) often follow different conventions, but the underlying logic of gdpr data controller stays the same. The numbers move, the principle doesn't.

Where GDPR Data Controller appears in contracts

The controller/processor relationship requires a written Data Processing Agreement (DPA) under GDPR Article 28. The DPA defines what the processor (hotel) may and may not do with the controller's (buyer's) data — typically as a schedule to the MSA.

When reviewing a hotel proposal or contract draft, scan for gdpr data controller early — it's often easier to negotiate before the supplier has anchored on their preferred position. Easy RFP surfaces these terms in every comparison view so planners can spot deviations from market-standard ranges at a glance, rather than reading 14-page proposals line by line.

Related terms

Deeper reading

Related guides on the blog

Put this into practice

Easy RFP builds gdpr data controller thinking into every hotel RFP — so you negotiate from data, not from memory.

Audit your GDPR posture →