All hotels, in the course of their operations, collect and process personal data of their employees, guests, and other individuals. In doing so, they are required to comply with the obligations prescribed by the Law on Personal Data Protection (hereinafter referred to as the “Law”).
If you operate a hotel and have not yet aligned your business with the Law, the upcoming activities of the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter referred to as the “Commissioner”) may change your mind and prompt you to take necessary steps.
If your hotel has not yet received a request from the Commissioner to complete the Checklist, you are one of the few, and there is a high chance that it will happen soon.
What is the Checklist and what is its purpose?
One of the Commissioner’s powers, as the supervisory authority in the field of personal data protection, is to monitor and analyze the state of data protection, which is done in part through data obtained via Checklists.
As mentioned, the Commissioner has begun the compliance verification of hotels’ activities with the requirements of personal data protection, starting with the submission of the Checklist.
As stated by the Commissioner, Checklists present complex and extensive legal obligations through a series of understandable questions, to which accurate and comprehensive answers are required.
The concept of the Checklist is simple: it consists of questions that indicate to data controllers what their obligations are under the Law.
The Checklist consists of a total of 14 questions, with each question having two or three possible answers. Furthermore, certain answers require you to explain and provide evidence of your compliance. Each answer is scored with a specific number of points, and the total number of points that the supervised entity, in this case, a hotel, can achieve is 100 points. If the hotel accumulates a total score of 100 points, it falls into the category of entities with insignificant risk.
According to the questions in the Checklist, the hotel (which is the supervised entity in this situation) compiles a self-assessment report, which is submitted to the Commissioner within 7 days of receiving the Checklist.
The collected reports serve as the basis for the Commissioner to develop, and later implement, an inspection plan based on the established state of compliance and the resulting risk assessment.
The Checklist form with instructions for completion is publicly available and can be found on the Commissioner’s website in the “Data Protection” section under “Checklists” (available only in Serbian). Data controllers can use it independently of the Commissioner’s request to self-assess their compliance with the Law and their level of risk.
How to Complete the Checklist?
In order to complete the Checklist and answer its questions accurately, you first need to understand all the processes within your organization, in this case the hotel. This includes knowing what data you process, why you need it, where and how you store it, with whom you share it, and more. However, that is only a starting point; it is not enough on its own.
To correctly answer the Commissioner’s questions on the Checklist, you also need to be familiar with the terms and obligations outlined in the Law.
Checklists not only lack explanations of what certain terms mean, such as data breach, data collection, records of processing activities, data processors, etc., but they also contain questions that refer directly to specific provisions of the Law.
Although the questions are clear to the Commissioner and us, who have been working in this area for a long time, are they clear to you?
To answer some questions correctly, it is not enough to simply read the provisions of the Law referred to by the Commissioner, but you must be fundamentally familiar with this area of law. For example, to correctly answer the last three questions (12, 13, and 14), you must first understand the difference between the definitions of data controllers, data processors, and recipients, and then determine which contract should be concluded in each specific case.
Keep in mind that the data in the report, i.e., your answers, are subject to verification by the Commissioner. Falsifying or concealing facts in the report carries legal consequences as it involves drafting a document of untrue content.
What if the Checklist shows a high or critical level of risk?
Depending on the number of points you score on the Checklist, you can be classified into predefined risk categories, from insignificant to critical.
If, based on your answers, you do not achieve a sufficient number of points, you may be classified into the category of data controllers with a high or critical level of risk regarding personal data protection.
Regardless of the number of points you score and the assessed risk, it is advisable to submit the completed Checklist to the Commissioner. If you do not provide the Commissioner with the requested report within the given deadline, the Commissioner will consider the likelihood of risk occurring at your organization to be high, and this will be taken into account when planning inspections. In practice, this means there is a high probability that an inspection will be initiated to determine whether your hotel’s operations comply with the Law on Personal Data Protection.
It is important to note that even if you are assessed as having a high or critical risk, there is no need to panic yet: it does not mean that the Commissioner will immediately penalize you or impose corrective measures. It serves as an indicator that you need to take personal data protection seriously and align your business with the Law in order to minimize the risk, including the risk of penalties.
Finally, the number of points and the classification on the Checklist do not necessarily reflect actual compliance with the Law, which, as mentioned, the Commissioner will verify during an inspection.
How to Achieve a High Score on the Checklist?
To achieve a high score on the Checklist and successfully pass the Commissioner’s inspection, it is necessary to genuinely align your activities and business with the Law on Personal Data Protection.
In previous articles, we have emphasized the importance for entities to comply with the obligations of the Law on Personal Data Protection and provided a brief guide on how to align.
In summary, in addition to knowing all the data you process, the individuals involved, the reasons for processing, the duration of data retention, and the legal basis for processing, you must also apply appropriate technical, organizational, and personnel security measures to protect the data.
One of the key data protection measures is adopting appropriate internal acts that regulate the procedure for collecting and processing personal data, retention periods, data breach procedure, procedure for handling requests to exercise data subjects’ rights, and similar matters.
Additionally, even though the Law explicitly imposes the obligation to maintain records of processing activities only on businesses with more than 250 employees, the obligation also applies to all processing activities that are not occasional, irrespective of the number of employees. This means that a hotel, at a minimum, must maintain records of processing activities for the employee and guest data that it processes regularly, and the Commissioner will request these records during an inspection.
Furthermore, data controllers should carefully consider the need to appoint a Data Protection Officer (DPO) and report their appointment to the Commissioner in accordance with the Law. The Commissioner can easily verify whether a data controller has fulfilled this obligation since they maintain a record of appointed DPOs.
Moreover, if data controllers, including hotels, engage third parties to handle certain aspects of data processing or share data with third parties, they should govern these relationships with appropriate written agreements. Such agreements are not only required by the Law but also define the rights and obligations of the parties involved, thereby minimizing the risk of data breaches.
Last but not least, if you transfer personal data to other countries, whether by sending it to recipients in another country, storing it in the cloud, or granting access to someone located in another country, you must have adequate data transfer mechanisms in place.
Positive Aspects of the Checklist
For those who have not complied with the Law until now, the Checklist represents the last opportunity to take data protection seriously and align their business with the Law.
The Commissioner’s approach, which allows data controllers to initially assess their compliance with the Law, serves as a useful preventive measure and an opportunity for self-assessment and improvement before facing an inspection.
Although the Commissioner has primarily focused on education and prevention in the past and has not strictly penalized those who have not complied with the Law, the Commissioner’s practice appears to be changing and aligning with that of supervisory authorities in the European Union. This is evident from the first fines and misdemeanor reports issued by the Commissioner during the past year.
Keep in mind that, apart from the monetary fines you may have to pay, non-compliance with the Law leads to a loss of trust in your business from your guests, partners, and the public. This damages the reputation of your hotel and jeopardizes the survival of your business.
Therefore, if you have received the Checklist from the Commissioner and have not yet aligned with data protection regulations, seize the opportunity, take action now, and prevent the consequences that may arise from violating the obligations prescribed by the Law, which go far beyond monetary penalties.