When the Data Protection Commission investigated a Donegal hotel group in 2024 and issued a €405,000 fine for failing to delete guest data after checkout and for inadequate security measures, the response from the hospitality sector was muted. Most operators assumed the fine reflected a large corporate failure, something that would not apply to a family-run guesthouse or a small independent hotel. That assumption is wrong. The GDPR obligations the DPC enforces apply to every accommodation provider that processes personal data, regardless of size, and they are specific, documented, and enforceable against any business in Ireland.
Most Donegal accommodation providers have never conducted a GDPR audit. They do not know what data they hold, where it is stored, who has access to it, or how long they are keeping it. This guide walks through the practical audit that every Donegal hotel, guesthouse, and self-catering operator needs to complete.
What Guest Data You Actually Hold
The volume of personal data flowing through a typical Donegal accommodation business is larger than most operators realise. Every guest who makes a booking provides their full name, email address, phone number, home address, and payment information. If you use a property management system, these details persist in the system long after checkout, often indefinitely, because nobody has set a deletion schedule. Indefinite retention breaches the storage limitation principle: personal data may be kept only for as long as a defined purpose requires it, and "we never got round to deleting it" is not a purpose.
Passport and identity document copies present a higher-risk category. Many Donegal properties take a copy of a guest's passport at check-in for verification. Under GDPR, the legal basis for collecting identity documents must be clear, and the retention period must be defined and enforced. Storing passport scans in email inboxes or on shared network drives without encryption is not compliant, and retaining them beyond the period of legitimate need — typically 24 hours after check-in unless a specific legal requirement applies — creates ongoing liability.
Dietary requirements and accessibility needs can reveal a guest's health conditions or religious beliefs, which are special categories of personal data under Article 9 of GDPR. Processing them requires explicit consent rather than the contract or legitimate interest basis that covers standard booking data. If a guest has not clearly opted in to sharing this information, you should not be recording it. If they have opted in, delete it after checkout unless they are enrolled in an ongoing loyalty programme with active consent.
CCTV footage is one of the most commonly mismanaged data categories in Irish hospitality. You must display clear signage that CCTV is in operation, ensure cameras are not positioned in private areas, and delete footage within 28 days unless you have a specific documented reason to retain it longer — an ongoing investigation, for example. Storing months of CCTV footage by default, with no deletion schedule, is a documented pattern the DPC has investigated.[^2]
Wi-Fi network logs may be recording more than you realise. Many commercial router systems log device MAC addresses, IP addresses, and connection times by default. You should verify what your router is logging, limit logging to technical data needed for network management, and set a maximum retention period of 90 days. Logging website visits or content would require explicit consent and a specific legal basis you almost certainly do not have.
Have you reviewed what personal data your property management system retains after a guest checks out? Book a free 20-minute strategy call — we work with Donegal hospitality businesses to conduct practical GDPR audits and implement the procedures that keep them compliant.
The Legal Principles That Apply to Every Category
Under GDPR, every piece of personal data you collect must have a lawful basis, the reason you are collecting it. For booking data, the basis is contract: you need it to fulfil the reservation. For CCTV and network management data, the basis is legitimate interest: you need it for security and operational purposes, and you must be able to show that you weighed that need against the intrusion on guests (a short written legitimate interests assessment is enough). For dietary requirements and marketing preferences, the basis is consent: guests must have explicitly agreed to provide this information, and where the data is special category data that explicit consent also satisfies the separate Article 9 condition.
Data minimisation is the principle that requires you to collect only what you actually need. If your property does not offer dietary services, you should not be asking about allergies. If you do not have a loyalty programme, you should not be collecting preference data. Every field on your booking form, your check-in form, and your guest survey should have a documented reason for existence. Fields that exist "because we've always asked" without a documented purpose are a liability.
Retention periods must be defined and enforced. Booking records must be kept for six years for tax and accounting purposes under Irish Revenue rules, but the personal data elements that are not required for tax purposes can and should be deleted or anonymised earlier. CCTV must be deleted within 28 days. Payment card data should never sit on your own systems: use a PCI DSS-compliant payment processor such as Stripe or Worldpay and let them hold the card data. At most you should see a masked number (last four digits) and a processor token, and you should never record the CVV, which PCI DSS prohibits storing after authorisation even in encrypted form.
What Happens When Things Go Wrong
If the Data Protection Commission investigates your property, the consequences scale with the severity of the failure and the responsiveness of the operator in correcting it. Fines up to €20 million or 4% of global annual turnover, whichever is higher, are the legislative maximum for serious breaches. Enforcement notices requiring you to change your practices, delete data, or improve your security measures can affect your operations immediately. Where a breach is likely to result in a high risk to the people affected, you must also notify them directly, which for a hotel means contacting every guest whose data was compromised, a practical and reputational challenge for any hospitality business.[^1]
The NCSC Ireland notes that data breaches in the Irish hospitality sector are frequently caused by inadequate access controls on property management systems — staff who have left the business retaining system access, shared login credentials that cannot be attributed to individuals, and unencrypted guest data stored in cloud services without adequate access restrictions.[^3] These are engineering problems, but they are also GDPR compliance failures with specific legal consequences.
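The three access-control failures above (leavers keeping access, shared logins, unreviewed accounts) are cheap to find once you compare the PMS user list against who actually works for you. The script below is an added example written for this page, not code from the article, NCSC Ireland or any PMS vendor; the user export, the HR roster and the 90-day dormancy threshold are constructed assumptions, and in practice the two lists come from the PMS admin console and payroll.

```python
"""PMS access review: the three access-control failures named above.

Added example, not the article's or NCSC Ireland's code.  The PMS user export,
the HR roster and the 90-day dormancy threshold are constructed assumptions;
a real review reads the export from the PMS and the roster from payroll.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_AFTER = timedelta(days=90)  # assumption: a review threshold, not a legal figure


@dataclass(frozen=True)
class PmsAccount:
    username: str
    owner: Optional[str]      # named person the login is attributed to; None = nobody
    role: str
    last_login: Optional[date]


# Constructed sample data standing in for a PMS user export.
SAMPLE_ACCOUNTS = [
    PmsAccount("aine.m", "Aine Murphy", "reception", date(2025, 3, 1)),
    PmsAccount("sean.d", "Sean Doyle", "manager", date(2025, 2, 27)),
    PmsAccount("nightporter", None, "reception", date(2025, 3, 2)),  # shared login
    PmsAccount("ciara.b", "Ciara Byrne", "housekeeping", date(2024, 9, 10)),
    PmsAccount("pms_support", None, "admin", None),  # vendor account, never used
]
# Constructed HR roster of current staff: Ciara Byrne has left.
SAMPLE_ROSTER = {"Aine Murphy", "Sean Doyle"}
SAMPLE_TODAY = date(2025, 3, 3)


def review_access(accounts, current_staff, today) -> Dict[str, List[str]]:
    """Return {username: [finding codes]} for accounts that need action.

    SHARED  - login is not attributed to one person, so actions cannot be traced
    LEAVER  - the attributed owner is no longer on the current staff roster
    DORMANT - never logged in, or not within DORMANT_AFTER
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        codes = []
        if acct.owner is None:
            codes.append("SHARED")
        elif acct.owner not in current_staff:
            codes.append("LEAVER")
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            codes.append("DORMANT")
        if codes:
            findings[acct.username] = codes
    return findings


def privileged_findings(accounts, findings) -> List[str]:
    """Usernames with findings that also hold an admin or manager role: fix these
    first, because that role can read or export the whole guest database."""
    by_name = {a.username: a for a in accounts}
    return sorted(u for u in findings if by_name[u].role in ("admin", "manager"))


if __name__ == "__main__":
    result = review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_TODAY)
    for user, codes in result.items():
        print(f"{user:12} {', '.join(codes)}")
    print("fix first:", privileged_findings(SAMPLE_ACCOUNTS, result))
```

Run it monthly and keep the output with the data map: it is the evidence that access is reviewed, and the "SHARED" findings are the ones the DPC will ask about first, because a shared login means you cannot say who looked at a guest's record.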
Failing to notify the DPC of a personal data breach within 72 hours of becoming aware of it is itself a compliance failure separate from the underlying breach. The only exception is a breach unlikely to result in any risk to the people affected, and you must record why you reached that conclusion. Every Donegal accommodation provider needs a documented data breach response procedure that includes who to notify, what information to gather, and how to complete the mandatory notification. This procedure should be tested at least annually.
What Next: Three Actions for Donegal Accommodation Providers
First, map every category of guest data your property collects and where it is stored this month. List each data type, identify the legal basis for collection, document the retention period, and identify who has access. This data map does not need to be complicated — one page per category is sufficient. The act of mapping will reveal retentions and access arrangements that need immediate correction.
Second, set automated deletion schedules in your property management system this quarter. Most modern PMS systems support data retention rules. Configure them: booking data retained for six years, then deleted; personal data not required for tax purposes anonymised after twelve months; CCTV recordings deleted after 28 days. If your PMS cannot support automated deletion, that is a system limitation you need to address; in the meantime a scheduled script against a database or folder you control is better than nothing, because a retention period that exists only on paper is not being enforced.
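What an enforced retention schedule looks like in code, covering the PMS records above as well as the passport scans, CCTV and Wi-Fi logs discussed earlier: this is an added example written for this page, not the article's own code and not any PMS vendor's retention feature. The bookings schema, the sample rows, the folder layout and the file ages are constructed; the periods are the ones the article gives. It is meant for a database or folder tree you control, not for running arbitrary SQL inside a vendor's hosted system.

```python
"""Retention enforcement for guest data, applied nightly.

Added example, not the article's or any PMS vendor's code.  The bookings
schema, sample rows, folder layout and file ages are constructed; the periods
are the article's (six years for Revenue, twelve months before anonymising,
24 hours for passport scans, 28 days for CCTV, 90 days for Wi-Fi logs).
"""
import os
import sqlite3
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

ANONYMISE_AFTER = timedelta(days=365)
DELETE_AFTER = timedelta(days=6 * 365)   # approximation of the Revenue six-year rule
FILE_RETENTION = {                        # folder under the data root -> maximum age
    "passport_scans": timedelta(hours=24),
    "cctv": timedelta(days=28),
    "wifi_logs": timedelta(days=90),
}
SAMPLE_TODAY = date(2025, 3, 3)
SAMPLE_NOW = datetime(2025, 3, 3, 2, 0)   # the nightly run at 02:00

SCHEMA = """CREATE TABLE bookings (
    id INTEGER PRIMARY KEY,
    checkout TEXT NOT NULL,              -- ISO date, so string comparison orders correctly
    guest_name TEXT, email TEXT, phone TEXT, address TEXT,
    dietary TEXT,                        -- special category data, consent-based
    amount_cents INTEGER NOT NULL,       -- the financial record Revenue needs
    anonymised INTEGER NOT NULL DEFAULT 0)"""


def open_sample_db(today):
    """Constructed bookings: one recent stay, one over a year old, one over six years old."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO bookings (checkout, guest_name, email, phone, address, dietary, amount_cents)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [((today - timedelta(days=10)).isoformat(), "Aoife Gallagher", "aoife@example.com",
          "0871234567", "Letterkenny", "nut allergy", 18000),
         ((today - timedelta(days=400)).isoformat(), "Liam Boyle", "liam@example.com",
          "0869876543", "Derry", None, 24000),
         ((today - DELETE_AFTER - timedelta(days=30)).isoformat(), "Old Guest",
          "old@example.com", "0851112222", "Dublin", None, 9000)])
    return db


def apply_booking_retention(db, today):
    """Delete after six years, strip identifiers after a year, clear special category
    data once the guest has checked out.  amount_cents survives, so the accounts still add up."""
    deleted = db.execute("DELETE FROM bookings WHERE checkout < ?",
                         ((today - DELETE_AFTER).isoformat(),)).rowcount
    anonymised = db.execute(
        "UPDATE bookings SET guest_name = NULL, email = NULL, phone = NULL, address = NULL,"
        " dietary = NULL, anonymised = 1 WHERE checkout < ? AND anonymised = 0",
        ((today - ANONYMISE_AFTER).isoformat(),)).rowcount
    dietary_cleared = db.execute(
        "UPDATE bookings SET dietary = NULL WHERE dietary IS NOT NULL AND checkout <= ?",
        (today.isoformat(),)).rowcount
    db.commit()
    return {"deleted": deleted, "anonymised": anonymised, "dietary_cleared": dietary_cleared}


def purge_expired_files(root, now):
    """Remove files older than their folder's limit.  Age comes from the modification
    time, which a copy or restore resets; if the recorder stamps the filename, parse that."""
    removed = []
    for folder, max_age in FILE_RETENTION.items():
        for path in (Path(root) / folder).glob("*"):
            if now - datetime.fromtimestamp(path.stat().st_mtime) > max_age:
                path.unlink()
                removed.append(f"{folder}/{path.name}")
    return sorted(removed)


def build_sample_tree(root, now):
    """Constructed files with back-dated modification times."""
    ages = {"passport_scans/room12.jpg": timedelta(hours=30),
            "passport_scans/room14.jpg": timedelta(hours=2),
            "cctv/lobby-cam1.mp4": timedelta(days=40),
            "cctv/carpark.mp4": timedelta(days=3),
            "wifi_logs/dhcp.log": timedelta(days=120)}
    for rel, age in ages.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
        ts = (now - age).timestamp()
        os.utime(path, (ts, ts))


def run_demo():
    """Apply both schedules to the constructed data and report what changed."""
    db = open_sample_db(SAMPLE_TODAY)
    counts = apply_booking_retention(db, SAMPLE_TODAY)
    remaining, total = db.execute("SELECT COUNT(*), SUM(amount_cents) FROM bookings").fetchone()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, SAMPLE_NOW)
        removed = purge_expired_files(root, SAMPLE_NOW)
    return {"bookings": counts, "remaining_rows": remaining,
            "retained_cents": total, "removed": removed}


if __name__ == "__main__":
    print(run_demo())
```

Log each run's counts somewhere you keep: a nightly record of "deleted 0, anonymised 3, removed 12 files" is exactly the evidence of enforcement an inspector asks for. Note that anonymising strips the identifiers but keeps the amount and the date, so the six-year Revenue record is intact while the personal data is gone after a year.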
Third, create a one-page data breach response procedure and brief your management team on it. The procedure should state that any suspected breach is reported to management within one hour of discovery, that the DPC notification is filed within 72 hours if required, and that affected guests are notified promptly. Print it and post it where your management team will find it when they need it, not buried in a folder nobody opens.
[^1]: Data Protection Commission Ireland
[^2]: An Garda Síochána — Cybercrime
[^3]: NCSC Ireland — Advice for Organisations
Related Reading
- CCTV in Your Donegal Hotel, Restaurant or Pub: GDPR Obligations
- Your Booking System Is Your Biggest Attack Surface
- Cyber Insurance for Donegal Hospitality
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.