King & Wood Mallesons: Data Compliance in China's Hospitality Industry 2022 (English version, 15 pages)

China: Data Compliance in the Hospitality Industry

The hospitality industry is becoming digitalized. Hotel operators are increasingly relying on the Internet of Things, big data and cloud computing to deliver more convenience and bespoke offerings to their guests. Often the data collected is then combined with artificial intelligence technologies to deliver intelligent perception, intelligent decision-making and adaptive learning. Dealing with all this data also brings greater responsibility and obligations in relation to personal information compliance. These greater compliance requirements are typically reflected in four aspects: collection of personal information, personal information interaction, building cloud platforms and cross-border transfer of personal information.

01 Collection of Personal Information in the Hospitality Industry

1. Scenarios when personal information is collected

An easy way to improve a hotel guest's experience is to provide a seamless check-in. These include "mobile check-in", "smart front desk" and "door access with facial recognition". Hotel group companies and hotel management companies (Hotel Party or Hotel Parties) are constantly seeking to improve the efficiency of the check-in and thereby provide a better overall guest experience. Providing efficient and high-quality service requires analysis of guest data, which is typically collected at every stage from booking until check-out. Data will be processed and analyzed by the Hotel Parties' Property Management System (PMS).

(1) Booking

During booking, Hotel Parties collect guests' personal information both directly and indirectly. They may directly collect guests' personal information through self-operated Apps, applets, official websites and hotel front desks. In addition, Hotel Parties may indirectly collect personal information from third parties such as Online Travel Agencies (OTA), airlines or travel agencies.

Upon arrival, Hotel Parties typically offer guests self-service check-in or staff-assisted check-in. At this point, guests will confirm bookings/requests, scan IDs (which may be collected by both the Hotel PMS and the public security information system) and sign a check-in consent form (paperless hotels will collect guests' electronic signatures). This personal information from the guests may be collected not only for providing basic services such as booking and check-in, but also for improving service quality. Examples include:

(2) Check-in

During check-in, Hotel Parties will collect personal information relating to the services to be provided. For room service, Hotel Parties will collect guests' personal information in order to provide Internet-connected devices such as smart TVs and smart assistants. In addition, for non-room services, relevant guests' personal information can be collected by Point-of-Sale (POS) systems so as to allow guests to enjoy the hotel's amenities such as food and beverage or other services (e.g. spa, fitness center, conference center, etc.). POS may collect guests' personal information based on different membership levels and scenarios, for example:

Hotel Parties may also collect guests' personal information during the check-in stage by other means, such as cameras in public areas or body cameras worn by security staff.

(3) Check-out

After guests check out, Hotel Parties will often collect guests' ratings and reviews through telephone enquiries, SMS enquiries, push notifications on their own website or Apps, or on third-party OTAs.

In practice, some hotels have implemented an unmanned hotel operation mode, that is, a full hotel check-in with facial recognition and all processes from check-in to check-out operated without human interaction. In this mode, guests reach their floor by using facial recognition when taking an elevator. During the Covid-19 pandemic this operation mode had the advantage of avoiding cross-contamination (i.e. no direct finger contact with the elevator) and also improved security.

2. Compliance obligations for the collection of personal information

The Notification of Apps Infringing Users' Rights and Interests issued by the Ministry of Industry and Information Technology sets out conduct which is considered to infringe upon guests' rights and interests by Apps of the hospitality industry and OTAs. Infringing behavior includes "compulsory, frequent and excessive requests for permission by Apps", "illegal collection of personal information", "collection of personal information beyond scope", "forcing users to use the function of a targeted push", etc.[1]

When collecting personal information, Hotel Parties are not only required to comply with requirements such as informed consent, collecting only the minimum necessary data, etc., but also need to pay special attention to enhanced compliance obligations for:

(1) Collection of sensitive personal information

In the process of providing services, Hotel Parties inevitably collect sensitive personal information from guests (ID card/passport details during check-in; financial details when a guest makes a transaction; facial information and other biometric information collected for door access; and the personal information of minors under the age of 14, which may be collected when providing hotel nursing or babysitting services). When collecting sensitive personal information from guests, Hotel Parties need to obtain the guests' separate consent and notify guests of the purposes and methods of personal information processing, the types of personal information to be processed and the storage periods, as well as the necessity of the processing of sensitive personal information and the impact on their individual rights and interests.[2]

In addition, hotels seeking to adopt an unmanned hotel operation mode will need to ensure alternatives are available to obtaining door access with facial recognition. Shanghai and Shenzhen expressly require that image collection and personal identification technology shall not be used as the sole method of verification for access to public places (this extends to hotels).[3]

(2) Apps' collection of personal information

Apps are commonly used by Hotel Parties to collect guests' personal information. The Information Security Technology - Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps) (GB/T 41391-2022) (hereinafter referred to as "Basic Requirements") provides guidelines in this regard. According to the Basic Requirements, an App's business functions are divided into basic and extended business functions. The basic business functions are those needed to fulfill the users' main purpose for using the App (i.e. guest registration, identity verification, hotel booking, check-in). The Basic Requirements specify the scope of necessary personal information in the travel and hospitality industries:[4]

(3) Collection of employees' personal information

Hotel Parties do not collect personal information only from guests but also from their employees. The collection of employees' personal information and the requirements of notification and consent are not described in detail here. Please refer to the article The Conflict and Balance between Human Resource Management and Protection of Employee Information (人力资源管理与员工信息保护的冲突与平衡).

02 Personal Information Interaction between Hotel Parties and Third Parties

1. Sharing and transfer of personal information

Personal information sharing is when the personal information processor provides personal information to another processor and both have independent control over the personal information.[5] Personal information transfer is when relevant personal information rights and interests are transferred from one personal information processor to another.[6] Both sharing and transfer fall within the provision of personal information.[7] Many digital operations cannot be performed by the Hotel Parties themselves and therefore the Hotel Parties will need to share personal information. In addition, personal information as a new type of valuable asset will raise issues when there is a merger, reorganization or transfer of hotel assets.

(1) Hotel Parties share personal information with cooperative partners

Personal information can flow between Hotel Parties and their cooperative partners in both directions (Hotel Parties can either provide or receive data). Typical scenarios include:

(2) Hotel Party shares personal information with owner and franchisee

Hotels are often operated under an entrusted or franchise operation. These different operational modes add complexity as to how the Hotel Parties may act. In most cases, Hotel Parties obtain guests' personal information through the hotel's official website, applets, Apps and front desk, etc. and share the personal information with owners and franchisees. Owners and franchisees have limited rights to use certain personal information (or must obtain the separate consent of the personal information subject if the agreed limits are exceeded). Under franchise operation, the franchisee is entitled to act as an independent processor of accommodation information (i.e. guest names, contact information, travel routes, etc.) as shared by the Hotel Party. Under entrusted operation, owners may process guests' names, accommodation information, etc. shared by the Hotel Parties to fulfil their compliance obligations under the law.

2. Entrusted processing of personal information

Hotel Parties often have technology or hardware limitations and therefore entrust third parties to process guests' personal information (e.g. terminal information, network information, guest behavior information, etc.). Typical scenarios include:

3. Joint processing of personal information

Joint processing of personal information is less common in the hospitality industry than sharing. Reference can be made to the Guidelines 07/2020 on the concepts of controller and processor in the GDPR adopted by the European Data Protection Board (EDPB), where hotel A, airline B and travel agency C jointly set up network company D. The agreement between A, B and C stipulates that personal information of guests who book hotels, buy flight tickets or purchase travel products through the network platform of D will be collected by D and then jointly used by A, B and C to carry out joint marketing practices and accordingly push relevant advertisements to guests for each company.[8] In this case, the processing conduct may be considered joint if the hotel is an independent processor of personal information and shares a common purpose with third-party partners.

4. Compliance advice for personal information interaction

(1) Conduct a personal information protection impact assessment

Entrusted processing, sharing or transferring personal information to other personal information processors explicitly requires a personal information protection impact assessment to be carried out in advance.[9] The assessment has five key points: the purpose of processing and its legality, notification and consent of the personal information subject, details as to the entire life cycle assessment of personal information, response to individual rights and interests, and security guarantee measures.[10] Security measures may include encrypted transmissions, continuous monitoring and access control, in combination with both the assessment results and the risk level of the personal information processing activities, so as to safeguard the security of the personal information.[11]

(2) Enter into data processing agreements

In an entrusted processing relationship, the law clearly requires the parties to agree on the purpose, period, processing methods, type of personal information, protection measures and rights and obligations of both parties.[12] In joint processing relationships, both parties need to agree on their respective rights and obligations.[13] Although there is no explicit requirement under PRC law as to whether a contract is required for the sharing or transfer of personal information, the relevant national standard clearly states that the responsibilities and obligations of the recipient shall be stipulated in the contract.[14] To differentiate between the above three types of data processing agreements, please refer to the article Data Processing Agreements in the Flow of Personal Information, Are You Prepared? (个人信息流动中的数据处理协议，你准备好了吗？).

03 Hotel Digital Cloud Platform

1. Current situation of hotel digital cloud platform construction

Cloud computing is a crucial part of the hotel industry's digital infrastructure. It allows for sophisticated data analysis and personalized guest services. At present, about 51% of hotel systems rely on the cloud, most importantly for the PMS, central reservation system, POS and other front-end hotel operation management and business systems, as well as back-end systems such as human resource management systems and supply chain management systems.[15] Most hotels use third-party cloud systems as the cost of a private cloud is prohibitive.

2. Allocation of responsibilities between Hotel Party and cloud service provider

If a public cloud is being used then part of the operating system is controlled by the Hotel Party and the ownership of data deployed on the public cloud will belong to the Hotel Party. On the other hand, the infrastructure is provided by the cloud service provider. The general view on data security responsibility is "shared responsibility". That is, the cloud service provider is responsible for the "security of the cloud itself" while the Hotel Party is responsible for "security inside the cloud".

(1) Security of the cloud itself

The cloud service provider is responsible for protecting the infrastructure for running all cloud services, including the hardware, software, network and equipment for running cloud services.

(2) Security inside the cloud

The responsibility of the Hotel Party is determined by the cloud service selected. For example, (a) for guest data, the Hotel Party bears most of the security responsibility. The cloud service provider only provides storage, access control, encryption and remote replication. The Hotel Party is responsible for the implementation of security measures and bears the corresponding costs and responsibilities; (b) for the Hotel Party's systems, such as PMS and POS operated on the basis of a cloud service, the Hotel Party can choose and use the functions provided by the cloud service provider, but the operation result and security responsibility will be borne by the Hotel Party; (c) in respect of Identity & Access Management (IAM), the cloud service provider only provides the system, whereas the Hotel Party is responsible for the maintenance and operation of the information.

3. Personal information compliance advice on hotel cloud platforms

When a hotel uses cloud services, the Hotel Party usually has the right to determine the purpose and method of processing personal information and is deemed to be a personal information processor. However, the cloud service provider that provides the storage function for personal information may also fall within the scope of personal information processor. Currently, the legal situation in China on this point is unclear.

(1) Hotel Party and cloud service provider enter into personal information processing agreements

When a Hotel Party requests a cloud service provider to provide a personal information storage service, such request should be interpreted as entrusted processing. The parties shall enter into a written agreement on the purpose, method, scope and period of the entrusted processing and the storage location, type, sensitivity and volume of the personal information, and the cloud service provider should process the personal information in accordance with the agreement. Processing activities shall not exceed the agreed processing purpose and method.

(2) Anonymization and deletion of personal information

Unlike de-identification[16], personal information after anonymization[17] is information from which a specific natural person cannot be identified, nor the identity recovered. This no longer falls within the scope of personal information. Hotel Parties storing a large amount of personal information (including sensitive personal information) on the cloud should anonymize (or highly de-identify) information to the maximum extent possible. In addition, it is important to delete relevant personal information after the minimum storage period is reached. The minimum storage period depends on the minimum time necessary to achieve the purpose authorized by the personal information subject (tenant/guest).[18]

(3) Compliance of cross-border transfer of personal information on the cloud

Cloud services have the characteristic of being "location-independent", meaning that the cloud system may be located within China or outside China. If the cloud system is within China, the Hotel Party will not be involved in cross-border transfer of personal information.
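The distinction between de-identification and anonymization drawn in (2) above, together with deletion after the minimum storage period, as an added Python example that is not part of the KWM report. It pseudonymizes the direct identifiers with a keyed hash and keeps a separate lookup vault, so whoever holds that additional information can recover the identity (which is why de-identified records remain personal information); it then anonymizes the same records by dropping direct identifiers, generalizing quasi-identifiers and suppressing any combination shared by fewer than k guests, leaving nothing to recover from; and finally it deletes records whose retention period has passed. The field names, the sample guests, the HMAC key and the 90-day retention period are assumptions constructed for the demo.

```python
"""Added example (not from the KWM report): de-identification versus
anonymization of hotel guest records, and deletion after the minimum
storage period. Field names, sample data, key and retention period are
assumptions constructed for this demo."""
import hashlib
import hmac
from collections import Counter
from datetime import date, timedelta

# Constructed sample PMS export; these are not real persons.
GUESTS = [
    {"name": "Li Hua", "id_number": "310101199001011234", "phone": "13800000001",
     "birth_date": date(1990, 1, 1), "nationality": "CN", "checkout": date(2022, 3, 10)},
    {"name": "Wang Fang", "id_number": "310101199205052345", "phone": "13800000002",
     "birth_date": date(1992, 5, 5), "nationality": "CN", "checkout": date(2022, 3, 12)},
    {"name": "Ann Smith", "id_number": "P12345678", "phone": "13800000003",
     "birth_date": date(1975, 8, 9), "nationality": "GB", "checkout": date(2021, 11, 2)},
    {"name": "Zhang Wei", "id_number": "310101199811113456", "phone": "13800000004",
     "birth_date": date(1998, 11, 11), "nationality": "CN", "checkout": date(2022, 3, 15)},
]
DIRECT_IDENTIFIERS = ("name", "id_number", "phone")
DEMO_KEY = b"demo-pseudonymization-key"  # assumption: held by the Hotel Party, never by the cloud provider
DEMO_TODAY = date(2022, 4, 1)            # assumption: the day the retention job runs


def de_identify(records, key):
    """PIPL Art. 73 de-identification: replace direct identifiers with keyed
    pseudonyms. Returns (pseudonymized records, vault). The vault is the
    'additional information' that still allows re-identification, so the
    pseudonymized records remain personal information."""
    vault, out = {}, []
    for rec in records:
        pseudo = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()[:16]
            vault[token] = rec[field]
            pseudo[field] = token
        out.append(pseudo)
    return out, vault


def re_identify(pseudo_record, vault):
    """Whoever holds the vault recovers the identity; anonymization must rule this out."""
    return {f: vault[pseudo_record[f]] for f in DIRECT_IDENTIFIERS}


def anonymize(records, k=2):
    """PIPL Art. 73 anonymization, here via k-anonymity: drop direct identifiers,
    generalize quasi-identifiers (birth date -> 10-year age band, check-out ->
    month) and suppress any combination shared by fewer than k guests, so no
    record can be singled out and there is no vault to recover it from."""
    generalized = []
    for rec in records:
        age = rec["checkout"].year - rec["birth_date"].year  # year granularity is enough for a band
        band = age // 10 * 10
        generalized.append({
            "age_band": f"{band}-{band + 9}",
            "nationality": rec["nationality"],
            "checkout_month": rec["checkout"].strftime("%Y-%m"),
        })
    counts = Counter(tuple(sorted(g.items())) for g in generalized)
    return [g for g in generalized if counts[tuple(sorted(g.items()))] >= k]


def apply_retention(records, today, retention_days):
    """Delete records once the minimum storage period after check-out has passed."""
    cutoff = today - timedelta(days=retention_days)
    return [rec for rec in records if rec["checkout"] >= cutoff]


if __name__ == "__main__":
    pseudo, vault = de_identify(GUESTS, DEMO_KEY)
    print("de-identified:", pseudo[0])
    print("re-identified:", re_identify(pseudo[0], vault))
    print("anonymized (k=2):", anonymize(GUESTS))
    print("kept after 90-day retention:",
          [r["name"] for r in apply_retention(GUESTS, DEMO_TODAY, 90)])
```

The engineering point is the vault: with it, `re_identify` turns a pseudonymized record back into a named guest, so the de-identified export must be protected and contracted for as personal information; the anonymized output keeps only age band, nationality and check-out month and is produced without any mapping back, and whether a given k and generalization scheme clears the Article 73 bar for a particular dataset is a judgement the Hotel Party has to make and document rather than a property the code can assert.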

However, if the overseas group headquarters of the Hotel Parties remotely accesses the domestic cloud platform in China, a cross-border transfer of personal information is involved. If the cloud system is located outside China and the Hotel Parties collect personal information within China, uploading such personal information to the cloud is considered a cross-border transfer of personal information.

Cross-border transfer of personal information has a relatively simple compliance path in that the Hotel Party and the cloud service provider need to enter into a PRC version standard contract; however, if the personal information processed by a Hotel Party reaches 1 million persons, or the personal information of 100,000 persons or sensitive personal information of 10,000 persons has been provided overseas since January 1 of the previous year, such Hotel Party shall apply for a data cross-border transfer security assessment to the Cyberspace Administration of China (CAC).

(4) Establish cybersecurity protection graded systems and channels for receiving information on product security vulnerabilities

Cloud service providers should establish cybersecurity protection graded systems, take technical measures to monitor and record network operation status and cybersecurity events, and retain relevant cyber logs for no longer than 6 months.[19] In addition, cloud service providers, as cyber product providers, need to establish channels for receiving information on security vulnerabilities of cyber products, and retain information related to security vulnerabilities for not less than 6 months. Upon discovering or being informed of a security vulnerability in a cyber product, the cyber product provider should immediately take measures, organize verification of the security vulnerability and assess its harm and impact. Relevant vulnerability information shall be submitted to the Cybersecurity Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology within two days, and any security vulnerabilities need to be repaired in a timely manner.[20]

04 Cross-border Transfer of Personal Information

International Hotel Parties often transfer personal information collected and generated during their operations in China overseas in order to provide services on a global level. Cross-border transfer of personal information by Hotel Parties mainly involves the following circumstances:

- A domestic entity of an international hotel group transfers guests' personal information collected within China to another hotel entity (or headquarters) located overseas; and
- An overseas hotel entity remotely accesses guests' personal information stored in China.

When transferring personal information overseas, Hotel Parties need to conduct a data cross-border transfer security self-assessment. If the conditions are met, the Hotel Parties will need to apply for a data cross-border transfer security assessment to the CAC through the local cyberspace administration at the provincial level.

Due to the large amount of personal information, including sensitive personal information, collected by a Hotel Party in the course of its business operations, there is a risk that major hotel chains may be identified as critical information infrastructure operators (CIIO). If a Hotel Party is identified as a CIIO, then it shall also be subject to reporting obligations for data cross-border transfers and need to pass a security assessment. CIIOs and personal information processors handling personal information up to the amount prescribed by the CAC are required to store personal information domestically before transfer overseas.

Many domestic guests in China directly visit the websites of overseas hotels to book overseas hotels and in doing so provide personal information. This should also be compliant with Article 3(2) of the Personal Information Protection Law, which provides for "extraterritorial effect". Although there is no definitive conclusion as to whether an overseas Hotel Party collecting personal information from domestic guests is required to conduct a data cross-border transfer security assessment under the "extraterritorial effect" scenario, we recommend parties should be prepared to fulfill their data cross-border transfer security assessment obligations as required under PRC law.

Conclusion

The hospitality industry is embracing digital tools to transform the way it does business. Hotel Parties use digital tools to market, interact better with guests and improve member engagement through online channels. However, this greater employment of digital tools also means Hotel Parties have greater obligations in safeguarding personal information.

Footnotes:

1 Notification of Apps Infringing Users' Rights and Interests (batch 4, 2022) https:/
2 Articles 17, 28, 29 and 30 of the Personal Information Protection Law
3 Article 23 of the Shanghai Data Regulations, Article 19 of the Shenzhen Special Economic Zone Data Regulations
4 Information Security Technology - Basic Requirements for the Collection of Personal Information by Mobile Internet Applications (Apps) (GB/T 41391-2022), Appendix A: Scope of Necessary Personal Information and its Use Requirements for Common Service Apps
5 Article 3.13 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
6 Article 3.12 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
7 Article 23 of the Personal Information Protection Law
8 See Guidelines 07/2020 on the concepts of controller and processor in the GDPR, No. 68, https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf
9 Article 55 of the Personal Information Protection Law
10 See Article 56 of the Personal Information Protection Law
11 See article: "Opportunities and Challenges - Data Compliance in the New Retail Industry" https:/
12 Article 21 of the Personal Information Protection Law
13 Article 20 of the Personal Information Protection Law
14 Article 9.2 d) of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
15 See Shiji Information Survey Report on the Status of China's Hospitality Industry Systems on the Cloud in 2021
16 Article 73 of the Personal Information Protection Law: De-identification refers to the process in which personal information is handled so that it is impossible to identify certain natural persons without the aid of additional information.
17 Article 73 of the Personal Information Protection Law: Anonymization refers to the process in which personal information is handled so that it is impossible to identify certain natural persons and that it cannot be recovered.
18 Article 6.1 of Information Security Technology - Personal Information Security Specification (GB/T 35273-2020)
19 Article 21 of the Cybersecurity Law
20 Articles 5 and 7 of the Administrative Provisions on Security Vulnerabilities of Cyber Products

Authors

Mark Schaub
Partner, Corporate & Commercial Group
Areas of Practice: Mark Schaub specializes in foreign direct investment, cross-border M&A, intellectual property, and private equity investment in China. He has advised investment projects in a wide variety of sectors including automotive, autonomous cars, consumer, life sciences manufacturing and tech. Transaction sizes have varied from USD 500,000 to over USD 1 billion. He is familiar with China issues faced by companies of all sizes. Since 1993 he has advised on foreign investment projects in all major sectors across China with a cumulative value exceeding US$20 billion.

Zhao Xinhua
Partner, Corporate & Commercial Group
Areas of Practice: Atticus Zhao specializes in M&A, foreign direct investment, corporate restructuring and other corporate matters. Atticus has more than 10 years' experience as a corporate and commercial lawyer. He has provided services to many well-known multinational and domestic companies, including equity or asset sale or purchase, corporate restructuring, setting up joint ventures and franchise. Atticus has advised clients in various industries including automotive, AI, IoT, high-tech, retail, education, modern agriculture, shipping, manufacturing and pharmacy.

Wang Zhefeng, Corporate & Commercial Group
Dai Xueyun, Corporate & Commercial Group
Sima Danni, Corporate & Commercial Group

Thanks to intern Hongyu Xu for his contribution to this article.

Copyright notice: © King & Wood Mallesons 2022. All rights reserved. King & Wood Mallesons reserves all rights to this article. Without the written permission of King & Wood Mallesons, no one may reproduce any copyright-protected content of this article in any form or by any means (graphic, electronic or mechanical, including photocopying, recording, taping or information retrieval systems).
