Hotels: destroying guest registration data
A hotel processes the data of everyone who stays there: name and address, an identity document for the guest register, payment data, reservations and sometimes preferences or health questions. Part falls under a statutory registration duty, part under the tax retention obligation, and part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: the guest register has its own retention period under local rules, the invoicing falls under the tax seven years. Reservation and preference data you keep no longer than necessary for the stay and its settlement. What may go disappears confidentially and with a certificate.
Two frameworks: guest register and GDPR
At a hotel two things run together. The registration duty requires you to register guests in a guest register, with its own retention period that can differ by locality. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The registration duty sets the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.
So treat the guest data per type. The guest register has a different status than a reservation via a booking site or a note about a preference. If you make that distinction, you keep exactly what you must and clear out the rest on time.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the stay.
| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Guest register | Local registration duty | own period |
| Guest identity data | As limited as possible | only what is needed |
| Reservation and payment data | Until settlement and tax | purpose-bound + 7 years |
| Preferences and health questions | Sensitive, storage limitation | as briefly as possible |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for the local rules. When in doubt, consult your municipality or privacy adviser. The tax side is in the 7-year tax retention obligation.
Identity documents: be restrained
For the guest register you need certain data from a guest, but that does not mean you may keep a full copy of a passport. A passport copy contains a national ID number, a photo and more than you need, and is therefore sensitive. Note only the data the registration duty requires and do not keep loose copies longer than necessary. Whatever you did have on paper you clear out confidentially.
That way you avoid managing a mountain of identity data you did not actually need. How you handle a copy ID when you do process one is comparable to other sectors that ask for an identity document.
Preferences, health questions and sensitive data
Hotels sometimes record preferences, from an allergy or diet to accessibility needs. A diet for medical reasons or an accessibility need can touch on health data, which is special-category personal data. Keep that information recognisably separate, use it only for the stay and clear it out afterwards. Keeping it to come in handy one day is not a valid ground.
How to handle it in 6 steps
- Split the data into administration, guest register, reservation and preferences.
- Limit identity data to what the registration duty requires.
- Treat health and preference data separately and clear it out after the stay.
- Keep the guest register for the local period.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Guest data is destroyed confidentially, because it contains identity, payment and sometimes health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old reception computer or backup with guest data belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Guest data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Keeping passport copies. Note only what the guest register requires.
- Keeping reservations forever. After settlement and the tax period the purpose lapses.
- Treating health and preference data as ordinary paper. Those need extra care.
- Throwing away unshredded. A guest registration on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must a hotel keep guest registration?
The guest register has its own retention period under local rules, often a few years. The invoicing falls under the seven-year tax retention obligation. Other guest data you keep no longer than necessary for the stay and its settlement.
May I keep a copy of a guest's passport?
Be restrained here. Note only the data you need for the guest register and do not keep a full copy longer than necessary. A passport copy contains a national ID number and photo and is sensitive.
How long do I keep reservation and payment data?
Payment data falls under the seven-year tax administration. Reservation data without a further ground you clear out as soon as the stay has been settled and no complaint or dispute is in play.
How do I destroy guest data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A hotel works with identity, payment and sometimes health data of every guest, between a registration duty and the GDPR. Keep the guest register for the local period, keep the administration seven years and be restrained with identity copies. Preferences and health questions you clear out after the stay. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your guests' data.
Read also: campsites and holiday parks: destroying guest data, restaurants: destroying reservations and allergy data, event agencies: destroying attendee lists and the GDPR retention periods cheatsheet.
Have guest data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.