https://www.polity.org.za
Privacy check-in – POPIA pitfalls in the hospitality industry

Webber Wentzel

24th July 2024


South Africa's hospitality industry is seeing a shift from traditional leisure-based tourism to experience-based tourism, focused on providing tourists with unique, authentic life-enriching experiences.

This shift has necessitated the rapid adoption of technological advancements such as digital contactless booking and reservations, digital tourism platforms, smart room technology that allows the automation of various Internet of Things devices (thermostats, lighting, entertainment systems, and cooling systems), AI-powered customer support, chatbots and service robots, virtual and augmented reality tours and experiences as well as enhanced biometric security and surveillance systems. 


While these technological advancements may enable South Africa's hospitality industry to meet evolving customer expectations, one should not lose sight of the increasing invasiveness of these technologies and the impact that this will have on customers' privacy and personal information.

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data protection regulation that governs the processing of personal information. Businesses, particularly in the hospitality industry, may face various POPIA challenges as digitisation and innovation increase, as discussed below.


Inadequate data security measures

In terms of POPIA, responsible parties, or those who determine the means and purposes of the processing, are required to protect any personal information in their possession or control. Responsible parties must implement appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information. While POPIA does not specify or require specific security safeguards, it states that responsible parties must adhere to generally accepted information security practices and procedures that may apply to them or be required by specific industry or professional rules and regulations.

While the introduction of advanced digital technologies and their interoperability has accelerated technological development in the industry, these technologies also increase a business's attack surface and bring additional vulnerabilities. Hospitality businesses should ensure that they implement robust security measures to protect all personal information in their possession or control and that these measures are regularly tested and updated to address any reasonably foreseeable risk to the personal information. Practically, these measures should at least be as secure as those security measures used by the average business in the hospitality industry and related sectors.

Processing of biometric information

Regardless of functionality, industry stakeholders who have implemented biometric systems must demonstrate a legal basis for processing such biometric information (which may include information based on a guest's physical, physiological or behavioural characteristics, such as fingerprinting, retinal scanning, and voice or gait recognition). Consent is one such legal basis, but it is not the only one available. Furthermore, industry players should be cautious when transferring biometric information to third parties, particularly if the information is shared with entities outside of South Africa, as this may require prior notification to the Information Regulator if the third party or foreign country does not provide for an adequate level of protection as required by POPIA. 

Third-party data sharing

Given the shift to experience-based tourism, hospitality businesses have been collaborating to develop holistic tourism portals, allowing guests to not only book accommodation but also other interconnected services such as car rental or transportation, guided tours or other leisure experiences. These platforms have become common within the industry and involve the sharing and transferring of guests' personal information across various businesses and service providers. 

When personal information is shared within South Africa, the entities that share the personal information (and special personal information, as the case may be) must demonstrate an appropriate legal basis to process and share such information. Examples of legal bases for sharing personal information include consent, processing that is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party, and processing that protects a legitimate interest of the data subject or the responsible party itself.

POPIA, however, places additional requirements on responsible parties when transferring personal information outside of South Africa. With limited exceptions, POPIA prohibits the transfer of personal information outside of South Africa. These exceptions include circumstances in which:

  • a data subject has consented to the transfer; or
  • the recipient of the personal information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection and terms materially similar to those contained in POPIA for the lawful processing of personal information.

If a responsible party is unable to establish an exception under Section 72 of POPIA, that party must obtain prior authorisation from the Information Regulator before transferring any special personal information (including biometric information).

There is no one-stop shop for POPIA compliance, particularly in a constantly growing business such as the hospitality industry. However, the above pitfalls attempt to demonstrate some of the common issues that should be considered when implementing new and advanced digital technology. Industry players must adopt a privacy-by-design approach to POPIA compliance in their various businesses, especially given the current digital and technological rat race in which the hospitality industry finds itself.

Written by Prineil Padayachy, Senior Associate at Webber Wentzel

 
