Personally Identifiable Information (PII) is any data that can identify a natural person directly or indirectly; under GDPR Article 4(1) it is referred to as personal data and is subject to strict processing obligations.
Personally Identifiable Information, often shortened to PII, is any information that can be used on its own or together with other data to identify a specific individual. Under EU law the equivalent term is personal data, defined in GDPR Article 4(1) as "any information relating to an identified or identifiable natural person". An identifiable person is one who can be recognised directly, for instance by name, or indirectly by reference to an identifier such as an email address, phone number, IP address, cookie ID, location data, or a combination of contextual attributes. In hospitality, even a room number combined with a stay date can constitute PII because it points to a single guest.
A typical hotel handles a wide range of PII across its hotel tech stack: name and contact details from the booking engine, passport scans at check-in, payment metadata in the PMS, dietary preferences in the F&B system, IP addresses in web analytics, and message content in the WhatsApp channel. Each system is a potential point of risk and must be governed by a clear retention policy, access controls, and a record of processing activities. Properties that integrate CRM tooling typically also need to map purpose-of-processing for marketing versus service communications.
The most common mistake hotels make is treating PII as a static list. Identifiability is contextual: a coffee preference is harmless on its own, but combined with a room number and date it becomes PII. The practical implication is that any operational dataset, including chat transcripts and AI-generated summaries, should be treated as containing personal data unless proven otherwise. Strong data security practices assume sensitivity by default and enforce minimisation throughout the guest journey.
Viqal processes guest PII strictly under the hotel's instructions, in line with GDPR Article 28. The platform applies data minimisation, role-based access in the team inbox, encryption in transit and at rest, and configurable retention windows for chat history. A standard data processing agreement is offered to every customer, formalising the controller-processor relationship and covering sub-processor disclosures, security measures, and breach notification timelines.
On its own, a room number is not personal data. Combined with a stay date or guest name, however, it points to a specific individual and therefore qualifies as PII. The contextual nature of identifiability means hotels should default to treating room-stay combinations as personal data within the meaning of GDPR Article 4(1).
Under GDPR, dynamic IP addresses are treated as personal data when the controller, possibly with the help of a third party such as an internet service provider, can identify the user behind them. The Court of Justice of the European Union confirmed this in the Breyer ruling. Hotels should therefore log and retain IP addresses with the same care as other personal data.
Pseudonymised data, where the identifier is replaced by a token, remains personal data under GDPR if the original identity can still be reconstructed using additional information. Only fully anonymised data, where re-identification is no longer reasonably possible, falls outside the regulation's scope.
GDPR does not set a fixed retention period; data must be kept no longer than necessary for the original purpose. Hotels typically align retention with legal duties such as tax or police-registration laws, then delete or anonymise. A documented retention schedule is required as part of the records of processing activities.
Yes. The phone number, message content, and metadata exchanged on WhatsApp are personal data. Hotels using the WhatsApp Business Platform must reflect this in their privacy notice, lawful basis assessment, and data processing agreements with their BSP and any messaging platform such as Viqal.
Viqal applies role-based access, encryption in transit and at rest, configurable data retention, and processes data strictly under the hotel's documented instructions in line with GDPR Article 28. A data processing agreement is available to every customer.
.avif){kind=spacer}
