Jorge Morell (Términos y condiciones): “Only a third of Spanish SMEs have properly adapted to the GDPR.”

Jorge Morell Ramos is the founder of the consultancy firm on technological law and legal tech, Términos y Condiciones. He has been providing legal services regarding technological law for the last 10 years, in both the public and private sectors.


He also founded Legaltechies, one of Spain’s first consultancy firms specialising in the study and implementation of legal tech, which drafted the first map on Spanish legal tech. In 2017, he helped to organise Spain’s first legal tech conference. He also created Jade, which was one of the first open source legal tech projects worldwide. Currently, besides participating in other forms of media and publications, he writes and collaborates in Abogacía Española’s blog on legal innovation.

What has the implementation of GDPR been like in the hotel industry? How does this compare to its general implementation?

In general, only one third of Spanish SMEs have properly adapted to the new GDPR regulations. In fact, only 14% of the websites visited by Spanish browsers comply with regulations on cookies found in the new General Data Protection Regulation laws.

We don’t have specific data for the hotel industry, but it would make sense for it to have similar numbers.

What has been the main change as a result of GDPR?

Undoubtedly, the main change entailed by the General Data Protection Regulation is that the data manager, besides adhering to the law, needs to also demonstrate that he/she adheres to it. Besides this, there are also other changes such as the disappearance of tacit consent, the emergence of a data protection delegate and the ways of managing security breaches, amongst others.

Do you think the information of users/clients has been used responsibly?

In general yes, but some services that are highly specialised in the management of personal data, such as Facebook, have been massively exploiting these data in a way that benefits their business model and harms their users.

Are hotel establishments up to date with regard to the latest data protection regulations?

Most of them are, yes. They are making efforts to properly adapt to the new regulations, at least. In any case, there is still lots of room for improvement in certain areas (e.g. managing cookies or sending commercial communications).

In which ways does a hotel need to adapt to the GDPR? What is the first thing that an accommodation establishment needs to do?

The first thing that a hotel needs to consider is where they get their personal data from. For example, they may gather their information from their guests, social media platforms, websites or news bulletins.

Once they are sure of the origin and type of the personal data that they collect, it will be much easier to start adapting to the corresponding regulations.

Do you have any recommendations for hotel owners with regard to data protection?

They should take note of their guests’ country of origin; many of the guests at the hotel won’t be Spanish citizens, in which case the hotel will need to translate the data protection information into languages other than Spanish. The hotel must therefore be clear and transparent about its use of personal information in as many languages as required by its guests.

What are the legal sanctions for non-compliance with these regulations?

One of the biggest changes introduced by the General Data Protection Regulation relates to economic sanctions, which now reach 20 million euros or 4% of the company’s annual turnover, depending on the case and severity of the sanction.

In any case, warnings are now issued when the data manager breaches the regulations for the first time. This isn’t a serious offence, with appropriate measures duly applied to rectify the situation. When they receive a warning, the hotel has to address the non-compliance but is not faced with economic sanctions.

In order for this warning to be invoked, please note that the hotel must have made the required effort to properly adapt to the regulation, at the very least.

How can a hotel guarantee the security of its guests’ data?

They could adopt the security measures recommended by data protection agencies, for example. These measures may include anonymising or encoding the databases that they have created. In other words, this means that the personal information will be stored in a “cage” that can only be accessed by the hotel.

In the era of digitalisation in which we are currently living, can data management be intelligent and ethical at the same time?

Indeed it is possible, and this should be the way forward. However, this is far from easy and requires aligning regulatory compliance with the company’s business plan. In order to do this, it would be hugely useful to have a broad knowledge of the applicable regulations and the business sector in which the company operates.