The Austrian Data Protection Authority has ordered a Swiss online hotel booking platform to comply with the requirements set forth in the EU General Data Protection Regulation (GDPR), in particular to provide the information according to Art. 13 GDPR to the data subject.
The ordinance was based on the following facts: An Austrian citizen living in Austria had requested an offer for a vacation trip via the contact form of a Switzerland-based hotel booking platform. After having declined the company’s offer, the data subject received an e-mail invitation to sign up for their newsletter. The Austrian noticed that he had not received any information whatsoever from the company regarding the processing of his personal data as prescribed by the GDPR and brought the matter to the Austrian Data Protection Authority’s attention.
Thereupon, the Authority ordered the Swiss company to provide the information according to Art. 13 GDPR to the data subject retroactively, such as the responsible party’s contact details, the purposes of the data processing, and the recipients of the personal data, and to complete the information in their data privacy notice.
Applicability of the GDPR
The Swiss company could be the addressee of the Austrian Authority’s ordinance to comply with GDPR requirements, even though Switzerland is not a member of the European Union: In the case at hand, the Authority found that the GDPR was applicable according to Art. 3 (2) of the GDPR, as a non-EU-based entity had provided services that were tailored to persons in the EU, and, in doing so, processed personal data of data subjects in the EU. Decisive circumstances in the case at hand were the use of an Austrian top-level domain (.at), the fact that the website was presented in German, and the possibility for EU-based persons to receive newsletter offers.
Obligation to designate an EU representative
The Authority furthermore stated that when the GDPR is applicable based on territorial scope due to offerings made to persons in the EU, the non-EU-based responsible party is obliged to designate a representative in the EU according to Art. 27 GDPR.