The new European Data Framework transforms the role of hotels in the digital economy. The Data Act gives back to establishments control over the information generated by their connected systems and opens opportunities to innovate, optimize costs and strengthen their competitiveness.
Hotels are at the epicenter of a data economy whose rules have just changed. On December 22nd, 2023, Regulation (EU) 2023/2854 on harmonized rules for fair access and use of data, known as the Data Act, was published in the Official Journal of the European Union, and has been mandatory, with some exceptions, since September 2025. This is a different regulation from the renown General Data Protection Regulation (GDPR) and, as we will see, it introduces a legal framework that substantially transforms the way in which data, both personal and non-personal, is generated, shared and exploited. This has a significant impact on the hotel and tourism sector, which is immersed in a process of proliferation of connected devices – from smart locks to air conditioning sensors and hotel management platforms (PMS)–.
The Data Act establishes new rights and obligations for hotels, technology providers and clients, and requires a contractual and operational adaptation that must be undertaken in coordination with the personal data protection regulations (GDPR).
What is the European Data Act?
The main objective of the Data Act is to regulate the access to and use of personal and non-personal data in the European Union, with special emphasis on fairness, transparency and interoperability.
This regulation modifies and complements previous regulations, such as the Data Governance Regulation (DGA) and the General Data Protection Regulation (GDPR), to create a coherent regulatory environment adapted to the challenges of the digital economy.
As of the date of publication of this post, the Data Act is in the process of being modified by the European Commission, with the aim, among other modifications, of integrating the DGA regulation into its articles.
How can the Data Act impact the hotel and tourism sector?
From a business point of view and, in particular, in the hotel sector, the Data Act gives rise to two potential opportunities that each operator should analyses in detail:
- Connected devices (IoT): The Data Act gives users of connected products and services (hotels and customers) the right to access the data generated by those products and services, such as smart locks, occupancy sensors, etc.
This right of access has a direct and very relevant implication for hotels, since the technology providers that supply these devices or systems must facilitate such access and may not impose unjustified restrictions. For hotels, this means getting back control over data that, until now, was in the hands of, and at the discretion of, the manufacturer or software provider.
- Data spaces: The Data Act encourages the creation of transversal and sector-specific data spaces. These are regulated environments where different actors in the same sector can share data under criteria of governance, quality and interoperability.
For the hotel sector, it implies the opportunity to share data (e.g. energy consumption, occupancy, internal mobility) for benchmarking, environmental certifications or innovation in services. The decision to promote its own sectoral data space, or to join an existing one, will depend on factors such as the governance of the space, the required interoperability standards and the quality of the available data.
Likewise, rules are established to facilitate the change of cloud service providers, avoiding blocking by providers and guaranteeing data portability, which is especially relevant for hotels that use cloud-based management systems.
In this regard, contracts with technology and cloud service providers must be reviewed and adapted to reflect new rights of data access, portability, and security. The Data Act requires contracts to be fair, especially in B2B relations with SMEs, and provides for the drafting of contractual models by the European Commission.
Relationship with GDPR and other regulations
It is important to underline that the Data Act does not replace the GDPR, but rather complements it. Personal data remains subject to the requirements of protection, lawfulness, transparency and rights of the data subjects. The Data Act primarily regulates non-personal data and its sharing/interoperability, but requires companies to clearly document and separate both types of data in their systems and contracts.
This normative coexistence requires integrated and coordinated management. Hotels must establish clear data maps that identify what information is subject to the GDPR and which falls under the scope of the Data Act, as well as adopt the necessary technical and organizational measures to prevent the undue re-identification of natural persons from apparently anonymous data.
Practical example: the hotel which took back control of its personal data
To illustrate the real implications of the Data Act, let’s imagine the case of a mid-upper-range urban hotel that has a cloud-based management system (PMS), rooms equipped with thermostats, IoT sensors for climate control and energy consumption, and electronic locks managed by third party technology providers.
Until now, all the data generated by these systems (occupancy patterns per room, energy consumption per floor, time slots with the highest demand for air conditioning) were stored on the technology provider’s servers, who had effective control over them. The hotel only saw it partially, through limited dashboards and without any real possibility of exporting it or integrating it into other analysis tools.
With the Data Act, the situation changes. The hotel will have the right to access all such data in an interoperable format, and the supplier must provide it free of charge, without undue delay and without imposing disproportionate conditions. The hotel will also have the right to request the provider to share this data directly with a third party of its choice (e.g. an energy analysis platform). The hotel will then be able to:
- Optimize its energy efficiency by integrating data from sensors with its facility management system, identifying cases of anomalous consumption and reducing operating costs.
- Join a sector-specific hotel data space to carry out comparative analyses with other establishments in its category and location, obtaining valuable market intelligence for its operational strategy.
- Change technology providers without losing its data history, thanks to the portability rules that the Data Act imposes on the outbound provider.
This scenario of opportunities is not without risks. An incorrect definition of roles and responsibilities in the management of the data, especially when the same data may have personal (guest behavior) and non-personal (energy consumption per room) dimensions, can lead to administrative sanctions by the Spanish Data Protection Agency or other competent bodies, as well as legal claims by suppliers or customers.
It is therefore essential to define precisely in contracts with technology providers the ownership of the data, the access rights of each party, the obligations regarding notification of security breaches and the conditions of portability at the end of the contractual relationship.
To approach this new legal framework from a stronger position, hotels should consider the following priority actions:
- Review and update contracts with technology providers (PMS, IoT, home automation, cloud) to incorporate the data access, portability, and security rights required by the Data Act. The European Commission has already published a draft recommendation on Model Contractual Terms, as well as Standard Contractual Clauses for Cloud Service Contracts, which will serve as a practical reference for hotels to negotiate with their technology providers on fair terms.
- Develop joint regulatory compliance plans between owners and managers of the establishment, clearly setting out the responsibilities of each party.
- Transparently inform customers about the use of data generated during their stay, in line with GDPR obligations.
- Guarantee cybersecurity and traceability of access to data systems, especially when multiple suppliers are involved with access to sensitive information of the establishment.
In short, the Data Act is not just another regulation. For the hotel sector, it represents a real opportunity to regain control over a strategic asset – data – that for years has been in the hands of third parties. Taking advantage of it will require legal, technological and operational preparation. Hotels that get ahead of this process will be better positioned to compete in an environment where data increasingly entails a true competitive difference.
