  • The Storyteller

Personal Data Protection Act (PDPA): A Big Slip-Up

My husband said, in a somewhat mysterious yet cheeky manner over breakfast on our first day at the Strasbourg hotel, that he had the email addresses of every guest in this restaurant.

"What do you mean?" I asked half-heartedly while sipping my cappuccino, thinking it was one of his dry humour jokes which I do not get.

"Really, the email addresses. Everyone here!" He insisted, looking eager to convince me now.

It turned out that a few days prior to arriving, he had received an email from the hotel informing him of the limited parking (and rates) during the festive period, as well as some hotel information. In this email, there were at least 50 email addresses copied in - yes, under CC, not BCC. All these were guest email addresses and my husband's contact was in there too. Presumably, the hotel sends out emails daily to guests arriving in 5 or 7 days' time, to inform them of pertinent information that relates to their period of stay (e.g. hotel's restaurant or spa promotion, festivities, etc.).

Putting all guests' email addresses into the visible CC field is a huge breach of privacy policy, especially when this chain hotel, like many others, is bound by the Personal Data Protection Act (PDPA).

I was shocked at this incredible slip-up. My husband wrote back to the Front Desk - not to all recipients of course - that it was "not cool" to have all email contacts visible. He received a prompt response of barely two sentences, including an apology (sincere?) and a line about looking forward to having us there.

We had actually wanted to bring this issue up when we were at the hotel, especially when we encountered the sub-par service from the female receptionist. However, when we re-read the mass email, we realised it had been sent by the very nice and welcoming employee we had met on the first day. Mmm... we did not want to make it difficult for this kind individual as it was likely he had already been given a warning for the slip-up. Given that it was a short stay on this trip and we were most likely not to return anyway, we decided to lay the matter to rest.

Learning from this episode:

  • Always check the fields before sending out your emails (and especially when groups of external parties are involved)

  • Reciprocity matters - be nice to others and others are more likely to treat you the same

Service Bank: Minus 50! (as it was still a huge violation of the PDPA)

Reflective thoughts: What follow-up actions should the hotel have carried out upon learning of this grave mistake which violates the PDPA? If one guest makes a big fuss about the matter, it is most likely the property will carry out some form of service recovery for this guest. It makes me wonder, what about the other guests who did not make a din then?
