
Personal Data Protection Act (PDPA): A Big Slip-Up

The Storyteller

Over breakfast on our first day at the Strasbourg hotel, my husband said, in a somewhat mysterious yet cheeky manner, that he had the email addresses of every guest in this restaurant.


"What do you mean?" I asked half-heartedly while sipping my cappuccino, thinking it was one of his dry humour jokes which I do not get.


"Really, the email addresses. Everyone here!" He insisted, looking eager to convince me now.


It turned out that a few days prior to arriving, he had received an email from the hotel informing him of the limited parking (and rates) during the festive period, as well as some hotel information. In this email, there were at least 50 email addresses copied in - yes, under CC, not BCC. All these were guest email addresses and my husband's contact was in there too. Presumably, the hotel sends out emails daily to guests arriving in 5 or 7 days' time, to inform them of pertinent information that relates to their period of stay (e.g. hotel's restaurant or spa promotion, festivities, etc.).


Putting all guests' email addresses into the visible CC field is a huge breach of privacy policy, especially when this chain hotel, like many others, is bound by the Personal Data Protection Act (PDPA).


I was shocked at this incredible slip-up. My husband wrote back to the Front Desk - not to all recipients of course - that it was "not cool" to have all email contacts visible. He received a prompt response of barely two sentences, including an apology (sincere?) and a line about looking forward to having us there.


We had actually wanted to bring this issue up when we were at the hotel, especially when we encountered the sub-par service from the female receptionist. However, when we re-read the mass email, we realised it had been sent by the very nice and welcoming employee we had met on the first day. Mmm... we did not want to make it difficult for this kind individual, as it was likely he had already been given a warning for the slip-up. Given that it was a short stay on this trip and we were most likely not to return anyway, we decided to lay the matter to rest.


Learning from this episode:

  • Always check the fields before sending out your emails (and especially when groups of external parties are involved)

  • Reciprocity matters - be nice to others and others are more likely to treat you the same



Service Bank: Minus 50! (as it was still a huge violation of the PDPA)


Reflective thoughts: What follow-up actions should the hotel have carried out upon learning of this grave mistake which violates the PDPA? If one guest makes a big fuss about the matter, it is most likely the property will carry out some form of service recovery for this guest. It makes me wonder, what about the other guests who did not make a din then?

