DPDPA Compliance for Hotels & Restaurants in Dehradun

Hospitality businesses collect guest identity proofs, contact details, stay history, payment data and loyalty profiles — often retained well beyond the stay.

Dehradun context: An education and hospitality hub where institutes and hotels carry children's and guest-data duties. The obligations below apply to hotels, restaurants and hospitality businesses operating in Dehradun, Uttarakhand — there is no local exemption and no turnover threshold under the DPDP Act.

DPDPA applies. ID collection at check-in and marketing to past guests are the key compliance pressure points.

• Guest ID proofs
• Booking & stay history
• Contact & payment details
• Loyalty programme profiles
• CCTV footage

• ID scans retained indefinitely
• Marketing to guests without consent
• OTA/agent data sharing undocumented
• CCTV without notice or limits

• Consent for marketing/loyalty use
• Notice at check-in/booking
• Retention limits for ID and stay data
• Processor contracts with OTAs and PMS vendors
• CCTV signage and retention

• Promotional messages without consent
• ID photocopies kept for years
• No privacy notice at check-in

• Add consent at booking/check-in
• Purge old ID scans on a schedule
• Publish a guest privacy notice
• Document OTA/PMS data sharing

Can we keep guest ID copies after checkout?

Only as long as a lawful purpose and any statutory requirement need it — then erase.

Can we message past guests with offers?

Only with consent collected for marketing, with an easy opt-out.