Latest legislative updates

Kurt JansonKurt Janson, Director of the Tourism Alliance, gives a monthly update on the latest regulatory changes affecting the hospitality industry. 

Last updated 2nd July 2018

Disclaimer:  Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.

At a glance:

Package Travel and Linked Travel Arrangements Regulations 2018

  • New regulations came in on 1 July that will affect businesses who sell multiple services, such as accommodation & attraction packages.  

Reminder: GDPR

  • An overview of the changes to data protection regulations from 25 May.


Package Travel and Linked Travel Arrangements Regulations 2018 (PTRs)

The new regulations come into force on 1 July 2018 and will impact all businesses that sell two or more of the following “elements”, or have arrangements whereby the customer can purchase two or more elements either together from you, or through an arrangement that you have created with another business.

The elements are:

1.            Transport

2.            Accommodation

3.            Motor vehicle hire

4.            Other Tourism Service (this can be anything from tickets to an attraction, a meal, a spa treatment or a round of golf)

Depending on the circumstances, linking two or more of these elements will either constitute a Package or a Linked Travel Arrangement.

A package is formed when:

You work with another business to provide a package that combines two or more elements

This is the traditional package, where you work with another business to sell a package for an inclusive price. For example, if you provide a single package that includes accommodation at your business and tickets to a nearby amusement park.

Your business sells, or allows customers to buy, a product that combines two or more elements.

If you have a restaurant in your hotel and sell a product that combines accommodation with a meal – or allow the customer to purchase the accommodation and meal at the same time - this is deemed to be a package.

There are a couple of important exemptions:

  1. If it is not possible for the customer to buy one of the two components separately, you are not deemed to be combining elements to form a package. So, if you run a B&B where it is not possible to purchase the meal separate from the accommodation (or vice versa), then you are not combining separate elements and are not subject to the regulations.
  2. If you are selling a combination of “accommodation” and “other tourism service”, a package is only formed when the “other tourism service is more than 25% of the total cost or is deemed to be an “essential element” of the offer. What constitutes an essential element is a bit vague but as a rule of thumb, if you are using the “other tourism service” to promote the product, it is an essential element. I.e., If you are promoting a golfing weekend break, the golf would be an essential element even if the cost was less than 25% of the total product.

What do you need to do if you are selling packages?

There are a number of requirements if you are selling packages. These include:

  • Having insolvency protection that covers all reasonable costs, including the return of all payments for services not performed and repatriation. This can be achieved through buying insolvency insurance, keeping customer payments in a trust account or becoming bonded.
  • Providing the customer with comprehensive pre-contractual and contractual information on the package, the terms and conditions and the customers’ rights
  • Only altering the price in specific circumstances and not within 20 days of departure
  • Allowing the customer to cancel without being charged if any price increase exceeds 8%
  • Not significantly changing the main components of the package without offering free cancellation to the customer.
  • Charging only a justifiable fee if the customer terminates the contract. Best efforts must be used to resell the components of the package.


It is important to note that, in addition to possible fines, the PTRs contain a number of criminal offences. These include:

•             Failure to provide pre-contractual information.

•             Failure to provide a contract or confirmation of contract and prescribed information.

•             Failure to put in place compliant insolvency cover.

Linked Travel Arrangements (LTAs)

The Regulations introduce a new form of package called a Linked Travel Arrangement. A linked travel arrangement is formed where, on the basis of booking one element, the customer is provided with a targeted offer for another element and takes-up that offer within 24 hours.

This includes offers where if the customer stays in your accommodation they can take advantage of an offer at another business that they wouldn’t otherwise get. So, for example, you tell a customer that if they stay with you, they can get a 10% discount on a meal in the local pub, or 2 for 1 tickets to an attraction or access to the local golf course, this would be a linked travel arrangement if the customer took-up the offer within 24 hours of booking with you.

It is important to note that you don’t have to benefit financially from the offer for a Linked Travel Arrangement to be formed. So even if you don’t get a commission, you are still selling a Linked Travel Arrangement.

However, Linked Travel Arrangements are not formed if you are merely “signposting” local pubs and attractions, or making a recommendation as to which pub a visitor should go to. It also does not apply if you are highlighting an offer that the other businesses is providing to its customers. For example, if you say that a local attraction does half price tickets on Tuesdays, or even “stay with us on Tuesday to take advantage of half price entrance”, this is not a Linked Travel Arrangement because the customer does not have to stay with you in order to receive the offer.

What do you need to do if you are selling a Linked Travel Arrangement?

The requirements if you are selling a Linked travel Arrangement are a lot lower than if you are selling a Package. The key requirement is that you have some form of insolvency protection, such as insolvency insurance, keeping customer payments in a trust account or being bonded.

As with selling packages, it is a criminal offence to sell Linked Travel Arrangements without Insolvency Protection.

If you believe that you may be selling either Packages or Linked Travel Arrangements, it is important to read and understand the Government guidance to the new regulations. This will give you more detail on your responsibilities under the new legislation and includes a number of case studies to aid interpretation.

GDPR: an overview

The new General Data Protection Regulation (GDPR) came into force on 25 May 2018 as part of new legislation designed to update and expand the Data Protection Act 1998.

Compliance with the GDPR is relatively straight-forward if you are already complying with existing data protection regulations. You need to remember three main things in looking at what changes you need to make to the way you handle and use the personal details of customers when the new regulations come into effect:

  • If you are already complying with the Data Protection Act, you will be complying with 80-90% of the requirements of the GDPR. The GDPR isn’t a whole new set of requirements, it simply builds on existing requirements.
  • The GDPR is designed to give customers more control over the information that companies have on them. If you look at it from the perspective of what you would expect from other companies when you give them your data, you will have a fair understanding of what you should do with your customers’ data.
  • Remember when looking at your storage and use of personal data, this extends beyond things like a person’s name, address, phone number and includes images and recordings (i.e., CCTV recordings), comments they have put on your website or notes that you have taken to help staff (e.g., “has a nut allergy”, “requires wheelchair access” or “reads The Times”).

Keeping these points in mind, here’s what you need to look at to make sure that you comply with the GDPR.

1. The information you take from people, and the length of time you keep it, should be determined by the purpose for which it is required

This a pre-existing requirement of the Data Protection Act but it is a good starting point for discussing the additional requirements of the GDPR. The level of information you have on someone and the length of time that you keep it must be proportionate to the legitimate purpose for which it is kept. This means that there is no blanket right for you to keep a customer’s personal information indefinitely and that you should always be reassessing what information you are keeping. This should include the regular removal of personal information where there is no justifiable reason for keeping it.

For example, CCTV footage of the car park used to help protect customer’s cars should be regularly wiped when it is no longer needed.

2. Personal data can only be used for the purpose that was agreed when the customer gave it to you.

For example, If the customer gives you their email address so that you can email them confirmation of their booking, this does not allow you to send them marketing emails or pass their details to a third party to send them offers. Customers have to actively give you express consent as to how you can use their information. This means that customers have to “opt-in” rather than “opt-out”, so you can’t have a “pre-ticked” consent box on your website which says, “tick here if you don’t want to receive emails with offers”.

3. The customer has the right to withdraw consent on how their information is used at any time and the process for doing this must be simple

This means that if the customer has agreed to allow you to use their information for a particular purpose, they still have the right to demand that you stop using it for that purpose at any time.

For example, if a customer has agreed to receive marketing emails, they can, at any time, inform you that they no longer wish to receive these emails and you must stop ending them. As a rule of thumb, the process for them withdrawing consent should be as simple as the process by which they gave consent. So, if you had an opt-in button than gave consent for marketing emails, you should have an “unsubscribe” button for allowing consent to be withdrawn.

4. The customer has the right to know what information you keep on them and why you are keeping it

There are two parts to this. First the customer has the right to ask you what personal information you are keeping on them and why you are keeping it. You are required to explain what the information you hold and justify why you are holding it. Bear in mind Point 1 above – you must explain why the level of information you hold and the time that you have held it is proportionate to the purpose for which it was taken.

The second part of this is that the customer has the right to ask you to show them all the person information that you hold on them. As mentioned above, this would include any CCTV recordings on which they appear and any notes you have attached to their booking.

5. The customer has the right to be forgotten.

The principle here is that the customer retains “ownership” of their data. This means that not only can the customer demand that you stop using the data they provided, they can demand that you remove all their personal data from your records. For example, rather than just asking you not to send emails, the customer can ask you to remove their email address from your database.

6. The customer’s rights under the GDPR do not over-ride the requirements of other legislation

It is important to note that the customer’s rights under the GDPR don’t over-ride the data requirements of other legislation. For example, the Immigration (Hotel Records) Order 1972 requires you to record the full name and nationality of all guests and to keep this information for 12 months. As such, a guest cannot ask you to delete this information from your records until 12 months have elapsed. Similarly, a customer cannot ask you to delete any financial information you are required to keep for tax purposes.

For more information and help guides, go to the Information Commissioner's Office website or call their dedicated small business helpline on 0303 123 1113.