Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLยทEN
Explainer

AI in hospitality and tourism: dynamic pricing, profiling and the GDPR

Adopted 2026-06-22 ยท ≈ 2 min read ยท Dirk Baaijen

Hospitality and tourism use AI for dynamic pricing, recommendations and guest profiling. The AI Act rarely treats this as high-risk, but the GDPR is decisive: profiling, automated decisions and transparency call for clear legal bases.

Short answer: Hospitality and tourism use AI for dynamic pricing, recommendations, chatbots and guest profiling. These applications rarely fall under the AI Act's high-risk category. The decisive framework is the GDPR: as soon as you profile guests or make automated decisions about them, you need a legal basis, transparency and safeguards.

Dynamic pricing

Dynamic pricing โ€” prices that move with demand, time or occupancy โ€” is permitted in itself. It becomes sensitive when the price is determined by the individual customer's personal data: browsing behaviour, device, past purchases or estimated purchasing power.

Personalised prices based on profiling require a GDPR basis and transparency. The consumer must know that automated processing influences the price. Prices that discriminate on sensitive characteristics are moreover unlawful.

Profiling and recommendations

Recommendation systems that suggest rooms, restaurants or outings process preferences and behaviour. Insofar as this is personal data, the GDPR applies in full: purpose limitation, data minimisation and a valid legal basis.

Profiling is permitted, but the guest has rights: access, objection and โ€” for fully automated decisions with legal or similarly significant effect โ€” the right to human intervention. A chatbot that independently refuses bookings or imposes surcharges may fall into that last category.

Transparency about AI interaction

Article 50 of the AI Act requires that a guest knows when they are interacting with an AI system, for example a chatbot. The interaction must be recognisable as such, unless it is obvious. This is a light but concrete obligation for the sector.

High-risk obligations rarely apply here; the high-risk obligations overview is mainly relevant if you use AI for staff, for example in recruitment or scheduling.

What to do

  • Justify your pricing logic: know whether the price rests on market data or on personal data โ€” the latter requires a GDPR basis and transparency.
  • Document profiling: purpose limitation, data minimisation and a legal basis for each profile.
  • Secure guest rights: facilitate access, objection and human intervention for automated decisions.
  • Make AI interaction recognisable: label chatbots in line with Article 50.
  • Avoid discrimination: pricing or access decisions must not rely on sensitive characteristics.

In hospitality and tourism the guest is the centre โ€” and therefore the GDPR is the sharpest framework. That differs from AI in agriculture, where business data and machine safety come first.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): legal bases, profiling and automated decision-making about guests.
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): risk-based framework; hospitality AI mostly falls outside high-risk.

Share on LinkedIn

Read next

U

AI in retail: pricing, recommendations and profiling

Retail and e-commerce use AI for dynamic pricing, recommendations and profiling. These trigger the AI Act (prohibited practices, transparency), the GDPR (profiling, automated decisions) and the DSA (recommender systems, advertising) at the same time.

W

The AI Act for DPOs: where it meets the GDPR

The AI Act and the GDPR overlap but are not the same. The DPO is not automatically responsible for AI compliance, yet plays a key role wherever AI processes personal data. This guide maps the touchpoints: DPIAs, legal grounds, transparency and the limits of the DPO role.

U

AI in marketing and advertising: profiling, dark patterns and transparency

AI in marketing touches three frameworks at once: the AI Act prohibits manipulation (Art. 5) and requires transparency (Art. 50), the GDPR limits profiling and automated decisions, and the Digital Services Act sets rules for online advertising and the protection of minors.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.