EU AI Act for Hotels & Hospitality: Requirements & Compliance
Hotels and hospitality businesses in Germany must comply with the EU AI Act for any AI systems used in guest services, pricing, facial recognition at check-in, or recommendation systems that affect guests. Most hospitality AI — dynamic pricing, booking recommendations, chatbot concierges — falls into minimal- or limited-risk categories with few compliance obligations. Three areas carry strict requirements: biometric check-in systems, AI-driven staff scheduling, and general-purpose AI (GPAI) deployed in guest-facing roles.
What Does the EU AI Act Require from Hotels?
Hotels must classify every AI system they operate under Regulation (EU) 2024/1689 and meet the applicable requirements for each risk tier. In practice:
- Minimal-risk AI (dynamic pricing, room recommendations, booking engines): no specific AI Act obligations, though GDPR data minimisation principles still apply
- Limited-risk AI (chatbots, virtual concierges): mandatory transparency disclosure to guests under Article 50 AI Act
- High-risk AI (facial recognition for check-in, staff scheduling AI): full requirements under Articles 9–16 apply from 2 August 2026 — technical documentation, conformity assessment, human oversight, and EU database registration
- Prohibited AI (emotion recognition for guests or staff, biometric categorisation): banned since 2 February 2025
Which AI Systems Do Hotels Use?
Understanding what you already operate is the first step in compliance:
| AI Application | Risk Class | Key Obligation |
|---|---|---|
| Dynamic pricing / revenue management | Minimal | No specific AI Act duties |
| Chatbots / virtual concierge | Limited | Transparency notice (Art. 50) |
| Room and service recommendation engines | Minimal | No specific AI Act duties |
| AI-driven staff scheduling | High-risk | Full Art. 9–16 requirements |
| Facial recognition at check-in | High-risk | Full requirements + GDPR DPIA |
| Emotion recognition for guests or staff | Prohibited since Feb. 2025 | Cannot be deployed |
| GPAI models in guest contact (e.g. ChatGPT) | Limited | Transparency obligations Art. 50 |
Dynamic Pricing: Minimal-Risk but Not Unregulated
Revenue management systems and dynamic pricing algorithms are not classified as high-risk under the AI Act. Systems that calculate room rates based on demand, seasonality, or competitor pricing fall into the minimal-risk category — no technical documentation or conformity assessment is required.
However, pricing is not entirely free of obligations:
- Non-discrimination: If pricing algorithms draw inferences about ethnicity, nationality, or other protected characteristics, liability arises outside the AI Act — under the German General Equal Treatment Act (AGG).
- Explainability: In the event of a regulatory inquiry or guest complaint, you should be able to explain why a specific price was generated for a specific guest at a specific time.
- GDPR: If pricing logic accesses personal guest data (booking history, device, location), data minimisation and purpose limitation under Article 5 GDPR apply.
Practical recommendation: Maintain an internal description of your revenue management system — which data inputs are used and which are not. This is sufficient for compliance purposes.
Facial Recognition at Check-In: High-Risk and GDPR-Intensive
Facial recognition for guest identification at check-in is one of the most sensitive AI applications in hospitality. The AI Act classifies biometric identification systems under Annex III, No. 1 as high-risk, with full obligations applying from August 2026.
What Is Prohibited
Biometric categorisation to infer sensitive characteristics (skin colour, emotions, nationality) is prohibited under Article 5(1)(g). Emotion recognition in guest or hospitality contexts is prohibited under Article 5(1)(f) — this has been in force since 2 February 2025.
What Is Permitted (with Strict Conditions)
Facial recognition for identity verification at check-in — comparable to e-passport control systems — is permitted where:
- Explicit GDPR consent is obtained from guests before biometric data is collected (Article 9 GDPR for special category data)
- A Data Protection Impact Assessment (DPIA) has been completed under Article 35 GDPR
- The system is registered as a high-risk AI system with full technical documentation (Art. 11), a conformity assessment (Art. 43), and CE marking
- A human oversight process is in place — guests must be able to check in without biometrics
For most hotels, the compliance burden outweighs the benefit. A PIN-based or key-card self-check-in solution is generally preferable.
Staff Scheduling AI: High-Risk Under Annex III
AI-driven staff scheduling is classified as high-risk under Category 4 (Employment) of Annex III. This covers systems that:
- Automatically create or modify shift schedules
- Evaluate worker performance through AI
- Support hiring decisions
- Generate dismissal recommendations
High-Risk Obligations (Articles 9–16, from August 2026)
- Risk management system (Art. 9): continuous identification and mitigation of risks
- Data governance (Art. 10): training data quality assurance
- Technical documentation (Art. 11): full system description and design rationale
- Logging and record-keeping (Art. 12): automatic audit trail for traceability
- Transparency to workers (Art. 13): employees must be informed that AI is used
- Human oversight (Art. 14): scheduling decisions must be reviewable and overridable by humans
- Works council co-determination: Under Section 87(1)(6) of the German Works Constitution Act (BetrVG), the works council has co-determination rights over technical monitoring systems — AI scheduling systems are covered
Recommended action: If you use AI scheduling software (e.g. Quinyx, Shiftbase, HotelTime with AI components), verify that your vendor meets AI Act requirements and that your works agreement explicitly addresses AI use.
GPAI Models in Hospitality: What Operators Need to Know
Many hotels now use General-Purpose AI (GPAI) models — either directly via API (OpenAI, Anthropic, Google) or through integrated hotel software with embedded AI features. The AI Act’s Chapter V (Articles 51–56) imposes specific requirements on GPAI providers, effective from 2 August 2025.
As a deployer (not a provider) of GPAI models, hotels carry lighter obligations than the model developers themselves. Nevertheless:
- Transparency obligation under Article 50: Where guests interact with a GPAI-powered chatbot, you must disclose that it is an AI system — even if the chatbot runs through a third-party software solution.
- Contractual protection: Ensure your software contracts with hotel technology vendors include clear AI Act compliance clauses — who is responsible for technical documentation, who for conformity assessment.
- No model-provider obligations: Hotels do not need to submit performance benchmarks, technical documentation, or copyright summaries under Article 53 — that is the model provider’s responsibility.
GDPR and AI Act: Dual Compliance Requirements
For any AI system that processes guest personal data, the AI Act and GDPR overlap. Key considerations:
- Profiling and automated decisions: If AI shapes guest experiences (room upgrades, service access, pricing), Article 22 GDPR applies — guests have the right not to be subject to purely automated decisions with significant effects. Ensure human review is available.
- Data minimisation: AI systems should only access personal data strictly necessary for their function.
- Purpose limitation: Data collected for booking cannot be repurposed for AI training or profiling without a separate lawful basis.
- DPIA requirement: Any high-risk AI processing biometric data requires a DPIA before deployment.
Compliance Checklist for Hospitality Businesses
Immediate Actions (in force since February 2025)
- Emotion recognition deactivated: No system analyses guest or staff emotions
- Biometric categorisation checked: No software infers sensitive characteristics from biometric data
- Chatbot transparency implemented: Guests are informed of AI interaction on first contact (e.g. “You are chatting with our AI assistant”)
By August 2025 (GPAI Requirements)
- GPAI contracts reviewed: Software contracts with AI components checked for AI Act clauses
- Deployer transparency fulfilled: Article 50 disclosure implemented wherever GPAI is used in guest contact
By August 2026 (High-Risk Requirements)
- AI inventory completed: All AI systems documented and classified by risk category
- Scheduling AI classified: Identified as high-risk (Category 4) with documentation process initiated
- Works agreement updated: Works council co-determination right for AI scheduling systems addressed
- Facial recognition decision made: Either DPIA + conformity assessment completed, or use discontinued
- Conformity assessments completed: All high-risk AI systems assessed and registered in EU database
AI Act Timeline for the Hospitality Sector
| Date | Obligation |
|---|---|
| 2 August 2024 | AI Act enters into force |
| 2 February 2025 | Prohibitions apply: emotion recognition, biometric categorisation |
| 2 August 2025 | GPAI obligations: transparency, registration |
| 2 August 2026 | High-risk obligations in full: staff scheduling, facial recognition |
How Compound Law Helps
As a law firm advising hospitality businesses on AI compliance, Compound Law supports:
- AI inventory and risk classification: Systematic mapping of all AI systems in operation and classification under the AI Act
- Works agreements for AI use: Drafting compliant agreements with works council involvement
- Data Protection Impact Assessments: DPIA under Article 35 GDPR for biometric and high-risk AI systems
- Vendor due diligence: Reviewing software contracts for AI Act compliance provisions
- Guest transparency frameworks: Drafting legally compliant disclosure texts and consent forms
Frequently Asked Questions
What does the EU AI Act require from hotels?
Hotels must classify all AI systems they operate under the EU AI Act and meet requirements based on risk level. Most hospitality AI (pricing, recommendations, chatbots) requires only basic transparency disclosures. Facial recognition and staff scheduling AI are high-risk and require full compliance measures by August 2026.
Does the EU AI Act apply to small hotels?
Yes. The EU AI Act applies to all operators using AI systems in the EU market, regardless of business size. However, the compliance burden is proportional to risk: a small hotel using only a booking chatbot needs only a transparency notice. High-risk systems trigger full documentation requirements regardless of company size.
Is dynamic pricing regulated under the EU AI Act?
Dynamic pricing algorithms are classified as minimal-risk under the AI Act — no specific high-risk requirements apply. However, discriminatory pricing based on protected characteristics creates legal exposure outside the AI Act. Keep pricing logic documented and explainable.
Can hotels use facial recognition for check-in?
Yes, with strict conditions: explicit guest consent, a GDPR Data Protection Impact Assessment, full high-risk AI compliance (technical documentation, conformity assessment, CE marking), and an alternative check-in option without biometrics. Emotion recognition during check-in has been prohibited since February 2025.
What must hotels do by August 2026?
By 2 August 2026, all high-risk AI systems must have: a risk management system, technical documentation, logging mechanisms, transparency to affected workers, human oversight processes, a conformity assessment, and registration in the EU AI database. This applies to facial recognition at check-in and AI-driven staff scheduling.
Do chatbots need an AI disclosure notice?
Yes. Under Article 50 of the EU AI Act, users must be informed when they interact with an AI system that could be perceived as human. A simple label such as “AI assistant” or “This chat is powered by AI” is sufficient.