You may already be aware that a privacy notice is an essential element when it comes to producing appropriate documentation for a GDPR-compliant holiday let.
But I know there are still some holiday let owners out there who aren’t sure of exactly what’s required – which is why I’ve put together this blog post to help you.
1. An introduction
2. Who you are
2. What types of data you’re collecting
Now, you should make it clear the types of data you’re collecting, and how you’re collecting it. This could include, for example, names, email addresses, details of bookings, payment details etc.
You may be storing information provided to you directly as well as indirectly. What are the different sources you’ll be collecting this data from? (Personal information coming from sites like Airbnb, as well as website cookies and social media? It’s important to mention them here.)
Perhaps personal information is being passed on to you by third parties (more about that below).
3. The reason for collecting it
What legitimate business reasons do you have for collecting an individual’s personal data? If you’re like most holiday let owners, it’s perhaps to help you provide your guests with a wonderful stay, and to provide a lovely clean holiday cottage or apartment upon their arrival.
Be as specific as possible, and detail all of the reasons you need to process the personal data of your guests. (But also don’t be afraid to question it – are you storing any data you DON’T need? Now’s the time to rectify that.)
4. Any third parties involved
Whether you’re sharing any personal data with third parties (say cleaners, for example) or receiving data from third parties, it’s important to mention them here.
You may also want to reserve the right to disclose personal data to third parties under a couple of special conditions, such as buying or selling business assets (perhaps if you sell properties as holiday lets) or if your assets are acquired by a third party.
5. How personal data will be used
You can include things such as sending out emails, keeping a record of your relationship with guests, contacting guests with offers, meeting legal obligations, responding to complaints, and sending any correspondence at all regarding a guest’s stay.
6. How long data will be stored for
You can be specific here, or you can state that you have specific guidelines in place determined by both legal and operational considerations for how long you store personal data associated with your holiday let.
You can also give an example, such as the need to store some information for tax purposes (a fairly common practice).
7. How an individual’s data is protected
Telling potential guests that you care about their privacy and will practice due diligence to protect their personal data goes a long way to providing the necessary reassurance they’ll need to make a booking with you. You may want to mention you use a secure network (if applicable).
You may also want to mention that you’ll never sell an individual’s data to third parties for marketing purposes. That’s usually a big one!
8. The rights of the individual
Ensure potential guests can see their rights, and explain in a little more depth what each one means for them. Their rights are as follows:
- The right to access their personal information
- The right to have incorrect personal information corrected
- The right to restrict use of personal information
- The right to be forgotten
- The right for their personal information to be portable
- The right to object to the use of their personal information
9. How individuals can make data requests
Everyone should be able to make a request to access, amend or have their personal data deleted, so it’s important to tell them how they can do this. Who can they get in touch with?
It may also be worth mentioning that once they get in touch with you, you’ll then have a month to comply, as per the new legislation (rather than the previous 40 days).
If you have a website, you may also want to mention cookies and how you collect them. If you use third party cookies from the likes of Google Analytics, HotJar or any other online app or software that’s helping you learn more about your visitors’ activity, mention them.
Your safest bet is to also link to the privacy policies of these third parties, just to ensure you’re covered.
12. Contact details
Finally, finish off by including your key contact (if you don’t want to use a name, you can say ‘The Data Protection Officer’), postal address, email address and phone number.
Advice from an experienced holiday letting agent
If you follow the guidelines I’ve outlined above, you won’t go far wrong. However, if you’d like to see some real-life examples of privacy policies all neatly laid out, take a look at some of these examples:
Key GDPR resources to keep bookmarked
- ICO (Information Commissioner’s Office, UK): Preparing for the General Data Protection Regulation (GDPR) – ‘12 Steps to Take Now’.
- The full law text: GDPR, dated April 27th 2016
- European Commission Fact Sheet
- DMA UK: All the latest news, updates and webinars relating to GDPR
- Protection of Personal Data (via the European Commission)
Do you have any questions about GDPR? Let me know in the comments section! I’d love to hear from you, and try to reply to every comment I receive.