The Ultimate GDPR Privacy Policy Checklist For Holiday Lets

Posted by Linda Maclaughlan on 02 July 2018

In need of advice on putting together a GDPR-compliant privacy policy for your holiday let?

You may already be aware that a privacy notice is an essential element when it comes to producing appropriate documentation for a GDPR-compliant holiday let.

So, whether you’ve already published a privacy policy in time for last month’s legislation, or whether you’re only just getting round to sorting out your privacy policy – and all the rest – now, this blog is here to help.

As a seasoned holiday let owner and agency operating in the Scottish Borders, I’ve been busy ensuring I’m entirely up-to-speed with GDPR – and my privacy policy is up-to-scratch!

But I know there are still some holiday let owners out there that aren’t sure of exactly what’s required – which is why I’ve put together this blog post to help you.

1. An introduction

The best place to start is with a little introduction. What is this privacy policy people are about to read, why is it needed and when is it effective from? I find this is a good way to start as it’s just common courtesy.

2. Who you are

When you’re referring to yourself in your privacy policy (most likely as ‘we’ and ‘us’ or in some cases ‘I’ or ‘me’) then you should make it clear who you are – give your company name or perhaps refer to yourselves as ‘the owners’ of your property (including property name).


“In terms of this privacy policy, ‘we’ or ‘us’ or ‘our’ means: the owners of 14B Jolly Holiday Street, based in Holiday Island, located in the Holiday Republic.”

2. What types of data you’re collecting

Now, you should make it clear the types of data you’re collecting, and how you’re collecting it. This could include, for example, names, email addresses, details of bookings, payment details etc.

You may be storing information provided to you directly as well as indirectly. What are the different sources you’ll be collecting this data from? (Personal information coming from sites like Airbnb, as well as website cookies and social media? It’s important to mention them here.)

Perhaps personal information is being passed onto you by third parties (more about that below).

3. The reason for collecting it

What legitimate business reasons do you have for collecting an individual’s personal data? If you’re like most holiday let owners, it’s perhaps to help you provide your guests with a wonderful stay, and to provide a lovely clean holiday cottage or apartment upon their arrival.

Be as specific as possible, and detail all of the reasons you need to process the personal data of your guests. (But also don’t be afraid to question it – are you storing any data you DON’T need? Now’s the time to rectify that.)

4. Any third parties involved

Whether you’re sharing any personal data with third parties (say cleaners, for example) or receiving data from third parties, it’s important to mention them here.

You may also want to reserve the right to disclose personal data to third parties under a couple of special conditions, such as buying or selling business assets (perhaps if you sell properties as holiday lets) or your assets are acquired by a third party.

5. How personal data will be used

How you use personal data is also a vital element to include in your privacy policy, and I highly recommend you be as specific and explicit as possible here, including bullet pointing all the ways you have used, will use and plan to use personal data in future.

You can include things such as sending out emails, keeping a record of your relationship with guests, contacting guests with offers, meeting legal obligations, responding to complaints, and sending any correspondence at all regarding a guest’s stay.

6. How long data will be stored for

You can be specific here, or you can state that you have specific guidelines in place determined by both legal and operational considerations for how long you store personal data associated with your holiday let.

You can also give an example, such as the need to store some information for tax purposes (a fairly common practice).

7. How an individual’s data is protected

Telling potential guests that you care about their privacy and will practice due diligence to protect their personal data goes a long way to providing the necessary reassurance they’ll need to make a booking with you. You may want to mention you use a secure network (if applicable).

You may also want to mention that you’ll never sell an individual’s data to third parties for marketing purposes. That’s usually a big one!

8. The rights of the individual

Ensure potential guests can see their rights, and explain in a little more depth what each one means for them. Their rights are as follows:

  • The right to access their personal information
  • The right to have incorrect personal information corrected
  • The right to restrict use of personal information
  • The right to be forgotten
  • The right for their personal information to be portable
  • The right to object to the use of their personal information

9. How individuals can make data requests

Everyone should be able to make a request to access, amend or have their personal data deleted, so it’s important to tell them how they can do this. Who can they get in touch with?

It may also be worth mentioning that once they get in touch with you, you’ll then have a month to comply, as per the new legislation (rather than the previous 40 days).

10. Use of cookies

If you have a website, you may also want to mention cookies and how you collect them. If you use third party cookies from the likes of Google Analytics, HotJar or any other online app or software that’s helping you learn more about your visitors’ activity, mention them.

Your safest bet is to also link to the privacy policies of these third parties, just to ensure you’re covered.

11. Changes to your privacy policy

Let people know that your privacy policy is subject to change in future, and if any significant changes occur, this will be made clear on your website – and in an email to anyone whose personal data you store.

12. Contact details

Finally, finish off by including your key contact (if you don’t want to use a name, you can say ‘The Data Protection Officer’), postal address, email address and phone number.

Advice from an experienced holiday letting agent

If you follow the guidelines I’ve outlined above, you won’t go far wrong. However, if you’d like to see some real-life examples of privacy policies all neatly laid out, take a look at some of these examples:

And there’s always the Lowland Lettings privacy policy, which you’re very welcome to take a look at! Ours has been checked over and approved by a solicitor, so we know it’s doing the job.

Once you’ve put together your privacy policy for all to see, your next step is to diligently display it whenever you’re capturing a user’s data. This helps ensure that you can prove you’re making the effort to comply with the new legislation – and that’s really all anyone can ask for!

Key GDPR resources to keep bookmarked


I hope you’ve found this blog helpful – whether you’re only putting your GDPR privacy policy together now, or you’re just checking your policy is fully compliant.

Do you have any questions about GDPR? Let me know in the comments section! I’d love to hear from you, and try to reply to every comment I receive.