Spain-Holiday.com has created an informative webinar for all its holiday rental homeowners and agents to attend and learn about what you need to do to be GDPR-compliant.
The webinar, "Practical Recommendations for Holiday Rental Owners to Prepare for GDPR", is aimed at the holiday rental industry. It offers practical advice relevant to the holiday rental owner and agent, with relevant examples, practical recommendations and useful guides and handouts.
Below, we answer the most popular questions that holiday rental owners and agents are asking, and give the links to download our essential GDPR toolkit for the holiday rental industry.
Brief Overview of GDPR
GDPR, the General Data Protection Regulation, is the new EU data protection law that comes into effect on 25 May 2018. Its application and adoption has become one of the hottest topics across a broad spectrum of industries, and the travel industry is no exception.
You may think this is only relevant to big companies such as Facebook (in the headlines a lot recently for misusing people's personal data), Google and Amazon, but it applies to EVERY business, big or small, that holds personal data, sensitive or not, on its customers in the EU. That means it affects the entire tourism industry, from giants like Booking.com, to Spain-Holiday.com, right down to the holiday rental homeowner who owns just one property.
If you have searched Google for how the new law affects you and your holiday rental business, there is every chance that you are overwhelmed by the sheer volume of information (and misinformation) online and by the scare-mongering about a €20 million fine for non-compliance, that you panicked at the prospect of what implementing the regulation will cost your business, and that you promptly stuck your head back in the sand.
A Trip Down Memory Lane
The current law on data protection is the Data Protection Directive (95/46/EC), introduced over 20 years ago in 1995.
Indulge me for one nostalgic second while we take a trip down memory lane to how the internet looked back in 1995…
Google, MySpace, Facebook, YouTube and Hotmail didn’t exist yet...
Smartphones didn't exist. The Nokia 2110 was the mobile phone to have, with its cutting-edge ability to send SMS messages, although it would be another two years before the popular Snake game was created...
Windows 95 was launched. It took 13 floppy disks to install it!
Simpler times! One thing is certain: the update to the data protection law is long overdue. The new law governs the handling of personal data in all the member states of the European Union (and even post-Brexit UK).
Informative Webinar with Practical Suggestions for GDPR compliance
As part of the travel & tourism industry, you probably have personal data on your guests such as name and email address at the very least. You may also have more highly sensitive personal data such as financial details, date of birth and passport details.
This webinar covers how the new regulation will affect you as a holiday rental homeowner, with specific examples from the travel and tourism industry and practical recommendations on how to become GDPR-compliant.
The new regulation is an 80-page document with 99 articles. It applies to every company, from the internet giants to SMEs, so it is understandable that trying to navigate the mass of information available online to find what applies to you can seem a huge task.
As a small or medium business owner, such as a holiday rental owner with one or more properties or a holiday rental manager, many of the GDPR's articles do NOT apply to you. This presentation is not full of legal jargon or acronyms. Its purpose is to provide simple and effective solutions that do not require IT, legal or marketing expertise, lots of time, or lots of money.
The presentation covers:
- Introduction and overview to GDPR
- GDPR and the Holiday Rental Industry
- GDPR and You - Responsibilities, risks and benefits
- Roadmap to GDPR compliance
You can watch a video recording of the presentation here
Or view the presentation slides below
Questions & Answers
At the end of the live webinar presentations, which were widely acclaimed by attendees from all around the world, we held a quick Q&A session. Below, in no particular order, are the most popular questions that holiday rental owners and agents want to know relating to GDPR.
Could you clarify the differences between data obtained via informed consent and data obtained via legitimate interest?
Consent and legitimate interest are two of the legal bases on which you may process personal data under GDPR; performance of a contract is a third.
In the travel sector you need personal data (name, contact details, payment details) to fulfil a booking. Processing for that purpose rests on the contract with the guest, not on consent; closely related needs such as fraud prevention rest on legitimate interest.
To use data collected for the booking for any other purpose, for example marketing, you need the guest's explicit, freely-given consent, obtained after clearly explaining exactly what you intend to do with it.
Are there any circumstances where GDPR does not apply?
Yes. Some obligations are relaxed for SMEs such as holiday rental owners. For example, the formal record of processing activities (Article 30) is not required of organisations with fewer than 250 employees, unless the processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data. This is why the webinar focuses on the most important steps you need to take and glosses over, or leaves out entirely, points that matter less for you.
How is GDPR seen as an opportunity?
GDPR represents evolution, not revolution. To the extent that your organisation already complies with the 1995 Data Protection Directive, you have a good foundation from which to raise your standards and improve your practices in line with GDPR.
Being able to assure your customers that your business is GDPR-compliant and takes protection of data seriously should set you apart from competitors who are behind the curve in this regard.
How will Brexit affect GDPR?
The UK has indicated that it will apply GDPR regulations even after the UK leaves the EU.
Could I get a huge fine?
The regulator will have much more power to take action against firms that do not comply. Fines can reach €20 million or 4% of annual worldwide turnover, whichever is greater, but that upper tier is reserved for the most serious breaches; a lower tier of €10 million or 2% applies to the rest.
Fines are scaled to the breach, and the regulator must take into account the technical and organisational measures you had in place. If you can show that you take privacy seriously and have taken the relevant steps to comply, you should not be hit with a huge fine.
Where do I begin?
You are expected to be able to demonstrate compliance through accountability. Proving accountability requires auditable evidence created through the application of appropriate organisational and technical measures.
You must start with an audit to identify and document all information you hold concerning Data Subjects. A good way to do this is to implement the 5W approach: WHO, WHAT, WHERE, WHY, WHEN, HOW
What am I holding? Identify all personally identifiable information (PII). This is typically items such as name and address, telephone numbers, date of birth and passport number.
Why am I holding it? If you don’t have a reason for holding data, consider getting rid of it.
Where is it held? This might, for instance, be in your reservation system, CRM system or just in copies of invoices in PDF format within the normal file structure of a disk drive.
Who is responsible for it? This is a key role in ensuring that rules are being followed when handling the data.
FREE TOOL: Download a free simple audit document to help you get started.
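As an added illustration of the WHAT and WHERE steps, the following Python script (not the webinar's audit tool, and not part of the original post) walks a folder, scans text-like files for common personal identifiers and produces one inventory row per file. The sample folder it builds is constructed and every value in it is invented; the file types it treats as readable and the identifier patterns it looks for (email addresses, phone numbers, Spanish DNI/NIE numbers checked against their control letter) are assumptions you would adjust to your own system.

```python
"""Data-discovery helper for the WHAT / WHERE steps of the audit.

Added example, not the webinar's tool.  Walks a folder, scans text-like
files for personal identifiers and returns one inventory row per file.
Binary files such as PDFs are listed as 'unscanned' rather than skipped,
because invoice PDFs are exactly where personal data hides.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumption: these extensions are plain text we can read directly.
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".eml", ".json", ".html"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Optional '+', then 9-15 digits with optional spaces, not glued to other word characters.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d ]{7,13}\d(?!\w)")
# Spanish DNI (8 digits + letter) or NIE (X/Y/Z + 7 digits + letter).
DNI_RE = re.compile(r"\b(?:[XYZ]\d{7}|\d{8})[A-Z]\b")
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"   # control letter = table[number mod 23]


def dni_valid(candidate):
    """Check the control letter of a DNI/NIE; rejects most random digit runs."""
    body, letter = candidate[:-1], candidate[-1]
    body = body.replace("X", "0").replace("Y", "1").replace("Z", "2")
    return DNI_LETTERS[int(body) % 23] == letter


def find_identifiers(text):
    """Return the set of identifier kinds present in a piece of text."""
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if PHONE_RE.search(text):
        found.add("phone")
    if any(dni_valid(m) for m in DNI_RE.findall(text)):
        found.add("dni_nie")
    return found


def inventory(root):
    """Walk root; return [{'path', 'identifiers', 'modified'}] for every file
    that holds at least one identifier, plus every file we could not scan."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            modified = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if ext in TEXT_EXTENSIONS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    kinds = find_identifiers(fh.read())
                if not kinds:
                    continue              # nothing personal in this file
            else:
                kinds = {"unscanned"}     # binary: record it, check it by hand
            rows.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                         "identifiers": sorted(kinds),
                         "modified": modified.date().isoformat()})
    return rows


def build_sample_tree():
    """Constructed sample folder (all values invented): a booking CSV with
    personal data, a note without any, and a placeholder 'PDF' invoice."""
    root = tempfile.mkdtemp(prefix="gdpr_audit_")
    os.makedirs(os.path.join(root, "bookings"))
    with open(os.path.join(root, "bookings", "2017.csv"), "w") as fh:
        fh.write("guest,email,phone,id\n")
        fh.write("A. Guest,a.guest@example.com,+34 600 123 456,12345678Z\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Pool cleaned Tuesday. Key box code changed.\n")
    with open(os.path.join(root, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 placeholder\n")
    return root


if __name__ == "__main__":
    for row in inventory(build_sample_tree()):
        print(row)
```

The output is the WHAT (identifier kinds) and WHERE (path) columns of your audit; the WHO and WHY columns are decisions, not scan results, and you fill them in by hand. Point the script at your real folder and add extensions or patterns for whatever your reservation system exports.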
How long can I hold data for?
You can keep data no longer than is necessary, and only for the purpose for which it was collected. There are two levels of data retention which affect travel businesses:
Contractual data. Contractual data must be retained for the purpose of fulfilling all aspects of the contract and may be extended based on legitimate interests such as fraud protection or as required by tax authorities.
Consent data. It is up to the Data Controller to define how long consent from a Data Subject remains valid, but the legislation prevents open-ended consent periods. Once the final retention period has passed, the personal data must be deleted or, if you are keeping it for analysis or statistics, anonymised. Anonymising means irreversibly removing everything that could identify a person: direct identifiers such as name, email address and passport number are dropped, and what remains is coarsened (the month of a stay rather than the exact dates, for instance). Merely encrypting or hashing the identifiers is pseudonymisation, not anonymisation: as long as the key or lookup table exists the data can be traced back to the guest, so it is still personal data and still subject to the retention rules.
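To make the delete-or-anonymise rule concrete, here is an added Python example (not the webinar's tool, and not from the original post) that runs a retention sweep over constructed booking records. The five-year contractual retention period, the consent dates and every guest value are assumptions; what it demonstrates is the sweep's decision logic, purpose limitation when only the marketing consent is still live, and the difference between anonymising a record and merely pseudonymising it.

```python
"""Retention sweep: keep, minimise, anonymise or delete booking records
once their purpose has lapsed.  Added example with constructed data."""
import hashlib
import hmac
from datetime import date, timedelta

AS_OF = date(2018, 5, 25)                        # "today" for the sweep
CONTRACT_RETENTION = timedelta(days=5 * 365)     # assumption: 5 years after check-out
MARKETING_FIELDS = ("name", "email", "consent_until")
PSEUDONYM_KEY = b"constructed-key-rotate-me"     # constructed secret, never exported


def retention_action(record, today=AS_OF):
    """Decide what happens to one record.

    keep      - booking purpose still live (within contractual retention)
    reduce    - booking purpose lapsed, marketing consent still live
    anonymise - every purpose lapsed, but the owner wants statistics
    delete    - every purpose lapsed, nothing justifies keeping it
    """
    contract_expired = today > record["checkout"] + CONTRACT_RETENTION
    consent_live = (record["consent_until"] is not None
                    and today <= record["consent_until"])
    if not contract_expired:
        return "keep"
    if consent_live:
        return "reduce"
    return "anonymise" if record["use_for_statistics"] else "delete"


def minimise(record):
    """Purpose limitation: keep only the fields the live consent covers."""
    return {k: record[k] for k in MARKETING_FIELDS}


def anonymise(record):
    """Irreversible: drop every direct identifier and coarsen the check-out
    date to a month, so no remaining row can single out a guest."""
    return {"checkout_month": record["checkout"].strftime("%Y-%m"),
            "nights": record["nights"],
            "guests": record["guests"],
            "country": record["country"]}


def pseudonymise(value):
    """Keyed hash of an identifier.  Deterministic (same guest, same token)
    and reversible by anyone holding the key plus a lookup table, so the
    output is still personal data and does NOT replace anonymise()."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def sweep(records, today=AS_OF):
    """Return (records still held, anonymised statistics rows)."""
    kept, stats = [], []
    for rec in records:
        action = retention_action(rec, today)
        if action == "keep":
            kept.append(rec)
        elif action == "reduce":
            kept.append(minimise(rec))
        elif action == "anonymise":
            stats.append(anonymise(rec))
        # "delete": the record is simply not carried forward
    return kept, stats


def sample_records():
    """Constructed bookings; every value is invented."""
    common = {"nights": 7, "guests": 4, "country": "DE", "passport": "P0000000"}
    return [
        dict(common, name="Guest One", email="one@example.com", checkout=date(2012, 8, 20),
             consent_until=None, use_for_statistics=True),
        dict(common, name="Guest Two", email="two@example.com", checkout=date(2012, 8, 20),
             consent_until=date(2019, 1, 1), use_for_statistics=False),
        dict(common, name="Guest Three", email="three@example.com", checkout=date(2017, 9, 2),
             consent_until=None, use_for_statistics=True),
        dict(common, name="Guest Four", email="four@example.com", checkout=date(2011, 1, 5),
             consent_until=date(2015, 1, 1), use_for_statistics=False),
    ]


def run_example():
    return sweep(sample_records())


if __name__ == "__main__":
    kept, stats = run_example()
    print("still held:", kept)
    print("statistics:", stats)
```

Run against the sample, Guest One becomes a statistics row with no name, email or passport; Guest Two shrinks to the three marketing fields the live consent covers; Guest Three is untouched; Guest Four disappears. The pseudonymise() helper is there as a contrast: a hashed email would let you join statistics back to a guest, which is exactly why it does not count as anonymisation.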
Can I presume that all the big holiday rental platforms will have the highest levels of compliance in place ready for these new regulations?
I really couldn’t say what any other company is doing or what stage they are in complying with the regulations. I recommend that you contact any companies that you deal with and ask them directly.
What about data from several years ago? Do we need to ask for consent to keep it?
If you can show where the data came from and that you are using it for the purpose for which it was provided, then you already have consent, provided the original opt-in met the GDPR standard: a clear, affirmative action, not a pre-ticked box or silence. So, if you have an email newsletter sign-up feature to which people added their email address, and it was clear they would receive newsletters, you can carry on. If you want to use that same mailing list for something else, for example sharing it with a third party such as a car rental company that pays you commission, you cannot do that unless they OPTED IN to their data being shared with third parties.
Do you have a Privacy Policy template available for owners?
Yes, below is the link to an example privacy policy document, part of our Free GDPR Toolkit for Holiday Rental Owners, which one of our homeowners kindly allowed me to share on this blog. The property in question is based in Estepona and is therefore governed by the Andalucia Rental Licence Law, and the policy includes reference to those legal requirements, so please amend it where applicable for your own circumstances.
FREE TOOL: Download a free Privacy Policy example template to help you get started.
Can I continue to communicate by email with renters for small questions? I noticed that they like to keep it simple and "chatty".
You do not need permission to communicate and answer emails from past or present guests.
If I only own one property that I rent out, does it mean we don´t have to keep record of the communication (email, whatsapp) with customers?
That is correct as far as documentation goes: the relaxed record-keeping rule mentioned under "Are there any circumstances where GDPR does not apply?" concerns the formal record of your processing activities. It does not take the emails and WhatsApp messages themselves outside GDPR, since they contain personal data: keep them only as long as the booking or another stated purpose needs them, then delete them as described under "How long can I hold data for?". Still, something to be grateful for!
Is GDPR also applicable for the Guardia Civil since it is within Europe? How does the Guardia Civil protect the data that we are legally required to provide on all guests – passport details etc - while they are using a http website and not a secure encrypted HTTPS?
As stated in a previous answer, it is recommended that you contact any entity or business directly and ask whether it is GDPR-compliant. On the http point: a form served over plain http:// sends whatever you type into it, passport numbers included, unencrypted between your browser and the server, where anyone on the network path can read it. Before entering guest details on any site, check that the address bar shows https:// with a valid certificate; if it does not, the data is travelling in the clear.
GDPR is not applicable for a small business. What is your definition of a "small" business.
This link should help you understand whether you count as an SME (small or medium-sized enterprise), or PYME (Pequeña y Mediana Empresa) in Spanish.
It was mentioned [during the presentation] that guest details [provided to the Spanish police] need to be kept [on file] for 1year. I thought it is 3 years
Mea culpa! I did know this but, in the moment, I incorrectly stated one year instead of three. To confirm, booking details need to be kept for ONE YEAR, and the guest details that are sent to the Police/Guardia Civil must be kept for THREE YEARS.
I am creating a letter asking client permission to use data relating to Spanish law and bookings, is this allowed?
When asking for permission, be specific about exactly how you are going to use the data. If you only need the data to make the booking, you do NOT need permission/consent, because you have a contractual reason to use it. But if you want to do anything else with the data, make clear what your purpose is.
FREE TOOL: Download our free email consent template examples #1 and #2 to help you get started.
Who is the data controller/processor in the case of having your website on a platform designed especially for holiday rental sites (i.e., platforms with templates that you fill out with your details but that are ultimately controlled by them)?
Before I answer this question, please remember two things:
- I am not a lawyer, so these answers do not constitute legal advice and therefore I would recommend that you consult with a lawyer about your own circumstances.
- The principal objective of the webinar presentation is to give a positive impression that becoming GDPR-compliant is achievable even for the smallest one-man business and/or the least technically-minded person.
I have taken an 80-page legal document with 99 directives and condensed it into simple, actionable takeaways (and tools) so that you can feel confident tackling this task and not feel overwhelmed. So, although some people may find the answer below too simplified, I recommend that you do not get too bogged down in the jargon, the terminology, the acronyms etc.
The answer to the question of whether you are a Data Controller or a Data Processor is, in my opinion, fluid. As explained in the webinar presentation with the flow chart, in some instances you are the Data Processor, at other times the Data Controller, and at other times both, depending on how you are using the data. It is more important that you take positive steps towards becoming GDPR-compliant with the data you receive, use, share and store than that you worry too much about the terminology.
ADDITIONAL READING: Here is the official definition of Data Controller and Data Processor
Again, it is recommended that you contact the websites that you promote your holiday rental home on and ask them directly, since there is no general answer to this question.
Should we be deleting contacts from our Outlook email account? Is Outlook's protection OK to rely on if we leave clients in the contacts list?
I suggest that you contact Microsoft and ask them directly about Outlook, and also check with your domain server provider. So, if you use a free emailing service, e.g. Gmail, then either contact them directly or google to see if the answer is already available on the internet (from a reputable source, e.g. Google's own blog), or if you have your own domain name and email address, e.g. INFO@YOURDOMAIN.COM, then you need to contact the website host and ask them.
What does the regulation say about the use of photos of people (guests doing activities for example). Do I need permission for every photo?
Yes, you need permission, but this is something you should already have requested and been granted under the 1995 Data Protection Directive.
Can you recommend what software we should be using for malware protection, data storage and encryption etc.?
I specifically did not recommend or endorse any service or product providers during the webinar presentation, for a reason. The simple reason is that if I recommend a product that is for Windows, then it is relevant for Windows users, not Mac, iOS, Linux, Android etc. Additionally, there are hundreds of products and services to choose from, so the decision is ultimately a personal preference, having done your research and verified that the service/product is GDPR-compliant.
What do I do with my audit? Do I have to communicate it to someone, upload it somewhere? Or is it just a survey for my information, to know what data I collect?
The audit is for your information only and to keep on record, should you be asked for this documentation. Its purpose is mainly for you to take stock of the practices you have in place, so you can see which areas you need to review and revise.
I hope you found the information useful.
Here is the folder where you can access and download the free tools and sample documents that we have created to help you on the road to becoming GDPR-compliant as a holiday rental owner or agent.