General Data Protection Regulation and Vacation Rentals

The General Data Protection Regulation, or GDPR, is on everyone’s lips. Although the subject has been known for two years, word is now spreading throughout the vacation rental economy, particularly on blogs and medias. The main reason being the deadline on the 25-05-18. This date marks the end of the transition period and the beginning of important penalties. We should not panic as we want the transition to be stress free. In this post we explain briefly and simply what it means to vacation rental owners and what actions needs to be taken.

What is the General Data Protection Regulation?

With the General Data Protection Regulation, the European Union created a uniform legal framework for the process and storage of personal data. The protection of personal data is a very honorable concern. Therefore, a single European regulation is in principle welcome. However, the complete GDPR has been overwhelming small business owners. Therefore, we took the time to briefly explain the most important points for our customers and interested landlords.

Which landlords are concerned?

All of them. Since every landlord receives data such as the name, the address or other data relative to the guests and stores them somewhere in some form. But that was definitely the simplest question of all on this topic.

Can I store personal information?

Yes. Most landlords only keep the data needed to process the booking. Like the name, contact details, billing address … These fall under the so-called earmarking, and it is not a problem. Only the principle of data minimization should be taken in consideration. However, an excessive data collection, brings limited value to the landlord anyway. It represents more work, causes mistrust from the guests and should therefore be prevented.
Moreover, if you collect other data for different purposes, you need a separate consent. For example, a newsletter cannot be sent automatically if the guest didn’t agree explicitly.

Do I have to disclose what data I store and what I do with it?

Yes, in addition to the information at the beginning, if the permission was granted there is an explicit right to information afterwards. The guest may demand insight, processing, rectification or removal of data is not a problem as soon as the guest has left. The data required for tax return may, of course, be sorted and deleted after the legal retention of period.
In the situation of disclosure, it is somehow a little bit more complicated: according to the GDPR, a list of processing activities must exist on the spot. This should list all data processing actions. However, it can only be claimed by authorities. This shouldn’t happen too quickly and so frequently for small businesses. There are many free templates on the internet.

Can I share personal information?

No. Although, an exception stands for service providers such as Smoobu. For such cases, a processing data contract is made, which is concluded with every customer which is accessible in our software in a digital format. If there are other service providers, a contract must be made with them.

Do I have to adapt my own homepage?

Yes, if the previous privacy policy does not already consider all points. We recommend keeping the imprint carefully and adjust if needed your privacy policy. In your privacy policy, you must mention Smoobu as a processor in the following way:

Data use

To make a booking, you must provide your contact details. You need to enter the specify contact data (specify mandatory fields here) as well as the data concerning the booking (eg stay period). We also save your booking date and time. Additional information (specify optional fields here) are not mandatory.

The information you provide on our website, including notes, are personally identifiable information and are processed and used by us to ensure the processing of the booking and the provision of the requested service. We also use your data to provide you with information relevant for the booking or during the stay. The personal data collected when the booking is made will be forwarded to the following third parties:
Smoobu GmbH – is a Software for rental owners
Pappelallee 78/79
10437 Berlin
Link to Smoobu privacy policy:

Do I need a data protection officer?

No, usually not. Unless the company has more than 10 employees, which should apply to few landlords. If you have doubts whether you need a data protection officer, you should ask an expert adviser.

Does the use of Smoobu comply with the GDPR?

Yes, as a German company, data protection has always played a major role and we will do our utmost to meet this demand in the future as well. Consequently, to us the GDPR is more than a law, it is a necessity for our image. Since we collect all bookings from all booking portals, Smoobu is the ideal and only place for guest data for most landlords. We are aware of the responsibility it represents, and we will protect this information as much as possible.

Is there something else to be considered?

Most certainly. The Complete General Data Protection Regulation has 260 pages. If you want to read it, you can download it here. I have tried to be as brief and understandable as possible. Of course, I cannot go into every single sections in detail. This contribution can by no means replace legal advice and should not be understood as such. On the web, you can find plenty of lawyers, consultants and companies specializing in this legal advice. The local Chambers of Commerce and Industry often offer appropriate advice. It can be useful to seek such advice.

If you do not use Smoobu yet, you can register here for free and without compromise. If you have experience, comments and remarks, I look forward to your feedback.