After years of debate, the European Union finally published the General Data Protection Regulation (GDPR) in April 2016. However, it does not apply until 25 May 2018, the deadline by which all companies must have adapted their data storage systems and policies.
As the EU states, the GDPR is designed to establish a common framework in which individuals in the EU have greater control over their personal data. Its scope follows the data subject, not the company: wherever the business is established and wherever the data are collected, any company that processes the personal data of people in the EU is obliged to comply with the regulation.
Does the GDPR affect me?
Whether you are the owner of a single holiday rental property or a rental manager running several holiday homes, the new European regulation affects you. Holiday rental businesses and homeowners collect personal data from their guests and suppliers, and the GDPR now sets the rules for the storage, analysis and protection of any data capable of identifying those guests and/or suppliers.
What constitutes personal data?
According to Article 4 of the GDPR, the definition of personal data is much broader than under the current Spanish Data Protection Law: personal data is any information relating to an identified or identifiable natural person, that is, anyone who can be identified, directly or indirectly, from that information.
Does this mean that if I hold only an email address I am not subject to the regulation? No. An email address on its own can identify a person, and even data that identifies nobody in isolation becomes personal data when it can be linked to an identity by combining it with another data set.
Encrypting or pseudonymising personal data does not take it outside the GDPR: as long as someone (you, or an attacker who obtains the key) can attribute the data to a person with the help of additional information, it remains personal data. Only fully anonymised data, from which no individual can be identified by any reasonably likely means, falls outside the regulation.
Pseudonymisation (Article 4(5)) is the processing of personal data in such a way that the resulting data set can no longer be attributed to a specific subject without the use of additional information, provided that this additional information (a key, a lookup table) is kept separately and protected by technical and organisational measures. Unlike anonymisation, pseudonymisation is reversible by design: whoever holds the additional information can re-identify the subject, which is why the key must be stored apart from the data and access to it tightly restricted.
Some examples of "personal data" are: name, postal address, email address, IP address or other online identifier, telephone number, passport number, etc.
If you are not sure whether the data you handle counts as "personal data" under the regulation, the safest option is to treat it as if it does. Storing and protecting customers' personal data under a documented data protection policy is the first step.
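As an added illustration that is not part of the original article, the following Python example shows the difference between pseudonymisation and anonymisation on a few constructed guest records, and why an unkeyed hash of an email address is not an adequate pseudonym. The record fields, the token format and the hypothetical booking data are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample guest records (fictitious; not from any real booking system).
GUESTS = [
    {"booking": "B-1001", "name": "Ana García", "email": "ana@example.com",
     "passport": "X1234567", "nights": 3},
    {"booking": "B-1002", "name": "Tom Baker", "email": "tom@example.net",
     "passport": "Y7654321", "nights": 5},
    {"booking": "B-1003", "name": "Ana García", "email": "ana@example.com",
     "passport": "X1234567", "nights": 2},
]

# Fields that directly identify a guest; everything else is kept as-is.
DIRECT_IDENTIFIERS = ("name", "email", "passport")


def new_pseudonymisation_key():
    """The 'additional information' of Art. 4(5): generate it once and store it
    separately from the pseudonymised records, under stricter access control."""
    return secrets.token_bytes(32)


def token_for(key, field, value):
    """Keyed, deterministic token (HMAC-SHA256, truncated). The same input always
    yields the same token, so all bookings of one guest stay linkable, but the
    original value cannot be recovered from the token without the key."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key):
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps token -> original value. It is the re-identification
    material and must live apart from the records (separate store, separate
    permissions), otherwise the pseudonymisation protects nothing."""
    pseudo_records = []
    lookup = {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in rec:
                tok = token_for(key, field, rec[field])
                out[field] = tok
                lookup[tok] = rec[field]
        pseudo_records.append(out)
    return pseudo_records, lookup


def reidentify(pseudo_records, lookup):
    """Reverse the pseudonymisation using the separately held lookup table.
    This is exactly why pseudonymised data is still personal data."""
    restored = []
    for rec in pseudo_records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in rec:
                out[field] = lookup[rec[field]]
        restored.append(out)
    return restored


def anonymise(records):
    """Irreversible: identifiers are dropped, not replaced. What remains
    (booking reference, nights) can no longer be attributed to a person and
    there is no key or table that could bring the identity back."""
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]


def unkeyed_hash_is_guessable(target_email, candidates):
    """Caveat: an unkeyed SHA-256 of an email is not a useful pseudonym. Anyone
    holding a list of plausible addresses can recompute the hashes and match
    them (a dictionary attack). Returns the recovered address, or None."""
    digest = hashlib.sha256(target_email.encode("utf-8")).hexdigest()
    for cand in candidates:
        if hashlib.sha256(cand.encode("utf-8")).hexdigest() == digest:
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseudo, lookup = pseudonymise(GUESTS, key)
    print("pseudonymised:", pseudo[0])
    print("same guest, same token:", pseudo[0]["email"] == pseudo[2]["email"])
    print("re-identified:", reidentify(pseudo, lookup)[0]["name"])
    print("anonymised:", anonymise(GUESTS)[0])
    print("unkeyed hash recovered:",
          unkeyed_hash_is_guessable("ana@example.com", ["bob@example.org", "ana@example.com"]))
```

The practical point for a rental business: the guest database can hold the tokens while the key and lookup table sit elsewhere (for example only on the machine that prepares the police registration), so a leak of the booking database alone does not expose identities. Hashing addresses without a key, as some booking tools do, gives only the appearance of protection.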
Current Data Protection Law vs. GDPR
In Spain, the current data protection legislation has until now been the legal reference for companies handling personal data. As of May, the new regulation introduces changes such as:
Article 8 of the GDPR sets the age from which a minor can give their own consent to the processing of their personal data by online services at 16, while allowing each member state to lower it to no less than 13. The Spanish rules will be aligned with those of the other EU member states within this range.
At the request of the heirs, the processing of data relating to deceased persons may be modified (for example, rectified or deleted).
The user benefits from the principle of transparency: anyone may request information about how their data are processed.
A new legal figure appears with the GDPR: the Data Protection Officer (DPO). Appointing one is mandatory in the cases listed in Article 37 (for example, large-scale or systematic monitoring of individuals) and optional otherwise. The DPO is the person or company that advises the data controller on compliance, monitors it, and acts as the contact point between the company holding personal data and the Spanish Agency for Data Protection (AEPD).
Self-regulation mechanisms are promoted (the user controls how their personal data are processed), and data subjects may exercise their right to restrict the processing of their data while a complaint is pending before the competent authorities.
I already comply with the Spanish Data Protection Law
The GDPR is a European regulation which, unlike a European directive, is directly applicable and does not need to be transposed into national law by each country. After its adoption in 2016, a transition period was set that ends next May, when the regulation starts to apply.
What happens if I break the law?
The sanctions established by the Regulation (Article 83) are substantial. For infringements such as those related to the technical and organisational measures for data protection, record keeping and the notification of data security breaches, fines can reach 10 million euros or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher.
These penalties double, to 20 million euros or 4% of worldwide annual turnover, whichever is higher, when the infringement concerns the basic principles of processing (including the conditions for consent), the rights of data subjects, or the transfer of personal data to a third country outside the EU.
If you already comply with the requirements of the current Spanish Data Protection Law, you, as owner or agent, will already meet most of the conditions imposed by the GDPR.
Where do I begin?
All companies must start by implementing technical and organisational measures appropriate to the scope, context and risk of storing and processing personal data. These measures include:
Pseudonymisation and encryption of personal data
Ensuring the confidentiality, integrity and availability of the systems that store the data
A procedure for regularly testing and verifying the effectiveness of these measures
- All businesses holding the data must keep records of how they store and process all personal data from their guests and/or suppliers. They must also have procedures in place to respond transparently when a guest or supplier asks what information is held about them and/or asks for it to be deleted.
With less than three months ahead, these are the main factors to consider in order to adapt your business to the European regulation:
- Understand what type of data you work with
Sort and categorise the type of data you store. In most cases, these are emails, postal addresses, names or passport numbers. Reflect on the current use of this data and review your storage and security policy. Make sure you know the security procedure and who has access to this data.
- Are you authorised to process this data?
As established by the GDPR, every use of personal data needs a legal basis. Guests' and suppliers' data may only be used and analysed when:
The subject has given consent through a clear affirmative act (a pre-ticked box or silence is not consent, and you must be able to demonstrate that consent was given)
The data are necessary to perform the contract with the guest, for example to process the booking
The data are necessary to protect the vital interests of a person, or for the legitimate interests pursued by the company, provided these are not overridden by the subject's rights
The data are necessary to fulfil a legal obligation, for example collecting guests' identification documents in order to register them with the police
If your processing does not fit any of the bases above, the subject's explicit consent is required before the data may be used.
- Communication to the user
Informing the user was already required by the current Data Protection Law, but the GDPR adds further requirements, such as:
The use of a clear, simple and intelligible language that conveys the information in a concise and transparent manner to the user.
Express the legal basis on which the use of their data is based
The existence and contact details of the Data Protection Officer, where one has been appointed
The right to lodge a complaint with the Spanish Agency for Data Protection
The period during which the data will be processed and stored.
- Attention to the rights of users
The right to erasure ("right to be forgotten"), the right to restriction of processing and the right to data portability are some of those included in the European Regulation.
Requests must be answered, free of charge, within one month of receipt. In justified and exceptional cases (complex or numerous requests) this period may be extended by a further two months, and the user must be told of the extension within the first month.
- Relationship between the data controller and the data processor
The Regulation introduces requirements on the existing relationship between the company (the controller) and the suppliers that process data on its behalf (the processors):
Keeping a record of the processing activities carried out with the data
Security measures applied to the processing
Appointing a Data Protection Officer where required
Cooperation with the supervisory authority
Any relationship between both parties must be formalised in a written contract (Article 28). Existing agreements therefore need to be reviewed and adapted to the new regulation where necessary.
- Proactive accountability measures
From May onwards, companies must be able to demonstrate the security measures adopted, proportionate to the classification of the data processed (the accountability principle).
To do so, they must carry out a risk analysis documenting the impact that the intended processing has on the protection of the data (a data protection impact assessment, where the processing is likely to involve a high risk). It is then the company's obligation, advised by the Data Protection Officer where one exists, to adopt measures that minimise or eliminate the risks detected in the first phase.
- International data transfers
If the data used by the company are transferred to countries outside the EU, one of the following must apply:
There is a contract that meets the requirements of the Regulation (for example, the EU standard contractual clauses).
The transfer to a US company is made under the Privacy Shield agreement (note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so this route is no longer available).
The transfer is made to a country whose level of protection has been recognised as adequate by the European Commission.