GDPR for landlords
The Data Protection Act was amended and tightened a few years ago. The aim is to better protect the fundamental rights and freedoms of natural persons when their personal data is processed. Non-compliance with the General Data Protection Regulation (GDPR) can result in penalties. Landlords, too, need to bear a few things in mind.
The new General Data Protection Regulation (GDPR) affects tourism businesses and private landlords when it comes to guest registration, the guest database (booking confirmation, invoicing), the website and the use of a newsletter tool. The new regulation governs how guest data may be processed and what rights the guest has (inspection, deletion, correction). There are principles that must be adhered to:
- Purpose limitation - there must be a legitimate reason why a landlord stores and processes a guest's personal data
- Data minimization - the data collected should be limited to the minimum necessary
- Consent requirement - clear consent from the guest is required for the use of the data collected (for each purpose separately - e.g. consent for the newsletter, consent for the GTCs, etc.).
- Right of access - guests have the right to know what happens to their data and can request access, rectification or erasure
- Documentation - as a landlord, you must keep a record of processing activities. It must always be possible to present this record when asked for it. (See sample templates below)
What do you need to consider on the website?
- Cookie notice according to the latest standards: Cookies are small files that a statistics program (usually Google Analytics) stores on the visitor's computer. Every visitor to your website must be able to decide for themselves which data is saved. If cookies are rejected, none may be stored.
- Google Analytics integration: With a correct Google Analytics integration, the last 8 bits of the visitor's IP address are no longer recorded, since the full address would otherwise be personal data. It is important to ensure that the tool is integrated correctly.
- Privacy policy: In addition to the legal notice, a separate privacy policy is now required on the website, which must contain information about data storage, cookies, the newsletter tool (if available), web analysis and information rights as well as information options. For offers/bookings, it is essential to include a link to the privacy policy on the website. Printed copies should also be available at reception and in the rooms. See below for sample templates.
- Encryption of guest data: If not already done, have the website converted to HTTPS immediately. This means that all data entered on the site is transmitted in encrypted form and is thus protected against unauthorized access during transmission.
- "Double opt-in" for newsletter registration: If a newsletter tool is used, registration must take place via the website using the so-called "double opt-in", i.e. the guest must confirm the newsletter registration via an automatically sent e-mail.
- Online bookability via external providers: If an external booking tool such as Feratel or a hotel program/channel manager is integrated on the website, you must ensure that the providers work in compliance with the GDPR. This must also be stated in the privacy policy.
Sample templates for download
Please fill in missing information or delete what is not required. The relevant places are usually marked in color. These are only sample templates!
All information on this page is provided without guarantee! Details on the GDPR (DSGVO) can be found on the website of the Chamber of Commerce: www.wko.at