What is GDPR for Vacation Rentals?
The General Data Protection Regulation (GDPR) is the European Union's data privacy law. For vacation rentals, it governs how property managers and owners must handle the personal data of guests who are in the EU.
This includes information like names, email addresses, payment details, and copies of identification documents. Even if a property is located outside the EU, GDPR applies when the business offers its services to people in the EU (for example, by marketing to them or accepting their bookings) or monitors their behaviour online, such as through website tracking.
How it works
To comply with GDPR, a host must have a lawful basis for processing guest data, such as the guest's consent or contractual necessity (the data needed to fulfil the booking). They must store all personal information securely, collect no more than the booking requires, and use it only for the purpose for which it was collected.
Hosts need a clear privacy policy explaining what data is collected, why it is collected, who it is shared with, and how long it is retained. For direct booking websites, this includes implementing a cookie consent banner and ensuring booking forms are compliant, features often included in platforms with a vacation rental website builder.
Hosts must also be prepared to honor guest rights, such as the right to access, correct, or delete their data, within the statutory deadline of one month from the request.
Why it matters
Compliance with GDPR is critical for vacation rental operators to avoid substantial fines, which for the most serious infringements can reach 4% of annual global turnover or €20 million, whichever is higher. Adhering to these regulations demonstrates a commitment to guest privacy and data security, which helps build trust and enhances brand reputation.
Proper data handling, in particular keeping only the data you need for only as long as you need it, limits what an attacker can take in a breach and so protects both the guest and the business from data breaches and the associated liabilities, including the duty to notify the supervisory authority of a breach within 72 hours. See the official EU GDPR text for current details.
Examples
- An American property manager with rentals in Florida receives a booking from a German family. Because the booking is a service offered to people in the EU, the manager is subject to GDPR when handling the family's personal data, such as passport copies collected for ID verification. Such copies should be stored securely and deleted once the verification purpose has been served.
- A host in Italy must obtain explicit, opt-in consent from a guest, via an unticked checkbox on the booking form that is separate from the booking itself, before adding them to a marketing newsletter list. Consent cannot be bundled into the booking terms or pre-ticked.
- A former guest from France contacts their UK-based host and invokes their 'right to be forgotten.' The host must delete all of the guest's personal data from their systems, including backups and any third-party tools it was shared with, unless the host is legally required to retain specific records, for example invoices for tax purposes.
- A host's direct booking website must feature a clear privacy policy and a cookie consent banner that allows visitors to accept or reject non-essential cookies before those cookies are set, with rejecting as easy as accepting.
Frequently asked questions
Does GDPR apply to me if my rental property is not in the EU?
What kind of guest information is considered 'personal data' under GDPR?
What is the 'right to be forgotten'?
How can I obtain valid consent for marketing emails?
Related terms
Privacy Policy
A Privacy Policy is a legal document explaining how a vacation rental business collects, uses, stores, and protects personal data from guests and website…
Cookie Consent
Cookie consent is the process of informing website visitors about the use of cookies and obtaining their explicit permission before storing or accessing data…
Guest Screening
Guest screening is the process of verifying a potential guest's identity and background to assess the risk of property damage, fraud, or rule violations.
PCI Compliance
PCI Compliance refers to the set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information…
