You may already be aware that a privacy notice is an essential element when it comes to producing appropriate documentation for a GDPR-compliant website. If you are not sure what GDPR is or need further clarification then see this post.
1. An introduction
2. Who you are
2. What types of data you’re collecting
Now, you should make it clear the types of data you’re collecting, and how you’re collecting it. This could include, for example, names, email addresses, details of bookings, payment details etc.
You may be storing information provided to you directly as well as indirectly. What are the different sources you’ll be collecting this data from? (Personal information coming from other sites, as well as website cookies and social media? It’s important to mention them here)
Perhaps personal information is being passed onto you by third parties (more about that below).
3. The reason for collecting it
What legitimate business reasons do you have for collecting an individual’s personal data?
Be as specific as possible, and detail all of the reasons you need to process the personal data of your guests. (But also don’t be afraid to question it – are you storing any data you DON’T need? Now’s the time to rectify that.)
4. Any third parties involved
Whether you’re sharing any personal data with third parties (your service providers or colleagues, for example) or receiving data for third parties, it’s important to mention them here.
You may also want to reserve the right to disclose personal data to third parties under a couple of special conditions, such as buying or selling business assets (perhaps if you sell properties as holiday lets) or your assets are acquired by a third party.
5. How personal data will be used
You can include things such as sending out emails, keeping a record of your relationship with guests, contacting guests with offers, to meet legal obligations, respond to complaints, and to send any correspondence at all regarding a guests’ stay.
6. How long data will be stored for
You can be specific here, or you can state that you have specific guidelines in place determined by both legal and operational considerations for how long you store personal data associated with your holiday let.
You can also give an example, such as the need to store some information for tax purposes (a fairly common practice).
7. How an individual’s data is protected
Telling potential clients that you care about their privacy and will practice due diligence to protect their personal data goes a long way to providing the necessary reassurance they’ll need to make a booking with you. You may want to mention you use a secure network (if applicable).
You may also want to mention that you’ll never sell an individual’s data to third parties for marketing purposes. That’s usually a big one!
8. The rights of the individual
Ensure potential guests can see their rights, and explain in a little more depth what each one means for them. Their rights are as follows:
- The right to access their personal information
- The right to have incorrect personal information corrected
- The right to restrict use of personal information
- The right to be forgotten
- The right for their personal information to be portable
- The right to object to the use of their personal information
9. How individuals can make data requests
Everyone should be able to make a request to access, amend or have their personal data deleted, so it’s important to tell them how they can do this. Who can they get in touch with?
It may also be worth mentioning that once they get in touch with you, you’ll then have a month to comply.
If you have a website, you may also want to mention cookies and how you collect them. If you use third party cookies from the likes of Google Analytics or any other online app or software that’s helping you learn more about your visitors’ activity, mention them.
Your safest bet is to also link to the privacy policies of these third parties, just to ensure you’re covered.
12. Contact details
Finally, finish off by including your key contact (if you don’t want to use a name, you can say ‘The Data Protection Officer’, postal address, email address and phone number.
Key GDPR resources to keep bookmarked
- ICO (Information Commissioner’s Office, UK): Preparing for the General Data Protection Regulation (GDPR) – ’12 Steps to Take Now’.
- The Full law text: GDPR, dated April 27th 2016
- European Commission Fact Sheet
- DMA UK: All the latest news, updates and webinars relating to GDPR
- Protection of Personal Data (via the European Commission)