Guide to GDPR for vacation rentals
The General Data Protection Regulation (GDPR) is a new European Union regulation that defines how companies should protect the personal data of their clients.
GDPR establishes a common framework for safeguarding the right to the protection of personal data. It affects vacation rental agencies, property managers and other companies as it must be followed by all the Member States of the EU.
Until now, the legal reference on this topic in Spain was the LOPD (Law on Data Protection), which establishes a set of principles, rights and duties that organisations must abide by. Now both standards, LOPD and GDPR, will coexist. In terms of application, the 25th of May is the date when the regulation comes into effect, and it is the deadline for all companies to adapt their storage systems and policies.
What does the new regulation change?
One of the most important changes that the new European Data Protection Regulation brings is that the consumer must give explicit consent for a company to use their personal data.
Under the Spanish LOPD, tacit consent was enough, but under the new GDPR acceptance must be explicitly expressed each and every time the company wishes to use the data for a different purpose. To guarantee compliance with this standard, the data controller must be able to prove that the data owner has allowed them to process their personal information.
According to the new standards, more data will be protected, such as information obtained from the person when using a service or device (search history, location etc.).
As the definition of personal data is now much broader, there are new rights to be considered:
- Right to limitation: the interested party may request a restriction on the processing of their data. In this case, the data can only be processed if this has been agreed with the interested party.
- Right to portability: the interested party has the right to receive the data with the objective of transmitting it to other parties.
- Right to suppression and to be forgotten: the interested party can request that personal information that is considered outdated or not relevant is deleted, blocked or suppressed.
Another important issue expressed in the new regulation is that a Data Protection Officer (DPO) must be designated. The DPO’s mission is to guarantee the correct application of the legislation, as well as to oversee the adequate management of the data processing carried out within the organization in which s/he holds that position.
The GDPR confirms the existing obligation to create an independent control authority at the national level, which establishes mechanisms to achieve a coherent application of data protection legislation across the EU.
In Spain, the control authority is the Spanish Agency for Data Protection (AEPD). Besides the AEPD, there is also the Basque Agency of Protection of Data (AVPD) and the Catalan Autoritat de Protecció de Dades (APDCAT).
The GDPR establishes that each member state can have one or more Control Authorities who are in charge of supervising the application of the new regulation within their territory.
If there is more than one authority, as is the case in Spain, the member state has the power to determine which of the various authorities is designated to represent it and to be part of the European Data Protection Council.
Avantio & GDPR
Avantio is dealing with the new data protection law with the help of an auditing and consultancy service in order to comply with the conditions imposed by the GDPR. The new regulation helps us to improve the level of protection, giving security and greater control over the personal data of the users.
As the development of new devices and new technologies affects the private sphere of their users, an improvement in the legislation is necessary. It helps companies to be more transparent and generate more confidence.