PeteKnight wrote:GDPR Compliance shouldn’t be too much of an issue in this situation, although it does depend to a degree what personal information the police need about each adult. My guess would be that it’s something like:
Gender
Date of Birth
Nationality
Passport or ID Card Number
In that case, the data doesn’t fit into the GDPR ‘Special’ category.
As you’re an organisation of less than 250 employees and the data processing is “occasional” then the restrictions aren’t too onerous.
If you plan on retaining contact information for guests after their stay, and maybe doing occasional marketing emails to them to see if they want to visit again (this includes sending them electronic Christmas cards etc) then they should be given the option to opt out of this type of marketing when they supply the contact information, and on each occasion when you contact them (by telling them how to unsubscribe from future emails).
Once you know the data required by the police, I’d put together a form that needs to be completed by each person aged 16 or over. The form should state:
1) that the data will be shared with the police to comply with the terms of the tourist licence and local legislation
2) that the data won’t be sold or given to any other 3rd parties
3) give them the option to opt-out of future marketing, and if you plan to use various marketing channels (email, SMS, direct mail etc) then give them the choice of how they prefer to be contacted.
4) tell them how to opt-out of future marketing communications.
5) tell them that they have the right to see/review/amend the data you store about them.
Get a signature from each person who completed the form, and you may want to use the opportunity to get them to agree that they will comply with the house and community rules during their stay.
When you do send marketing emails then you should ensure that the recipients of mass emails can’t see each other’s email addresses (by putting the email addresses in the BCC box). You should include a line at the bottom of the email saying “to opt out of further marketing emails please do the following...”. If you plan to do a lot of email marketing then there are some good online email list management products that automatically handle the unsubscribe process for you, as well as tracking dead email addresses and managing email campaigns.
Where people’s data is no longer required to be retained by you (you don’t plan to contact them again and you’re not keeping the data for tax audit or other valid purposes) then you should destroy it securely. It makes no difference if the data is stored in paper or electronic form, the rules about its use and destruction are the same.
The key things about compliance are that:
You only collect relevant data
You tell people how the data is being used
You give people the option to opt-out of marketing
You don’t sell or share the data without the owner’s consent
You keep the data secure
You destroy the data once it is no longer needed
You give People the ability to review and amend their data on request.
Having a simple GDPR policy statement is a good idea. This can just be for your own purposes, but it’s nice to be able to produce it of you’re asked. It’s also a good idea to re-read your own policy statement when you’re about to do a marketing campaign, to remind yourself what your own rules and guidelines are.
Pete.
Hi Pete. Thanks for your input. The details I need to submit to the police are as you mention, i.e. Name, DOB, Nationality, Gender, ID Type/Number/Date of issue. There isnt any problem with this as far as GDPR regs go, the main issue I need to address is that each guest over 16 needs to sign the a form with their personal data on and this needs to be stored for 3 years. As far as I can judge, as long as I have a lockable cabinet, which only us owners and our Property Manager have access to this should comply with the regs.
I have attended a GDPR Webinar and have Privacy Statement already drafted, I am just waiting to get the damn username and password to access the police database to submit the data. Very difficult when even the local authorities don't seem to know anything about it all.
As a footnote we are just a retired couple who rent their holiday home for the summer months, we live there all winter and I have no intention of sending any guests Marketing info or Christmas cards
.