GDPR for hotels, pensions, apartments and other accommodation facilities

What is GDPR?

GDPR is an EU regulation on personal data protection. It requires personal data processors (controllers and processors) operating in the EU to take appropriate technical and organizational measures against the risks of personal data processing.

Does GDPR apply to me and my accommodation?

If you do business in the EU market and store personal data, yes. But there is no need to worry about any drastic measures or costs.

Do I have to have consent from my guest to store personal data?

You don't have to. When ordering or booking accommodation, you have a legal reason to keep the necessary personal data of the customer without consent. You need personal data to fulfill the contract between you and the guest and also to fulfill the legal obligations arising from the Act on Local Fees and the Act on the Residence of Foreigners in the Czech Republic. However, you should inform guests about the privacy policy.


You can find a sample policy here, for example.

In Trevlix, you can enter policies here:

privacy policy

If you want to require consent "for your well-being", you can check the "require consent" button. But from a GDPR point of view, this is not necessary.

Can I save any data?

No. In particular, you can store personal data that you need for legal reasons (including, for example, date of birth, contact details, address). However, we recommend that you avoid sensitive personal information such as religion, race, sexual orientation, or medical condition.

What measures should every company take to meet EU GDPR requirements?

There is no single procedure for putting GDPR requirements into practice, but here are a few points that every company should pay attention to when complying with GDPR:

1. List of activities performed

If you want to be well prepared for a possible (although due to the number of inspectors in the whole Czech Republic very unlikely) inspection, write down all the steps performed below in a simple way in points and create your "GDPR component". In it you will have records of all measures taken for possible inspection. The control body in the Czech Republic is the Office for Personal Data Protection.

2. Do I inform about the Privacy Policy on my website?

This is the most visible point of all. It tells guests and potential supervisors that you take data protection seriously. If you do not already have a Privacy Policy on the website, complete it. You will find a sample policy and how to embed it in Trevlix (and thus in your website) above this text. Verify that the policy is indeed appropriate for your situation. It's not unnecessary work, if you start the payment gateway, they will probably require you to publish the policy before activating the payment gateway.

3. Where within the company do we store personal data (electronic and paper)?

Make a list of all places where personal data is stored within the company (computers, laptops, servers, smartphones, folders, lockers,…).

4. Is personal data sufficiently protected against loss or destruction?

If not, take appropriate measures, such as installing antivirus and backing up regularly to external disks or remote storage.

5. Is personal data sufficiently secured against data leakage?

Consider all places where personal data is most likely to leak.

For example: Do you have strong enough passwords to log on to computers? Do you store passwords securely (eg using secure password management applications)? Is written personal data securely stored in a lockable cabinet? Are computers with personal data located in a locked room or are they always secured with a password? Do you dispose of personal data carriers (disks, media, documents) in such a way that data cannot be recovered and leaked? If not, take appropriate measures.

6. Who has access to personal data in the company?

Write down who in the company has access to what personal data (electronic and paper). Verify that the person's access to the data is necessary. If not, provide access only for authorized persons. If so, inform the person about the principles of handling personal data.

7. Do I pass on personal data to other entities to process it for me?

One of the main reasons for the creation of GDPR was the prevention of trading in personal data. Never pass on personal data to anyone who does not need it. Do you pass on personal data, eg to an accounting firm, a transport service, an online service provider, a web hosting company, a cloud service, etc.? If so, the EU GDPR Regulation obliges you to conclude a processing contract with all entities. You can find ours below under this downloadable article.

8. Do I use customers' personal data for marketing purposes?

For example, do you send newsletters? Opinions on the interpretation of this area differ perhaps the most. It is ideal if you have a voluntary demonstrable consent to receive newsletters for each recipient. Also make sure that each newsletter contains a link to unsubscribe from the newsletters and that the unsubscription takes place immediately and has a lasting effect (eg this recipient will no longer be able to be entered into the database by mistake).

9. Rules for deletion and correction of personal data

Can you arrange for the deletion of personal data in the company if they are no longer needed or on the basis of revoking the person's consent, unless there is a legal reason to retain the data? (For example, in the case of an order, you have a legal reason to keep the necessary personal data of the customer even without consent.) Can you delete personal data in all electronic and paper forms? Can you edit personal data? If not, take the necessary measures.

10. Do I store personal data for which I do not have consent or a legal reason?

Delete personal data for which you do not have a legal reason or a verifiable consent of the person.

Conclusion: Do I need to be afraid?

The above information summarizes our views on the implementation of GDPR obtained by studying the laws and various information sources. Maybe some of the measures seem a bit exaggerated. Experience shows that there is no big hunt for the few small business inspectors who process their customers' personal data. After all, the Office for Personal Data Protection has made it clear that it does not intend to bulge or bully anyone unnecessarily. When you handle personal information securely, do not sell it to anyone and do not repeatedly harass someone who is not interested in the services, there is no need to worry unnecessarily 😉

pdfSmlouva o zpracování osobních údajů [pdf, 47 kB] - GDPR zpracovatelská smlouva pro uživatele systému Trevlixu