Why GDPR Applies to Bed and Breakfasts
Running a bed and breakfast means you are in the business of hospitality — welcoming guests into your home, providing comfortable rooms, and serving breakfast each morning. But alongside the warm welcome comes a legal responsibility that many B&B owners overlook: data protection under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
From the moment a guest makes a booking, you begin collecting personal information. Names, addresses, email addresses, phone numbers, dietary requirements, and payment details all constitute personal data under UK GDPR. If your guests include visitors from the European Union, EU GDPR applies in parallel. Either way, as a data controller, you have clear obligations — and the Information Commissioner's Office (ICO) has the power to investigate complaints and issue fines.
The good news is that GDPR compliance for a bed and breakfast is entirely manageable. You do not need a dedicated legal team or enterprise-grade software. You need a clear understanding of what data you collect, why you collect it, how long you keep it, and what rights your guests have.
What Personal Data Do B&Bs Collect?
Before you can comply with GDPR, you need to understand exactly what personal data flows through your business. For a typical bed and breakfast, this includes:
- Booking information: Guest names, arrival and departure dates, room preferences, number of guests in the party.
- Contact details: Email addresses, phone numbers, home or business postal addresses.
- Payment data: Credit or debit card details (usually processed via a payment provider), bank transfer records, or cheque details.
- Dietary and allergy requirements: Information about food allergies, intolerances, or dietary preferences (vegan, halal, kosher, etc.). This is particularly sensitive because it can reveal health conditions or religious beliefs.
- Passport and identity information: For non-UK, non-EEA guests, the Immigration (Hotel Records) Order 1972 requires you to record nationality, passport number, and their next destination.
- CCTV footage: If you have cameras in common areas such as hallways, car parks, or entrances, you are processing biometric and personal data.
- Marketing preferences: Whether a guest has opted in to receive newsletters or promotional emails.
- Website data: If you have a website with a contact form, booking widget, or analytics tools, you are also collecting data about website visitors.
Lawful Basis for Processing Guest Data
Under UK GDPR, you must have a lawful basis for every type of personal data processing. Three are most relevant to bed and breakfasts:
1. Contract Performance
When a guest books a stay, you enter into a contract with them. Processing their name, contact details, booking dates, and payment information is necessary to fulfil that contract. You do not need to ask for separate consent to process this data — the contract itself provides the lawful basis.
2. Legal Obligation
Some processing is required by law. Recording passport details for overseas guests under the 1972 Hotel Records Order is one example. Retaining financial records for HMRC purposes (typically six years) is another.
3. Legitimate Interests
Operating CCTV for security purposes, maintaining records of past guests to improve future stays, and basic fraud prevention can all fall under legitimate interests — provided you carry out a Legitimate Interests Assessment (LIA) and document it.
Special Category Data: Dietary and Allergy Information
If a guest tells you they are coeliac, diabetic, or that they keep halal, you are collecting special category data under Article 9 of UK GDPR. This requires an additional lawful basis on top of your standard one. The most practical basis for B&Bs is explicit consent combined with vital interests where food safety is a genuine concern. Delete dietary information after the guest checks out.
Booking Platforms: Booking.com, Airbnb, and Data Processor Relationships
Many bed and breakfasts use third-party booking platforms. When a guest books through Booking.com, the platform acts as a data controller in its own right. When it passes booking information to you, you become a separate data controller for that data. This means:
- You are responsible for how you handle the guest's data once it reaches you, regardless of how it arrived.
- You must not use the contact details provided by the platform to market to guests outside the booking relationship without their separate consent.
- If a guest submits a data subject access request or erasure request, you must handle their data held by you — you cannot simply point them to the platform.
If you use channel management software or a property management system (PMS), ensure you have a Data Processing Agreement (DPA) in place with that provider.
CCTV in Common Areas
If you have cameras operating in any area where guests or staff might be recorded, you must comply with the ICO's CCTV guidance.
Signage: Display clear, prominent signs at the point where people enter the camera-covered area. The signs should state that CCTV is in operation, identify who is responsible, and provide contact details.
Footage Retention: The ICO recommends retaining CCTV footage for no longer than 31 days in most cases. Implement automatic overwriting where possible.
Access Requests: If a guest submits a Subject Access Request for CCTV footage featuring them, you must respond within one calendar month. Redact footage of third parties before providing it.
Important: CCTV cameras must never be placed in guest bedrooms or bathrooms. This is not just a GDPR issue — it is a criminal matter under the Voyeurism (Offences) Act 2019.
Email Marketing and Return Guest Promotions
Under PECR, you can send marketing emails to previous guests without their prior consent (the "soft opt-in" rule) if:
- They made a booking with you (an existing customer relationship);
- You are marketing similar products or services;
- You gave them a clear opportunity to opt out at the time of booking; and
- You include an unsubscribe mechanism in every email.
For prospective guests who have not yet stayed with you, you need explicit prior consent — an unticked opt-in checkbox on your enquiry form.
Data Retention
Financial Records: HMRC requires retention for a minimum of six years.
Hotel Register Records: The 1972 Order requires records of non-EEA guests to be retained for at least twelve months.
General Booking Data: A reasonable approach for most B&Bs is to retain full booking records for two years and then delete or anonymise them unless accounting obligations require longer retention.
Dietary and Special Requirements: Delete dietary and allergy information as soon as the stay is over. There is no justification for retaining this data beyond the end of the guest's visit.
Data Subject Access Requests (DSARs)
Guests have the right to request a copy of all personal data you hold about them. You must respond within one calendar month at no charge. The data you would typically need to provide in response includes: all booking records, emails or correspondence, CCTV footage in which they appear, and notes about their preferences.
Guests also have the right to request erasure. If a guest asks you to delete their data, you must comply — unless you have a legal obligation to retain certain records. Explain clearly what you have deleted and what you have retained, and why.
Do You Need to Register with the ICO?
Most organisations that process personal data must pay the ICO's data protection fee — currently £40 per year for small businesses (Tier 1). Almost every B&B that uses a computer, email, or any digital booking system will need to be registered. Failure to pay the fee when required is a criminal offence and can result in a fine of up to £4,000.
Practical GDPR Compliance Checklist for B&B Owners
- Register with the ICO and pay the annual data protection fee if required.
- Map your data: List every type of personal data you collect, why you collect it, where it is stored, who has access to it, and how long you keep it.
- Document your lawful bases for each type of processing.
- Write a privacy notice and publish it on your website.
- Review your booking forms: Only collect data you genuinely need.
- Handle dietary and allergy data carefully: Collect it, use it for the stay, delete it after check-out.
- Check your booking platform relationships: Have DPAs in place with any processors.
- Implement CCTV signage at every camera entry point. Set footage to auto-delete after 31 days.
- Review your marketing practices: Ensure you have a lawful basis for every marketing email.
- Set retention periods and delete or anonymise data when no longer needed.
- Prepare for DSARs: Know where all your data is stored so you can respond within one month.
- Secure your data: Use strong passwords, keep software updated, limit access to guest data.
- Have a data breach plan: Report certain breaches to the ICO within 72 hours.
This guide covers UK GDPR and is intended for informational purposes. For specific legal advice, consult a qualified data protection solicitor or the ICO website at ico.org.uk.