GDPR for Vacation Rental Owners 2026: What you can and can’t do with guest data

Daniel Herman
Rentlio One
13 min read
Published at: 21/5/2026

In 2022, the Spanish Data Protection Agency fined a hospitality company EUR 75,000. The reason: they were asking guests during online check-in to send photos of ID cards for themselves and all guests in the booking.

In August 2025, the same agency fined World 2 Meet, part of the Iberostar group, EUR 70,000 for the same practice through their online check-in platform. Not a coincidence, not an exception.

When a guest books your vacation rental, you collect their data. When you send them arrival instructions, you use their email address. At check-in, you input data from their ID. During the stay, you may record them with a camera. Their data goes into the local guest registration system (in Croatia, that is eVisitor). Every one of these steps is regulated by GDPR and the Croatian Implementation Act on the General Data Protection Regulation.

Read the blog and learn what you can and cannot do with guest data.

This text is not legal advice. It is a practical guide through all six phases of a guest stay, with concrete rules and tech solutions. For detailed legal consultation, contact the Croatian Personal Data Protection Agency (AZOP) or a lawyer.

Below, we explain what you are allowed to do with guest data through the six stages of a guest stay at your property.

Phase 1: Booking

Everything starts with the booking. The guest books through your website, through Booking.com, Airbnb, or another platform. Already at that moment, you are processing their personal data. The legal basis for all data necessary for the booking is contract (Article 6(1)(b) GDPR), not consent. Without that data the booking would not be possible, so guest consent is neither required nor applicable.

You can ask the guest for this at the moment of booking:

  • Basic contact and stay data: first name, last name, email, phone number, dates of stay, number of guests.
  • Card pre-authorization: allowed, but only through a secure payment processor (Worldline, Monri, Stripe, WSPay, M2Pay, or similar).
  • Billing address: if the guest requests a company invoice, you can ask for the data needed for that purpose.

You can’t do this at the moment of booking:

  • Ask for a photo of the card by email: insecure channel and excessive data collection, especially if it includes the CVV on the back.
  • Ask for a copy or photo of the ID in advance: not necessary for booking, it is enough that the guest shows the document on arrival.
  • Rely on legitimate interest for marketing cookies: for analytics, advertising, and remarketing, you need the guest’s explicit consent, not legitimate interest.

When a guest books through Booking.com or Airbnb, the platform also processes the guest’s data. In legal terms, both you and the platform are responsible for the guest’s data, each for its own processing. Booking.com has its own privacy policy, you have yours, and the guest sees both. When the booking reaches you through a channel manager, that is one more party handling the data on your behalf, and it needs to be covered by a processing agreement like any other processor.

Multiple parties involved in the booking process are responsible for data processing.
The biggest risk during booking is not server security, it is an ordinary email asking for a photo of a card or ID.

Phase 2: Pre-arrival communication

Between booking and arrival, you send the guest information: address, location, parking instructions, house rules, how to unlock the door. If you use self check-in, collecting the eVisitor data already starts here.

A regular email is not a secure channel. Messages go through unknown servers or can end up in the wrong inbox because of a typo in the address. For ordinary communication (house rules, arrival instructions) email is fine because it does not contain sensitive data. The problem starts when you use email to exchange personal data, specifically a photo of the ID, credit card number, or a list of data for several guests in one document.

If you have to send something like that by email (e.g. to a partner who issues invoices for you), protect the document with a password and send the password through a different channel, ideally SMS or WhatsApp. The password and the document it protects must not be in the same message. Use a format that actually encrypts the content (a PDF or archive with AES encryption, not the legacy ZIP password scheme) and a long random password, because anyone who gets hold of the file can try passwords offline with no rate limit.

Legal self check-in works like this:

  • The guest receives a link to a secure form before arrival: use a platform that encrypts data in transit, not a basic Google Form created from a personal Gmail account.
  • The guest enters the data from their document themselves: first name, last name, date of birth, document type and number. No photo, no copy.
  • On arrival, you simply verify the original document: you see the photo, you see the name, you confirm that the data in the form matches. The document stays in the guest’s hands.

This difference between entering and photographing cost EUR 70,000 and EUR 75,000 in two Spanish fines. Asking for a photo of the ID is excessive collection. Asking the guest to enter the data is enough for all legal obligations, including eVisitor.

Some guests do not want to enter data in an online form. That is their right. In that case, agree that you enter the data on arrival. A small loss in speed, but no issue. If a guest also refuses to show the document on arrival, you have the right (and the obligation under the Croatian Tourism Services Act) to refuse the service, because without that data you cannot complete the eVisitor registration.

Legal self check-in means one thing: the guest types in the data, they do not send photos.

Phase 3: Guest check-in

This is the phase with the highest fine risk. All the fines mentioned in the introduction happened right here. It all starts with the wrong assumption: "I need a copy of the ID for security." You don’t. In fact, you can’t.

You can do this at check-in:

  • Ask to see the ID card or passport: you have the right to verify the identity of the person checking in by inspecting the document.
  • Copy down the data needed for eVisitor: first name, last name, date of birth, nationality, document type and number, residence.
  • Use a document scanner: as long as the device does not store an image of the document and only extracts the text needed for registration. Check that the scanning app does not keep the image in a cache or upload it to a vendor cloud service after extraction.
  • Refuse service if the guest will not show a document: without that data you cannot complete the legal eVisitor registration, which is your obligation.

You can’t do this at check-in:

  • Photograph the ID with your phone: not for internal records, not to let the guest pass through faster. Excessive collection, contrary to the data minimisation principle in Article 5(1)(c) GDPR.
  • Keep a copy of the document: not digitally on a laptop, not as a photocopy in a folder, not as a scan in an email mailbox.
  • Store a copy with the claim of consent: consent does not change the fact that the processing is excessive. Consent under GDPR must be freely given, specific, informed and unambiguous, and a guest in the position of "just to get through faster" cannot freely refuse.
This is a mistake vacation rental owners often make.

For eVisitor registration, you do not need the guest’s consent. The registration is a legal obligation under the Croatian Tourism Services Act and the eVisitor regulation, and the legal basis for processing is Article 6(1)(c) GDPR (legal obligation). Consent here is neither required nor applicable.

Identity verification means the following: you see the photo on the document, you see the name, you see the date of birth, you compare them to the person in front of you. If everything matches, identity is verified. You do not need a copy to do this.

For details on eVisitor registration itself, deadlines, and automation, see the complete eVisitor guest registration guide. For a scanner that reads document data without storing the image itself, there is Rentlio DocScan. For full automation of the online check-in process with legal registration, use Rentlio One.

A guest’s consent does not erase the proportionality obligation. If you photograph the ID, it is excessive with consent and without it.

Phase 4: During the stay

The guest is in the property. You may be filming them with a camera in common areas. You may be giving them WiFi access. You may be sending them a "how is everything?" message. All of this is regulated by GDPR. The biggest share of attention here goes to video surveillance, because that is the area where vacation rental owners most often cross the line without realizing it.

Where you can place a camera:

  • Entrances to the building and parking that you own: the legal basis is legitimate interest (protection of people and property).
  • Shared corridors between units: yes, with a mandatory notice before the recording perimeter.
  • Outdoor spaces you own: yard, entrance.

Where you can’t place a camera:

  • Inside individual units: bedrooms, living room, bathroom, kitchen. Never.
  • Toilets, pools, wellness areas: spaces with a reasonable expectation of privacy.
  • Elevators: hard to justify, avoid unless there is a serious security reason.
  • Public areas and neighbors’ properties: streets, parking lots that are not yours, neighboring yards.

A video surveillance notice is mandatory and must be placed before the recording perimeter, meaning before a person enters the area under camera surveillance. The notice must include the name and contact of the controller (your name and company), the purpose of processing, the legal basis (legitimate interest), the rights of data subjects, and a link to a detailed privacy policy. In practice, this is a sticker or a sign at the entrance to the perimeter.

Recordings can be kept for as long as the purpose justifies. In practice that is 1 to 3 months; longer than 3 months is hard to justify. After that, recordings must be automatically deleted. If the camera records in a loop (overwriting), that already solves the problem, provided the loop is no longer than your retention period and any clip you export for an incident is deleted once the incident is closed.

A guest can ask you for a copy of a recording they appear in. You have a legal obligation to respond within one month. You must provide the copy, but you are obliged to protect the identity of other people in the same recording, usually by blurring faces. The right is almost never exercised, but when it is, it must be fulfilled.

Only authorized people should have access to guest data: you and, where needed, your employees. If you use one shared login or an Excel file that everyone sees, that is not a well-designed system: you cannot tell who looked at what, and you cannot revoke one person’s access without changing everyone’s. A proper PMS gives each user their own account with an access level matching their role, and logs who accessed which data and when, which is a big advantage over keeping records in spreadsheets.

Video surveillance is not about where the camera fits. It is about where the notice fits, before the perimeter.

Phase 5: Payment and additional services

When the guest pays, when they book an excursion through you, when you arrange a transfer or something similar, you are again handling personal data. The rules are similar to those for the booking, but there are specifics.

Be careful when handling guests' card payment data.

If you accept card payments, use a licensed payment processor (Rentlio Pay, Worldline, Monri, Stripe, WSPay, M2Pay). They are the controllers for the card data. You see the last four digits and the transaction date, which is enough for the invoice and reconciliation. The full card number and CVV are not in your system, and that is a good thing.

You can’t do this with card data:

  • Store the full card number and CVV anywhere in your system: not in Excel, not in CRM, not in an email mailbox.
  • Send or ask for the CVV by email: the CVV is data that even the payment processor must not store once the transaction is authorized, let alone you.
  • Store bank PDF statements with card data in an unprotected folder: on a laptop, in Google Drive without access controls, on a USB stick in a drawer.

If you offer excursions, transfers, bike rentals, or event organization alongside the accommodation, you usually work with external partners. If the service is included in the package (e.g. breakfast at the neighboring bakery by agreement), the legal basis for sharing data with the partner is contract. You do not need separate guest consent, but the partner must have a contract with you as a data processor. If the service is optional (e.g. an excursion paid separately), the legal basis is consent. The guest must know you are sharing their data with another entity and must agree.

In both cases, the data is not exchanged through a plain email in an unprotected document. If you send a partner a list of five guests with names, phone numbers, and dates of stay, protect the document with a password and send the password through a different channel.

Your accountant is your data processor. You need to sign a contract under Article 28 GDPR (a data processing agreement) with the external accounting service. It is a short contract that defines what the partner can do with the data, how long they keep it, and how they store it. Without that contract, sharing guest data with the accountant is not compliant.

For secure card payments inside the same platform you use for bookings, Rentlio Pay removes the need to copy data manually. For the new fiscalization obligations from 2026 onward, see the text on vacation rental invoices in Croatia.

Cards never in your system, passwords never in the same email as the document they protect.

Phase 6: After departure

The guest is gone. The question is what to do with the data. The rule is simple: you cannot keep data forever, every type has a retention period that derives from a legal purpose. After the period expires, you must either anonymize the data or securely delete it.

Retention periods by data type:

  • eVisitor data: 10 years on your side (eVisitor regulation).
  • Accounting documents: 11 years (Croatian Accounting Act).
  • Contracts and booking data: until the limitation period for claims expires, usually 6 years.
  • Marketing database (newsletter): until the guest unsubscribes.
  • Video surveillance recordings: 1 to 3 months, automatic deletion.

Deletion means actual deletion, not "I removed it from the visible list but the file still exists in the backup". A backup that keeps personal data longer than the prescribed period is also a GDPR compliance problem. Either replay every deletion against your backups, or keep backups for a short fixed window (for example 30 days) so that a record deleted from the live system also drops out of the backups within that window, and write that window into your retention policy.

You can send a newsletter to existing guests based on legitimate interest. For legitimate interest to apply, you need to run and document a balancing test (a simple document that explains why your interest is justified and how it does not harm the guest’s rights). Every newsletter must carry an easily visible unsubscribe link. You cannot send promotional messages to new contacts whose email addresses you collected from business cards without consent; for new contacts you need consent at the moment of collection.

If a guest leaves a written review, you can publish it under the name the guest chose (first name, initials, pseudonym). If you publish photos of guests (e.g. on Instagram), you need their consent. When you publish on Meta platforms (Facebook, Instagram), Meta is legally co-responsible for the data, and the guest must be aware of this at the moment of giving consent.

A guest can ask you to delete their data. The right to erasure (Article 17 GDPR) is not absolute, you can refuse it if you have a legal obligation to keep the data (eVisitor 10 years, accounting 11 years). You must respond within one month, justify your answer, and delete the data you can actually delete.
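The retention periods listed above and the erasure rule in the previous paragraph, worked through as one added Python example (this is not Rentlio’s code and not part of the original article). The periods and the legal-hold rule are taken from the text; the record layout, the category names, and the choice to anonymize rather than delete expired booking records are assumptions made for the example. The sample guests are fictional.

```python
"""Retention purge and Article 17 erasure handling for guest records.
Added example, not Rentlio's code. Retention periods and the legal-hold rule come
from the article; record layout, category names and the anonymise-not-delete
choice for bookings are assumptions made for this example."""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional

# category -> (retention in months, basis, legal hold that blocks erasure).
# None months = no time limit: the record lives until the guest unsubscribes.
RETENTION = {
    "evisitor":   (120, "legal obligation, eVisitor regulation (10 years)", True),
    "accounting": (132, "legal obligation, Croatian Accounting Act (11 years)", True),
    "booking":    (72,  "limitation period for claims (6 years)", False),
    "cctv":       (3,   "legitimate interest, security of people and property", False),
    "newsletter": (None, "legitimate interest, until unsubscribe", False),
}


@dataclass(frozen=True)
class GuestRecord:
    record_id: str
    category: str
    guest_email: str
    reference_date: date  # departure, invoice or recording date: the clock starts here
    personal_fields: dict = field(default_factory=dict)  # direct identifiers in the record


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    next_month = date(year + (month == 12), 1 if month == 12 else month + 1, 1)
    return date(year, month, min(d.day, (next_month - timedelta(days=1)).day))


def retention_expiry(record: GuestRecord) -> Optional[date]:
    """First day on which the record may no longer be kept (None: no time-based expiry)."""
    months = RETENTION[record.category][0]
    return None if months is None else add_months(record.reference_date, months)


def anonymize(record: GuestRecord) -> GuestRecord:
    """Keep the non-identifying part (dates, category) for statistics, drop the identifiers."""
    return replace(record, guest_email="", personal_fields={})


def purge_expired(records, today: date):
    """Scheduled job. Returns (records to keep, [(record_id, action), ...]).
    Expired bookings are anonymised, everything else that has expired is deleted.
    The action list must also be replayed against backups, otherwise the backup
    keeps the data past its retention period."""
    kept, actions = [], []
    for r in records:
        expiry = retention_expiry(r)
        if expiry is None or today < expiry:
            kept.append(r)
        elif r.category == "booking":
            kept.append(anonymize(r))
            actions.append((r.record_id, "anonymize"))
        else:
            actions.append((r.record_id, "delete"))
    return kept, actions


def handle_erasure_request(records, guest_email: str, today: date):
    """Article 17 request. Deletes or anonymises what can go and retains what a
    legal obligation requires (Article 17(3)(b)), with the justification for the
    written reply, which is due within one month (Article 12(3))."""
    outcome = {"respond_by": add_months(today, 1), "deleted": [], "anonymized": [], "retained": []}
    kept = []
    for r in records:
        if r.guest_email != guest_email:
            kept.append(r)
            continue
        _, basis, legal_hold = RETENTION[r.category]
        expiry = retention_expiry(r)
        if legal_hold and expiry is not None and today < expiry:
            outcome["retained"].append((r.record_id, f"{basis}; kept until {expiry.isoformat()}"))
            kept.append(r)
        elif r.category == "booking":
            outcome["anonymized"].append(r.record_id)
            kept.append(anonymize(r))
        else:  # newsletter: treat as unsubscribe; cctv: delete the clip
            outcome["deleted"].append(r.record_id)
    return outcome, kept


# Constructed sample data for the example; the guests are fictional.
TODAY = date(2026, 6, 1)
SAMPLE = [
    GuestRecord("EV-1", "evisitor", "ana@example.com", date(2025, 8, 10), {"name": "Ana K."}),
    GuestRecord("INV-1", "accounting", "ana@example.com", date(2025, 8, 10), {"name": "Ana K."}),
    GuestRecord("BK-1", "booking", "ana@example.com", date(2025, 8, 10), {"name": "Ana K."}),
    GuestRecord("NL-1", "newsletter", "ana@example.com", date(2025, 8, 10)),
    GuestRecord("CAM-1", "cctv", "ana@example.com", date(2026, 5, 20)),
    GuestRecord("BK-2", "booking", "marko@example.com", date(2019, 3, 1), {"name": "Marko P."}),
    GuestRecord("CAM-2", "cctv", "marko@example.com", date(2026, 1, 15)),
]
```

Running `purge_expired(SAMPLE, TODAY)` anonymizes the 2019 booking and deletes the January camera clip, while `handle_erasure_request(SAMPLE, "ana@example.com", TODAY)` deletes the newsletter entry and the recent clip, anonymizes the booking, and returns the eVisitor and accounting records as retained with the legal basis and end date that go into the written reply, which is due one calendar month later. The reply deadline and the retention expiries use calendar months rather than a fixed number of days, so month-end dates clamp correctly.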

Smaller vacation rental owners in Croatia are not required to appoint a Data Protection Officer (DPO). The obligation arises when personal data processing is your core activity on a large scale, which is usually not the case for accommodation with fewer than 10 units. The recommendation is different from the obligation: even if you are not required, appoint a contact person for personal data protection (it can be you), put the contact on your website and in your privacy policy. This gives the guest a channel for exercising their rights and shows that you are organized.

Centralized management of guest data through a PMS system also solves the retention problem, because automated deletion and anonymization policies come with the system, and you do not have to manually track when each piece of data expires.

Deletion means actual deletion, not "I removed it from the visible list but the file still exists in the backup".

Frequently Asked Questions (FAQ)

Can I photograph a guest’s ID card?

No. Photographing personal documents is excessive collection of personal data. For eVisitor registration, only inspection of the document and transcription of the data is needed, not a copy. The Spanish Data Protection Agency fines this practice (EUR 75,000 in 2022, EUR 70,000 in 2025).

How do I run a legal self check-in without photographing the ID?

Send the guest a link to a secure form (for example from Rentlio One) before arrival. The guest enters the data from their document themselves (first name, last name, date of birth, document number). On arrival, you verify the original document against the data in the form. No photo, no copy.

Do I need the guest’s consent for eVisitor registration?

No. The eVisitor registration is a legal obligation under the Croatian Tourism Services Act. The legal basis for processing is legal obligation (Article 6(1)(c) GDPR). Consent is neither required nor applicable.

How long can I keep guest data?

It depends on the data type. eVisitor data 10 years, accounting 11 years, contracts and bookings up to 6 years (limitation period), newsletter database until the guest unsubscribes, video surveillance recordings 1 to 3 months. After the period expires, the data must be anonymized or securely deleted.

Can I rely on legitimate interest for marketing cookies?

No. For all cookies that are not strictly technically necessary (analytics, advertising, remarketing), you need the guest’s explicit consent. Legitimate interest is not a valid legal basis for marketing cookies.

Can a guest ask me for a copy of a video recording?

Yes. The guest has the right to access recordings they appear in. You must respond within one month and provide the copy, with the identity of other people in the recording protected (usually by blurring faces).

Do I need a Data Protection Officer as a vacation rental owner?

Probably not. The obligation to appoint a Data Protection Officer (DPO) exists when personal data processing is your core activity on a large scale, which is not the case for smaller vacation rentals. The recommendation is to appoint a contact person for data protection, even if that is you.

Daniel Herman is a growth marketing enthusiast with 10 years of marketing experience who enjoys thinking strategically and seeing the bigger picture. He writes about everything related to developing marketing activities and KPIs, branding, and taking a long-term approach to success, always with the goal of sharing useful ideas and inspiring action.
