The new European Règlement Générale sur la Protection des Données – called GDPR in the UK – rules are designed to give customers and business staff more privacy and control of online data held on them. Any company or person holding computerised information on people is affected, including those hiring out gîtes.
Information watchdog CNIL polices the regulations in France and has issued a downloadable booklet on the subject to be followed if your small business uses email or has a website. It is in French at tinyurl.com/ybj7urab
It says any business which does not have collecting personal data as its core activity just needs to use common sense to conform... but then gives 59 pages of what to do.
It adds that the key targets are large-scale users – and abusers – of customer data; meaning large businesses and that small businesses should use it as a chance to look at and simplify policies.
In essence, you should keep a simple register of how data is used, let clients know what is done (perhaps on a website information page), react if a customer wants data deleted and inform the CNIL quickly if any data is stolen.
Your register can be a computer data file or stored online, should say what type of information is stored, who accesses it, what the data is used for, if it is passed on to anyone else and why, how long you will keep it for and how it is secured. It should be password protected and you must run and update your antivirus.
You need to tell new clients that you will keep their details for future contacts and, if contacting old clients, update them on the new policy.
Customers must have the opportunity to opt out of their information being stored and you must delete all their records if they ask for this.
To sum up, gîte owners doing business by email, with a dedicated email inbox and associated address book should look to cut down on the data they collect. They must:
- Not collect data about people unless it has a legitimate use – being able to contact people about renting out your gîte is a legitimate use
- Collect only information relevant to the use for which you collect it – collecting date of birth information if you do not offer birthday discounts on your rental is not a relevant use
- Collect only legal information – highlighting race or religion (to refuse a rental) is illegal (and was prior to the new RGDP laws)
CNIL told Connexion French guests may offer their carte d’identité for ID purposes but few details from this can reasonably be kept.
Any security camera footage should be kept safe and only for a limited time then deleted.
Owners with both English and French-speaking customers should use both languages in the Data protection/Politique de confidentialité page on their website but this should be in the simplest terms.
One issue that may arise after Brexit is that if you keep letting details in the UK you must inform clients as with all data stored outside the EU.