GDPR in Short-Term Rental - What Guest Data Can You Collect?

Collecting personal data from guests? You need a legal basis and a privacy notice. Here is a practical GDPR guide for hosts.
GDPR in Short-Term Rental - How to Legally Collect and Process Guest Data
Every host renting an apartment short-term collects guest personal data. Name, surname, phone number, email address, and often also ID or passport number. All this information falls under GDPR - the General Data Protection Regulation. Violating these rules can result in fines up to 20 million euros. In this article, you'll learn how to properly process guest data and avoid problems with the Data Protection Authority (UODO).
What Personal Data Do You Collect as a Host?
Before we get to the obligations, it's worth recognizing how much personal data you process as part of short-term rental. Here are the typical categories:
Identification Data
- Name and surname - basic booking data
- Identity document number - ID card or passport, required for guest registration
- PESEL number or date of birth - required for foreign guest registration
- Citizenship - recorded for foreign guests
Contact Data
- Phone number - for guest communication
- Email address - from the booking platform or direct
- Home address - e.g., for invoicing
Financial Data
- Invoice data - tax ID, company name
- Payment information - payment method, deposit
Monitoring Data
- Camera recordings - if you use exterior surveillance
- Access logs - from electronic locks (smart locks)
Legal Basis for Data Processing
GDPR requires that all personal data processing has a specific legal basis. For short-term rental, you have several bases available:
Contract Performance (Art. 6(1)(b) GDPR)
This is the most common basis for processing guest data. An apartment reservation is a contract - to perform it, you must process guest data such as name, surname, contact details, and payment information. On this basis, you can process data necessary for:
- Fulfilling the reservation and stay
- Guest communication before, during, and after the stay
- Payment settlement
- Issuing invoices
Legal Obligation (Art. 6(1)(c) GDPR)
Some data must be collected due to legal obligations:
- Guest registration - the Population Registration Act requires temporary registration
- Foreign guest registration - obligation to report to the Foreigners Office within 48 hours
- Tax obligations - storing data for tax settlement purposes
- Tourist fee - if applicable in your municipality, you must record guest data
Legitimate Interest of the Controller (Art. 6(1)(f) GDPR)
This basis can be used in limited cases:
- External video surveillance (property protection)
- Pursuing claims (e.g., for damage)
- Post-stay contact for reviews
Consent (Art. 6(1)(a) GDPR)
Use consent only when you have no other legal basis, e.g.:
- Sending newsletters with offers
- Direct marketing
- Processing data for purposes beyond fulfilling the reservation
Remember that consent must be voluntary, specific, informed, and unambiguous. You cannot make the reservation conditional on consenting to marketing.
Privacy Notice - What Must You Tell Guests?
GDPR requires you to inform guests about processing their data. The privacy notice must include:
- Controller data - your name, surname (or company name), address, contact details
- Processing purposes - what you use the data for (reservation fulfillment, registration, tax reporting)
- Legal basis - on what basis you process data (contract, legal obligation, consent)
- Data recipients - who you share data with (booking platform, tax office, accounting)
- Retention period - how long you store data
- Guest rights - right of access, rectification, deletion, restriction of processing, portability, objection
- Right to complain - information about the ability to file a complaint with UODO
- Voluntariness information - which data is required and which is optional
How to Deliver the Privacy Notice
You can deliver the notice to guests in several ways:
- In a pre-arrival message - email with booking confirmation
- In the property rules - available before booking and on-site
- In paper form - in the welcome booklet in the apartment
- On your website - in the privacy policy section
Guest Register - How to Maintain It in Compliance With GDPR
What Is the Guest Register?
The guest register (stay record) is a document in which you record the data of guests using the apartment. The obligation to maintain it may arise from the registration requirement or from your own organizational needs.
What Should It Contain?
Minimum data in the guest register:
- Guest name and surname
- Identity document number
- Check-in and check-out dates
- Citizenship (for foreigners)
Format
The guest register can be maintained in:
- Paper form - traditional bound register, stored in a secure place
- Electronic form - spreadsheet or dedicated application
Regardless of format, you must protect the data appropriately from unauthorized access. For a paper register, this means storage in a locked drawer or safe. For an electronic register, it means access passwords, encryption, and regular backups.
Data Retention Period - How Long Can You Keep Guest Data?
GDPR requires storing data only for the period necessary to fulfill processing purposes. Here are approximate periods for different data categories:
- Reservation data - until end of stay + statute of limitations for claims (3 years, in some cases 6 years)
- Tax data - 5 years from the end of the tax year in which the tax obligation arose
- Registration data - according to Population Registration Act requirements
- Surveillance recordings - maximum 30 days (unless they serve as evidence in proceedings)
- Marketing data (consent-based) - until consent is withdrawn
After the retention period expires, data must be permanently deleted or anonymized.
Guest Rights Regarding Their Data
Guests have several rights under GDPR that you must respect:
Right of Access (Art. 15 GDPR)
A guest can request information about what data you process, for what purpose, and with whom you share it. You have 30 days to respond.
Right to Rectification (Art. 16 GDPR)
A guest can request correction of incorrect or incomplete data.
Right to Erasure (Art. 17 GDPR)
The so-called right to be forgotten. A guest can request deletion of their data, but you don't always have to comply - e.g., if the data is needed for tax obligations.
Right to Restriction of Processing (Art. 18 GDPR)
A guest can request restriction of data processing in specific situations, e.g., when they contest the accuracy of data.
Right to Object (Art. 21 GDPR)
A guest can object to data processing based on the controller's legitimate interest, including direct marketing.
Video Surveillance (CCTV) - Special Rules
More and more hosts install exterior cameras at the apartment entrance or on the property. Video surveillance is subject to special GDPR rules:
Where Can You Install Cameras?
- Allowed: building entrance, parking lot, garden, stairwell (with housing community consent)
- Prohibited: apartment interior, bathroom, bedroom, guests' private spaces
Surveillance Obligations
- Mark the monitored zone with information signs
- Provide information about the data controller and surveillance purpose
- Retention period for recordings - maximum 30 days
- Secure recordings from unauthorized access
- Include surveillance in the privacy notice
Platforms and Surveillance
Important: platforms like Airbnb and Booking.com have their own surveillance rules. Airbnb requires disclosure of all recording devices in the listing. Hidden surveillance is strictly prohibited and can result in account removal.
Data Breach - What to Do
If a personal data breach occurs (e.g., guest data leak, laptop theft with data, unauthorized access), you have the following obligations:
Report to UODO
If the breach may risk guests' rights and freedoms, you must report it to the Data Protection Authority (UODO) within 72 hours of discovering the breach.
Notify Guests
If the breach may pose a high risk to guests' rights and freedoms (e.g., identity document number leak), you must directly notify the affected individuals.
Breach Documentation
Regardless of whether you report the breach to UODO, you must maintain a breach register describing the circumstances, consequences, and remedial actions taken.
Practical Tips - How to Be GDPR Compliant
- Prepare a privacy notice and include it in your property rules and guest communications
- Collect only necessary data - don't ask for more than you need
- Secure data - computer passwords, encrypted disk, locked drawer for paper documents
- Set retention periods and regularly delete unnecessary data
- Maintain a processing activities register - even if you're not formally required to, it's good practice
- Train co-workers - if someone helps you with guest services, they need to know how to handle data
- Sign data processing agreements - with entities you share data with (cleaning company, accounting, management company)
- Respond to guest requests - if a guest asks for data access or deletion, act quickly
Data Processing Agreements
When Do You Need a Processing Agreement?
If you share guest data with other entities that process it on your behalf, you must enter into a data processing agreement. This particularly applies to:
- Cleaning company - if they have access to the guest register or contact data
- Accounting firm - processes guests' financial data (invoices)
- Property management company - if you've delegated guest services
- Software provider - channel manager, booking system, CRM
- Hosting company - if you run a website with a booking form
What Should the Processing Agreement Contain?
The agreement must specify the subject and duration of processing, the nature and purpose of processing, types of personal data and categories of persons, controller obligations and rights, and processor obligations regarding data security. The processor must guarantee appropriate technical and organizational measures ensuring data security.
Booking Platforms and GDPR
Who Is the Data Controller - You or the Platform?
This is an important question because it determines the scope of your obligations. With platforms like Airbnb or Booking.com, the situation is as follows: the platform is the data controller for the booking and payment process, while you are the data controller for the guest's stay, registration, additional information collected directly from the guest, and any surveillance. In practice, this means you have your own GDPR obligations regardless of what the platform does. You can't rely solely on Airbnb's or Booking.com's privacy policy.
Platform Data and Your Obligations
When a guest makes a reservation through a platform, you receive their contact data. From that moment, you become a co-controller or independent controller of that data. You must inform the guest about processing data in the context of the stay, ensure security of received data, and not use it for purposes the guest didn't consent to, such as adding to a newsletter without consent.
Penalties for GDPR Violations
The consequences of GDPR non-compliance can be severe:
- Administrative fines - up to 20 million euros or 4% of annual turnover (for large entities)
- Fines for individuals - UODO also imposes fines on individuals running rentals; fines to date have reached tens of thousands of PLN
- Civil damages - guests can seek compensation for data breaches
- Reputation loss - negative reviews and loss of guest trust
Summary
GDPR in short-term rental is a topic that can't be ignored. As a host, you process guest personal data and must do so in compliance with the law. Key elements include: a proper privacy notice, collecting only necessary data, appropriate security, observing retention periods, and respecting guest rights.
Well-prepared GDPR documentation not only protects you from fines but also builds guest trust and demonstrates professionalism.
Don't want to search for templates and regulations on your own? The HostReady Package includes complete documentation, fill-in templates, and checklists - ready to use right after purchase.