Self-Check-In Without a Front Desk: Smart Locks, GDPR, and Guest Registration

No front desk doesn't waive the guest register obligation. What security requirements a good smart lock should meet, what an entrance camera is and isn't allowed to do, and what a GDPR-compliant notice for an online form looks like.
READY-MADE STR DOCUMENTATION
Get compliant in 2 evenings.
CWTON registration without the stress.
Instead of writing documents from scratch (40+ hours) or paying a lawyer (£1,500+), download ready-made templates aligned with Polish STR law and CWTON requirements.
Self-check-in without a front desk: smart locks, GDPR, and guest registration in practice
An electronic lock with a PIN code sent automatically before arrival is now standard in short-term rental, guests don't wait around for the host, and the host doesn't waste time driving over at odd hours. That convenience comes with its own requirements: guest data still has to be collected in line with GDPR, and the lock itself has to meet basic security conditions, so it becomes a safeguard rather than an open door.
Key takeaways
- Self-check-in doesn't waive the obligation to keep a guest register, data has to be collected before handing over access, not after
- An automatically issued PIN code should be unique to each reservation and deactivated right after checkout
- GDPR requires clear information on how long a guest's data (including any footage from an entrance camera) is retained and for what purpose
- A camera pointed at the entrance is allowed, but it can't cover the inside of the unit or shared spaces in a way that infringes on neighbours' privacy
A guest register despite no physical front desk
Not having a front desk doesn't remove the obligation to collect and keep guest data. A guest register, with the name and contact details of the person making the reservation, has to exist regardless of whether the data is collected in person or through an online form before arrival.
A practical setup: an online form sent automatically after booking confirmation, asking the guest to fill in their details before the access code is generated. The PIN code is only released once the form is completed, which naturally enforces a complete register without manual verification from the host.
Electronic locks: basic security requirements
- A unique code for every reservation: the same code used by multiple consecutive guests is a risk, a previous guest, or anyone they shared the code with, could still have access to the unit
- Automatic deactivation after checkout: most smart lock systems let you set an exact expiry time for the code, synced with the checkout time on the booking calendar
- Backup power: an electronic lock should have batteries checked regularly and a physical spare key available to the host in case of electronic failure
- Instructions for the guest in more than one format: a photo of the lock with a step-by-step description, not just the digital code itself, cuts down on "I can't get in" messages in the middle of the night
An entrance camera: what's allowed, and what isn't
A camera monitoring the entrance to the apartment (not the interior) is a common practice that boosts security, but it's subject to specific limits under GDPR and privacy protection rules:
- The camera can't record the inside of the rented unit, that's a privacy violation regardless of the host's intent
- If the camera covers a shared area of the building (stairwell, corridor), it may require the housing association's consent or need to meet additional requirements for monitoring shared spaces
- Information about the presence of a camera at the entrance should be clearly visible (a sticker, a sign) and described in the house rules and pre-arrival information given to the guest
- Footage should have a defined, limited retention period, after which it's automatically deleted, not kept indefinitely
A GDPR notice for self-check-in
The form collecting guest data before the access code is generated should include a short GDPR information clause explaining: who the data controller is, the purpose of collecting the data (guest register, a requirement stemming from accommodation service regulations), how long it's kept, and who it might be shared with (e.g. in the event of an inspection).
Frequently Asked Questions (FAQ)
Can I send the lock code before receiving the guest's full details?
It's better to avoid that. It's worth setting up the process so the code is generated and sent automatically only after the form is filled in, that's a simpler way to ensure compliance than relying on the guest to fill in details "later."
How long should I keep entrance camera footage?
There's no single fixed deadline mandated specifically for this case, but good practice is to keep footage for as short a period as reasonably needed for the purpose (e.g. resolving a security incident), often a few days to a couple of weeks, after which it's automatically overwritten or deleted.
Does an electronic lock need to be certified or registered?
There's no requirement for formal smart lock certification for short-term rental, but it's worth choosing devices from reputable manufacturers with technical documentation, especially for insurance purposes, some insurers may ask about the type of entrance security when assessing risk.
What if a guest loses their PIN code during their stay?
It's worth having a backup procedure ready, an alternative way to contact the host (phone, messaging app) and the ability to remotely generate a new code or unlock the door through an app, if the system supports it.