The Bed & Breakfast Association "Rive d'Abruzzo" of Roseto asks me, in my capacity as a privacy practitioner, if there is any action to be taken by member facilities in view of the full operation, in the Italian legal system, of the European Regulation 2016/679 as of next May 25.

In this regard, I think it can be said that the management of a B&B, despite the fact that in the light of current law it is not an activity that is carried out professionally (the law stipulates that this kind of tourist accommodation, which offers occasional hospitality or for recurring seasonal periods using part of the dwelling, "does not constitute the exercise of entrepreneurial activity"-in fact, registration in the business register is not required), nevertheless is somewhat affected by the changes made by the new privacy legislation.

PREMISE. To frame the problem, I specify in the introduction that in the specific case of B & B management, at least for the vast majority of cases, only the common personal data of those who ask for availability of accommodation, or of those who then become guests of the house (first name, last name, date of birth, social security number, telephone and email address, details of an identity document in case of overnight stay) are processed, with the sole exception of cases in which a handicapped person is hosted: on that occasion, in order to exempt the guest from the payment of the tourist tax, it is necessary to collect (and transmit to the municipality) a special declaration (complete with consent) on a form provided by the municipality itself. Minors are accepted only if accompanied by their parental authority or guardian, and their data are processed by the B&B manager. The data are then sent - online - only to the Public Administration (to the Municipality and the Region for statistics, to the Ministry of Interior for security) and not profiled.

1. SECURITY. First of all, in my opinion the adoption, in this specific case by the B&B operator, of the simplified security systems provided for by the Privacy Code currently in force (until May 25), which probably every accommodation facility already has, is confirmed, and therefore:

(i) identification code that uniquely identifies one person (username)

(ii) password of at least 8 characters, which contains no traceable references to the person accessing the data, to be changed every 6 to 3 months, and to be known only to the person accessing the data

(iii) periodic updates of antivirus and those electronic programs that protect data from intrusion.

On this issue, therefore, it does not seem to me that the Regulations hold any particular novelties or pitfalls.

2. DISCLOSURE. Instead, I believe that the disclosure should be updated to the requirements of the new legislation (see list in Art. 13 of the European Regulations) and that said informative should be displayed on the premises where the guest is received; but above all, it is important that this document should benefit from a special space dedicated to it, very well stated and accessible, on the B&B's website; with regard to this, I have elaborated the explanatory document that I reproduce at the bottom, following this exposition, referring to it for the few instructions for the use of the informative and for the contents that the same, again in my opinion, should enclose. I ask that everything in it be carefully reviewed so that concrete and normative practice is consistent.

3. PROCESSING REGISTER. Finally, I remain persuaded that in this, as in almost all cases of implementation of the new privacy legislation, it is necessary for the B&B manager to adopt the Register of Processing (electronic or paper), where the data referred to in Article 30 of the European Regulations, which can be summarized as follows:

(i) identification of the personal data controller,

(ii) description of the processing carried out and what the purposes of the processing are, list of the categories of personal data processed and the categories of data subjects, and any third party recipients of the personal data processed,

(iii) the retention time of personal data processed,

(iv) a description of the security measures taken to prevent the risks of destruction or loss, including accidental loss, of personal data processed or unauthorized access.

Regarding the adoption of the Register of Processing, I actually believe that the last paragraph of Article 30 of the European Regulation leaves no choice, and that it obliges all operators to equip themselves with said register: in fact, the norm contains such an extensive list that the exceptions in my opinion will be able to be counted. I also understand that the Italian Privacy Guarantor has prudently pronounced himself in the sense of hoping that with the advent of the new legislation all those involved will equip themselves with the register, not least because in the case of controls of any kind the consultation of a document like that makes everything easier for those carrying out the controls.

Fernando Rubino

Data protection specialist

and Data Protection Consultant



Yes, I have read the information on the processing of personal data

N.B.: In compliance with the current legislation on the processing of personal data, your message can only be sent if you declare that you have read the information on the processing of personal data.


It is understood that the sending of the message concerning the availability request or reservation is conditioned not only by entering in the appropriate way the mandatory data concerning the request, but also by the affixing of the "flag" within the square placed next to the above expression]




In light of the European legislation set by the EU Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the free movement of data (hereinafter EU Regulation), we inform you that your data will be processed exclusively for the purpose of following up on your request regarding the execution of pre-contractual measures, and possibly fulfilling Contract obligations.

In this regard, we provide you with the following additional information:

Personal Data Controller

The data controller of your personal data pursuant to and in accordance with the EU Regulation is...................................................................., in its capacity as Manager of the B&B....................................................................., located in ..................................................................., street.......................................................................... n..........., email........................................................, tel.................................................

Purpose of personal data processing

The purposes of the processing of your personal data are related to the fulfillment of obligations related to the negotiation and pre-negotiation relations with you; the data will also be processed for purposes related to the management of an effective business relationship, such as:

  1. For freely disclosed data entry into the computer records of the receiving facility,
  2. For proper bookkeeping,
  3. For credit protection,
  4. To comply with tax regulatory requirements.

Disclosure of personal data to third parties

Your data may be disclosed to:

  1. employees or collaborators who need to handle data for the proper management of contractual relations, to the extent strictly relevant to the above purposes;
  2. Companies or other legal entities, qualified in the field of information technology, whose cooperation is used by the B&B Manager;
  3. Companies or other legal entities whose activity is aimed at accounting, tax and administrative management of the contract, as well as credit protection and other related activities; these entities will manage the data on the basis of negotiated acts, suitable to ensure the obligation of confidentiality and fairness in the processing of data and may communicate the data collected to the extent that this is functional for the execution of the contract,
  4. Banking institutions in charge of collections and payments;
  5. Bodies of the Public Administration, for the performance of their institutional duties in implementation of legal provisions.

Transfer of personal data to states outside the European Union

Your data may not be transferred to a country outside the European Community or an international organization outside the EU.

Period of retention of personal data

Your data will be retained for a period of time appropriate for the fulfillment of the purposes of the processing of personal data outlined above; in particular, the criteria of conduct in relation to the period of time of retention of personal data will refer exclusively to the need to retain your data as long as there is a justifiable interest, related to the achievement of the purposes for which they were collected and processed.

Right of access to one's personal data

At any time you may exercise, with regard to the Data Controller, the right to request access to your personal data, their rectification or erasure or the restriction of the processing concerning you, as well as the right to data portability. In addition, you may at any time exercise the right to lodge a complaint with the Data Protection Authority.

Automated decision making

The processing of personal data referred to herein will not besubject to automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the EU Regulation.

Data Security

Finally, the B&B Manager, as identified above as the Data Controller of your personal data, assures you that the data collected for the purposes referred to in this statement will be processed with and without the aid of electronic means, adopting organizational, physical and logical measures suitable to guarantee their security and confidentiality, in accordance with the principles of lawfulness, correctness and transparency established by the European legislation on the processing of personal data of natural persons and the free movement of such data.