GDPR and personal data for an outdoor guide

As a guide, you collect a great deal of information about your clients, some of which may be medical in nature. The GDPR and applicable data protection laws govern this reality: understanding the basics lets you act with confidence.

This guide does not replace legal advice. For specific questions (trips, expeditions, working abroad), do not hesitate to consult a legal professional or the resources provided by your professional association or insurer.

What data does a guide collect?

In the course of your activity, you generally collect the following information:

• Identity data: surname, first name, sometimes date of birth.
• Contact details: email, phone, postal address.
• Activity-related data: skill level, experience, goals.
• Insurance data: personal liability insurance, possibly a licence or membership number.
• Health data where applicable: allergies, treatments, conditions to be taken into account, physical limitations.

All of this information falls under "personal data", and health data is considered sensitive data under the GDPR. It requires particular care.

Legal basis and consent

The GDPR requires you to define a "legal basis" for each processing of personal data. For a guide, the main ones are:

• Performance of a contract: necessary to process a booking request, communicate practical information, send an invoice.
• Legitimate interest: for example, keeping a history of your client relationship for proper follow-up (and to some extent, for retention purposes).

For health data, the rule is stricter: processing is in principle prohibited, except in certain cases (vital interest, medical purposes, etc.) or with explicit consent from the individual concerned.

In practice, if you collect health information to adapt the outing and ensure safety (allergies, contraindications, treatments), it is prudent to:

• Limit questions to what is strictly necessary for safety,
• Explain why this information is requested and how it will be used,
• Obtain explicit consent (checkbox, clear statement, electronic or paper signature).

Data retention periods

The GDPR requires that data not be kept "longer than necessary". A few commonly accepted benchmarks (to be adapted with legal advice if needed):

• Client data used for the commercial relationship: for example, 3 years after the last activity, unless there is an ongoing relationship.
• Accounting documents (invoices, supporting documents): often 10 years (legal retention obligations).
• Strictly medical data not needed long-term: shorter duration, or anonymisation as soon as possible.

What matters most is to define clear rules (even simple ones), document them in your privacy policy, and have a practical way to apply them.

Individual rights: access, rectification, erasure

Your clients have rights over their data. They can request:

• Access: to know what data you hold about them.
• Rectification: to correct inaccurate information.
• Erasure: in certain cases, to request the deletion of their data (except where legal obligations apply, such as accounting).
• Restriction or objection to certain uses (for example, commercial prospecting).

In practice, you must inform your clients how to exercise these rights (contact email, form, postal address) and respond within a reasonable timeframe (generally one month).

A privacy policy accessible on your website or sent with your client form is a good way to explain these points.

Security and field best practices

The GDPR also emphasises security. Even without being a technical expert, you can already avoid a number of risks with a few good habits:

• Avoid storing sensitive data in unencrypted emails or on loose sheets of paper.
• Protect your devices (password, PIN code, built-in encryption on modern smartphones).
• Limit data sharing to what is strictly necessary (do not circulate health information).
• Where possible, use tools hosted in Europe with a clear security policy.

In the field, you can also minimise what you carry: for example, only access the information truly needed for the outing (emergency contact, serious allergies), rather than the entire detailed history.

How a tool like GuideMate can help

A specialised tool like GuideMate does not replace your responsibility as a "data controller", but it can help you implement certain best practices more easily:

• Centralisation of client records in a single database,
• Data hosted on European infrastructure,
• Ability to structure what you retain and for how long,
• Clear view of who your clients are, without multiplying scattered files.

The goal is to move from a pile of emails and notebooks to a more coherent system, where you know what you collect, why, where it is stored and for how long.

FAQ — GDPR for an outdoor guide

Can I still use a simple paper notebook?

Yes, the GDPR does not require you to use a digital tool. However, even on paper, you remain responsible for the security and confidentiality of the information (do not leave the notebook lying around, limit sensitive data, destroy old pages that are no longer needed, etc.).

Do I need written consent for all collected data?

Not necessarily. For data required to perform the contract (identity, contact details, practical information), the legal basis can be the contract itself or your legitimate interest. However, for health data, explicit consent is strongly recommended, with a clear statement of the purpose (safety of the outing).

I'm just a "small" guide — does the GDPR really apply to me?

Yes, as soon as you process personal data, regardless of the size of your business. The good news is that simple measures (collect less, store better, inform your clients, delete what is no longer needed) already cover a large part of what is expected.

---

Want to try? GuideMate is free to start — no credit card, no time limit. Data hosted in Europe.