For an STR operator, the main impacts are: (1) publish a clear privacy policy, (2) get explicit consent before sharing guest contact info with a third party (cleaner, locksmith), (3) notify any privacy incident to the CAI (Commission d'accès à l'information) within 72 hours if it poses a serious risk.
Reserver.ca operates its own infrastructure (Postgres + Postmark + Cloudflare) and never sends guest data to non-compliant external CRMs. The public privacy policy is reviewed quarterly.
Non-compliance fines are substantial: up to CA$25M or 4% of worldwide revenue, on par with European GDPR.