The Association of Scotland’s Self-Caterers (ASSC) has formally written to the City of Edinburgh Council (CEC) to raise concerns about the use of short-term let licensing data in connection with early Visitor Levy engagement.
A number of members in Edinburgh have contacted us after receiving unsolicited emails, and in some cases cold telephone calls, from the council’s Visitor Levy team. These communications confirm that non-public contact details supplied for short-term let licence applications are being used to identify properties presumed to be liable for the levy and to initiate pre-implementation engagement ahead of the levy going live in summer 2026. Some members have also been advised that contact details may be drawn from Non-Domestic Rates records.
Members have reported that the volume and nature of this contact has felt intrusive and disproportionate, particularly where liability has not been confirmed and no prior engagement has taken place. While some have noted that any formal pre-engagement on the Visitor Levy should properly have taken place before 1 October, ASSC’s primary concern is not timing but data governance.
The ASSC is not opposing the introduction of a Visitor Levy at this point. Our concern relates to data protection, transparency and the lawful reuse of regulated data. Personal data provided under statutory regimes such as licensing or rating is subject to strict purpose limitation requirements under UK GDPR. Reuse of non-public contact details for a different statutory function requires a clear lawful basis, transparency at the point of collection and appropriate safeguards.
We have asked the council to clarify the lawful basis relied upon for this data reuse, whether a Data Protection Impact Assessment has been undertaken, and what safeguards are in place to prevent wider function creep. We have also asked that further unsolicited contact with operators is paused until these issues are clarified.
This matter has also been raised with the Scottish Government due to its wider relevance for Visitor Levy implementation across Scotland.
The ASSC will continue to engage constructively to ensure that levy implementation is legally robust, proportionate and based on sound data governance, protecting both operators and public authorities from avoidable risk. Members affected by unsolicited contact are encouraged to keep us informed.
On 18th February, City of Edinburgh Council responded to our letter:
“Thank you for your correspondence of 9 February 2026 concerning the above.
I can confirm that a Data Protection Impact Assessment (DPIA) was completed as part of the development of the Visitor Levy for the City of Edinburgh. This assessment ensured that privacy risks were carefully evaluated and that compliance with data protection requirements was fully considered throughout the process.
I acknowledge your concerns and observations regarding the lawful basis, intended purpose, and compatibility of the data processing activities associated with the Visitor Levy. However, the primary objective of the Visitor Levy is to enhance local services, facilities, and infrastructure that are utilised by visitors to the area. In this context, the Council considers these activities to be undertaken in the public interest, as part of the Council’s power to advance well-being in section 20 of the Local Government in Scotland Act 2003. Consequently, the Council has determined that the appropriate lawful basis for this processing, in accordance with Article 6(1)(e) of the UK GDPR, is that it is necessary for the performance of a public task.
With regard to the compatibility of data processing and the intended purpose, it is important to highlight that Part 6 of the Visitor Levy (Scotland) Act 2024 provides a legislative framework for the management of information related to the Levy. Specifically, Section 73 of the Act authorises the establishment and ongoing maintenance of a register of individuals or entities liable for the Visitor Levy. In addition, Section 74 grants the power to share relevant information as necessary to support the effective administration of the Levy. Within this statutory context, we consider that the sharing of data within the Council—between relevant services or officers—is justifiable, provided that such sharing is strictly relevant and necessary for the fulfilment of the functions assigned to Authorised Officers under the Act. We remain vigilant to ensure that any internal data sharing is limited to what is essential for the performance of these statutory duties.
While we consider that the Council’s privacy notices adequately discharge the Council’s transparency obligations in respect of the processing of personal data, I can also confirm that the Council is currently reviewing privacy information to ensure that the Council’s use of personal data in relation to the Visitor Levy is completely open and transparent. This review is being conducted with the objective of maintaining clarity for all individuals whose data may be processed as part of the Visitor Levy scheme. By regularly examining and updating privacy notices and related documentation, the Council aims to provide assurance that all processing activities are communicated clearly and that data subjects are fully informed about how their information is handled. This commitment to transparency supports the Council’s responsibilities under data protection legislation and ensures ongoing trust in the administration of the Visitor Levy.
Should there be any amendment to the manner in which personal data is processed in relation to the Visitor Levy, the DPIA will be updated accordingly. This revision will ensure that all processing activities continue to comply with our data protection responsibilities and obligations.
I trust you will find this response helpful. However, if you continue to have concerns, you should address these to the UK Information Commissioner – the regulator for data protection matters in the UK.”