
The AEPD Reports That Requesting a Copy of ID Card or Passport at Accommodations Is Not Permitted
The Spanish Data Protection Agency (AEPD) has issued a clarifying note on the application of Royal Decree 933/2021, commonly known as the “Traveler Registry,” which establishes the obligations for documenting and reporting information of individuals or legal entities engaged in accommodation activities. In this note, the AEPD emphasizes that requesting a copy of the ID card or passport of guests is not permitted, as it violates the principle of data minimization and involves excessive processing of personal information.
Prohibitions Regarding the Identification of Clients in Tourism
Royal Decree 933/2021 aims to protect people and property and maintain citizen tranquility, given the special relevance of accommodation logistics in the modus operandi of criminals. However, the AEPD has identified that requesting copies of identity documents exceeds what is necessary to fulfill this purpose.
The GDPR, in its Article 5.1.c), establishes that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (the principle of data minimization). Requesting a copy of the ID card or passport implies collecting additional data that is not required by the regulations, such as the photograph, document expiration date, CAN, or parents’ names.
Providing a copy of personal documentation implies an unnecessary risk of identity theft, which must be avoided or, at least, effectively mitigated.
Sending a copy of the document does not allow the person’s identity to be verified with certainty and, therefore, is not a suitable means of fulfilling the purpose of the rule. Furthermore, the ID card does not contain all the information requested in Annex I of Royal Decree 933/2021, so, by itself, it is not a valid resource to comply with the aforementioned rule.
AEPD Sanctions for Non-Compliance with Data Protection
Non-compliance with data protection regulations can lead to significant economic and reputational sanctions for accommodation establishments. The AEPD has the power to impose fines that vary depending on the severity of the infraction, potentially reaching up to 20 million euros or 4% of the company’s global annual turnover, as established in the GDPR.
In addition to economic sanctions, companies that fail to comply with the regulations may face:
- Warnings: formal warnings from the AEPD to correct irregular practices.
- Obligation to notify interested parties: if a security breach occurs that affects the personal data of customers, the company is obliged to notify the interested parties and the AEPD.
- Reputational damage: negative publicity derived from a sanction by the AEPD can damage the image and reputation of the company, which may affect its business.
How Should Hotels and Accommodations Register?
The AEPD proposes that accommodation establishments use a form to collect exclusively the data required in sections A.3 and B.3 of Annex I of Royal Decree 933/2021. This form can be completed online or in person at the accommodation.
The data to be collected is as follows:
- Type of identity document: DNI, passport, NIE, etc.
- Identity document number.
- First name and last name.
- Date of birth.
- Nationality.
Data Authentication:
- In cases of in-person collection, it may be sufficient to visually verify the correspondence between the data provided and the identity document shown.
- In the case of online data collection without in-person assistance, this verification can be done through mechanisms such as digital certificates. It is also possible to verify that the data and information provided match the data associated with the payment method used. Similarly, among the possible measures, security codes sent to the phone numbers or email addresses of the guests required to identify themselves can be used as authentication factors.
It is essential that hotels and tourist accommodations review their data collection procedures to ensure compliance with the GDPR and avoid possible sanctions. The AEPD does not rule out the existence of other valid procedures to comply with these obligations, whose compatibility with the GDPR must be evaluated, in any case, by the data controller.
At Letslaw, we are expert lawyers in digital law, so we can advise you on everything you need.

María Manrique is a lawyer specializing in digital law, data protection and telecommunications law.
She holds a law degree from the Universidad Complutense de Madrid and is currently pursuing a master's degree in telecommunications, audiovisual and information society law at the Universidad Carlos III. She advises on e-commerce, digital advertising, artificial intelligence, NFTs and blockchain, with an adaptable and proactive profile in technological environments.





