Data protection in the hospitality sector


Data protection in the hospitality sector is an essential aspect of managing any establishment that offers accommodation services, whether hotels, hostels, tourist apartments, or rural lodgings. The requirement to record guests’ identities has been reinforced by Royal Decree 933/2021, which establishes documentary control obligations with the aim of protecting public security and preventing crimes linked to accommodation logistics.

However, this legal obligation must be interpreted together with the General Data Protection Regulation (GDPR), which recognises the fundamental right to the protection of personal data and requires that any processing be lawful, transparent, and limited to what is strictly necessary.

The question is not whether hotels should collect personal data, but how they should do so, what limits apply and which practices must be avoided to prevent infringements.

How hotels should handle data

Accommodation providers are required to collect certain identifying data from their guests prior to the start of the stay, as set out in Annex I of Royal Decree 933/2021. According to guidance from the Spanish Data Protection Agency (AEPD), this information must be collected using a form, either in person or digitally, through which the guest provides only the data required by the regulation.

The GDPR provides that personal data may only be processed where there is a lawful basis justifying it. In this case, the basis is compliance with a legal obligation imposed on the establishment. However, the existence of an obligation does not entitle the controller to request any information it wishes. Under the principle of data minimisation, set out in Article 5(1)(c) GDPR, processing must be limited to the data strictly necessary for the intended purpose. Excessive data collection constitutes non-compliance, even if the guest provides the information voluntarily, because consent cannot be considered freely given where the provision of the service is conditioned on supplying data that are not necessary.

Likewise, identity verification does not require retaining a copy of the identity document. The AEPD indicates that it is sufficient to visually verify that the data provided correspond to the document shown, without scanning or photocopying it. For online check-in, identity may be verified using secure mechanisms such as electronic certificates, validation of payment means, or verification codes sent to the guest’s phone or email.

Once collected, data must be retained only for the period required by the applicable rules and stored with measures that ensure confidentiality, preventing unauthorised access or data loss. The establishment must clearly inform the guest who the controller is, the purpose of collection, the retention period, and the guest’s rights of access, rectification, and erasure, among others.

Data that should not be requested from guests

A frequent question among hotels and lodging providers is whether they may request and retain a copy of the guest’s ID card or passport. According to the AEPD, the answer is clearly negative. The Agency has stated that requesting or keeping a copy of the document infringes the principle of data minimisation, as the document contains information not necessary to comply with the legal obligation, such as the photograph, expiry date, or family-related data. In addition, retaining copies creates an added risk of identity theft that should be avoided.

Therefore, the establishment must not require or store copies of the DNI, passport or NIE, photographs of the document, or any additional data not included among those required by the Royal Decree. Nor should it request information relating to health, religious orientation, ethnic origin, or any other data considered sensitive under the GDPR, as this would constitute disproportionate processing lacking a lawful basis.

The purpose of identification is to confirm the guest’s identity, not to collect more information than necessary. Complying properly with this obligation not only avoids penalties but also conveys trust and respect for customers’ privacy, an important differentiator in a sector as focused on user experience as hospitality.

For all these reasons, hotels must collect identification data because the regulations require it, but they must do so in a proportionate, secure, and GDPR-compliant manner. It is neither necessary nor permitted to photocopy documents or store additional information that is not required. The balance between legal obligation and privacy is attainable if the proportionality required by the GDPR is applied.

At Letslaw, we stay abreast of the applicable regulations and help our clients handle their hotel guests’ data correctly in accordance with the law. Letslaw is a law firm with lawyers specialised in digital law, e-commerce, and advertising law.
