Menu
Unmade bed with white sheets and pillows next to a large window. Outside, an urban cityscape with tall buildings and a variety of architectural styles is visible. The scene is bright, suggesting daytime, and the view captures a mix of modern and older structures.

Spains DPA fines hotels over scanning guest identity documents

, , , , , , , ,

Spain’s data protection authority (AEPD) continues to receive complaints about hotels and accommodation platforms requesting full copies of guests’ ID cards or passports during reservation or check-in. Although the obligation to collect certain guest data and comply with the register of travellers exists, that requirement does not justify collecting more information than strictly necessary. The AEPD reminded establishments that requesting copies or scans of identity documents at reservation or check-in breaches data minimisation principles under the GDPR.

The AEPD recently fined World 2 Meet, S. L. (Iberostar Group’s travel division) €70,000 after a guest reported that the platform required copies of all occupants’ identity documents to complete a villa booking. World 2 Meet confirmed the request was part of its online check-in process and argued it scanned the machine readable zone (MRZ) to verify identity. The authority found the practice excessive because full ID copies contain more personal data than required—such as photographs, expiry dates and additional identifiers—and increase the risk of identity theft.

The AEPD noted that a copy of the ID does not by itself provide all information required by Annex I of Royal Decree 933/2021 and therefore is not a sufficient or proportionate means to fulfil those reporting obligations. The authority based the sanction on the nature, gravity and duration of the breach, the company’s refusal to accept an alternative means of identification offered by the guest, and the sensitive nature of numeric identifiers that can uniquely identify a person and enable identity fraud if not properly protected.

Although the fine was set at €70,000, World 2 Meet paid €42,000 on 5 August after applying available reductions, an action the AEPD interpreted as recognition of responsibility. The resolution reinforces that accommodation providers must apply data minimisation, accept appropriate alternative verification methods, and implement technical and organizational measures ensuring that only strictly necessary personal data are collected and processed for guest registration and public security notifications.

  • Save

Related Posts

Share via
Facebook
Twitter
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Copy link
CopyCopied