Spain’s DPA fines hotels over scanning guest identity documents
Spain’s data protection authority (AEPD) continues to receive complaints about hotels and accommodation platforms requesting full copies of guests’ ID cards or passports during reservation or check-in. Although the obligation to collect certain guest data and comply with the register of travellers exists, that requirement does not justify collecting more information than strictly necessary. The AEPD reminded establishments that requesting copies or scans of identity documents at reservation or check-in breaches data minimisation principles under the GDPR.
The AEPD recently fined World 2 Meet, S. L. (Iberostar Group’s travel division) €70,000 after a guest reported that the platform required copies of all occupants’ identity documents to complete a villa booking. World 2 Meet confirmed the request was part of its online check-in process and argued it scanned the machine-readable zone (MRZ) to verify identity. The authority found the practice excessive because full ID copies contain more personal data than required—such as photographs, expiry dates and additional identifiers—and increase the risk of identity theft.
The AEPD noted that a copy of the ID does not by itself provide all information required by Annex I of Royal Decree 933/2021 and therefore is not a sufficient or proportionate means to fulfil those reporting obligations. The authority based the sanction on the nature, gravity and duration of the breach, the company’s refusal to accept an alternative means of identification offered by the guest, and the sensitive nature of numeric identifiers that can uniquely identify a person and enable identity fraud if not properly protected.
Although the fine was set at €70,000, World 2 Meet paid €42,000 on 5 August after applying available reductions, an action the AEPD interpreted as recognition of responsibility. The resolution reinforces that accommodation providers must apply data minimisation, accept appropriate alternative verification methods, and implement technical and organisational measures ensuring that only strictly necessary personal data are collected and processed for guest registration and public security notifications.