Wednesday, 27 August 2025, 11:06
Spain’s data protection agency (AEPD) keeps receiving complaints concerning hotels and accommodation providers asking for a full copy of the guest’s ID card or passport to formalise their reservation or check-in process. Despite the countless and substantial fines that this body is imposing, some establishments still request a copy or scan of the identification documents from their customers.
The obligation of any accommodation establishment to collect certain customer data and comply with the new register of travellers does not give carte blanche to collect more information than necessary. The Spanish data protection agency (AEPD) has reminded hotels of the ban to request a copy of the customer’s ID card or passport during the reservation, as well as to scan their identity document when they arrive at the hotel and check in.
The latest sanction, amounting to 70,000 euros, was imposed on World 2 Meet, S. L. – the travel division of the Iberostar Group. The sanctioning procedure was initiated on 18 July. According to the resolution, the incident occurred when the affected party booked a World 2 Meet villa. At this point, the platform asked all guests for a copy of their identity document in order to register them, which they considered to be an “excessive” request for data.
The customer complained that they had provided the details of their respective identity documents, but that World 2 Meet insisted on requesting a full copy of the ID card of each of the guests, claiming that this was necessary to process the registration and make the appropriate notifications to the Guardia Civil. However, the complainant reiterated that it was sufficient to send the information contained in these identity documents and that it was not necessary to send the copy.
Online check-in
After being warned by the data protection authority, World 2 Meet confirmed that this request was indeed made for the purpose of online check-in. “In order to verify the veracity of the information provided by the guests and to validate their identity, an image of their identity document is requested during the online check-in process.”
World 2 Meet explained that the verification of the guest’s identity is done “by scanning the machine readable zone (MRZ) code that all ID documents include”. “The data obtained from the MRZ is automatically transferred to the entry ticket, allowing the guest to continue to fill it in and sign it (…),” the company said.
However, the data protection authority stated that requesting a copy of the DNI (Spanish ID) or passport violates the principle of data minimisation set out in Article 5(1)(c) of the GDPR and involves excessive processing of data. “This is because the full ID contains more data than is required under the applicable rules, such as the photograph, the expiry date of the document, the CAN or the name of the parents. Also, providing a copy of personal documentation implies, among other things, an unnecessary risk of identity theft, which should be avoided or at least effectively mitigated.”
The AEPD also warns that the ID document does not contain all the information requested in Annex I of Royal Decree 933/2021 and, therefore, on its own, is not a valid resource for complying with the aforementioned regulation. In this regard, it should be noted that the purpose of Royal Decree 933/2021 is “the protection of persons and property and the maintenance of public peace of mind”, given the “special relevance” of the logistics of accommodation “in the modus operandi of criminals”. Sending a copy of the document does not allow the identity of the person to be verified with certainty and, therefore, lacks sufficient suitability to fulfil the purpose of the regulation.
In the resolution, the AEPD justified its high fine on the following grounds:
– The nature, gravity and duration of the breach, as well as the number of data subjects concerned and the level of damage they have suffered (Article 83(2)(a) of the GDPR): World 2 Meet requested a copy of both sides of the identity document, despite the risk that this entails.
– Intentionality/negligence in the infringement (article 83.2, letter b) of the RGPD): The claimant’s request to obtain an alternative means of identification was not complied with. In this case, intentionality can be observed in the refusal of World 2 Meet, when the customer offered to provide the data strictly necessary for check-in: “Please reply to this e-mail specifying what data is required from the respective ID cards in order to complete the strictly legal check-in.” The company replied: “The data strictly necessary, as we have already indicated, is either the ID card or the passport of each of the occupants, which is the only way we can identify them in order to pass to the security forces.” Therefore, “despite the fact that the complainant proposed an alternative method, raising objections to such treatment and doubts as to its compliance with current regulations, the company insisted on collecting a full copy of the ID card, which implies a presumed intention to follow a practice that may not be in line with legal requirements”.
– The categories of personal data concerned by the infringement (Article 83(2)(g) of the GDPR): The numeric identifier of the ID card, together with the verification character corresponding to the tax identification number, identifies a natural person ‘beyond doubt’. This makes it a particularly sensitive piece of data because, to the extent that its processing is not accompanied by the necessary technical and organisational measures to ensure that the person identified with it is really its holder, a third party can easily supplant the identity of a natural person or, in other words, can carry out identity fraud.
Finally, although the fine amounted to 70,000 euros, on 5 August, the company proceeded to pay the fine to the amount of 42,000 euros, making use of the two reductions provided for in the agreement, “which implies recognition of responsibility”, according to the AEPD’s resolution.