According to media reports the AEPD’s resolution, the establishment’s practice involves excessive processing of personal data, thus violating the principle of data minimisation contained in Article 5.1.c) of the General Data Protection Regulation (GDPR). This principle establishes that only data that is strictly necessary for the specific purpose of the processing may be collected.
The hotel has a voluntary online check-in process, but requires an image or photograph of the identity document in person to allow the stay. However, the AEPD concludes that this measure is not relevant or necessary to comply with the regulations on the registration of travellers, since the document can be shown without the need to be photocopied or stored.
The sanction imposed is based on the infringement of Article 5.1.c) of the GDPR, which can lead to fines of up to 20 million euros or, in the case of companies, 4% of the annual turnover. The Spanish Organisation of Consumers and Users (OCU) and the travel agency associations UNAV, Acave and Fetave have called for the precautionary suspension of Royal Decree 933/2021, which tightens up the registration of travellers, until the European Commission finalises its analysis of the possible breach of the European Data Protection Regulation, as reported in a joint statement.
From the point of view of these organisations, this traveller registration, which came into force last December, represents a ‘clear excess’ in the collection of personal data, which is ‘against the fundamental principle of European regulations, which requires that data processing be relevant and not excessive.
They also consider that the information required in this registry goes far beyond the ‘legitimate objective of guaranteeing security’, denouncing that it ‘invades the privacy of consumers in an unjustified and disproportionate manner’. In addition, the travel agency organisations have criticised the fact that the RD imposes a series of “excessive” obligations on the sector and establishments that do not correspond to them and that, furthermore, generate “a notable responsibility in terms of data custody”.
6 comments
To be able to write a comment, you have to be registered and logged in
Steve PickeringShould say passport :-D
TawnyYou've just reminded me of my first couple of visits to Mallorca. assort kept by reception and getting it back the next day. I'd forgotten all about that
Morgan WilliamsIt's bad here that you have to laugh at the lunacy of it! And the registration system you mention sounds as bad as most Spanish websites! I don't think they had very good IT teachers/courses in Spain - really behind the times!
It always used to be normal practice to have your passport copied by the hotel. A lot of them used to keep your passport until you paid and checked out. Its like this in many countries.
Funny, I clearly remember a confrontation I had with the guardia civil years ago when signing up for the Guardia Civil registration of guests. The confrontation was about their insistence that we were required to keep copies of each and every guest's passport or ID we filed on their system, and if we didn't we could be fined up to 1000€. I argued that this was probably a violation of EU privacy law. They insisted it isn't, it's Spanish law, and we must obey it or suffer fines. They didn't take kindly to being doubted in that way. So, per guardia civil order, copying each and every guest's passport or ID has been routine ever since. Nobody has ever complained, and we have them all neatly filed in file folders by month and year, just in case the guardia civil ever wants to check. They never have though. I sense they never really used that database for anything anyway. The online registration system operated like it was built by a junior IT student, like something from the 90's. So, now I can be fined 1500€ for obeying the Guardia Civil? What a stupid bunch of contradictory bullshit.
Wow.... thats a precedent set right there.