Heated debate between tourist sector and the Spanish government continues over new registration scheme. | Majorca Daily Bulletin reporter


While the argument over the new 'big brother' visitor registration scheme rumbles on, the Spanish Data Protection Agency (AEPD) has fined a hotel in Cantabria 1,500 euros for requiring a photocopy of a guest’s ID card as a condition of completing their reservation. When the traveller refused to provide the copy, their reservation was cancelled.

According to media reports on the AEPD’s resolution, the establishment’s practice involves excessive processing of personal data, thus violating the principle of data minimisation contained in Article 5.1.c) of the General Data Protection Regulation (GDPR). This principle establishes that only data that is strictly necessary for the specific purpose of the processing may be collected.

The hotel has a voluntary online check-in process, but requires an image or photograph of the identity document in person to allow the stay. However, the AEPD concludes that this measure is not relevant or necessary to comply with the regulations on the registration of travellers, since the document can be shown without the need to be photocopied or stored.

The sanction imposed is based on the infringement of Article 5.1.c) of the GDPR, which can lead to fines of up to 20 million euros or, in the case of companies, 4% of the annual turnover. The Spanish Organisation of Consumers and Users (OCU) and the travel agency associations UNAV, Acave and Fetave have called for the precautionary suspension of Royal Decree 933/2021, which tightens up the registration of travellers, until the European Commission finalises its analysis of the possible breach of the European Data Protection Regulation, as reported in a joint statement.

From the point of view of these organisations, this traveller registration, which came into force last December, represents a ‘clear excess’ in the collection of personal data, which is ‘against the fundamental principle of European regulations, which requires that data processing be relevant and not excessive’.

They also consider that the information required in this registry goes far beyond the ‘legitimate objective of guaranteeing security’, denouncing that it ‘invades the privacy of consumers in an unjustified and disproportionate manner’. In addition, the travel agency organisations have criticised the fact that the Royal Decree imposes a series of ‘excessive’ obligations on the sector and establishments that do not correspond to them and that, furthermore, generate ‘a notable responsibility in terms of data custody’.