Hotel fined for scanning guest’s ID

The obligation of a hotel or any accommodation establishment in Spain to collect specific customer data and adhere to the new register of guests, as outlined in a royal decree, […]

August 4, 2025 Updated on August 1, 2025 2 Mins Read

The obligation of a hotel or any accommodation establishment in Spain to collect specific customer data and adhere to the new register of guests, as outlined in a royal decree, does not grant permission to collect more information than is essential. The Spanish data protection agency (AEPD) cautions that establishments are prohibited from requesting and generating copies or images of the guest’s ID card or passport during the check-in process under this circumstance.

Numerous complaints have been submitted to this state body for months, and numerous of them have led to substantial penalties. Suneris S.A. owns the Hotel & Spa Beverly Park, a four-star hotel located in the municipality of Blanes, Girona. It is the entity that has been hit by the final one. After the hotel staff requested his identification card for scanning purposes, a guest at this establishment submitted a formal complaint to the AEPD. The hotel receptionist used the computer to copy the visitor’s data when he declined. The passenger also disclosed that the staff had left a master key card in his room, which granted him access to all of the rooms.

According to the organisation, the objective of the search was to transmit the data to state security forces. Nevertheless, the AEPD declared that “it is not mandatory to collect, register, or provide the competent authorities with a complete image or photocopy of the individual’s identity document.” The name and surname, the identification number, the support number, the type of document (passport, ID card), the nationality, and the date of birth are the only pieces of information that are required, as per this official body.

Consequently, Suneris S. A.’s acquisition of additional information that is neither necessary nor pertinent is “unjustifiable,” as it violates the current regulatory framework. The complete ID card contains more data than is necessary, such as the photo, the expiry date of the document, the CAN, or the name of the parents. Consequently, it is considered “excessive data processing.” The resolution also asserts that the provision of a copy of personal documentation poses a superfluous risk of identity theft, which should be avoided or, at the very least, effectively mitigated.

It is for this reason that the AEPD has levied an administrative sanction of 9,000 euros. The company acknowledged the facts and capitalised on the expeditious payment conditions, which resulted in a reduction to 5,400 euros.