Data protection: It is prohibited to ask for copies of ID cards in hotels.
The Spanish Data Protection Agency considers photocopying ID cards to be "excessive."
Now that the summer holidays are approaching, the Spanish Data Protection Agency (AEPD) warns: it is prohibited to request a copy of your ID card when staying at a hotel. The agency has issued a information note Remember that, although Royal Decree 933/2021 establishes the obligation of the owner of the hostel or hotel to collect certain data from the people who use their services, this request for information does not authorize requesting a copy of the client's identity document, since this "would violate the principle of data minimization and would constitute excessive processing."
According to the agency, documents such as the DNI include additional information to that required by the law (such as the photograph, the expiration date, the CAN (the six-digit number in the right corner of the ID card) and the names of the parents), the processing of which "increases the risk of identity theft." Furthermore, the DNI does not include all the information requested in the law, so, on its own, "it is not a valid resource to comply" with the law. Furthermore, sending a copy of the document does not allow the identity of the person sending it to be verified with certainty, the AEPD points out.
What should I order?
To comply with the legal obligation, the agency considers that the guest must provide the data detailed in the corresponding sections of the Royal Decree, and that these can be collected using an in-person or online form.
To authenticate the data provided, in the case of in-person verification, a visual verification of the document would suffice. If this verification is performed online, the use of mechanisms such as digital certificates, verification with the data associated with the payment method, or authentication via codes sent to the guest's phone or email is recommended. In any case, any other procedure used "must be evaluated by the data controller, who will always guarantee its compatibility with data protection regulations," the agency notes.
