Requesting a photocopy of ID at hotels and tourist accommodations: a legal mistake that can be very costly

A recent €75,000 fine imposed by the Spanish Data Protection Agency (AEPD) on a Barcelona-based SME has raised alarm bells in the tourism sector. The reason: requiring ID photos and selfies from travelers booking their apartments via Airbnb, claiming it was necessary to comply with the Traveler Registry regulations.

On this matter, the AEPD has been very clear: neither the law requires such images nor does the GDPR allow them. Therefore, all companies managing tourist accommodations must take note to avoid penalties and ensure the security of their guests’ data.

The sanctioned company required customers to provide photographs of both sides of their ID card and a facial image (selfie) as a condition for accessing the accommodation. It claimed this was a legal requirement related to the Traveler Registry, but the AEPD dismissed that argument: the law does not require collecting ID images, nor is it permitted to gather more personal data than strictly necessary.

Furthermore, the company failed to provide clear information about the processing of that data: who was responsible, what it was used for, how long it would be stored, or what rights users had. The result: two serious violations of the General Data Protection Regulation (GDPR), with fines of €25,000 and €50,000 respectively.

The regulations of the new Traveler Registry, approved under Royal Decree 933/2021 and in force since December 2, 2024, expand upon the obligations already established in the former Order INT/1922/2003, which governed guest registration in traditional accommodations. Under the new rule, the obligation to register and report user data now extends not only to those directly providing lodging or vehicle rental services, but also to digital platforms and tour operators acting as intermediaries, such as Airbnb, Booking, or Expedia.

This change reflects the evolution of the tourism sector and e-commerce. Nowadays, many companies connect travelers with accommodations without directly offering the service. For that reason, the new legal framework clarifies that any entity involved in a booking and collecting personal data may be subject to these obligations.

Yes, the law requires lodging establishments (hotels, resorts, hostels, campsites, etc.) to identify all their guests.

Since late 2023, Royal Decree 933/2021 mandates registering travelers staying at tourist accommodations such as hotels, apartments, or rural houses. This registration must be submitted to the State Security Forces through a digital platform.

Only the following identification data must be collected:

• Full name
• Type and number of identity document
• Date of birth
• Nationality
• Check-in date (and check-out date, if applicable)
• Accommodation code or number
• Means of transport used (in some cases)

Under no circumstances is it mandatory or advisable to request photos of the ID, selfies, or any other biometric data.

This would violate the GDPR’s data minimization principle (art. 5.1.c), which requires collecting only the data necessary for the intended purpose. Additionally, the company would be committing an infringement if it fails to properly inform users about the processing of that data.

Yes, as long as they comply with GDPR principles: proportionality, security, and transparency. Digital check-in tools cannot require more information than necessary, nor use the data for secondary purposes (such as sending advertising) without explicit consent.

If you ever need to send a digital copy of your ID, do so cautiously. The National Police advises against sharing full and accurate images of the document, as they can be used for fraud or identity theft. A safe practice is to pixelate sensitive data (such as address, signature, or support code) leaving only what is strictly necessary visible. You can also add a text overlay on the image stating the reason for sending and the date, which makes misuse more difficult.

Remember that over 53% of the population has suffered some type of online fraud in the past year, according to CIS. Therefore, whenever you share your ID, do it through secure channels and only when absolutely necessary. Never agree to send it without guarantees or clear legal justification.

Regulatory compliance is not just a legal obligation, but also a key tool to protect your business’s trust and reputation. Requesting unnecessary data or failing to properly inform about its processing can lead to hefty fines and reputational damage that’s hard to repair.

At CINC Asesoría, we have a specialized team in Data Protection and regulatory compliance ready to help you adapt your tourism activity to the GDPR and the Traveler Registry regulations. If you have any doubts about how to correctly apply Royal Decree 933/2021 or about what data you can legally request, contact us and we will advise you with no obligation.