There is some uncertainty in the hotel industry over whether photocopies of ID cards or passports can or should be stored as proof of compliance with the obligations in Royal Decree 933/2021 on traveler registration. In this article we take a detailed look at what the legislation says and what guidance the AEPD has given on this subject.
It has been common practice in the hotel industry to scan or ask for photocopies of guests’ ID cards or passports at check-in. Various hotels have argued that they need photocopies of guests’ ID cards or passports to comply with the obligations in Royal Decree 933/2021 on traveler registration and that it speeds up the registration process considerably. That decree, however, does not state that it is mandatory or advisable to obtain a photocopy of a guest’s ID card or passport.
From the standpoint of the data protection legislation, it has to be taken into consideration that requesting a copy of an official ID document such as an ID card or passport poses a high risk to data subjects’ rights. The reason for it being seen as high risk has to do with the fact that, if that copy came into the hands of third parties, the information on that document could be used for potentially very harmful practices, such as identity theft or impersonation, with all the associated consequences for an individual.
Therefore, in recent years the Spanish Data Protection Agency (AEPD) has been particularly active in all matters concerning requests for photocopies of ID cards or passports. Proof of this is that the authority has imposed various penalties in this connection on a range of businesses, including hotels.
In other sectors fines have been imposed for practices involving requesting a photocopy of an ID card generally to exercise data protection rights (the right of access, for example) or requiring a photocopy to collect a parcel from a courier. The AEPD usually takes a very serious view of cyberattacks gaining the information on ID cards or passports and consequently imposes heavier fines. In relation to the hotel industry, there have been two rulings in which the AEPD has fined accommodation establishments for requesting a photocopy of an ID card during the check-in process.
In line with this and with the intention to clarify any interpretation doubts over compliance with the obligations in Royal Decree 933/2021 and of the privacy legislation, in June 2025 the AEPD issued an information notice expressly mentioning that requesting a copy of an ID card or a passport to comply with the identification obligations contained in Royal Decree 933/2021 contravenes the minimization principle under the General Data Protection Regulation (GDPR).
The data minimization principle is one of the guiding principles of privacy law. In short, it dictates that no more than the minimum amount of data needed to fulfill the purpose of the processing should be requested. In relation to complying with the obligation to identify guests, the AEPD considers that this principle is contravened by requesting a photocopy of an ID card or passport because this document contains more personal data than Royal Decree 933/2021 requires (they contain a picture or the names of the parents, which are not necessary to comply with the obligations in Royal Decree 933/2021).
In its information notice, the AEPD poses as a less invasive alternative which could still be used to comply with the identification obligation that of asking the user to complete the information on a form, and makes separate recommendations for collecting data in-person and online:
- In-person data collection: presenting a physical ID card or passport and not storing a copy of it.
- Online data collection: it recommends using digital certificates or data verification with the information associated with payment methods, sending security codes to email addresses, etc., without precluding the use of any other technology that can produce the same result without requesting a copy of an ID card or passport.
To summarize, in case there were any doubts (despite the earlier penalties) the AEPD has clarified categorically that entities cannot request a photocopy of an ID or passport to comply with the obligations in Royal Decree 933/2021.
So the question is: what steps should obliged entities under Royal Decree 933/2021 take to comply with the provisions in that legislation and to avoid breaching privacy law? This is what we recommend:
- Stop the practice of requesting a photocopy or scanned copy of an ID card or passport.
- Review forms and registration systems to ensure that only the minimum data needed to comply with the legislation is requested.
- Review registration procedures to give emphasis to visual verification in the case of in-person registration and study available verification alternatives in a digital environment. This might be the right time to further explore the benefits that the EIDAS 2 EU regulation might have to offer, which lays down a European digital identity framework, for the hotel industry as a whole.
- Educate staff on the importance of collecting data correctly and of not requesting photocopies of ID cards or passports, and stress that this information cannot be requested informally either with the excuse that it will speed up the registration process.
