It is expected that, from December 2, Royal Decree 933/2021 will be fully applicable, which obliges lodging and vehicle rental companies, as well as tour operators and digital platforms acting as intermediaries in these activities, to document and transmit their clients’ data to the authorities. This regulation presents certain challenges from a privacy perspective.
Royal Decree 933/2021, of October 26, 2021, establishing the documentation and information obligations of individuals or legal entities engaged in accommodation and motor vehicle rental activities (RD 933/2021), commonly known as the “Travelers’ Register” royal decree has been technically in force since April 27, 2022, but until now has never been so hotly debated nor has it been on the covers of so many media outlets and platforms.
This is because, following an adaptation period of 5 months and two extensions, the currently scheduled date for its full application is December 2, 2024. But let’s take a step back and set the context of the controversy that is currently on most of the covers of the specialist press.
As noted, it has been more than 2 years since the entry into force of RD 933/2021, which significantly expanded: (i) the scope of application of the previous obligations regarding record keeping and the transmission of data to the authorities (contained until then mainly in Order INT/1922/2003, of July 3, 2003, on registers and reports on the entry of travelers into hotels and similar establishments) to include – in addition to companies directly engaged in accommodation and vehicle rental activities – tourism operators and digital platforms that act as intermediaries in such activities, and (ii) the quantity of data that obliged entities had to collect from travelers and transmit to the Spanish authorities. These are precisely the two aspects that have triggered so much controversy around the application of RD 933/2021.
However, the legislation has yet to be fully applied given that, as noted, when it comes to one of the main obligations laid down in RD 933/2021, the disclosure of data to the Spanish authorities, the Ministry of Home Affairs, with the aim of making it easier for users to become familiar with the new environment and ensuring the operation of the electronic platform through which data will be disclosed (SES.HOSPEDAJES) under optimal conditions, decided to establish an “adaptation period” which, barring any last-minute surprise (which cannot be completely ruled out given the latest developments in this regard), will end on December 2, 2024.
And we say that a last-minute change would not be out of the question since, very recently, on October 23, 2024, the plenary session of the lower house of the Spanish parliament approved on October 23, 2024, the non-legislative motion of the Grupo Popular, which, among other aspects, urges the government to: (i) extend the suspension of application of RD 933/2021 until a comprehensive and proportionate review and adjustment of these regulations is undertaken in conjunction with the most affected tourism sub-sectors; (ii) review the obligations to collect personal data required by RD 933/2021 to ensure their compatibility with EU data protection regulations; and (iii) support the claims that have been unanimously raised by the entire Spanish tourism sector regarding the detrimental effects of the scope and content of RD 933/2021 on the operation of tourism activities.
Now that we have a bit more context, what are the main obligations laid down in RD 933/2021 which have triggered so much controversy? In brief, the following stand out:
- Data collection: obliged entities must collect numerous personal data (identification, contact and transactional data, including identification and payment method details, such as bank card number and expiration date) from travelers and persons accompanying them, even if they are minors.
- Storage: obliged entities must store such data in an electronic record for a period of three years from the end of the service engaged.
- Communication or disclosure of data to the Spanish authorities: obliged entities must communicate, electronically and through the SES.HOSPEDAJES platform, the data collected from travelers immediately, and in any case, within a period not to exceed 24 hours, respectively, from: (i) the reservation or the formalization of the contract or, where appropriate, its cancellation; or (ii) the start of the engaged services.
Both issues, the broadening of the scope of application by RD 933/2021 and the substantial increase in the number of personal data that intermediaries are required to collect, store and disclose, are triggering not only a great controversy in the tourism operator and intermediation sector, but also numerous doubts at the legal level regarding their legal fit.
How do all these obligations fit in with complying with the data protection regulations and what legal doubts are raised by their fulfillment? In our view, they raise myriad doubts and their fit with the personal data regulations is complex. We highlight the most relevant ones below:
- Principle of matters reserved for legislation by statute only: the obligations imposed by RD 933/2021 involve the processing of personal data, which must be carried out, to comply with the General Data Protection Regulation (GDPR), in reliance upon one of the legal bases set out in article 6 of the GDPR. In this case, and given that the processing of data provided for in RD 933/2021 will be carried out in compliance with such royal decree, the applicable legal basis could be, apparently, compliance with a legal obligation (per article 6.1 c) of the GDPR).
However, it is important to bear in mind that any obligation that affects fundamental rights and, in particular, personal data protection rights to the extent that they impact a fundamental right, must be backed by provisions having the rank of a statute. In this respect, the Supreme Court (STS 1922/2024) determined that the principle of matters reserved for legislation by statute only, does not exclude possible legislative collaboration (by virtue, for example, of a royal decree), although a mere blank reference cannot be considered sufficient, but rather it must contain the general criteria or guidelines forming the basis for any limitations that may be established, and these limitations must be proportionate to the aim pursued.
In this case, it is true that RD 933/2021 was approved pursuant to article 149.1.29. of the Spanish Constitution, which grants the State sole power in the area of public security and, moreover, in implementing the provisions of article 25.1 of Constitutional Act 4/2015, of March 30, 2015, on the Protection of Citizens’ Security. However, neither of these two pieces of legislation include intermediaries in accommodation and vehicle rental activities as being subject to collecting, storing and disclosing personal data to the authorities, as RD 933/2021 does. Therefore, RD 933/2021, a piece of legislation which does not have the rank of a statute, would be imposing on intermediaries certain obligations that have a significant impact on the protection of data subjects’ personal data.
- Proportionality: in accordance with article 6.3 of the GDPR, the national legislation that imposes conditions for processing personal data must meet an objective of public interest which must be specific and proportionate to the legitimate aim pursued. This fits with the case law of the Court of Justice of the European Union which has repeatedly indicated that any interference in fundamental rights to privacy and to personal data protection must be limited to what is strictly necessary to achieve the legitimate aims pursued by the legislation (i.e., the possibility of adopting less intrusive measures to achieve the same aims would render the processing unnecessary and disproportionate).
In this case, and bearing in mind: (i) the large quantity of data that RD 933/2021 requires obliged entities to collect and transmit; (ii) the breadth of the scope of RD 933/2021, which will involve the receipt by the Spanish authorities of the same data through different sources (hotels and vehicle lease companies, travel agencies, online intermediaries, etc.); and (iii) the existence of international conventions and treaties regulating procedures for mutual legal assistance and the sharing of personal data between authorities in the context of criminal investigations, one may wonder whether there are other alternatives to the obligations established in RD 933/2021 that are better and less intrusive and detrimental for achieving the result desired by RD 933/2021; that is, the protection of persons and assets, and the maintenance of tranquility and citizens’ security.
- Foreseeability or reasonable expectation: according to Recital 41 of the GDPR, the legislation that imposes a legal obligation related to data protection must be foreseeable to the data subjects concerned.
In the case of RD 933/2021, one may wonder whether its application will be foreseeable to all the data subjects concerned, bearing in mind that not only will the data of Spanish data subjects be disclosed to the Spanish authorities but also the data of any foreigner who wishes to find lodging or rent a vehicle in Spain and those of their companions. These last-mentioned data subjects will be largely unaware of the application of RD 933/2021 and, even if they are aware, they will hardly be able to access the content of the law, which is available in Spanish.
Another question related to the foreseeability of the application of RD 933/2021, and which ties in with the transparency principle set out in the GDPR, is the fact that RD 933/2021 itself does not establish how the Spanish authorities will comply with their information obligations under the GDPR once they receive the personal data of travelers from the obliged entities. As recipients of the personal data, the Spanish authorities must fulfill the duty of information envisaged in article 14 of the GDPR, unless they consider that any of the exceptions established in its subarticle 5 applies, or that they are exempt from doing so given that, otherwise, public safety, national security or the rights and liberties of other persons would be at risk, or judicial or police investigations or proceedings would be hindered. None of this is clarified or established in RD 933/2021, with the uncertainty this entails for the data subjects concerned.
As can be seen, just days away from the effective application of RD 933/2021, there are still numerous doubts about the compatibility of the obligations established in it with the data protection legislation. For now, the sector will have to live with this situation until the Ministry of Home Affairs or the Spanish Data Protection Agency issues an opinion in this respect and modifies or limits the system, either in the objective scope or in the number and type of data to be collected, stored and transferred.