Many questions arise around hotel data protection and other lodging business. One of them is about the legality of scanning ID cards or passports in hotels and other accommodation.
Just in 2018, a case came to light in Spain that alarmed owners or managers of tourist accommodation. That case was a resolution of the Spanish Data Protection Agency (AEPD), which sanctioned a hotel in the Balearic Islands with 30 thousand euros. The reason: scanning the passport of a Dutch guest.
Because of this “tragic” episode, doubts grew among professionals in the sector: Can a hotel scan the ID card or passport of guests? What are the legal bases to comply with?
You have to know the limits and regulations. Therefore, we will explain the regulations to be respected in Spain, so that you can continue to use the scanning of ID and passports in all legal way.
Legal bases to follow when scanning your guests’ ID cards or passports
Scanning your guests’ ID cards or passports is legal. All hotels or tourist accommodation can use it, but with some legal nuances. When a guest stays in a accommodation, it is required to process personal data, according to 2 legal bases. These 2 legal bases will allow you to collect a certain level of data, and it is essential to respect them in order to avoid large financial penalties:
- Firstly, due to the contractual relation you have with the guest, you are entitled to collect basic data. This can be first name, surname, e-mail address or means of payment. Due to this contractual relationship, you can legally scan the basic data of your guest.
- There is a legal basis, which obliges all tourist establishments to collect more personal data of the guest. These laws are the Law 4/2013, of 4 June and the Royal Decree 933/2021. Which establishes: “…the new obligations of documentary registration and information of natural or legal persons who exercise activities of accommodation”.
These laws oblige all Spanish tourist accommodations to keep a travelers register. This implies periodically reporting the data to the authorities, in order to “guarantee public safety”. In short, they will have to collect 31 pieces of information, for each guest, in order to send the report to the competent authorities. You can see how to register travellers and review what data is required here. . Failure to comply with this rule can also lead to fines of up to €30,000.
To summarise briefly, every Spanish accommodation is authorised and obliged to collect certain data from its guests. By contractual relationship, and by legal obligation imposed by the aforementioned rules.
Why was the hotel in the Balearic Islands sanctioned?
In this case the hotel that was sanctioned, collected data derived from the first two legal bases explained above. That is, because of the existing contractual relationship and because of the legal obligation, through the scanning of passport, ID card or other documents.
During the scanning of the ID, the hotel also collected the guest’s photograph. This is where the big problem arises, and the sanction issued.
According to the hotel’s defence, the photo was collected temporarily (although this was not the case). They claim that it was collected in order to be able to incorporate it in the guest’s magnetic card. A magnetic card, which allows the guest to enter their room and make purchases within the accommodation. Thanks to the photo inside the magnetic card, hotel employees could verify that it was the guest. This prevented fraudulent use of the card by third parties and prevented financial damage to the customer.
Knowing that they could not treat the image of the guest on the legal or contractual basis. The hotel applied as a legal basis the legitimate interest of the establishment, consisting of ensuring that it charged the real user of the service.
But in order to be able to use and argue a legitimate interest as a legal basis, the hotel had to assess and justify it properly and inform the guest beforehand.
This is where the hotel failed. It did not do the work beforehand to inform the guest that his or her photo was going to be used in the scanning of the ID card or passport.
This is what caused the sanction and not the scanning of an ID. It is the fact that the photograph was also taken and used on a legal basis that was not sufficiently well-argued and documented.
In short, can I scan the ID card or passport of my guests?
Yes! You can scan your guests’ ID or passport. In fact, it is an essential tool nowadays to be able to save time, and improve the experience of your customers. But it is very important that you justify why you are collecting this data, and what you are going to use it for.
At Chekin, we offer you an online check-in tool. Where your guests can complete the register form quickly and easily before their arrival at the accommodation. In addition, we have a biometric match system that allows you to verify the identity of your guests remotely. Find out more about our tool here.
