Four-star hotel in Spain fined for scanning guest's ID card
The Spanish data protection agency (AEPD) said that this practice during the check-in process at accommodation establishments constitutes an "excessive processing of personal data"
The obligation of a hotel or any accommodation establishment in Spain to collect certain customer data and comply with the new register of guests, set out in a royal decree, does not give carte blanche to collect more information than necessary. On that basis, the Spanish data protection agency (AEPD) warns that establishments are not allowed to request and make copies or scans of the guest's ID card or passport during the check-in process.
For months now, countless complaints have reached this state body and many of them have resulted in the imposition of significant penalties. The latest one has fallen on Suneris S.A. - the company that owns the Hotel & Spa Beverly Park, a four-star hotel located in the municipality of Blanes, Girona. A guest in this establishment filed a formal complaint with the AEPD after the hotel staff asked for his ID card in order to scan it. When the guest refused, the hotel receptionist copied his data using the computer. The guest also reported that the staff had left a master key card in his room, which allowed access to all the rooms.
The company said that the purpose of the scan was to send the information to the state security forces. However, the AEPD stated that "it is not obligatory to collect, register or communicate to the competent authorities the full image or photocopy of the person's identity document". According to this official body, the only information that must be provided is the name and surname, the identification number, the support number, the type of document (ID card, passport, etc.), the nationality and the date of birth.
Therefore, the collection of more information than necessary or relevant by Suneris S.A. "cannot be justified", as it does not comply with the current regulation. It constitutes an "excessive data processing", because "the full ID card contains more data than required, such as the photo, the expiry date of the document, the CAN or the name of the parents". "Furthermore, providing a copy of personal documentation implies, among other things, an unnecessary risk of identity theft, which should be avoided or, at least, effectively mitigated," the resolution states.
For this reason, the AEPD has imposed an administrative fine of 9,000 euros. This was reduced to 5,400 euros after the company acknowledged the facts and took advantage of prompt payment conditions.