Delete
Tourist rental company fined 75,000 euros for requesting 'unnecessary' personal data

Tourist rental company fined 75,000 euros for requesting 'unnecessary' personal data

A guest filed a complaint with the Spanish data protection agency (AEPD) after they were asked to provide their ID photographed on both sides and even a selfie when checking in online

Susana Zamora

Malaga

Wednesday, 17 May 2023, 17:21

Compartir

Spanish authorities have fined a tourist rental company 75,000 euros for requesting "unnecessary" personal data and not disclosing what it would be used for.

Following a complaint to the Spanish data protection agency (AEPD), they found that during the booking process, guests would be forced to check in online and then asked to fill in a form with their postal address, telephone number, email address, ID photographed on both sides and even a selfie. Guests were then encouraged to send an email in case they did not wish to receive advertising offers, but were not given any option to refuse sending the requested data.

When the guest complained to the company about its excessive request for data, it replied that it only had the data that had been provided to Airbnb, the platform through which they had made the booking. The rest of the data, according to the company, had been requested because, in Catalonia, they have to transfer travellers' data to the police.

According to the ruling, personal data must be "adequate, relevant and limited to the need" for which it is collected. The rental company did not provide a clear answer and did not provide the information in a transparent manner, data protection officials said.

The tourism rental company processed personal data such as names, surnames, telephone numbers, email addresses, postal addresses, images of the ID card "and not all of it is necessary either to provide the service of renting holiday flats or to comply with the obligation to register persons staying in accommodation establishments in Catalonia," the AEPD added.

After the complaint was filed by the client, the company did not present any evidence to refute the facts reported. For this reason, the Spanish data protection agency has imposed a fine of 25,000 euros for violating article 5 of the GDPR terms and 50,000 for violating article 13 of the same regulation.

Reporta un error en esta noticia

* Campos obligatorios