Can hotels request a copy of your ID or passport?

Cliente mostrando su DNI en la recepción de un alojamiento - fotocopia DNI hospedajes

Can hotels request a copy of your ID or passport?

Guest showing ID at hotel reception - copy of ID hotels

Introduction:

In recent months, a heated debate has emerged about whether hotels and lodgings can request a copy of guests’ ID. The Spanish Data Protection Agency (AEPD) has already stated: this practice violates data protection regulations.

In June 2025, the Spanish Data Protection Agency (AEPD) firmly reminded that requesting or storing copies of clients’ ID or passport in lodging establishments breaches the principle of data minimization under the GDPR. This article explains the legal background and proposes a practical protocol for lodging businesses to comply without legal risk. This article is informative and does not replace personalized legal advice.

1. What does the law and the AEPD say?

  • The Royal Decree 933/2021 requires lodging establishments to collect certain data from their clients (name, document, nationality, dates, etc.).

  • The AEPD has stated that requesting full ID copies (with photo, expiration date, CAN, parents’ names…) violates articles 5.1 b) and c) of the GDPR (purpose limitation and data minimization), and poses an identity theft risk.

  • Moreover, this practice does not guarantee identity: sending or showing a copy does not confirm that the person providing it is the actual guest.

2. Real cases and fines

  • A hotel in Cantabria was fined €1,500 (reduced to €1,200 for early payment) for cancelling a guest’s booking after they refused to provide a copy of their ID: the AEPD deemed it excessive processing.

  • Other fines up to €30,000 have been imposed for non-compliance with traveler registration laws, highlighting the legal seriousness of such actions.

3. How to comply without copying IDs

3.1 Collect only legally required data

The Royal Decree requires collecting data like name, surname, ID type and number, nationality, sex, place of origin, check-in/check-out dates (Annex I – A.3 and B.3). This can be done via physical or online forms.

3.2 On-site verification

A simple visual verification of the ID or passport is enough—no need to scan or store copies.

3.3 Online verification

Use digital certificates, payment method validation or SMS/email code verification—without storing full document images.

3.4 OCR or recognition alternatives

Extract only the necessary fields from the document without storing the image. Perform prior impact assessments and ensure appropriate security measures.

4. Recommendations for lodgings

Guest showing ID at hotel reception - copy of ID hotels

Is your lodging asking guests for a copy of their ID? Stop now.

Introduction:

In June 2025, the Spanish Data Protection Agency (AEPD) firmly stated that storing ID or passport copies violates the GDPR’s minimization principle. This article explains the legal reasoning and provides a practical protocol to comply without legal risk. This article is informative and does not replace personalized legal advice.

1. What does the law and the AEPD say?

  • The Royal Decree 933/2021 requires lodging establishments to collect certain data from guests (name, ID, nationality, dates, etc.).

  • The AEPD has confirmed that requesting full ID copies (with photo, expiration, CAN, parents’ names…) violates GDPR principles and increases identity theft risk.

  • Sending or receiving a copy doesn’t guarantee the identity of the person providing it.

2. Real cases and fines

  • A hotel in northern Spain was fined €1,500 for rejecting a booking after a guest refused to provide an ID copy. The AEPD deemed this excessive processing.

  • Other businesses have faced fines up to €30,000 for similar breaches in traveler data processing.

3. How to comply without copying IDs

We explain how to comply with Royal Decree 933/2021 without needing ID copies in lodgings.

3.1 Collect only required data

Required fields include: full name, document type and number, nationality, sex, place of origin, check-in/check-out dates. Use online or paper forms.

3.2 On-site verification

Verify identity visually. Do not scan or store the document.

3.3 Online verification

Use digital certificates, payment checks or SMS/email codes to verify identity without copying the document.

3.4 OCR and recognition alternatives

Extract necessary fields only, don’t store the image, and carry out impact assessments with security guarantees.

4. Recommendations for lodgings

Conclusion and Call to Action (CTA):

Complying with Royal Decree 933/2021 does not require storing ID copies: simply collect data through forms, verify identity visually or digitally, and apply a lawful and secure process. As a firm specialized in data protection, we can help you:

  1. Review and adapt your check-in procedures.

  2. Draft the correct forms and privacy clauses.

  3. Train your team on best practices and regulations.

📩 Contact us for an audit or to implement these improvements and ensure legal compliance while reducing reputational risks.

/0 Comments/by
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *