Accuracy in the data, and the principle of minimization. Training staff with clarity and rigor is key to avoiding reasons for sanction.

New sanction from the AEPD for requiring a photocopy of ID in the 933/2021 traveler registry.

Data protection requirements permeate many aspects of our daily activity, knowing how far I can or cannot demand from users their data is essential to safeguard both reputation and avoid complaints and subsequent sanctions.

The AEPD, in a recent resolution of file ps-00036-2024 dated February 03, 2025, has notified a fine of €1,500 to an accommodation after a violation of the PRINCIPLE OF DATA MINIMIZATION, by requiring the passenger to take a complete photo/scan on both sides of the ID card, not only allowing it to be displayed. The establishment configured its tool for the TRAVELER PARTY requiring photography, and eliminating the possibility of filling in part manually if the passenger does not give their consent to allow photography.

The establishment insisted on the procedure, confusing its obligation to check the genuineness of the data in accordance with the provisions of Royal Decree 933/2021, with the need to provide a Copy/photograph of the identity document, which in no case is required by the regulations, nor does it have to be reported Of all the data which contains that document.

Do you know which ID data exceeds those required by regulations?

How should customer identification data be requested and how should the person in charge of that data processing act?

Have you reviewed how your application stores data on behalf of travelers and if it does so in accordance with regulations?

Do you know that the non-compliance of a data processor also falls on the data controller?

Do you have this limited in your treatment manager attachments?

In TOURISM & LAW we are at your disposal to advise you and you can, in a preventive way, avoid incidents in this and many other cases.