"It's an unnecessary risk": the AEPD says it's prohibited to ask for a copy of an ID card to stay in a lodging establishment.

The Spanish Data Protection Agency (AEPD) has reported that accommodations are not permitted to request a copy of a guest's ID or passport, pursuant to Royal Decree 933/2021 or the new traveler registry, which establishes the obligation for the owner of the accommodation activity to collect certain data from the people who use their services.

In a statement, the agency justified this practice by arguing that it would violate the principle of data minimization and constitute "excessive" processing, given that the full ID contains more data than required by applicable regulations , such as the photograph, the document's expiration date, the National Identity Document (CAN), or the parents' names.

Likewise, the AEPD has stated that providing a copy of personal documentation entails, among other things, an "unnecessary" risk of identity theft , which "must be avoided or, at least, effectively mitigated."

Additionally, he noted that the DNI does not contain all of the information requested in Annex I of Royal Decree 933/2021, so it is not, on its own, a valid means of complying with the aforementioned regulation.

Regarding the data collection required by Royal Decree 933/2021, the AEPD considers that it may be sufficient for individuals to provide or complete a form containing only the data required in sections A.3 and B.3 of Annex I of the Royal Decree. This includes traveler data such as name, surname, gender, ID number, date of birth, and mobile phone number.

Regarding the authentication of data collected via a form, in the case of in-person collection, the AEPD may simply need to visually verify that the data provided corresponds to the identification document presented.

In the case of online data collection without in-person assistance, this verification can be carried out using mechanisms such as digital certificates , the agency stated in the press release. "It is also possible to verify that the data and information provided matches the data associated with the payment method used," the agency stated.

Likewise, among the possible measures, security codes can be sent to the phone numbers or email addresses of guests who are required to identify themselves as authentication factors.