A legal paradox that, for now, remains uncontested. What seemed like a routine procedure in hotels—photocopying guests' ID cards or passports upon check-in—has become the new legal battleground between the government, the tourism sector, and data protection authorities. The trigger: a recent ruling by the Spanish Data Protection Agency (AEPD) declaring illegal the practice of photocopying or scanning identity documents as a measure to comply with the controversial Royal Decree 933/2021 on traveler registration.
Meanwhile, thousands of accommodations, tourist apartments, car rental companies, and travel agencies are unsure of what to expect. Technically, accommodations can verify the document, but they cannot photocopy or archive it in its entirety unless specifically authorized or legally mandated. However, most lack systems that allow them to comply with traceability requirements without incurring data protection violations.
The Spanish Data Protection Agency (AEPD) made it clear: requiring a copy of a DNI (National Identity Document) or passport violates the data minimization principle established by the General Data Protection Regulation (GDPR). The measure, according to the agency, involves "excessive processing of personal information" and creates "an unnecessary risk of identity theft that must be avoided or, at least, effectively mitigated."
But what was intended as a technical warning has unleashed a political and operational storm in the tourism sector. Both the Spanish Confederation of Hotels and Tourist Accommodations (CEHAT) and the National Union of Travel Agencies (UNAV) have spoken out.
From CEHAT, its president, Jorge Marichal, has denounced the situation with a mixture of frustration and urgency: "We cannot allow a tourist bus that has just arrived at a hotel to have to wait and fill out a form as cumbersome as applying for a visa to the United States." The hotel association believes the underlying problem is the lack of legislative development of the decree itself, which leaves establishments in a legal no-man's-land. They demand an urgent inter-ministerial meeting between the Interior Ministry and Tourism, in addition to the immediate deployment of a single technological system managed by Segittur (Spanish Ministry of Tourism) to avoid this disparity in criteria and the risk of sanctions.
For its part, the UNAV (National Autonomous University of Valencia) has expressed its disappointment with the AEPD (Spanish Association of Data Protection Officers) for not addressing the impact on travel agencies or the incompatibility of Royal Decree 933/2021 with European regulations. They complain that their sector has been left out of the spotlight, despite also being affected by requirements for identification and storage of personal data.
The root of the conflict lies in the lack of regulatory coordination: the Ministry of the Interior requires real-time identity checks; the AEPD prohibits storing more data than necessary; and the Ministry of Tourism has barely mediated between the two. For the tourism sector, the consequence is legal uncertainty and operational delays. "This is not a minor problem, but a dysfunction that affects the customer experience, national security, and the efficient operation of thousands of companies," states CEHAT. The entity demands the immediate implementation of a nationally approved reader to guarantee compliance with both the Royal Decree and the GDPR without compromising operations. As long as the Interior Ministry does not clarify the procedure and Tourism does not provide a technological solution, the sector is in jeopardy. And while the AEPD reiterates its role as guarantor of privacy, travelers and businesses face an absurd situation: bound by one rule that, by complying with it, may violate another.
