Mes Advocats
← Previous

20 June 2025 · Lucas Charnet

Your ID Can’t Be Photocopied: Hotels Must Adapt to the AEPD’s New Interpretation

Your ID Can’t Be Photocopied: Hotels Must Adapt to the AEPD’s New Interpretation

20 June, 2025

Data Protection

Lucas Charnet

![](https://www.mesadvocats.com/blog/wp-content/uploads/pexels-helenalopes-2017802-scaled.jpg)

You arrive at the hotel after a long journey. You hand over your ID to check in, and without a second thought, the receptionist scans or photocopies it. It’s a routine, almost automatic gesture. But from now on, this practice could cost establishments dearly—literally.

The Spanish Data Protection Agency (AEPD) has been clear: requesting a photocopy of a guest’s ID is illegal. This was confirmed in an informational note issued on June 17, 2025, in connection with the obligations set forth in Royal Decree 933/2021. And the change is significant: it marks a turning point in how hotels, hostels, tourist apartments and all types of accommodations must handle guests’ personal data.

What has changed exactly?

Nothing in the law itself—but its interpretation has. Royal Decree 933/2021, in force since December 2024, requires hospitality businesses to collect certain identifying information from their guests, which must be submitted to the Ministry of the Interior through a new digital platform (SES.HOSPEDAJES). However, the AEPD has clarified that this obligation does not authorize or justify making copies of ID documents.

Why? Because scanning or storing a copy of an ID involves processing far more data than necessary: a photograph, signature, expiration date, CAN number, parents’ names… data not required by the regulation. This violates the data minimization principle set forth in Article 5.1(c) of the General Data Protection Regulation (GDPR).

In other words: if it’s not necessary for the purpose, you can’t request or keep it.

So how can hotels carry out a legal check-in?

This is the key point: Royal Decree 933/2021 does not require a copy of the ID, but rather a set of data that the guest can provide via a form—either in person or online—whose accuracy can be verified by visually inspecting the original document, but not by scanning or storing it.

If the check-in is in person, it’s enough to visually verify that the provided data matches the ID. If it’s online, alternative mechanisms may be used, such as:

  • digital certificates;
  • comparing the data with the payment method;
  • sending a code to the guest’s phone or email.

    • The AEPD has made it clear that hotels must not only comply with citizen security regulations, but must also respect the principles of the GDPR.

    What are the risks for hotels that continue to photocopy IDs?

    This isn’t just a recommendation. The AEPD has been unequivocal: this practice may be penalized. And there are already precedents. Excessive data use, unnecessary document storage, or lack of security measures may constitute serious violations, potentially leading to fines of up to €20 million or 4% of annual global turnover.

    Beyond the financial risk, there’s also a reputational one. Storing copies of IDs increases exposure to cyberattacks. In recent years, several hotel chains have suffered data breaches that were later exploited for scams or identity theft via platforms like Booking or Airbnb.

    Photocopying an ID doesn’t help you comply with the law. It’s a legal and technological ticking time bomb.

    What does the Ministry of the Interior say?

    The Ministry of the Interior has defended the new system, stating it has helped locate over 18,000 people wanted by authorities thanks to data cross-referencing. But this does not contradict the AEPD’s position: data can and must be collected… without violating the GDPR.

    The challenge lies in striking a balance between public safety and privacy. And in that balance, the AEPD has made it clear that indiscriminate ID copying has no place.

    What should hotels do now?

    1. Review their check-in procedures and eliminate any process involving ID or passport photocopying or storage.
    2. Update data collection forms, ensuring they only request the data specified in Sections A.3, A.4, B.3, and B.4 of Annex I of Royal Decree 933/2021.
    3. Train staff on how to verify information without violating data protection rules.
    4. Strengthen the security of IT systems, especially for online data collection.
    5. Consider legal or technical advice to implement alternative authentication measures compatible with the GDPR.

    Final reflection: between privacy and tourism

    Spain is a global tourism powerhouse—but that doesn’t justify legal shortcuts. Data protection is not a burden, but a safeguard. For the guest, who wants to trust that their information won’t be misused. And for the hotel, which must protect its business from fines and legal complaints.

    At MES Advocats, we advise businesses in the tourism sector on privacy policies, GDPR compliance, and how to meet legal obligations. We understand that tourism evolves, and so does the law. That’s why our mission is to help you navigate both safely and strategically. You can contact us  through this link.

    If your establishment still photocopies IDs, now is the time to update.

    ###

    ![International Data Protection Day: How to Improve Your Company’s Privacy](https://www.mesadvocats.com/blog/en/proteccion-datos-empresa-rgpd-medidas-practicas/ "International Data Protection Day: How to Improve Your Company’s Privacy")
    ![Can I keep an ex-employee’s email account active?](https://www.mesadvocats.com/blog/en/puc-mantenir-actiu-el-correu-dun-exempleat/ "Can I keep an ex-employee’s email account active?")
    ![Regulation of Artificial Intelligence in Europe and Spain: Legal Framework and Risk Levels](https://www.mesadvocats.com/blog/en/ai-regulation-europe-spain-compliance-obligations/ "Regulation of Artificial Intelligence in Europe and Spain: Legal Framework and Risk Levels")

    Check-in legalDNI y privacidadReial decret 933/2021RGPD

    ---