There appears to be some confusion with regards to what information Britons and other visitors have to provide on arrival on holiday. It was previously announced by the Spanish government that, when booking accommodation, or hiring a car in Mallorca, people are now required by law to provide more information than before. All information collected will be passed onto the Spanish Ministry of Interior in order to improve the country’s national security.
However, today, the Spanish Data Protection Agency (AEPD) has reported that accommodation providers are not allowed to request a copy of a customer’s ID card or passport, in accordance with Royal Decree 933/2021 or the new register of travellers, which establishes the obligation of accommodation providers to collect certain data from people who use their services.
The agency has justified in a statement that this practice would violate the principle of data minimisation and would constitute ‘excessive’ processing, given that the full ID card contains more data than is required under the applicable regulations, such as a photograph, the expiry date of the document, the CAN (unique identification code) and the names of the parents.
The AEPD also stated that providing a copy of personal documentation involves, among other things, an ‘unnecessary’ risk of identity theft, which ‘must be avoided or, at least, effectively mitigated’.
In addition, it has pointed out that the ID card does not contain all the information requested in Annex I of Royal Decree 933/2021 and therefore, on its own, is not a valid means of complying with the aforementioned regulation.
With regard to the collection of data required by Royal Decree 933/2021, the AEPD considers that it could be sufficient for individuals to provide or complete a form containing only the data required in sections A.3 and B.3 of Annex I of the Royal Decree. This includes passenger data such as name, surname, sex, identity document number, date of birth and mobile phone number.
With regard to the authentication of data collected by means of a form, in cases of in-person collection, the AEPD considers that it may be sufficient to visually check that the data provided corresponds to the identity document presented.
In the case of online data collection without in-person attendance, this verification can be carried out using mechanisms such as digital certificates, as stated in the press release. ‘It is also possible to verify that the data and information provided matches the data associated with the means of payment used,’ according to the agency. Similarly, among the possible measures, security codes sent to the telephone numbers or email addresses of guests required to identify themselves can be used as authentication factors.