On December 2, 2011, a new regulation came into force (Royal Decree 933/2021, of October 26, which establishes the documentary registration and information obligations of individuals or legal entities engaged in lodging and motor vehicle rental activities), requiring hotels, travel agencies and other types of tourist accommodations to keep a register of travelers who use their services.
This regulation is causing a lot of controversy, since both the sector and the users qualify the information that must be requested as "excessive", and doubts are raised as to whether it is adequate or not in the eyes of the regulations on personal data protection in the registration of travelers.
It is necessary to remember that in the processing of this Royal Decree , the AEPD issued a report (the 175906/2018), which analyzed this issue and on which a brief summary of its content is made below:
1. The AEPD understands the processing of personal data to be legitimate, as it is regulated by a regulation, in this case the Organic Law 4/2015, of March 30, on the protection of citizen security and which is developed in part by this Royal Decree, and its purpose is to ensure the preservation of citizen security and the prevention, detection and, where appropriate, prosecution of criminal conduct.
2. The collection of personal data established in the standard does not necessarily violate the principle of data minimization, although it does not assess it in depth.
3. It considers the 3-year record retention period to be adequate, as it is similar to that indicated in standards with similar obligations.
4. It considers it advisable to carry out an Impact Assessment of the processing, in order to detect possible consequences for the rights and freedoms of the persons concerned.
We help your company or business to comply with GDPR regulations.
Contact our data protection experts and we will help you to solve your doubts and comply with the regulations in the right way.
