News
📢 Spain, excessive data collection!
📢 Do you work in the hotel industry 🇪🇸? Is your privacy policy really up to date?
👁️ If you go to a hotel in Spain 🇪🇸, expect to fill in a form with 40 fields to collect your personal data!
🇪🇸🇪🇸 Why do Spanish hotels collect so much personal data? 🇪🇸🇪🇸
We've gone from 12 → +40 fields with Real Decreto 933/2021 (end 2024)
👮🔑 Legal obligation
Any hotel, tourist accommodation or vehicle rental company must:
1. Check the identity of the traveller.
2. Collect personal data.
3. Send them to the police via the Hospedajes / SIRHUS platform.
🕰️ Before (Order INT/1922/2003)
~12 fields: surname, first name, gender, date & place of birth, nationality, passport/ID number, dates of arrival & departure, signature.
🚀 Since – RD 933/2021 (end 2024)
≥ 40 fields grouped in two blocks:
| 🗂️ Identity & Contact | 💳 Transaction & Stay |
|---|---|
| • Full postal address | • Payment method |
🚨 The protest of professionals
The ACAVe, UNAV and FETAVE federations denounce the collection of ‘40 minimum data’ as disproportionate.
⚖️ The European Commission has opened an investigation: is RD 933/2021 GDPR-compliant?
🔍 GDPR check – Key non-compliance issues
| 📌 GDPR Principle | ❌ Issue |
|---|---|
| Data minimisation (Art. 5-1-c) | Highly personal items (card data, kinship, licence plate) have no clear link with police identification. |
| Information duty (Art. 13) | Privacy notices rarely updated: guests aren’t told about 40 data points, retention periods or their rights. |
| Transparency & purpose (Art. 5-1-a/b) | Fields like booking cost or sales channel mix fiscal/marketing aims with public-security aims—no explanation given. |
💡 What’s next? Brussels’ verdict, possible decree revision, and a race for hotel chains to rewrite their traveller information sheets.