News
Spain, excessive data collection!
Do you work in the hotel industry? Is your privacy policy really up to date?
If you go to a hotel in Spain, expect to fill in a form with 40 fields to collect your personal data!
Why do Spanish hotels collect so much personal data?
We've gone from 12 → +40 fields with Real Decreto 933/2021 (end 2024)
Legal obligation
Any hotel, tourist accommodation or vehicle rental company must:
1. Check the identity of the traveller.
2. Collect personal data.
3. Send them to the police via the Hospedajes / SIRHUS platform.
Before (Order INT/1922/2003)
~12 fields: surname, first name, gender, date & place of birth, nationality, passport/ID number, dates of arrival & departure, signature.
Since – RD 933/2021 (end 2024)
≥ 40 fields grouped in two blocks:
| Identity & Contact | Transaction & Stay |
| --- | --- |
| • Full postal address | • Payment method |
The protest of professionals
The ACAVe, UNAV and FETAVE federations denounce the collection of ‘40 minimum data’ as disproportionate.
The European Commission has opened an investigation: is RD 933/2021 GDPR-compliant?
GDPR check – Key non-compliance issues
| GDPR Principle | Issue |
| --- | --- |
| Data minimisation (Art. 5-1-c) | Highly personal items (card data, kinship, licence plate) have no clear link with police identification. | 
| Information duty (Art. 13) | Privacy notices rarely updated: guests aren’t told about 40 data points, retention periods or their rights. | 
| Transparency & purpose (Art. 5-1-a/b) | Fields like booking cost or sales channel mix fiscal/marketing aims with public-security aims—no explanation given. |
What’s next? Brussels’ verdict, possible decree revision, and a race for hotel chains to rewrite their traveller information sheets.