Can a hotel make a photocopy of your ID card when you check in?

According to current regulations in Spain, hotels are not authorised to make copies of identity documents.

When you arrive at a hotel, you are often asked for your national ID card to complete the check-in process. But you may have wondered: Is it legal for the establishment to photocopy your ID card? The answer is no. According to current regulations in Spain, hotels are not authorised to make copies of identity documents.

Protection of our personal data is a right that we must exercise and safeguard at all times.

For this reason we have outlined below why we need to check in at hotels and what information they need, in addition to what the law says in this regard, to give you an understanding and arguments to protect your identity.

What is the check-in process at hotels for?

The purpose of the check-in process at hotels is to identify the guests that will be staying at the hotel. This identification is required by law under Article 25 of Organic Law 4/2015, on the Protection of Citizen Safety, which states that accommodation venues must record the data of their guests and report this information to the law enforcement agencies. This measure is designed to ensure citizen safety and prevent criminal activities.

What information is essential at check-in?

To comply with the regulation, the hotel must collect the following data from guests during check-in:

  • Name and surnames: To fully identify the guest.
  • Identity document number: This may be the Spanish National ID, passport or foreigner identity card.
  • Date of birth: To verify that the guest is of legal age and other legal aspects.
  • Nationality: Information required by the authorities.
  • Arrival and departure dates: To register the period of the stay at the establishment.

This is sufficient data to meet the registration obligations stipulated by law. The hotel does not need a physical or digital copy of the guest’s identity document, especially when there are other methods for gathering that information without posing a risk.

Information that should NOT be requested by the hotel during check-in

There are certain types of personal data that hotels are not authorised to request during the check-in process because they are not needed to meet their legal obligations. These include:

  • Photocopy or scan of the ID card or passport: As mentioned before, the regulation does not require the hotel to keep a copy of the identity document.
  • Full home address: Unless it is necessary for some specific, justified reason, this information is not compulsory.
  • Credit card number without a related transaction: They should not request financial information unless a payment is made or a guarantee is needed.
  • Other personal data: Information such as parents’ names, profession or marital status are not relevant for registration.

Requests for these additional details without giving proper justification could be considered an infringement of the principle of data minimisation set forth in the General Data Protection Regulation (GDPR), which states that the personal data collected must be limited to what is strictly necessary for the intended purpose.

What does the law say about photocopying ID cards?

The Spanish Data Protection Agency (AEPD) has been clear in this regard: photocopying or scanning a guest’s ID card with no legal basis to justify it is deemed excessive personal data processing. This practice violates the GDPR’s principle of data minimisation, which stipulates that the data gathered must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

One example to illustrate this is the case of a hotel in Cantabria that was fined 1,500 euros by the AEPD for insisting on photocopying a guest’s ID card. The guest refused to let them make a copy of the document, offering instead to show it to them so they could take down the necessary details. In response to the establishment’s refusal, the guest filed a complaint that led to the aforementioned fine. The AEPD’s decision underscores the fact that demanding a copy of an identity document without proper justification is an infringement of the GDPR and can result in financial penalties for the offending establishments.

In general, establishments increasingly choose to use identity verification services such as very-ID, which enable them to validate identity documents in a completely secure manner.

Why shouldn’t hotels photocopy ID cards during check-in?

Protecting personal data is a right that we must constantly safeguard. Besides the issue of legality, letting a hotel make a photocopy of your identity document is not recommended because of the possible security risk this poses.

Hotels are not likely to use your data for unlawful purposes but, generally speaking, most accommodations do not have very reliable security systems, and could easily have a security breach or be hacked, with the ensuing risk of your data being leaked or even of identity theft. In fact, precisely because of these practices, data theft is increasingly common in the hotel industry.

Therefore, we recommend that you never give out a copy of your ID card; here are some alternatives to minimise the risks:

  • If they make a photocopy, you can write the purpose for which it is made over the copy; for example: Exclusively for check-in at hotel X on date X.
  • If you travel often, you can give them a copy of your ID card directly yourself, with a watermark or an inscription that prevents the image from being used for other purposes.
  • The best option is to try to perform the process through a digital verification system such as very-ID, which more and more accommodations now offer. This prevents the ID card from being physically tampered with, instead scanning the document with an application that offers full security guarantees.

How do you handle check-in if you are a hotel?

On the other hand, if you are a hotel and need to verify your guests’ identity reliably and lawfully, there are digital solutions available, such as the digital identification options offered by Logalty. Very-ID uses NFC technology to minimise the risk of identity theft.

With this solution, the document validation process becomes a very simple and secure procedure, with no need to make unnecessary copies and no risk of data leaks:

  • The chip is read via NFC to obtain an original of the electronic document
  • The information extracted is provided by the issuing authority of the document and is unalterable
  • It is possible to take a selfie to compare it with the chip photo
  • Thus, any tampered-with documents are detected as soon as they are scanned.

This is a perfect solution for hotels, because it lets them validate national ID cards as well as ordinary and electronic passports, thus covering all the options normally used for check-in.