Compliance

Fines of up to €100,000 for photocopying an ID: why your hotel should stop now

Spain's data protection authority warns that photocopying or photographing an ID isn't allowed and can cost up to €100,000. What the law actually says, why the traveller register doesn't require a copy, and how to comply without storing ID scans.

HT

HazCheckin Team

HazCheckin

4 min read
Person holding an ID document next to a mobile phone

Asking for an ID at the front desk is routine. Photocopying it or snapping a photo “just to have a record” is routine in plenty of properties too. And that’s the problem: this very common habit is exactly what Spain’s Data Protection Agency (AEPD) considers unlawful — with fines that can reach €100,000.

This isn’t a theoretical threat. The AEPD has already sanctioned both large companies and small businesses for precisely this.

What the AEPD says: showing is fine, copying isn’t

The key is a distinction almost nobody makes: checking someone’s identity is one thing; keeping a copy of the document is another entirely.

The AEPD puts it simply: the rules let you ask a guest to show their document so you can verify who they are, but they don’t allow you to keep a photocopy or a photograph of it. Doing so systematically, without a basis that justifies it, breaches the data minimisation principle (Article 5.1.c of the GDPR): you may only process data strictly necessary for the purpose — not one field more.

And to identify a guest you don’t need an image of their ID sitting in a drawer or a folder on your computer. Seeing it and recording the data the law requires is enough.

The fines are already landing

The range runs from a few thousand euros to six figures:

  • €100,000 to a major telecoms operator for photographing customers’ IDs on both sides when delivering orders.
  • €11,000 to a towing company because an employee photographed a customer’s ID with their phone without consent.
  • €1,500 to a guesthouse that tried to photocopy a customer’s document.

Look at that last case: it’s a small accommodation, the kind of business that assumes “this is how it’s always been done.” Size offers no protection. What the AEPD looks at is the practice, not the turnover.

“But I have to register the traveller”

This is where two things that aren’t the same get blurred — and they’re worth keeping apart.

Yes: Royal Decree 933/2021 requires you to collect the guest’s data and report it to SES.HOSPEDAJES. That’s a legal obligation, and you don’t need the guest’s consent to comply with it.

But that obligation asks for the data — name, document number, date of birth, nationality and little else — not an image of the document. Transcribing the ID number into the traveller report is mandatory. Keeping a photocopy of the ID is not, and that’s exactly what can earn you the fine.

Put another way: the traveller-register law and the AEPD don’t contradict each other. They ask you to record the data and, at the same time, not keep copies you don’t need.

The real risk of that folder of photocopies

Beyond the fine, a folder — physical or digital — full of ID copies is a silent liability:

  • If your system is breached or a laptop is stolen, you expose full identity documents of hundreds of people.
  • Those copies tend to stick around “forever,” far beyond what any legitimate purpose justifies.
  • A guest has the right to ask why you’re keeping their document, and “just in case” isn’t an answer that holds up before the AEPD.

The safest document is the one you never stored.

How to comply without photocopies: the HazCheckin approach

With HazCheckin you don’t have to choose between meeting the registration law and meeting data protection rules. The flow is built for both at once:

  • Identity verification without storing the ID. Guests confirm their identity during online check-in — including liveness-based verification when needed — without you ending up with a photocopy filed away “just in case.”
  • Only the data the law asks for. You collect the exact fields the traveller register requires, not one extra “just in case” field.
  • Automatic reporting to SES.HOSPEDAJES. The traveller report data is sent to the Ministry of the Interior’s platform without typing anything by hand or keeping images of the document.
  • Retention and security by default. Encryption, access control and retention aligned with the rules — no photocopies piling up in a drawer.

The practice the AEPD fines — photocopying or photographing the ID — simply stops happening, because the system doesn’t need it to do its job.

In short

Photocopying or photographing your guests’ IDs was never mandatory, and now you know it can get expensive. What the law requires is that you register their data and report it to SES.HOSPEDAJES — not that you collect copies of their documents.

If you automate check-in with a tool that verifies identity and files the report without storing photocopies, complying with both rules stops depending on whoever happens to be at the desk. See how we approach it in HazCheckin’s features.

Back to the blog

Related articles

A host setting up their accommodation on a laptop
Operations

Import your property from Airbnb or Booking in one click

Stop typing your accommodation details by hand. Paste your Airbnb or Booking.com listing URL into HazCheckin and we read the listing for you — name, description, capacity, amenities, location and photos.

2 min read
GDPR compliant

We comply with the European Union's General Data Protection Regulation (GDPR). Your data — and your guests' data — stays safe.