GDPR for hotels: how to handle guest data at check-in without getting burned

Every time a guest hands you their ID, you become responsible for data that isn’t yours. And the law treats you as exactly that. Check-in is the moment an accommodation collects the most personal data, and the easiest place to get it wrong.

The good news: the GDPR doesn’t ban you from asking for the document. It requires you to ask for it properly.

You have a lawful basis, but only for the right thing

There are two distinct processing activities here, and it pays not to blur them.

The first is guest registration. Reporting guest data to SES.HOSPEDAJES needs no consent: it’s a legal obligation (Article 6.1.c of the GDPR), imposed by Royal Decree 933/2021. The guest can’t refuse and you can’t skip it.

The second is everything else: sending offers, adding them to your newsletter, storing their card for future bookings. That falls outside the legal obligation. It needs a different basis —usually their consent— and you can’t smuggle it inside the check-in form. Mixing the two is one of the mistakes Spain’s data protection authority penalises most often.

Ask for exactly what you need, not one field more

The minimisation principle (Article 5.1.c) says something simple: only the data necessary for the purpose. The guest report defines what you need —name, document, date of birth, nationality and little else. If your form asks for the guest’s occupation “just in case”, it’s surplus.

A photo of the document is legitimate to verify identity. Keeping it indefinitely “for the record” is not.

Three years. Not one more

RD 933/2021 sets retention of registration data at three years from the end of the service. After that, it must be deleted. This isn’t optional, and it isn’t “better safe than sorry”: keeping data beyond what’s necessary breaks the storage-limitation principle (Article 5.1.e).

The typical mistake isn’t holding data for three years. It’s never deleting it. A database full of 2019 passport scans is a liability, not an asset: if you’re breached, you expose former guests who shouldn’t still be in there.

Security: sensitive data travels over the internet

Collecting documents online means passport numbers and faces move across the network. Article 32 asks for “appropriate” measures: encryption in transit and at rest, control over who has access, and a provider that won’t use those documents to train anything or pass them to third parties without a contract.

If verification includes a biometric selfie, the bar rises: biometric data used to identify a person is a special category (Article 9). It should only be processed to confirm identity at that moment and disappear afterwards, not sit in an archive.

What to review this week

• Does your check-in form separate the mandatory (registration) from the optional (marketing)?
• Do you provide a clear privacy notice —who you are, why you process the data, how long you keep it— linked at the point of collection? See how we frame it in our privacy policy.
• Do you actually delete after three years, or just say so?
• Does your tool encrypt the documents and limit access?

Guest registration and the GDPR don’t clash. What clashes with the law is over-collecting, over-keeping and not disclosing it. If you automate the guest report with a tool that applies these limits by default, compliance stops depending on someone remembering.