From December 2 – if there are no new extensions – hotels, tourist apartments or car rental companies will be obliged to collect and submit to the Ministry of the Interior almost three times more data about their customers than until now, including sensitive information such as credit card and bank account numbers or home addresses. This is indicated by a royal decree that the government approved in 2021 and which has since registered various extensions which have delayed its application. Today, the subject returns to the forefront of the public scene following its upcoming entry into force, which has fueled the debate on its implications in the field of private life, the right to private life and the competitiveness of the Spanish tourism sector.
This measure angers the tourism industry, which mainly questions the administrative burden it imposes on the sector. They highlight the impossibility of automating the process, which would involve additional manual work for establishments, which could also lead to an increase in errors. But the new regulation has also angered data protection experts, who warn of a “breach of privacy” represented by the increase in the amount of data collected and transferred to authorities.
The preamble to the royal decree justifies this greater collection of information as a means of combating terrorism and organized crime and emphasizes that “the logistics of accommodation and the acquisition or use of motor vehicles” are of particular importance in the modus operandi of criminals. It also ensures that it respects the principles of “necessity and effectiveness” and that “it contains the essential regulations to meet the need and the purposes pursued, without other options which would make it possible to obtain the desired result”.
The new regulations require hoteliers, owners of tourist residences, travel agencies and vehicle rental companies to collect up to 28 pieces of data from their customers. Unofficial personal data such as address, telephone number or mobile phone appears as new; and others related to transactions, such as payment method identification, bank account IBAN and card expiration date. Additionally, in the event that one of the travelers is a minor, the relationship must also be reflected. This data must be uploaded to a platform – called SES.HOSPEDAJES – launched by Interior and must be kept for three years. Those who report incorrect or late data face penalties of up to 30,000 euros.
In the model currently in force, the data that those who carry out accommodation activities must collect are only ten and are included in the official documents that travelers carry, such as the identity card or passport. In addition, they must be communicated to the National Police Corps and not to the Secretary of State for Security. Many establishments use an automated system with document readers that directly access each reservation and generate a file that is sent each night to state security forces and bodies, industry sources explain.
In response to questions from elDiario.es, a spokesperson for the Ministry of the Interior affirms that at the time this royal decree was subject to all previous reports provided for by law, including that of the Agency Spanish Data Protection Act (AEPD). ), “that he had no objection to its contents.” This public body actually requested in its report that an “adequate impact assessment on data protection” be carried out on the collection and communication of this information in order to “determine” whether they respected the so-called principle of minimization, which refers to the idea that only personal data strictly necessary to achieve a specific purpose should be collected and processed.
However, the AEPD also recognizes that “the simple reference to the interest of the information can be considered sufficient to prove compliance with the principle of data minimization”. However, privacy experts believe that this new regulation could conflict with this principle as well as that of proportionality. “The reference to security is a very vague justification. This seems to me to be an excessive rule which goes against the principle of minimization. Are there really no other, less privacy-intrusive options that allow us to achieve the desired result? » asks Borja Adsuara, doctor of legal philosophy and lawyer specializing in digital rights.
Lawyer Jorge Campanillas, specialist in information and communications technology law, also believes that the royal decree “goes beyond the principle of minimization”. “In the field of data protection, regulations require that the minimum data essential to achieve the intended purpose be collected. But now, under the pretext of security and terrorism, everything seems permitted. “I don’t know to what extent it is necessary to demand data such as mobile phone, email or relationship,” explains this lawyer.
Adsuara also fears that new security vulnerabilities will be created. “Hotels manage payments through armored booking platforms that spend a lot of money on security so they don’t get hacked. With the new regulations, they will be obliged to retrieve this data and include it in the platform created by the Ministry of the Interior. Obviously, they will download them to their computers. And maybe a big chain has the ability to keep it safe. But what happens with a small hotel or a rural house? It will be the amusement park for hackers,” he says.
“The more dispersed the data, the more risks we all run,” says Campanillas, who also highlights the challenge that managing this information will represent for small establishments. This expert recalls for example that the AEPD sanctioned a hotel establishment in 2022 for having scanned the identity of its users at the time of registration and subsequently using these photographs for access control and billing for their consumption during their stay. stay. In this case, the AEPD considered the collection and use of the photograph to be “unnecessary” and “disproportionate”.
Extensions for “technical reasons”
The SES.HOSPEDAJES platform began testing in January 2023, but Interior specifies that a gradual adaptation period has been proposed for its final launch on June 2, 2023. This limit has been extended three times for “technical reasons” in order to facilitate interconnection and data transmission. from establishments located in autonomous communities that have autonomous police forces: first until January 31, 2024 and, then, until October 1 and now until December 2.
However, hospitality employers argue that the problem is not a question of delays or adaptation to technology. The concerns of the sector are the alleged incompatibility of the text with European Union regulations, the legal uncertainty or the competitive disadvantage that the new regulations will generate in the national and European market due to the great “administrative burden” that they impose. on workers. Furthermore, companies in the tourism sector consider that the increase in data requests from their customers “implies a significant interference in their privacy rights without offering clear guarantees”.
“The checks we have been carrying out for many years – the affiliation of each customer – have worked well. In fact, safety is one of the main attributes of the tourist experience in our country. But until now we were asking for official data, which appears on their identity documents,” explains Jorge Marichal, president of the Spanish Confederation of Hotels and Tourist Accommodation (CEHAT), which represents more than 16 000 establishments with a total of 1.8 million places.
Marichal questions what he defines as “overzealousness” in data collection and suggests that regulations “have more economic than security overtones.” “We don’t understand why we have to collect economic and personal data from the time of booking and even before the overnight stay. We are neither the police nor Treasury inspectors. We are people dedicated to hosting. We accept that we have some control over who stays in our facilities, but from there to what is asked of us, there is a very big step,” he says.
Hoteliers also criticize the Interior for an alleged lack of “constructive dialogue” and denounce that the public platform today “does not work”. In this regard, an Interior spokesperson defends that his department has had “permanent dialogue” with the sectors concerned to facilitate their adaptation to the requirements of the new regulations and the platform where the data is entered. The two parties are due to meet again this Friday, October 4.
