From December 2, establishments dedicated to accommodation of travelers and car rental companies will have to submit to the Ministry of the Interior an exhaustive list of 42 personal data, including 28 Affect Customer Privacy. Otherwise, service providers face fines of up to 30,000 euros.
The measure is included in a royal decree approved in 2021, which should have started to come into force in January 2023. It has been postponed several times after complaints from the tourism sector and the extension of deadlines for using the appropriate technology , although the Interior has announced that it will become definitively effective on December 2.
Among the information that hotels and car rental companies must collect is basic data such as the identity, name, address, telephone number or email of each customer. Also if they are alone or accompanied and the identity of this person. However, the main novelty is that bank card number or the IBAN of an account with which the payment was made.
So, up to a list of 42 details – 14 referring to the company and 28 to the customers themselves, which companies must enter on a digital platform called Accommodationscreated by the Ministry of the Interior. THEThe Secretary of State for Security will be responsible for storing the information.
The decree justifies these new requirements with the aim of “improving the effectiveness of the prevention and investigation of terrorism offenses or those linked to serious organized crime.” Although the measure has attracted criticism from different sectors believing that it could violate the right to privacy or basic privacy principles.
Cut of the Hospedajes application, created by the Ministry of the Interior.
Data protection
Previously, hotels were obliged to collect a list of 14 personal data from guests and send them to the police if necessary. Therefore, the information is multiplied by three and this becomes mandatory because it must be sent through the aforementioned electronic platform.
This would go against the principle of data minimizationincluded in the General Data Protection Regulation, which limits the amount of personal data to what is strictly essential to achieve its purpose.
The lawyer specializing in digital law Carlos Rivadulla considers that “this violates fundamental rights”, because “the regulation of privacy is only justified when it is carried out in a manner provided“And in this case, everything indicates that it would be excessive,” he adds.
Comparative table between the passenger data that (professional) accommodation establishments had to collect and communicate to the police until now, according to OM 2003 (14) and those that they must now collect and communicate (42!), according to RD 2021. New products in red. pic.twitter.com/GVPggjfu1i
– Borja Adsuara Varela ⚖️ (@adsuara) September 29, 2024
Lawyers in this area wonder why the Interior should collect all this data from tourists to fight terrorism when it does not exist. no prior indication against the individual in question. And doubts also arise about why hotels and car rental companies are being approached and not to any other sector.
“It is entirely possible that a measure like this end up in court“, predicts Carlos Rivadulla.
In addition, there is European legislation relating to the protection of personal data and the free movement thereof, such as Directive (EU) 2016/680, which could also conflict with what is established by the Ministry of Fernando Grande Marlaska. The Court of Justice of the European Union (CJEU) has also established case law in this regard.
Tourist complaints
Before the measure comes into force, the Interior will meet on October 4 with representatives of the tourism sector. From Marlaska’s office, it is emphasized that they have “had a permanent dialogue with the sectors concerned to facilitate their adaptation to the requirements”, even if hoteliers are totally opposed to the regulations.
Travel agencies, tourist accommodation employers or the hospitality sector criticize the fact that their workers have to manually enter all the required data on a platform because this would cause excessive administrative burden and could discourage to some tourists when they ask for information.
In the case of small establishments, this additional volume of work would constitute an additional problem. And at the same time, cybersecurity experts are warning of the risks that would be generated in these companies, which could be exposed to access attacks. customer banking information.
The data required by other European Union countries is more general, which is why the sector regrets that a situation of legal uncertainty and disadvantaged compared to other European competitors.
The news also caused a sensation in some international newspapers.
Representatives of the tourism sector celebrate that the Marlaska department has summoned them to a meeting at the end of next week, although their position is that the measure does not come into force.
“We will continue to demand that travel agencies be exempted from this obligation because we consider that requested data is already sent by service providers,” he said in a press release. Jose Manuel Lastravice-president and spokesperson for CEAV, the association of travel agencies.
The head of the organization maintains that “also forcing intermediation would mean a duplication of information that is useless and even detrimental to the intended objective, which is security.”
