Posada El Azufral – €1,200 Fine (Spain, 2024)

€1,200 | Agencia Española de Protección de Datos | 30 September 2024 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The data subject was asked by the controller to provide photo ID to complete hotel check-in, as part of the controller's legal obligations to maintain records of staying guests. The data subject refused to do so (both online and at the hotel on the day of check-in) on grounds of excessiveness when it became apparent the ID would be kept on file by the controller, and was refused accommodation.

The controller alleged photo ID was necessary to verify the accuracy of travellers' data provided in entry and exit forms and the registration sheets required from hotel establishments (per Article 4(3) RD 933/2021 establishing the obligations of documentary registration and information of natural or legal persons who carry out activities of hosting and rental of motor vehicles). While the check-in software used by the controller had options to allow travellers to check in online or in person without providing ID, the controller maintained the need for a copy of travellers' IDs. Further, while the software would only keep the ID image for 5 days per its privacy policy, the controller confirmed it would keep images for 3 years in order to fulfil its tax obligations.

The DPA found that the controller did not have a legal basis for requesting a copy of travellers' identity documents as a condition of their registration (check-in), which was determined to be excessive and unnecessary processing of personal data contrary to the data minimisation principle (Article 5(1)(c) GDPR). The DPA determined that requiring a traveller to provide a copy of their identity documents constituted excessive processing of personal data, since the documents contained personal data that was inadequate, not pertinent and not necessary for the specific purpose of the processing in question (compliance with the legal obligations in force regarding registration of entry and exit of travellers (Article 4(3) RD 933/2021)). The DPA noted that the law (both [https://www.boe.es/diario_boe/txt.php?id=BOE-A-20

GDPR Articles Cited

Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 58(2)(d) GDPR
Art. 83(5)(a) GDPR

National Law Articles

Article 24 LO 4/2015
Article 4(3) RD 933/2021
Article 85, LPACAP

Related Enforcement Actions (0)

No other enforcement actions found for Posada El Azufral in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 30 September 2024
Authority: Agencia Española de Protección de Datos
Fine Amount: €1,200
GDPRhub ID: gdprhub-8876

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Posada El Azufral - Spain (2024). Retrieved from cookiefines.eu
