WORLD 2 MEET, S.L. – €70,000 Fine (Spain, 2025)

The Controller offered booking services for tourism villas. As part of the check-in process, it was mandatory to verify the identity of the guests, in accordance with the local regulations. For this purpose, the Controller relied on an external platform operated by a partner, which was responsible for collecting a copy of each guest’s ID. Access to the platform was provided via a private link sent to the guest’s email address, outside the reservation platform. The data subject lodged a complaint regarding the processing of their ID, arguing that receiving the request through a private link posed a risk of unauthorised access and potential exposure of their personal data. The DPA found that requiring guests to upload a full copy of their ID through an external platform was unnecessary and disproportionate, violating the GDPR’s data minimisation principle under Article 5(1)(c). A complete ID card contains far more information than what is required by the applicable regulations, such as a photograph, expiration date, CAN, or parents’ names, and collecting this excess data introduces avoidable risks, including identity theft. Moreover, the DPA noted that an ID card alone does not provide all the information mandated by the applicable regulation and therefore cannot, by itself, fulfil its requirements. The purpose of the mentioned regulation is to safeguard people and property and maintain public order, given the role accommodation facilities may play in criminal activity. However, merely sending a copy of an ID document does not reliably verify a person’s identity and does not achieve this purpose. The DPA concluded that compliance with the applicable regulation can be achieved in a less intrusive way, for example, by having guests complete a form that collects only the specific data required under the regulation, whether online or in person. Collecting a full copy of an ID document therefore constitutes excessive processing and is not justified for the stated purpose