In the context of increasing global interconnection and the need to optimize security, traveler registration and the protection of their personal data have become key issues for both government authorities and businesses in the tourism sector.
On December 2, the Ministry of the Interior activated the documentary registry for lodging and motor vehicle rental activities, as set forth in Royal Decree 933/2021, of October 26, 2021, which came into effect in April 2022.
The new registry is hosted on the ses.hospedajes application, managed by the Ministry of the Interior, which is responsible for the custody and protection of the data stored in it.
When analyzing Royal Decree 933/2021 of December 26, 2021, in depth, we must refer to the Spanish Constitution of 1978, which recognizes and guarantees fundamental rights such as the right to life and physical integrity (Article 15) and the right to personal freedom and security (Article 17).
The previous regulatory framework (Order INT 1922/2003 of July 3, concerning registration books and traveler check-in forms in hospitality establishments and similar businesses) was outdated and did not cover new forms of accommodation, such as short-term tourist rentals operated by companies or individuals through digital booking platforms or online reservation centers (Booking, Airbnb, etc.).
With the new regulation, the principles of necessity and efficiency are met, as it is justified by the public interest in ensuring citizen security against terrorist threats and other serious crimes committed by criminal organizations, while also respecting the principles of transparency and efficiency.
Changes of the new normative
One of the main changes regarding the processing of personal data is the requirement for travelers to sign check-in forms. Previously, only adults were required to sign, but now this obligation extends to minors aged 14 and older. This age threshold is consistent with both the European General Data Protection Regulation (GDPR) and Spain’s Organic Law on Data Protection and Digital Rights, which recognize 14 years as the minimum age at which a minor can act as a data subject in certain circumstances. Therefore, a minor aged 14 or older is deemed capable of understanding the check-in form and acknowledging that this information will be communicated to law enforcement authorities. For minors under 14, their legal guardians will continue to be responsible for signing the form.
The check-in forms will be provided by lodging or vehicle rental establishments, which will act as data controllers and must ensure the accuracy of the data recorded, verifying it against the identity documents or systems presented by users.
This brings another key change: the verification of identity documents by users themselves. That is, data controllers must confirm that the information provided is accurate. However, this does not authorize them to store copies of ID documents, as was commonly done in the past. Instead, simply reviewing and verifying the information is sufficient.
This means that all necessary personal details from an identity document can be recorded without the need to store the document itself. This aligns with the recommendations of the Spanish Data Protection Agency, which has repeatedly stated that ID documents are considered sensitive personal data under data protection regulations, as they can be used to uniquely identify an individual. According to the GDPR, any organization storing such data must comply with the principles of necessity, proportionality, and data minimization.
Storing an ID document without a legal justification or a specific purpose could violate these principles.
When collecting travelers’ personal information, it is essential to ensure that these data are protected to prevent breaches of fundamental rights and to avoid any misuse of the data.
To comply with data protection regulations, the new system establishes a maximum retention period of three years for the stored information, starting from the end of the service or contract.
The check-in forms will be automatically transmitted through the application to law enforcement agencies, as well as to European authorities responsible for counterterrorism and organized crime prevention. These communications must be made before the start of the activity. Any modification will require a new communication within a maximum of 24 hours from the time the reservation is made, the contract is formalized, or, if applicable, the booking is canceled.
In conclusion, the new traveler registration system ensures that all communications are carried out automatically via the application, while strictly prohibiting the storage of identity documents.
If you would like more information about the new traveler registration system, the data protection policies that apply, or the technical and organizational measures you need to implement, feel free to contact us.
Article by Imma Martí.
