GDPR and hotel guest passports and ID cards: do's and don'ts
Scanning hotel guests' ID cards and passports is a sensitive subject.
Hotels are required to identify every guest for legal and billing purposes, so they may ask for an ID card to meet that legal obligation. Processing the card is another matter: in a recent case a hotel was fined €30,000 for GDPR breaches committed while processing a guest's ID card.
If you want to stay GDPR compliant, make sure you:
- Have a privacy policy in place that clearly informs the guest what data you collect, how you use it and how the guest can exercise their GDPR rights
- Can prove the guest's consent to the processing of the ID card
- Only use the data you really need
- Have adequate data security in place
Inform the guest
First, clearly inform the guest about how you will use the data and how they can exercise their GDPR rights. This is best done by publishing your customer privacy policy, online or in print.
Whenever you use the guest's ID card, even if only to confirm the guest's identity, you are advised to obtain written consent for that use. One way to do this is to add an "I hereby consent to the processing of my ID card or passport" check-box to your guest intake form. Make sure the form references your hotel's privacy policy, and that the policy is available online and as a printout at the check-in desk.
Making a copy
If you need to make a copy of the ID card, you must have explicit consent to make and store the copy, and you may only keep the data you strictly need for the stated purpose: name and address are fine for guest check-in, but the photo and the personal register number are not needed for that purpose and therefore may not be kept.
Security concerns
Holding a copy of an ID card brings security obligations with it. Control who can access the copy, store it securely, and delete it once it is no longer needed. Consult our knowledge base item on data security for what to consider.
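As an added illustration of the two previous points (keep only the fields needed for the purpose, and be able to prove consent for what you did keep), the following Python snippet shows one way to handle the output of an ID-card OCR pass at check-in. It is not code from the original article or from any hotel system; the field names ("surname", "personal_register_number", "photo"), the purpose names and the 30-day retention period are assumptions for illustration. The HMAC tag only makes the record tamper-evident so the consent proof can be trusted later; encryption at rest and access control around the stored record are still required and are outside this snippet.

```python
"""Purpose-bound handling of an ID-card scan at hotel check-in.

Added example, not the article's own code. Field names, purpose names and
the retention period are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Fields that may be retained for each documented purpose.
# Check-in needs name and address only (see the article).
ALLOWED_FIELDS_BY_PURPOSE = {
    "check_in": frozenset({"surname", "given_names", "address"}),
}
# Never retained from a scan, whatever the purpose.
NEVER_RETAIN = frozenset({"photo", "personal_register_number", "raw_scan"})

CONSENT_TEXT = "I hereby consent to the processing of my ID card or passport"
RETENTION_DAYS = 30  # assumed retention period for the check-in record

# Constructed sample of what an OCR pass over a card might return.
SAMPLE_OCR = {
    "surname": "Doe",
    "given_names": "Jane",
    "address": "1 Example Street, Example City",
    "personal_register_number": "00.00.00-000.00",
    "photo": b"<jpeg bytes>",
}


def minimise(ocr_fields: dict, purpose: str) -> dict:
    """Keep only the fields documented for `purpose`; refuse unknown purposes.

    Raising on an undocumented purpose mirrors the AEPD reasoning: a use the
    privacy policy does not mention has no legal basis, so do not process.
    """
    try:
        allowed = ALLOWED_FIELDS_BY_PURPOSE[purpose]
    except KeyError:
        raise ValueError(f"no documented purpose {purpose!r}; do not process") from None
    return {k: v for k, v in ocr_fields.items()
            if k in allowed and k not in NEVER_RETAIN}


def _tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON of everything except the tag itself."""
    body = json.dumps({k: v for k, v in record.items() if k != "tag"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def record_checkin(ocr_fields: dict, consent_given: bool, policy_version: str,
                   hmac_key: bytes, now: datetime | None = None) -> dict:
    """Build a minimised, tamper-evident check-in record carrying its consent proof."""
    if not consent_given:
        raise PermissionError("no consent recorded; the scan must not be processed")
    now = now or datetime.now(timezone.utc)
    record = {
        "purpose": "check_in",
        "data": minimise(ocr_fields, "check_in"),
        "consent": {
            "given_at": now.isoformat(),
            "policy_version": policy_version,  # which policy text the guest saw
            "consent_text_sha256": hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
        },
        "delete_after": (now + timedelta(days=RETENTION_DAYS)).isoformat(),
    }
    record["tag"] = _tag(record, hmac_key)
    return record


def verify_record(record: dict, key: bytes) -> bool:
    """True if the record has not been altered since it was tagged."""
    return hmac.compare_digest(_tag(record, key), record.get("tag", ""))


def is_expired(record: dict, now: datetime) -> bool:
    """True once the retention period has passed and the record must be deleted."""
    return now >= datetime.fromisoformat(record["delete_after"])
```

The point of `minimise()` refusing an undocumented purpose is that purpose limitation fails closed: a new use such as identity verification for purchases cannot be bolted on without first adding it to the policy and to the allowlist. The HMAC key must be held separately from the records so a database read alone cannot forge a consent proof.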
Ignoring these basic rules may expose you to serious fines. In a recent case the Spanish DPA, the AEPD, fined a hotel €30,000 for a violation of the GDPR after it scanned a data subject's passport and processed their photograph without a valid legal basis. The hotel was able to show that the scan only captured the required fields, plus the photograph, using OCR, and that it did not retain a copy of the passport page itself.
Yet the AEPD held that the hotel had no legal basis for processing the data subject's photograph in order to verify their identity for purchases in the hotel. It stressed that the hotel's privacy policy neither mentioned that the photograph would be used for that purpose nor claimed a legitimate interest in doing so.
On that basis the AEPD fined the hotel €30,000 for an infringement of Article 6 GDPR, for lack of a lawful basis for processing the scanned passport, and ordered it to adopt the measures necessary to bring its processing activities into compliance with the GDPR.
Using an ID card to shortcut data input may seem like a good idea, but you are strongly advised to consider all the rules on data minimisation, consent and data security first. You can find more on those in our knowledge base item: GDPR Regulation and Requirements explained.