GDPR and Hotel guest passports and ID cards: do’s and don’ts
The scanning of hotel guests’ ID cards and passports is a sensitive subject.
Hotels are required to identify every guest for legal and billing purposes, so they can ask for the ID-card to meet their legal obligation. In a recent case a hotel was fined €30,000 for GDPR breaches while processing a guest’s ID-card.
If you want to stay GDPR compliant, make sure you:
- Can prove the guest’s consent to the processing of the ID-card
- Only use the data you really need
- Have adequate data security
Inform the guest
Making a copy
If you need to make a copy of the ID-card, you must make sure you have explicit consent to make and store the copy, and only use the data you strictly need: name and address are OK for guest check-in, but photo and personal register number are not needed for that purpose and thus not allowed.
Having a copy of the ID-card brings security concerns with it. Make sure you control access to the copy and that you store it securely. Consult our knowledge base on the topic of data security for what to consider.
Ignoring these basic rules might expose you to serious fines. In a recent case a hotel was fined €30,000 by the Spanish DPA for a violation of the GDPR by scanning a data subject’s passport and processing their photograph without a valid legal basis. It was established that the hotel had proved that the scanning of the passport only captures the required fields using OCR, as well as the photograph, and that it does not retain a copy of the passport page itself.
Based on these considerations, the AEPD imposed a €30,000 fine on the hotel for an infringement of Article 6 GDPR by lacking a lawful basis for the processing of the data subject’s scanned passport, and ordered the hotel to adopt the necessary measures to ensure its processing activities comply with the GDPR.
Using an ID-card to shortcut data input may seem like a good idea, but you are strongly advised to consider all rules concerning data minimisation, consent and data security. You can find more information on those in our knowledge base item: GDPR Regulation and Requirements explained.