💥 The AEPD has just made its decision. In the world of tourism and accommodation, complying with the law is not always as simple as it seems. One of the issues that raises the most questions among owners, managers, and companies in the sector is this:
Can I ask my guests for a copy of their ID to comply with regulations?
This is a very common question. Many establishments, out of habit, simplicity, or “caution,” continue to collect copies of customers’ ID cards… without knowing that this practice is illegal and that the fines are no joke.
📢 We are going to explain the NOTE FROM THE SPANISH DATA PROTECTION AGENCY regarding the request for copies of identity documents in accommodation facilities in order to comply with Royal Decree 933/2021. You can check it out here: 👉 Nota AEPD – Registro de hospedajes
📜 Royal Decree 933/2021: what it really says
In October 2021, Royal Decree 933/2021 was approved. It regulates the obligation to record data on persons using accommodation services (and also vehicle rental). Its purpose is clear: to collaborate with law enforcement agencies to prevent crime and ensure public peace.
This decree requires accommodations to collect and communicate certain identifying data of the guests before the stay begins, but there is something very important you should keep in mind:
The Royal Decree does NOT require that a copy of the guest's ID card or passport be requested or kept.
🚫 So, should you request a copy of the guest's ID card? NO, according to the AEPD (Spanish Data Protection Agency).
The Spanish Data Protection Agency (AEPD) has been very clear on this point:
A copy of the identity document should not be requested.
Why?
Because requesting or storing a copy of the ID card or passport violates the data minimization principle of Article 5.1.c) of the General Data Protection Regulation (GDPR). This principle establishes that only the data strictly necessary for the intended purpose may be processed.
And a copy of an ID card contains much more information than you need:
- Photograph
- Expiration date
- Parents’ names
- CAN code
- And many other details
In addition, keeping these documents increases the risk of identity theft, data leaks, or misuse, something that could result in very serious penalties from the AEPD.
🤯 That’s not all… there are fines.
Yes, in addition to being an unauthorized practice, it can be expensive. The GDPR provides for fines of up to 20 million euros or 4% of global annual turnover, depending on the severity of the offense.
That is why we insist: do not request or keep copies of your guests' ID cards. It is not legal, it is not necessary, and it is not safe.
✅ What data can and should you collect?
Let’s return to Royal Decree 933/2021. Annex I (sections A.3, A.4, B.3, and B.4) details the mandatory information you must collect:
- First and last name
- Identity document number (ID card, passport, or equivalent)
- Nationality
- Date of issue and validity of the document
- Address
- Payment method and cardholder details (if applicable)
- Phone number and email address
- Etcetera.
👁️🗨️ And how do I verify the data without a copy?
This is where many people get scared. But don’t worry: verifying the data does not imply saving the document.
According to the AEPD:
- In person, a visual check of the identity document is sufficient. In other words, you compare the information provided with the document in the guest’s possession.
- Online, you may, according to the law, use methods such as:
  - Digital certificates
  - Cross-checking with payment methods
  - Authentication codes sent by SMS or email
  - Other valid authentication factors
In summary: there are ways to verify without storing. You comply with the law and protect your guests’ privacy.
🛡️ And how can I be sure I’m doing everything right?
This is where we come in. (www.registroparteviajeros.com)
💡 At Registro Parte Viajeros, we make it easy (and legal) for you.
At Registroparteviajeros.com we have designed a comprehensive solution that complies 100% with Royal Decree 933/2021, the GDPR, and the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
What can we do for you? Among other things:
✔️ We collect only the data required by law.
✔️ We do not request or store copies of documents.
✔️ We will notify you if the guest does not fill out the form.
✔️ We communicate and send reports directly to the Ministry of the Interior.
In other words: we help you comply without complicating your life.
And if there are regulatory changes, we adapt for you, because our platform evolves with the law.
🧾 What laws should you be aware of?
In case you want to learn more, these are the main regulations governing data processing and accommodation activities in Spain:
- Royal Decree 933/2021, of October 26
- General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679
- Organic Law 3/2018, December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
- Public Safety Act (Organic Law 4/2015), which also regulates part of the obligations regarding guest identification.
✨ Conclusion: protect your business, protect your guests
In the accommodation sector, trust is everything. And that trust starts with protecting your customers’ data.
Do not ask for copies of ID cards. You do not need them, they are not legal, and they do not help you comply with the law any better.
Do it right, do it easy, and do it safely.
At Registro Parte Viajeros we are here to help you comply with regulations, protect your guests’ information, and avoid problems.
👉 Want to know more? Write to us and we will help you step by step. (Whatsapp)
Sources consulted:
- Royal Decree 933/2021
- GDPR – Regulation (EU) 2016/679
- AEPD information note – June 2025
- LOPDGDD – Organic Law 3/2018
