On 17th June 2025, the Spanish Data Protection Authority (“AEPD”) published guidance in relation to Royal Decree 933/2021, which regulates document registration and information obligations relating to accommodation and motor vehicle rental activities (“Royal Decree“). In particular, the AEPD has clarified that the Royal Decree does not authorise requests for copies of identity documents by accommodation establishments.

Summary of key points:

• No copies of ID documents: The AEPD has clarified that accommodation providers must not request a copy of guests’ national identity documents or passports. Doing so would breach the data minimization principle set out in Article 5.1(c) of the GDPR, since these documents include more personal data than is strictly required under the Royal Decree.

• Data collection methods: According to the AEPD, it is sufficient for guests to provide a form (either online or in person at the accommodation) that collects only the data required under sections A.3 and B.3 of Annex I of the Royal Decree.

• Authentication requirements:
  • For in-person collection, a simple visual verification of the data against the identity document is sufficient.
  • For online collection (without in-person interaction), verification may be carried out using mechanisms such as:
    • Digital certificates.
  • • Confirmation that the provided data matches the information associated with the payment method used.
    • Other authentication methods, such as sending security codes to the guest’s registered phone number or email address (both of which are required to be collected under the Royal Decree).

In order to ensure compliance with, not only the Royal Decree, but also data protection requirements, those providing accommodation and motor vehicle rental activities should ensure that identity documents are not requested in these circumstances, or risk potential sanctions from the AEPD.