Published on: 18/05/2026
Over the past few years, both the police and the AEPD (Spanish Data Protection Agency) have significantly intensified their interventions to detect tourist accommodations that were not properly complying with Organic Law 4/2015, as well as with the General Data Protection Regulation (GDPR). The intention of these regulations is to ensure the correct identification of guests staying in tourist and holiday rental properties, in order to guarantee public safety and control of tourist accommodations.
Important Update – June 2025: On 17 June 2025, the AEPD issued an official informational note clarifying that it is not permitted to request, scan, photograph or retain copies of the ID card or passport of guests for the purpose of traveller registration, even if the images are not stored.
Contenido
From 1 July 2025, under Royal Decree 1312/2024 and applicable European regulations, failure to comply with obligations such as registration in the Unified National Registry of Tourist Rentals, or advertising without a registration number, may result in fines of up to €600,000 depending on the severity and the autonomous community. This measure represents a radical tightening of sanctions to ensure legality and safety in the tourism sector.
In 2025, the AEPD has considerably increased its fines, sanctioning hospitality companies that scan ID cards with up to €70,000, even when they claim not to retain the image. This action signals a tougher enforcement approach and a clear warning to all accommodation providers.
Concerning Data 2025-2026: Small businesses and self-employed workers in the tourism sector face a complex situation due to the contradiction between the legal obligation to identify guests and the AEPD’s express prohibition on digitising or scanning documents. This discrepancy creates high levels of legal uncertainty.
Organic Law 4/2015 on the Protection of Public Safety establishes obligations related to the documentary registration of guests. These provisions are designed to guarantee public safety through the collection and monitoring of data on individuals staying at tourist establishments such as hotels, apartments, rural houses, campsites, and others.
The GDPR (General Data Protection Regulation) is European Union legislation (Regulation (EU) 2016/679) that governs the processing of personal data of citizens and residents in the EU. It came into force in May 2018 and aims to strengthen the privacy and data protection of individuals.
Those responsible for tourist accommodations are required to register the data of all guests staying at their establishments. This registration must include the information provided in Annex I of RD 933/2021.
Accommodations must submit this information to the authorities via the SES HOSPEDAJES platform. The mandatory data under Annex I includes:
Since June 2025, the AEPD has definitively clarified that the following are not permitted:
This prohibition is justified by the fact that the data minimisation principle of the GDPR establishes that data which exceeds what is strictly necessary may not be collected or stored. A full ID card contains information that is not required, such as a photograph, expiry date, parents’ names and biometric data.
A hotel in Cantabria was fined for attempting to obtain photographs of a guest’s ID card through the online check-in process. The platform requested that guests fill in their details and attach photographs of both sides of their ID card.
What happened? The guest refused to attach the images but completed the rest of the form. On the day of arrival, the hotel demanded that the guest provide their ID card so a photograph could be taken. The guest refused again and the hotel decided to cancel the reservation.
Resolution: The AEPD determined that scanning or photocopying the full ID card exceeds the necessary data processing, even when the images are not stored. What is required is an in-person visual check or the use of electronic means that do not retain copies of the document.
Lesson: Even the intention to photograph (without saving) is subject to sanction.
During police inspections at public holidays (Easter Week and the Quebrantahuesos march), 2 tourist flats were found where hosts had not completed guest registration within the mandatory 24-hour deadline.
Fine imposed: Sanctions for non-compliance with Organic Law 4/2015.
Lesson: Authorities intensify checks during peak seasons. Registration must be completed within 24 hours.
Source: heraldo.es
A hostel located in Cala de Blanes faced a fine of up to €30,000 for failing to comply with Organic Law 4/2015 by omitting the mandatory documentary registration of guests, following several police warnings.
A rural hotel in Badajoz requested images of guests’ ID cards (both sides) via WhatsApp. When the customer repeatedly refused, the hotel denied access to the apartment, which had been paid for in advance.
Complaint and resolution: The customer filed a complaint with the Civil Guard and the AEPD, which imposed a fine of €2,000 for a serious infringement.
Critical lesson: Requesting ID images via WhatsApp is directly subject to sanction, even before the images are saved.
Source: Diario Sur
The AEPD sanctioned the operator of a mobile application with €1,000 (reduced to €600 for early payment) for requesting a full copy of users’ ID cards to verify identifying data submitted via a form.
Resolution: It was deemed disproportionate to request the full ID card when less invasive means are available.
The AEPD fined a hotel €30,000 for systematically scanning the ID cards/passports of its customers at check-in without legal necessity, even without retaining the images.
Key message: The act of scanning itself, regardless of whether the data is retained or not, is subject to sanction.
The AEPD permits the following methods for verifying guests’ identity without violating the GDPR:
Failure to comply with these obligations may be considered an administrative infringement under Organic Law 4/2015 and/or a serious infringement of the GDPR. Sanctions may include:
Important note: In 2025, municipalities such as Alicante have acquired their own sanctioning capacity to fine illegal tourist properties with amounts ranging from €10,000 to €600,000 depending on severity.
Authorities have significantly stepped up controls:
To adapt to these regulations in 2025-2026, it is highly advisable to implement digital systems that:
This regulatory tightening is generating growing concern among small businesses and self-employed workers in the tourism sector. However, it also presents a clear opportunity:
The fundamental recommendation is to comply with the Law and the GDPR by limiting data collection exclusively to what is required for registration, and by using official tools to submit this information without retaining any documentation.
Those who invest in appropriate digital solutions now will be protected from future sanctions and will have a competitive advantage over less careful competitors.
A: No. The AEPD has made it clear that the act of capturing/scanning is itself an infringement, even if the image is deleted immediately afterwards. The prohibition applies prior to storage.
A: No. This has been sanctioned with fines of €2,000 or more. The act of requesting it is already an infringement.
A: Yes, but through in-person visual verification or non-invasive digital methods (OTP, payment verification). Never by scanning or photographing.
A: Within 24 hours of their arrival. Failure to meet this deadline is also subject to sanction.
