The Spanish privacy authority Agencia Española de Protección de Datos (“AEPD”) has imposed a 30,000 Euro penalty on a Spanish hotel for storing and distributing passport photos of hotel guests without a valid ground. Spanish law requires hotels to register their guests using a copy or scan of a valid ID card. Hotels are also obliged to collect a copy or scan of the ID cards from their guests.
This case was prompted by a complaint of a Dutch hotel guest. After ordering a drink, the hotel guest had his key card scanned to pay. He then noticed that the waiter was shown a scan of the photo from his passport, displaying his name and other personal data. The hotel used the photo scan to check whether the hotel guest placing the order was really that hotel guest, in order to prevent other people from ordering food and drinks at his expense. This may look like a smart monitoring tool, which is also in the interest of the guests. However, the hotel had failed to ask for the guest’s prior consent for storing and distributing the photo in his passport. This led the Dutch hotel guest to file a complaint. The Spanish supervisor concluded that storing and distributing a passport photo scan is too severe a monitoring tool. It is sufficient to inquire after the room number of a hotel guest, possibly in combination with his name. The hotel has to pay the penalty and adjust its working method.
In Dutch hotels too, there is a risk of unlawful processing. Hotels in the Netherlands are not permitted to collect a passport copy or scan from guests. However, other registration obligations do apply. In this article we describe what data a hotel can and cannot register, and for how long such data are allowed to be retained.
Statutory registration obligation
Under Section 438 of the Dutch Penal Code, hotels are obliged to register their guests in what is known as a ‘night register’. In practice, this requires hotels to view the ID card of guests and to record the following data: type of ID card, name, place of residence, arrival and departure date. Making a copy or scan of the ID card is not mandatory under this article, nor is the copying out of other personal data from the ID card. The primary purpose of the night register is to facilitate detection and arrests of persons wanted by the police. Hotels are therefore obliged by law to give the police access to the night register. Please note that the obligation to register applies only to the main booker, not to accompanying guests.
Municipal Bylaw
Similar or even stricter rules for the registration of data of hotel guests may be recorded in a Municipal Bylaw. Pursuant to the Municipalities Act, each individual municipality adopts a different Bylaw. In the City of Amsterdam, Article 2.36 of the Bylaw provides that the operator of a hotel has to register, besides the data in Section 438 of the Penal Code, the following data: address, date of birth, place of birth, profession or position, and nationality of the hotel guest. For the City of The Hague, the rule under Article 2:38 of the Bylaw is that the following data may be registered: name, address, place of birth, date of birth, position, arrival and departure date.
A strict GDPR regime applies to the making of a copy or scan of an ID card; this is only allowed if an organization is obliged to do so by law. The reason is that an ID card may contain ‘special’ personal data, which are so sensitive that they may seriously affect a person’s privacy. For example, a passport photo may reveal information about the person's race, religion or health. In principle, the processing of special personal data is prohibited under Article 9 GDPR, unless one of the exceptions in Articles 25 to 30 of the GDPR IA applies. No exception has been created for the registration of hotel guests.
The use of a national identification number – such as the social security number (“BSN”) in the Netherlands – has been made subject to restrictions because of the risks the use of such a number may involve. A BSN may make it much easier to link several files and information to each other, which may pose an extra threat to personal privacy. Under Article 46 GDPR IA, the BSN can only be processed in the following three cases: (i) in order to implement the act that prescribes the number, (ii) for purposes stipulated by law, or (iii) for additional cases as designated in an order in council. Hotels do not have a statutory ground for the processing of the BSN.
In short: a hotel is obliged to record the following data of the main booker: type of ID card, name, place of residence, arrival and departure date. Depending on the municipality where the hotel is located, it may be mandatory to register additional data. Making a copy or scan of the ID card is prohibited.
Retention period
For purposes of the retention and deletion of personal data, hotels have to reckon with statutory time-limits on the one hand and maximum retention periods of personal data on the other hand. This is the basis for a hotel to determine when personal data must be deleted.
Personal data of hotel guests cannot be retained for any longer than is necessary for the purposes for which they are processed under the GDPR. If a hotel can substantiate a necessity for its organisation to retain personal data for a certain period in order to achieve a predefined justified objective, the maximum retention period can be determined using this substantiation. Hotels can and must make their own considered choices in this. Hotels that have a hard time determining the retention periods of registered guests may refer to the standard retention periods for visitor registrations set out in the former Personal Data Protection Act. The Exemption Decree PDPA provided a maximum retention period of six months for a visitors’ register, except where a statutory retention period applies in a concrete case (e.g. under a Municipal Bylaw).
Want to know more? Please contact Hester de Vries, Julia Siskina or Romy van Es.