Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



The Audiencia Nacional has reduced by half the sanction imposed by the AEPD on a hotel for using data collected from a passport

PrintMailRate-it

​​​​​​​​​​​​​​​​​​​​​​published on 24 May 2024 | reading time approx. 3 minutes


The proceedings began in January 2019 following a complaint to the Data Protection Authority of the Netherlands regarding the handling of personal data of a Dutch married couple at a hotel in Mallorca. The complaint pertained to the hotel's practices of storing scanned copies of the couple's passports during check-in. Despite their objection, the hotel insisted on a full scan, citing it as a police requirement. 

Hotels increasingly ask for various personal details before granting room access, such as ID numbers, first and last names, phone numbers, and guest count. However, what is the legal justification for the use of this data?

The resolutions of the Audiencia Nacional and the Spanish Data Protection Authority (AEPD) consider that the scanning of the passport page with personal data and photos and the submission of this data to the State Security Forces is legitimized by Article 6.1.c) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), which allows the processing of data when it is necessary to comply with a legal obligation applicable to the data controller.

The breach is related to the incorporation of client’s data (room number, reservation details, number of guests, departure date, name, surname, VIP status, visits, and photograph) into hotel staff devices for identity verification. 

Despite the hotel's claim of a legitimate interest in fraud prevention through photo verification, as stated in Article 6.1.f) of the RGPD, both the AEPD and the Audiencia Nacional consider it necessary to strike a balance between the legitimate interest of the establishment in controlling consumption and preventing fraud and the rights of the complainant in terms of privacy and protection of personal data. 

The Authority admitted that preventing the fraudulent use of cards could be a legitimate objective; it nonetheless emphasized that it is not enough to have a legitimate interest and that other aspects needed to be considered. 

Furthermore, it considered that the processing of personal data by the hotel was not strictly necessary to fulfill the alleged legitimate interest, suggesting that less intrusive methods exist, such as signatures or room numbers.

Finally, the Authority found that the hotel's collection and use of photographs of customers constituted excessive processing of personal data, disproportionately affecting customers compared to the hotel's legitimate interest.

The Audiencia Nacional, in its resolution released in early May, has ruled on the sanctions imposed by the AEPD, establishing that the Authority had identified the long duration of the infringement as an aggravating factor, noting that the hotel showed no intention of modifying its situation. 

However, the Audiencia Nacional considered that the presentation of the new privacy policy might mean a change in the hotel's practices, an aspect that the AEPD had not adequately considered in its initial assessment. In addition, the Audiencia Nacional considered that the AEPD did not appropriately demonstrate the hotel's negligence, reducing to simple negligence and not so major infraction as to justify a higher fine.

The court determined that the processing of sensitive data (article 9 GDPR), as well-known as the lack of a solid justification due to insufficient evidence demonstrating a specific abuse or improper exploitation of such data, was not sufficient to consider the conduct as aggravated.

Ultimately, without additional concrete damages, it is concluded that the extent of the damage was not excessive. Therefore, the reduction of the fine from 30000 Euro to 15000 Euro is justified due to the absence of some aggravating circumstances, the mere presence of mitigating factors, and a fairer assessment of the facts by the Audiencia Nacional.

Authors:
Inés Olalquiaga
Jorge Cabet - Senior Associate

 DATA PROTECTION BITES

contact

Contact Person Picture

Patricia Ayala Jiménez

Abogado

Partner

+34 91 5359 977

Invia richiesta

 RÖDL & PARTNER SPAIN

​​​​Discover more about our offices in Spain. Read more »
Deutschland Weltweit Search Menu