AEPD (Spain) - EXP202309109

From GDPRhub
AEPD - PS/00331/2023
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Published: 18.10.2023
Fine: 2,000 EUR
National Case Number/Name: PS/00331/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

Spain's supervisory authority (the AEPD) fined a hotel €2,000 for scanning the ID cards of its customers where not required by applicable law and, therefore, in breach of the Article 5(1)(c) GDPR on the principle of minimisation.

English Summary


Two data subjects tried to check in at the hotel (the data controller), but the accommodation manager told them that they could not check in because someone had already taken the room they had booked, using their personal data. The data subjects asked for a complaint form, but the data controller did not have one. As a result, the data subjects reported the hotel to the Municipal Police of the Torrevieja Town Hall (Alicante).

The police inspected the hotel and discovered that in the Guest Register Book there was no numerical annotation of the registers, but only loose sheets with scanned ID cards. The police also found that the hotel did not report such searches to the security forces as required by law.

Consequently, the Police reported the facts to the AEPD regarding the misuse of the hotel guests' ID cards.


The AEPD acknowledges that there is legislation in Spain concerning the registration of hotel guests. However, the AEPD stresses that this legislation does not oblige hotels to scan their customers' ID cards. Therefore, the AEPD concludes that the data controller has engaged in excessive processing of the data subjects contrary to the minimisation principle of Article 5(1)(c) GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: EXP202309109 (PS/00331/2023)


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following:

FIRST: On 05/15/23, this Spanish Agency for the Protection of
Written data from the Municipal Police of the Torrevieja City Council (Alicante),
regarding some events that occurred at the UNIQUE hotel establishment
HOTEL APARTMENT. S.L with CIF.: B54915855 of said town, for the alleged
violation of data protection regulations: Regulation (EU) 2016/679, of the
European Parliament and of the Council, of 04/27/16, regarding the Protection of

Natural Persons with regard to the Processing of Personal Data and the Free
Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, of
Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD)

The events described by the Local Police deal, among other issues, with a

complaint they received for not providing the Aparthotel complaint forms to
some clients. The events occurred on ***DATE.1, when a young couple
He went to the reception of the aparthotel to carry out the “CHECKIN” and the
The person in charge of the establishment did not give them accommodation, citing that another person
had registered before them with their personal data.

The inspection was carried out by the Local Police, regarding the Registration Book of
Clients, it was verified that there was no numerical annotation of the records.
In the case of loose sheets and with scanned DNI. It was also found that the
establishment did not communicate such records to the security forces.
security as mandated by current legislation.

Along with the letter, a loose sheet of a registration/checkin form is attached.
with the logo of the Aparthotel and the scanned DNI documents of both
young people who filed a complaint with the Municipal Police.

SECOND: On 07/27/23, by the Directorate of the Spanish Agency for
Data Protection, sanctioning procedure begins against the entity UNIQUE HOTEL
APARTMENT. S.L., when appreciating reasonable indications of violation of the provisions of
article 5.1.c) RGPD, due to a possible processing of excessive personal data when
scan clients' IDs.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (LPACAP) and RD 203/2021, of March 30, which approves the
Regulations for action and operation of the public sector by electronic means,
through electronic notification that was made on 07/28/23.

THIRD: Notified of the aforementioned initiation agreement in accordance with the established rules
in Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) and after the period granted

C/ Jorge Juan, 6
28001 – Madrid 2/6

for the formulation of allegations, it has been verified that no allegation has been received
any by the claimed party.

Article 64.2.f) of the LPACAP - provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period regarding the content of the initiation agreement, when
This contains a precise statement about the imputed responsibility,
may be considered a proposal for a resolution. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the

imputation, the violation of the RGPD attributed to the person complained of and the sanction that could be
impose Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to initiate the file and in response to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is
considered in the present case proposed resolution.

In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:

                                PROVEN FACTS

First: According to the Municipal Police of the Torrevieja City Council
(Alicante), inspection carried out at the UNIQUE HOTEL hotel establishment
APARTMENT, it was found that, in the Client Record Book, there was no
numerical annotation of the records in the case of loose sheets, with the DNI
scanned. Along with the document, a loose sheet of a form is attached.

registration/checkin, with the aparthotel logo and scanned DNI documents.

                           FOUNDATIONS OF LAW



The Director of the Spanish Agency is competent to resolve this procedure.
of Data Protection, by virtue of the powers that art 58.2 of the RGPD recognizes to
each Control Authority and, as established in arts. 47, 64.2 and 68.1

                                  Previous issues

In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD,

involves processing personal data, since the entity
UNIQUE HOTEL APARTMENT. S.L carries out the collection and conservation of data
clients' personal data and carries out this activity in its capacity as responsible for the
treatment, given that it is the one who determines the purposes and means of such activity, by virtue
of article 4.7 of the GDPR.

For its part, article 5.1.c) of the GDPR regulates the “principles relating to processing”
establishing that: “1. Personal data will be: c) adequate, relevant and

C/ Jorge Juan, 6
28001 – Madrid 3/6

limited to what is necessary in relation to the purposes for which they are processed
(“data minimization”)”

This article states that personal data will be “adequate,
relevant and limited to the need” for which they were collected, in such a way
that, if the objective pursued can be achieved without excessive treatment of
data, this is how it should be done.

In turn, recital 39 of the GDPR indicates that: “Personal data must only be

processed if the purpose of the processing could not reasonably be achieved by others
media." Therefore, only data that is “adequate,
relevant and not excessive in relation to the purpose for which they are obtained or processed.”

The categories of data selected for processing must be the

strictly necessary to achieve the stated objective and the person responsible for the
processing must strictly limit data collection to that information that
is directly related to the specific goal that is intended to be achieved.

In this case, it is confirmed that the entity UNIQUE HOTEL APARTMENT.
S.L performs a scan of the clients' DNI and that it does not comply with the regulations

in force in relation to the obligation you have to communicate the data to the
State security forces and bodies.

Organic Law 4/2015, on the protection of citizen security, establishes, in its
article 25.1 “Documentary registration obligations” the following:

       “Natural or legal persons who carry out activities relevant to the
       citizen security, such as accommodation, transportation of people, access
       commercial use of telephone or telematic services for public use through
       establishments open to the public, trade or repair of used objects,

       rental or scrapping of motor vehicles, purchase and sale of jewelry and metals, whether
       whether precious or not, objects or works of art, security locksmithing, centers
       metal waste managers, wholesale trade establishments
       scrap metal or waste products, or sale of hazardous chemicals
       to individuals, will be subject to the obligations of documentary registration and
       information in the terms established by the applicable provisions.”

Likewise, Order INT/1922/2003, of July 3, on record books and parts of
entry of travelers into hospitality and other similar establishments includes, in its
Annex the “Traveller entry part model”, and the traveler data indicates
that the following data will be collected from travelers: “number. of document

identity, type of document, date of issue of the document, first surname,
second surname, first name, sex, date of birth, country of nationality, date of

                                Administrative violation

C/ Jorge Juan, 6
28001 – Madrid 4/6

In this way, from the documentation in the file it can be concluded that the
copy of the identification document is not a necessary treatment to carry out the
registration, and comply with Organic Law 4/2015, constituting said action

a violation of article 5.1.c) RGPD, since it would not be necessary data
for the processing that is carried out, considering that excessive data has been processed
that are not necessary for the purpose for which they are intended.


The violation of art. 5.1.c) of the RGPD implies the commission of one of the infractions
typified in art. 83.5 of the RGPD, which provides the following: “Violations of the
following provisions will be sanctioned, in accordance with section 2, with fines
administrative expenses of €20000000 maximum or, in the case of a company, a

amount equivalent to a maximum of 4% of the total global annual turnover of the
previous financial year, opting for the highest amount: “a) the principles
basics for the treatment, including the conditions for consent under
of the arts. 5, 6, 7 9”.

For the purposes of the limitation period, article 72 “Infringements considered “very

serious” of the LOPDGDD indicates: “1. Based on what is established in article 83.5 of the
Regulation (EU) 2016/679 are considered very serious and will expire after three years.
infringements that involve a substantial violation of the articles
mentioned in that and, in particular, the following: a) The processing of data
personal data violating the principles and guarantees established in article 5 of the

Regulation (EU) 2016/679.”

The balance of the circumstances contemplated, with respect to the infraction committed
By violating the provisions of article 5.1.c) of the RGPD, it allows setting a penalty of
2,000 euros (two thousand euros).


Article 58.2 of the GDPR establishes the corrective powers available to a
control authority and section d) of the aforementioned provision establishes that it may consist
in, “order the person responsible or in charge of the treatment that the operations of

treatment comply with the provisions of this Regulation, where applicable,
in a certain way and within a specified period.”

Therefore, it is appropriate to impose the corrective measure described in article 58.2.d) of the
RGPD and order the complained party to, within a period of one month, establish the

appropriate measures to adapt the management of the customer registry in the
hotel establishment as stipulated in article 5.1.c) of the RGPD.

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the

Spanish Data Protection Agency,


C/ Jorge Juan, 6
28001 – Madrid 5/6

B54915855, for the violation of article 5.1.c) of the RGPD, typified in 83.5 of the
cited GDPR, a fine of 2,000 euros (two thousand euros).

B54915855, to implement, within one month, the necessary corrective measures
to adapt the management of clients' personal data to what is stipulated in the
article 5.1.c) of the RGPD, as well as to inform this Agency within the same period
on the measures taken.

THIRD: NOTIFY this resolution to the entity UNIQUE HOTEL

FOURTH: Warn the sanctioned person that the sanction imposed must be made effective

once this resolution is enforceable, in accordance with the provisions of the
article 98.1.b) of law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it into the restricted account No. ES00 0000 0000 0000

0000 0000, opened in the name of the Spanish Data Protection Agency in the
banking entity CAIXABANK, S.A. or otherwise, it will proceed to
collection in executive period.

Once the notification is received and once enforceable, if the enforceable date is

between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month. In accordance
With the provisions of article 50 of the LOPDGDD, this Resolution will be made

public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative route (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file

appeal for replacement by the Director of the Spanish Data Protection Agency in
the period of one month counting from the day following the notification of this resolution
or directly administrative contentious appeal before the Contentious Chamber.
administrative of the National Court, in accordance with the provisions of article 25 and
in section 5 of the fourth additional provision of Law 29/1998, of July 13,

regulatory authority of the Contentious-Administrative Jurisdiction, within a period of two months to
count from the day following the notification of this act, as provided in the
article 46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,

of October 1, of the Common Administrative Procedure of the Administrations
Public, the final resolution may be provisionally suspended administratively if
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

C/ Jorge Juan, 6
28001 – Madrid 6/6

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [],
or through any of the other registries provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1.

You must also transfer to the Agency the documentation that accredits the filing.

effectiveness of the contentious-administrative appeal. If the Agency was not aware
of the filing of the contentious-administrative appeal within a period of two months
From the day following notification of this resolution, the
precautionary suspension.

Sea Spain Martí
Director of the Spanish Data Protection Agency.

28001 – Madrid 6