AEPD (Spain) - PS/00078/2021
Article 5(1)(c) GDPR
Article 6 GDPR
Article 6(1)(f) GDPR
Ley Orgánica 4/2015 de protección de la seguridad ciudadana.
Marins Playa S.A.
AEPD (in ES)
The Spanish DPA issued a €30,000 fine against a hotel for a violation of Article 6 GDPR by scanning a data subject's passport and processing their photograph without a valid legal basis.
English Summary
Facts
This case was initiated by a complaint filed with the Dutch DPA (Autoriteit Persoonsgegevens, AP) by a Dutch data subject against Marins Playa S.A., a hotel in Spain.
According to the data subject, when checking in at the hotel, their passport was scanned as part of its registration process despite their objection. The passport scan included more personal data than what was required for this purpose. The data subject stated that the hotel employee who performed the registration process claimed that this scan was performed in order to comply with local police force requirements.
The AP remitted this complaint to the Spanish DPA (AEPD), which is the competent lead DPA under Article 56 GDPR, due to the fact that the hotel’s main establishment is in Spain. When remitting their case to the AEPD, the AP asked if indeed national law required the passport scan, or if only some of the data contained in it was necessary for the hotel registration process.
The Spanish DPA initiated proceedings, and asked the hotel to inform them of its processing operations in this case. The hotel stated that the scan is made to generate text information through Optical Character Recognition (OCR), which is then entered into the relevant fields in their hotel management software. The hotel admitted that there is no specific requirement from the police force to scan the document, only to remit the information in the required fields. Regarding the scanned passport photograph, the hotel explained that it is used to verify the guest’s identity for purchases within the hotel, and avoid fraudulent charges by third parties.
The AEPD initially issued a draft decision dismissing the case, holding that the hotel had a legitimate interest and legal obligation to process the data required. However, the AP objected to the dismissal of the case, pointing out to the AEPD that in order to base this processing on a legitimate interest, the necessity and proportionality of the processing should be evaluated, specifically whether there are reasonable and less intrusive ways to verify this information, also taking into consideration the data minimisation principle under Article 5(1)(c) GDPR. The AP mentioned several alternatives which were less intrusive and are standard practice in most hotels, such as security questions and signatures.
Based on these objections by the AP, the AEPD decided to reassess the case. The hotel responded to these points stating that employees who verify the guest’s identity for consumption only have access to their name and photograph on their software, not the actual scanned page of the passport. The hotel now claimed (as the AEPD had initially held in its draft decision) to have a legitimate interest in using the photograph for verification purposes in order to prevent fraudulent charges on the guest’s magnetic card.
Holding
In their reassessment of the case, the AEPD established that the hotel had proved that the scanning of the passport just captures the required fields using OCR, as well as the photograph, and it does not retain a copy of the passport page itself.
Regarding the data processed through OCR for its guest registration process, the AEPD held that the hotel had a legal basis to process this data under Article 6(1)(b) GDPR for the performance of a contract, as well as under Article 6(1)(c) GDPR to comply with legal obligations for lodging establishments under the law, which entail the remission of guest information to police databases.
The AEPD also highlighted that the data minimisation principle under Article 5(1)(c) GDPR should be observed in these cases, in order to assess that the data subject’s rights or freedoms do not prevail with regard to that legitimate interest. Considering that the data subject was unaware of the purposes or legal basis for this processing, the AEPD held that this processing was excessive, also taking into account the arguments established by the AP regarding less intrusive means to achieve the processing’s purpose.
Based on these considerations, the AEPD imposed a €30,000 fine on the Marins Playa S.A. hotel for an infringement of Article 6 GDPR by lacking a lawful basis for the processing of the data subject’s scanned passport, and ordered it to adopt the necessary measures to ensure its processing activities comply with the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.