Data Protection affirms in its resolution that the treatment of the image of the guests is disproportionate and excessive.

The Spanish Agency for Data Protection (AEPD) has just imposed a fine of 30,000 euros on a hotel company for completely scanning the page of the passport that contained the information of the holder. The body has imposed this fine considering that it is an excessive treatment of the client’s personal information and that there is no type of legal basis that supports this type of action.

The matter is based on the claim made by a Dutchman in which he indicated that in the hotel registration process they requested his passport, which was scanned, despite his opposition. The client claimed that not all the data included in it was necessary to carry out the check-in, to which the hotel employee replied that said scanning was done following instructions from the police. In addition, the claimant claimed to have seen the hotel employees with the passport photo on their tablets.

Well, the AEPD explains in its resolution that the data collected, except for the photograph, were necessary for the execution of the contract to which the interested party is a party. Regarding the image, the hotel indicates that it used it as a security method, to avoid fraudulent use of magnetic cards, a support in which the client could charge expenses. Thus, by being able to compare the image of the system with the person requesting the consumption, third parties were prevented from making charges to their account.

The data protection agency points out that, although the Citizen Security Protection Law imposes obligations regarding the information that must be collected on the guest registry, the passport image would not be related to this obligation.

The AEPD indicates that the hotel duly informed guests about the collection and communication of their data, but did not do so about the use made of the image and does not believe that the attempt to protect the client is a sufficient justification.

The Spanish authority understands that the scanning and use of the passport image for these purposes is disproportionate and excessive, and even more so when there are less invasive means to guarantee that the cardholder is the person making the payment. In addition, despite the fact that the hotel claims to have a legitimate interest, the company did not prove to the Spanish Data Protection Agency that it had carried out the prior weighting required by the RGPD to base the data processing on this legal basis.

In this sense, María Zarzalejos, associate of the privacy, IT and digital business area of ​​Andersen, affirms that «it seems reasonable that in this case not even obtaining the express consent of the client has a place for the treatment of the data corresponding to the photograph. It could be considered that it has not been granted freely if this entails a restriction of your rights as a client or the impossibility of staying at the hotel.

Finally, the agency points out, the guest was not informed about the uses and purposes of treating his image, preventing him from the option of opposing said treatment.