Royal Decree 933/2021: Traveler Registration and Data Protection in the Tourism Sector

Traveler Registration and Data Protection in the Tourism Sector

Last Monday, December 2, the Royal Decree 933/2021, of October 26, which establishes a new obligation for hotels, tourist apartments, travel agencies and car rental companies: record and communicate your customer and transaction dataThis regulatory change, designed to improve citizen security, also poses significant challenges in terms of regulatory compliance and data protection.

In this article, we'll analyze the key aspects of this regulation, the data that must be recorded, companies' obligations, retention periods, and how to ensure compliance with personal data protection legislation.

The Royal Decree aims to strengthen public security and crime prevention, especially those related to terrorism and organized crime. According to the preamble to the law, accommodation and vehicle rentals are frequently used in criminals' modus operandi, given the ease of contracting through digital means and the privacy these transactions offer. In this context, the regulation seeks to create a more robust document control system that allows law enforcement agencies to access relevant information in real time for the prevention and detection of criminal activities.

Who is obligated?

The Royal Decree affects:

1. Lodging establishments: Hotels, hostels, guesthouses, rural houses, campsites, tourist apartments and any overnight accommodation service, whether professional or not.
2. Digital platforms: Includes those that mediate in lodging or vehicle rental, even if they do not directly provide the underlying service.
3. Self-drive car rental companies: Includes traditional companies, tour operators that act as intermediaries in the service, and digital platforms that act as intermediaries.

The Royal Decree establishes an unprecedented level of detail in the data that must be collected by the required companies, differentiating between the lodging and vehicle rental sectors.

Hospitality sector data

Companies must register the following data, according to the Annex I of the Royal Decree:

• Traveler data: Name, surname, sex, identity document (type, number and format), nationality, date of birth, place of habitual residence (full address, city, country), telephone numbers (landline and mobile), email address, number of travelers and relationship if any of them are minors.
• Transaction data: Contract reference number, check-in and check-out dates, property address, number of rooms, payment type (cash, card, transfer, etc.), payment method details (card number, IBAN, cardholder, etc.).

Vehicle rental sector data

For self-drive car rental companies, the data required, according to the Annex II, include:

• Tenant information: Name, surname, sex, identity document (type, number and format), nationality, date of birth, place of habitual residence, telephone numbers, email address.
• Primary driver and second driver details (if applicable): Name, surname, identity document, driver's license (number, type and validity), nationality, place of habitual residence, telephone numbers and email address.
• Vehicle and transaction data: Make, model, license plate, chassis number, mileage at pickup and return, pickup and return location and date, as well as contract and payment details (type, cardholder, card number, IBAN, etc.).

Obligated subjects must carry a computer record of this data and ensure its accuracy by checking users' ID documents. In the case of the hospitality sector, the data must be submitted in the official application. SES.LODGING, developed by the State Secretariat for Security. Furthermore, data communications to the authorities must be made telematically within a period of no more than 24 hours from the time of booking, formalization of the contract or effective provision of the service.

For those who carry out non-professional hosting activities, data transmission by non-telematic means is permitted.

Data retention periods

Once collected, data must be retained for a period of three years from the end of the service or contract. This deadline is mandatory, and failure to comply may result in severe penalties.

Sanctioning regime

The Royal Decree establishes a sanctioning regime based on the Organic Law 4/2015, of March 30, for the protection of citizen security:

• Serious violations: These include the lack of documentary records or the failure to comply with mandatory communications. These can be punished with fines ranging from €601 to €30,000.
• Minor infractions: These include errors or deficiencies in completing records, or delays in mandatory communications. Fines can reach 600 euros.

Impact on the protection of personal data

This new regulatory framework poses significant challenges in terms of privacy and personal data protection. The processing of this data must strictly comply with the Organic Law 7/2021, of May 26, on the protection of personal data processed for the purposes of prevention, detection and investigation of criminal offenses.

Main implications for data protection

1. Centralized filesThe data will be stored in two files managed by the State Secretariat for Security, accessible only to the Security Forces, the judicial authorities, and the Public Prosecutor's Office.
2. Interconnection with police databases: Interconnection with other databases will be allowed to optimize the prevention and detection of serious crimes.
3. Minimization and security: Companies must implement technical and organizational measures to ensure the integrity, confidentiality, and availability of collected data, preventing unauthorized access.

Find out more related posts in our DPO blog