In a recent decision, the Spanish Data Protection Authority (Agencia Española de Protección de Datos – “AEPD) fined Marins Playa, S.A. (“Marins Playa“), a provider of hotel services, with 30,000 euros for collecting and further processing photographs contained in the ID documents of its guests.

At check-in, the hotel personnel requests and scans the ID document (e.g. passport) of the visitor. This scan does not produce a copy of the ID document, but only collects, digitalizes and transfers certain information from those documents to the records of the hotel. Namely, the number, type and date of issuance of the ID document, as well as the name, surname, sex, country, date of birth and photo of the person. Then, the hotel employee collects the signature of the guest in digital format, with a tablet where guests can read the privacy policy of Marins Playa.

At the end of the check-in process, the hotel employee gives a magnetic card to the guest, which the guest has to use for accessing his room and for using the services of the hotel (e.g. bar). This way, when, for example, the visitor orders something at the bar, he must present the magnetic card, so that the waiter can verify his identity and include the relevant expense into his bill. The waiter verifies the identity with a device which contains the cardholder’s photo previously scanned from his ID document, his name, as well as some other information about his reservation.

The AEPD acknowledged the existence of appropriate legal basis for the use of most of the abovementioned personal data. In particular, the AEPD understood that the processing of such information is necessary for the performance of the contract between the hotel manager and the guests (Art. 6.1(b) GDPR) and/or for the fulfilment of a Spanish legal obligation (Art. 6.1(c) GDPR) which demands hotels to record and share certain details about their guests with the State Security Forces and Corps. However, when it comes to the use of the photo, the opinion of the AEPD was different.

Marins Playa argued that the use of the photo of its guests was justified by its legitimate interest to verify the identity of the users of the hotel and to avoid the fraudulent use of hotels’ magnetic cards by third parties, thus preventing potential serious economic prejudices to the visitors (i.e. expenses made by third parties being charged into the accounts of the guests).

The AEPD, however, concluded that it was difficult to accept that legitimate interest could serve as the legal basis for the use of the photo, because such processing was performed in a concealed manner; the data protection-related information given to guests did not contain anything about the collection and subsequent use of their ID photo.

Moreover, there was no proof that Marins Playa carried out any balancing exercise between its legitimate interests and the rights and freedoms of the affected data subjects.

Then, the AEPD suggested that, even if Marins Playa had not made the abovementioned omissions, legitimate interest would not be an appropriate legal basis in the present scenario. Whilst the AEPD acknowledged that avoiding the fraudulent use of the card is an interest which can be regarded as legitimate, this is not enough for a processing operation to fall under the scope of Art. 6.1(f) of GDPR (legitimate interest). Two other conditions must also be met, including the necessity of processing the personal data for the purposes of the legitimate interests pursued by the controller and the fact that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence over such legitimate interests.

In this sense, the AEPD considered that the processing of guests’ photos was not necessary because the same goal (i.e. avoiding fraudulent use of the magnetic cards) can be reasonably achieved through the combination of other less impactful and/or intrusive means, such as:

  • Asking for some control data from the guest (e.g. his surname and room number) to check whether the answers match the information of the cardholder.
  • Requesting the signing of a receipt by the guest (this signature could be compared to the one given during check-in).
  • In case loss occurs, enabling the blocking of the card to avoid fraudulent use.

Based on the above, and on a further finding that Marins Playa failed to facilitate the right to object or establish opt-out mechanisms, the AEPD concluded that the legitimate interest invoked by Marins Playa did not prevail over the rights and freedoms of the data subjects and, thus, could not be used as an appropriate legal basis for the processing.

The above is a useful lesson for hotels processing the ID photo of their guests. Hotels, as the data controllers, should probably ask themselves whether such processing is necessary for the purpose that they seek to achieve and, if so, whether they should seek guest’s consent instead of relying on one’s own legitimate interest.

[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as an instructive guidance for compliance with local regulations.]