Article - August 6, 2024.
Accuracy of data and the principle of minimization. Training staff with clarity and rigor is key to avoid sanction reasons.
Data protection requirements permeate many aspects of our daily activities. Knowing to what extent I can or cannot ask users for their data is essential to safeguard both our reputation and to avoid complaints and subsequent sanctions.
The AEPD, in a recent resolution of file ps-00036-2024 of February 03, 2025, has notified a fine of 1,500 euros to an accommodation as a result of a breach of the PRINCIPLE OF MINIMIZATION OF DATA, by requiring the passenger to take a photograph/scan of both sides of the ID card, not allowing only its exhibition. The establishment configured its tool for the TRAVELER'S REPORT requiring a photograph, and eliminating the possibility of filling in the report manually if the passenger does not consent to allow a photograph.
The establishment insisted on the procedure, confusing its obligation to verify the authenticity of the data in accordance with the provisions of Royal Decree 933/2021, with the obligation to provide a copy/photograph of the identity document, which in no case is required by the regulations, nor is it required to provide information on all the data contained in the document.
Do you know which data in the DNI exceeds the data required by the regulations?
How should customer identification data be requested and how should the data processor act?
Have you checked how your traveler application stores data and if it does so in compliance with regulations?
Do you know that the non-compliance of a processor also falls on the data controller?
Do you have this limited in your processing manager annexes?
At TOURISM & LAW we are at your disposal to advise you so that you can, in a preventive way, avoid incidents in this and many other cases.